Subject: SV: [ActiveDir] Missing one of the "default Password Replication Policy groups"
Christoffer Andersson
02/03/2010 3:26 PM  
Did you try the following?

You can re-try triggering the operational attribute runSamUpgradeTasks; if I recall correctly, this operational attribute is responsible for creating those groups.

http://msdn.microsoft.com/en-us/library/dd240061(PROT.13).aspx

________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] on behalf of Brown, Ken F. [Ken.Brown@kbslp.com]
Sent: 3 February 2010 15:57
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Missing one of the "default Password Replication Policy groups"

OK, I was just asking to make sure...

In reviewing the steps I did a few months ago (upgrading from 2000 -> 2008) - I did all the schema steps (forestprep, domainprep, gpprep, rodcprep) over two weekends (large environments, lots of replication of sysvol on the gpprep stage) - but the PDC-E role wasn't moved to a 2008 DC until later - and that is when the new groups were created (based upon the create timestamp of the groups).

So...could you move the PDC-E FSMO role to a 2003 DC (assuming the functional level wasn't raised to 2008), let it sit a day (I'm not sure when those detection processes kick in) - then move it back to the 2008 DC? I'm (assuming/hoping/guessing) that the detection process will then detect it didn't create that built-in group - and would then create it.

Of course...maybe that was already attempted?

-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Paul Bergson (ALLETE)
Sent: Wednesday, February 03, 2010 8:09 AM
To: 'activedir@mail.activedir.org'
Subject: RE: [ActiveDir] Missing one of the "default Password Replication Policy groups"

He did do that as well

Thanks

Paul


From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brown, Ken F.
Sent: Wednesday, February 03, 2010 6:39 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Missing one of the "default Password Replication Policy groups"

In your list of steps below...you didn't include the ADPREP /RODCPREP (run per domain if multi-domain forest) - was that done or just a step missing from your list?

The EBS Schema Upgrade Tool ran the following without error:
adprep /forestprep
adprep /domainprep /gpprep


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of James Brown
Sent: Tuesday, February 02, 2010 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing one of the "default Password Replication Policy groups"
... apologies for my previous partially composed email! What I was about to say was... Paul suggested I give you guys a try.

I have a single domain forest which we recently upgraded from 2003 DCs (on Small Business Server 2003) to 2008 DCs (on Essential Business Server 2008), I’m trying to add a Read-Only DC to be hosted by Windows Server 2008 R2 but when I run DCPROMO I get “The default Password Replication Policy groups are not present on the PDC [My PDC]. The parameter is incorrect”.

It turns out I’m missing one of the Well Known domain security groups namely the Domain Local “Allowed RODC Password Replication Group”.
Paul Bergson, Florian Frommherz and ‘KJ’ have been pointing me towards particular documentation but we’re running out of ideas. Paul found perhaps the most definitive excerpt:

After you upgrade the Windows Server 2003-based domain controller holding the role of the PDC emulator master in each domain in the forest to Windows Server 2008, or after you move the PDC emulator operations master role to a Windows Server 2008-based domain controller, or after you add a read-only domain controller (RODC) to your domain, the following new well-known and built-in groups are created:

a. Builtin\IIS_IUSRS
b. Builtin\Cryptographic Operators
c. Allowed RODC Password Replication Group
d. Denied RODC Password Replication Group
e. Read-only Domain Controllers
f. Builtin\Event Log Readers
g. Enterprise Read-only Domain Controllers (created only on the forest root domain)
h. Builtin\Certificate Service DCOM Access

From [Appendix A: Background Information for Upgrading Active Directory Domains] http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx

I can confirm I’ve got every group except “Allowed RODC Password Replication Group”. The timeline was as follows:

1. SBS 2003 AD checked for health by EBS installation wizard
2. 1st EBS 2008 server (Management role) joins domain
3. The EBS Schema Upgrade Tool ran the following without error:
   adprep /forestprep
   adprep /domainprep /gpprep
4. 1st EBS 2008 Server promoted to DC
5. FSMO roles transferred to this new 2008 DC
6. 2nd DC joins the domain (Messaging role) and once promoted the FSMO roles are transferred to it
7. A few minutes later all but one of the Well Known domain security groups is successfully created by some unknown process. No error messages seem to have been logged but I'm not sure what I'm looking for.
8. Few days later PDCe role transferred back to 1st 2008 DC (Management)
9. Week or so later the old 2003 DC is gracefully demoted
10. Attempted to install Windows Server 2008 R2 as a RODC, ran through new ADPREPs, without error before grinding to a halt with DCPROMO

What can I do to get the missing “Allowed RODC Password Replication Group” created in my AD?


James Brown
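The thread never shows how to check the eight groups from the TechNet appendix systematically, or how to tell whether the group is really absent on the PDC emulator (the DC that creates them and the one DCPROMO queries) rather than just not replicated yet. The following script is an added example, not code from any poster or from Microsoft. It looks the groups up by well-known SID rather than by display name, so a renamed or localised group is still recognised, and it asks the PDC emulator directly. It assumes the RSAT ActiveDirectory module is available; the LDIF it writes for re-triggering runSamUpgradeTasks is an assumption modelled on how other rootDSE operational attributes are written (per the MS-ADTS section Christoffer links), and the script only writes that file, it does not import it.

```powershell
# Added example (not from the thread): audit the well-known groups that should exist
# after the PDC emulator has been moved to a Windows Server 2008 DC.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$forest       = Get-ADForest
$pdc          = $domain.PDCEmulator
$domainSid    = $domain.DomainSID.Value
$isForestRoot = ($domain.DNSRoot -eq $forest.RootDomain)

# Well-known SIDs: built-in groups live under S-1-5-32, domain groups under the domain SID.
$expected = @(
    @{ Name = 'Builtin\IIS_IUSRS';                       Sid = 'S-1-5-32-568';      RootOnly = $false },
    @{ Name = 'Builtin\Cryptographic Operators';         Sid = 'S-1-5-32-569';      RootOnly = $false },
    @{ Name = 'Builtin\Event Log Readers';               Sid = 'S-1-5-32-573';      RootOnly = $false },
    @{ Name = 'Builtin\Certificate Service DCOM Access'; Sid = 'S-1-5-32-574';      RootOnly = $false },
    @{ Name = 'Enterprise Read-only Domain Controllers'; Sid = "${domainSid}-498";  RootOnly = $true  },
    @{ Name = 'Read-only Domain Controllers';            Sid = "${domainSid}-521";  RootOnly = $false },
    @{ Name = 'Allowed RODC Password Replication Group'; Sid = "${domainSid}-571";  RootOnly = $false },
    @{ Name = 'Denied RODC Password Replication Group';  Sid = "${domainSid}-572";  RootOnly = $false }
)

# Query the PDC emulator itself, so replication lag on another DC cannot produce a
# false "missing" and the result matches what DCPROMO will see.
$missing = foreach ($g in $expected) {
    if ($g.RootOnly -and -not $isForestRoot) { continue }   # enterprise group is forest-root only
    try {
        $found = Get-ADGroup -Identity $g.Sid -Server $pdc -Properties whenCreated -ErrorAction Stop
        Write-Host ("OK       {0,-45} {1,-40} created {2}" -f $g.Name, $found.SamAccountName, $found.whenCreated)
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Host ("MISSING  {0,-45} {1}" -f $g.Name, $g.Sid)
        $g    # collected into $missing
    }
}

# The groups are created by the PDC emulator, so show what it is running.
$pdcComputer = Get-ADComputer -Identity ($pdc.Split('.')[0]) -Properties OperatingSystem
Write-Host ("`nPDC emulator: {0} ({1})" -f $pdc, $pdcComputer.OperatingSystem)

if (@($missing).Count -gt 0) {
    # Assumption: runSamUpgradeTasks is written like other rootDSE operational attributes
    # (empty DN, value 1). The file is only written here; review it, then import it
    # deliberately as a Domain Admin against the PDC emulator with
    #   ldifde -i -f retrigger-sam-upgrade.ldf -s <PDC emulator FQDN>
    # and re-run this script to confirm the groups now exist.
    $ldif = @"
dn:
changetype: modify
add: runSamUpgradeTasks
runSamUpgradeTasks: 1
-
"@
    Set-Content -Path '.\retrigger-sam-upgrade.ldf' -Value $ldif -Encoding ASCII
    Write-Host ("`nWrote retrigger-sam-upgrade.ldf for {0} missing group(s)." -f @($missing).Count)
}
```

Looking up by SID matters for the case in the thread: the RID of "Allowed RODC Password Replication Group" (571) is fixed, so if the script reports it missing on the PDC emulator, the group truly was never created rather than created under another name. The whenCreated values also reproduce Ken's observation that the groups appear when the PDC emulator role lands on a 2008 DC.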

Copyright 2012 ActiveDir.org