Windows Server 2012 – Unable To Promote To A Domain Controller

I recently performed a series of Domain Controller upgrades for a customer and hit an error that does not appear to be commonly encountered. During the prerequisites check that runs as part of the promotion, the following error was reported:

“Verification of prerequisites for Active Directory preparation failed. The specified user does not have SeSecurityPrivilegeEnabled”

Prior to the prerequisites check I had also noticed that the wizard was reporting my domain administrator account was not a member of either the Enterprise Admins or Schema Admins groups, membership of which is required to extend the schema when promoting the first Windows Server 2012 domain controller. After researching the “SeSecurityPrivilegeEnabled” property, it appeared that the domain administrator account had not been granted the “Manage auditing and security log” user right (SeSecurityPrivilege) in the machine's local group policy. To resolve the promotion issue, the following was performed:

1. Connect to an existing domain controller and open the Group Policy Management Console.

2. Expand the domain, then the Domain Controllers OU, and edit the Default Domain Controllers Policy.

3. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

4. Select the “Manage auditing and security log” entry and open its properties.

5. Tick the “Define these policy settings” checkbox and then use the “Add User or Group” button to add the Domain\Administrator account and the Domain\Domain Admins group.

6. Close the Group Policy Object Editor, open a new command prompt window and run “gpupdate /force”. Perform this step on the machine you are trying to promote to a domain controller as well.

7. Re-run the domain controller promotion wizard on the Windows Server 2012 server; the prerequisites check should now complete.

That’s it, all done.
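Before re-running the wizard it is worth confirming that both conditions the post describes are actually in place on the server being promoted. The following script is an added example, not part of the original post: it checks the logon token for Enterprise Admins / Schema Admins membership (by well-known RID against the forest root domain SID, so it works from a child domain too) and exports the effective local security policy with secedit to see who currently holds the “Manage auditing and security log” user right (SeSecurityPrivilege). It assumes an elevated PowerShell 3.0 or later session on the server being promoted, logged on as the account that will perform the promotion; the function names and the temporary export file path are my own.

```powershell
# Added example (not from the original post): pre-promotion checks for the two
# conditions described above. Assumes an elevated session on the server being
# promoted, logged on as the account that will run the promotion.

function Get-TokenSids {
    # SIDs in the current logon token: the user plus every group it carries.
    # Token groups are fixed at logon, so after adding the account to a group
    # you must log off and back on before this check will reflect it.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
}

function Test-SchemaExtensionGroups {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so compare by well-known RID against the root domain SID rather than by
    # name (518 = Schema Admins, 519 = Enterprise Admins).
    $root     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
    $sidBytes = $root.GetDirectoryEntry().Properties['objectSid'].Value
    $rootSid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    $token    = Get-TokenSids
    foreach ($pair in @(@('Schema Admins', 518), @('Enterprise Admins', 519))) {
        [pscustomobject]@{
            Check  = "Member of $($pair[0])"
            Result = ($token -contains "$rootSid-$($pair[1])")
        }
    }
}

function Test-SeSecurityPrivilege {
    # secedit writes the effective user rights as an INI section, e.g.
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
    # After the GPO change and gpupdate /force, the SIDs of the account and
    # of Domain Admins should appear on this line.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary file, my choice of name
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)                     # already a SID
            } else {                                    # account name: resolve to SID
                (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
        }
    }

    $token = Get-TokenSids
    [pscustomobject]@{
        Check   = 'SeSecurityPrivilege assigned to this account (directly or via a group)'
        Result  = [bool]($holders | Where-Object { $token -contains $_ })
        Holders = $holders
    }
}

Test-SchemaExtensionGroups
Test-SeSecurityPrivilege | Format-List
```

If the group checks fail but the accounts were added recently, log off and back on first: the wizard evaluates the same logon token. If the privilege check fails after step 6, run gpresult /r on the server to confirm the Default Domain Controllers Policy is actually applying to it.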

Windows Server 2008 – Time Synchronisation

Time synchronisation on Windows servers is an issue that comes around every so often, and it can cause serious problems across an infrastructure. I recently had a customer with a time problem that was preventing several services, mainly Microsoft Exchange related, from starting correctly. There is a ton of information on the internet about ways to fix time issues in Windows-based domains, most of which reference third-party time applications or registry fixes. Whenever I experience a time issue across an infrastructure I always use the following procedure:

1. Open a command prompt window. If you have User Account Control enabled on your server, make sure you open the command prompt as an administrator.

2. Firstly, I like to find out the time difference between my domain controllers and an external trusted time source. To obtain this information, run the following command. You can change the “computer” attribute to a time server in your geographical area; I have set this to uk.pool.ntp.org to reflect Greenwich Mean Time:

w32tm /stripchart /computer:uk.pool.ntp.org /samples:5 /dataonly

3. You should now be able to see how far out of sync your domain controller is compared with an accurate external time source. To sync your domain controller with this external time source and rectify the issue, enter the following command into the same command prompt window. As with the previous command, you can change the “manualpeerlist” entry to an external time server in your geographical location:

w32tm /config /manualpeerlist:uk.pool.ntp.org /syncfromflags:manual /reliable:yes /update

4. That’s it. Your domain controller's time should now be correctly synchronised against the external time source specified, and other machines in your domain should inherit this time if they are configured to obtain their time from a domain controller.

You can find more information on external time sources at http://www.ntp.org
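The two w32tm commands above can be wrapped into a small check-then-configure script so the offset is measured and recorded before anything is changed. The following is an added example, not part of the original post. It parses the /stripchart output to average the measured offset, flags an offset over the five-minute Kerberos default tolerance (beyond which domain authentication fails), and only applies the /config command on the PDC emulator, because /reliable:yes advertises that server as the domain's authoritative time source and other DCs and members should continue to follow the domain hierarchy. It assumes an elevated PowerShell session on a domain controller; the peer name is the one from the post, and the function names and the trailing w32tm /resync and /query /status calls are my additions.

```powershell
# Added example (not from the original post): measure the offset against an
# external NTP server, then apply the post's w32tm /config command on the PDC
# emulator only. Assumes an elevated session on a domain controller.

$Peer = 'uk.pool.ntp.org'   # swap for a pool server in your region

function Get-NtpOffsetSeconds {
    param([string]$Server, [int]$Samples = 5)
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample. Header
    # lines and failed samples ("..., error: 0x800705B4") carry no offset
    # field and are skipped; the remaining offsets are averaged.
    $raw = w32tm /stripchart "/computer:$Server" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $raw) {
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No samples returned from $Server (UDP/123 blocked or name resolution failed?)"
    }
    ($offsets | Measure-Object -Average).Average
}

function Get-PdcEmulator {
    # FSMO role holder via .NET, so this also works without the AD module.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Test-IsPdcEmulator {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    (Get-PdcEmulator) -ieq $fqdn
}

function Set-ExternalTimeSource {
    param([string]$Server)
    # The exact command from the post, followed by an immediate resync.
    w32tm /config "/manualpeerlist:$Server" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /nowait
}

$offset = Get-NtpOffsetSeconds -Server $Peer
"Average offset from {0}: {1:N3} s" -f $Peer, $offset
if ([math]::Abs($offset) -gt 300) {
    "WARNING: more than 5 minutes out; Kerberos authentication will fail until this is corrected."
}

if (Test-IsPdcEmulator) {
    Set-ExternalTimeSource -Server $Peer
    w32tm /query /status      # confirm Source: shows the external peer
} else {
    "This DC is not the PDC emulator; run the /config command on $(Get-PdcEmulator) instead."
}
```

Run the script a second time a few minutes after the change: the measured offset should have dropped to well under a second, and w32tm /query /status on the PDC emulator should list the external peer as its source.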