First up, my account is DOMAIN ADMIN and ENTERPRISE ADMIN. I am running CMD "as administrator".
(Just wanted to get that out there, as the majority of suggestions I've found on the net state these are prerequisites).
I've run SysInternals Process Explorer and confirmed the flag is "Mandatory" as opposed to "Deny". So the CMD is running with the required permissions (as far as I can tell!).
We're in the process of replacing 3 x old Domain Controllers (running 2008 R2) with 3 x new Domain Controllers (running 2019).
Before the DCPROMO of the first 2019 server, we ran /forestprep with no errors.
We then ran /domainprep and are getting this error:
D:\support\adprep>adprep /domainprep
Adprep was unable to create the object CN=TPM Devices,DC=ecs-ict,DC=net in Active Directory Domain Services.
[Status/Consequence]
This Adprep operation failed.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20220218172913 directory for more information. Restart Adprep.
Adprep encountered an LDAP error.
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20220218172913 directory for more information.
I've been Googling the bejesus out of this issue and can't find the solution.
Gone into ADSIEDIT and made sure that the Enterprise Admins, Domain Admins, and my own username have the correct permissions on the CONFIGURATION key, as it seems this is the crux of the problem... my account cannot create a new OU in AD. (See first line of the error above).
If I open up Active Directory Users and Computers, there is no option for me to create a new OU in the root.
Any pointers in the right direction would be much appreciated!
Thanks,
Peter