Error convert applying security template

Steven L Umbach

The error message indicates there is a problem reading the file security section of
the security template. You might try to replace it from the install disk and also try
to apply it using the Security Configuration and Analysis mmc snapin tool. I read
that KB and it seems like you might have some major problem with replication if all
that was going on. If you still have problems with replication I suggest you post in
the win2000.active_directory newsgroup for help on resolving your issue. Replmon,
gpotool, repadmin, nltest, dnslint, netdiag, and dcdiag are support tools that you
may find helpful. --- Steve
 
Resonate

Following the advice of KB Q305837, I tried to apply the
security template as follows.


secedit /configure /cfg basicdc.inf /db basicdc.sdb /log basicdc.log /verbose


The reply was:


The data is invalid, the task completed with error. See log file.


The log stated:


Error 13: The data is invalid.
Error convert %DSDIT%.
Error 13: The data is invalid.
Error convertting section File Security.
----Configuration engine is initialized with error.----



----Un-initialize configuration engine...




Can anyone help please! My DC's are not replicating :(
 
Steven L Umbach

How did you try to change permissions? Did you manually change permissions, import a
template into Local Security Policy on one or more domain controllers, or import a
template into Domain Controller Security policy or another GPO?? Hopefully you did
this locally so that ntfs permissions are not replicating. What permission did you
modify? Below is some information on the Event ID 1126.

http://eventid.net/display.asp?eventid=1126&eventno=656&source=NTDS General&phase=1

What I would do for now, is try and manually change ntfs permissions for now on that
computer. For the system drive make sure administrators and system have full control,
that users have read/list/execute and everyone has read permissions. Do NOT force
those changes down, just configure in the root folder. Do the same for program files
and \winnt folder. Make sure there are no deny permissions listed either. The Sysvol
share should have administrators full control and users have read.
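
The baseline described in the post above (Administrators and SYSTEM full control, Users read/list/execute, Everyone read, no deny entries) can be checked mechanically. This is an added example, not part of the original thread: it audits folder DACLs supplied as SDDL strings, and the folder names and SDDL values in SAMPLE are constructed for illustration.

```python
import re

FILE_ALL, READ_EXEC, READ = 0x1F01FF, 0x1200A9, 0x120089
# SDDL rights tokens -> file access mask
RIGHTS = {"FA": FILE_ALL, "GA": FILE_ALL, "FR": READ, "GR": READ,
          "FX": 0x1200A0, "GX": 0x1200A0, "FW": 0x120116, "GW": 0x120116}
# Baseline from the post, keyed by SDDL trustee alias:
# BA=Administrators, SY=SYSTEM, BU=Users, WD=Everyone
BASELINE = {"BA": FILE_ALL, "SY": FILE_ALL, "BU": READ_EXEC, "WD": READ}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)")

def pairs(text):
    """Split an SDDL flag/rights string into its two-letter tokens."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def parse_mask(rights):
    """Turn an SDDL rights field (hex or token string) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= RIGHTS.get(token, 0)
    return mask

def audit_dacl(sddl):
    """Return the baseline violations found in one folder's DACL."""
    findings, granted = [], {}
    for ace_type, flags, rights, trustee in ACE_RE.findall(sddl):
        if ace_type == "D":
            findings.append(f"deny ACE for {trustee}")
        elif ace_type == "A" and "IO" not in pairs(flags):
            # inherit-only ACEs do not apply to the folder itself
            granted[trustee] = granted.get(trustee, 0) | parse_mask(rights)
    for trustee, need in BASELINE.items():
        if granted.get(trustee, 0) & need != need:
            findings.append(f"{trustee} lacks baseline rights")
    return findings

# Constructed sample DACLs (not taken from the thread)
SAMPLE = {
    "C:\\": "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;;FR;;;WD)",
    "C:\\WINNT": "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)",
    "C:\\Program Files": "D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;SY)(D;;FR;;;BU)(A;;FR;;;WD)",
}

def audit_all(dacls):
    """Map each folder with violations to its list of findings."""
    report = {path: audit_dacl(sddl) for path, sddl in dacls.items()}
    return {path: found for path, found in report.items() if found}

if __name__ == "__main__":
    for path, found in audit_all(SAMPLE).items():
        print(path, found)
```

On current Windows versions, `(Get-Acl <folder>).Sddl` in PowerShell produces a string in the format this function expects.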
 
Resonate

Stephen

All this occurred when I screwed around with the C: file permissions to try
and lock down security. It seems I have screwed the SYSVOL security etc and
I believe this template replaces the file permissions. As I couldn't do it I
decided to try and demote the DC and re-add it to the domain but it won't
even let me do that.

I am not getting all them errors in that KB only these

Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
User: Everyone
Description: Unable to establish connection with global catalog.

Event Type: Warning
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1655
Description: The attempt to communicate with global catalog
\\computername.SoftwareManager.TheSoftwareManager.com failed with the
following status:

Access is denied.

The operation in progress might be unable to continue. The directory service
will use the locator to try to find an available global catalog server for
the next operation that requires one.

The record data is the status code.
Data: 0000: 05 00 00 00

Any further help appreciated.
 
rflroes115

I forgot to mention an important item, my mistake am
trying to tech calls at the same time. I meant the
service for ipsec will not start - keeping getting an
error _ no trouble found message contact administration//
 
Resonate

In my infinite wisdom I manually removed Everyone from the whole of C: on
this DC as a security measure lol.

I have since before your recommendation to the contrary forced down
everyone>full control on the whole of C drive in a hope to get replication
going again but no joy.
 
Resonate

I would be happy to demote the DC and start again but it simply won't let me.

Error The Directory Service was unable to transfer the domain wide FSMO
roles to another domain controller in the domain.
 
Steven L Umbach

Forcing down everyone certainly could be a fix but if you force it down I believe it
will also change permissions of the user profile folders, though there should not be
many on a domain controller anyhow and you could repair that later. Running netdiag
/v and dcdiag /v on it may give you some idea what the problem is and I would verify
that administrators/system have full control to \winnt and \winnt\system32 folders.
The link below is another way to reset default ntfs permissions on a W2K computer.

http://support.microsoft.com/?kbid=266118

If you continue to have problems you may just want to dcpromo the computer as you
mention in your other post and I don't blame you as you can spend a lot of time
beating a dead horse. There is a procedure, that I have not tried myself, to forcibly
demote a domain controller. I would also make sure that at least one other domain
controller is a Global Catalog Server [try that and see if it helps with dcpromo] and
then transfer or seize the fsmo roles to another domain controller before trying to
force the dcpromo. Worst case scenario is to seize fsmo roles to other domain
controller, make sure that there is at least one global catalog server, and rebuild
the operating system. In that case you have to use ntdsutil.exe to clean the metadata
for the domain and the procedure differs a bit depending on if you reinstall and
dcpromo with the same computer name or not. The links below explain more detail---
Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504
http://support.microsoft.com/default.aspx?kbid=332199
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q216498
 
Resonate

Wrong thread mate

I forgot to mention an important item, my mistake am
trying to tech calls at the same time. I meant the
service for ipsec will not start - keeping getting an
error _ no trouble found message contact administration//
 
