"You must be a member of the Domain Admins, Schema Admins, and Enterprise Admins" error when you run the Windows Small Business Server 2003 Setup program (842694)



The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition

SYMPTOMS

When you run the Microsoft Windows Small Business Server 2003 Setup program, you may receive the following message in the Setup Requirements window:
You must be a member of the Domain Admins, Schema Admins, and Enterprise Admins groups.
However, if you view the group membership of the Administrator account, you see that the account is already a member of the Domain Admins, Schema Admins, and Enterprise Admins groups.

Note To view Administrator account group membership, double-click the Administrator account in the Active Directory Users and Computers snap-in, and then click the Member Of tab.

When this problem occurs, you may also receive one or more of the following messages:
Unable to contact all domain controllers.
Windows Small Business Server 2003 cannot be installed on a domain controller that is not assigned the operations master roles.
Note These messages are preceded by a red X that indicates that the Setup program cannot continue until the blocks are resolved.

CAUSE

This problem may occur if one or more of the following conditions are true:
  • The server where you are trying to install Windows Small Business Server 2003 does not own all the operations master roles.
  • There is an orphan domain controller object in Active Directory from a previously removed domain controller. In particular, this scenario may occur if you forcefully demote a domain controller by running the dcpromo /forceremoval command.
  • The Domain Controllers security group has been moved out of the Users organizational unit (OU).
  • Multiple domain controllers exist in your domain, and there are communication problems among them.
  • You start or restart the server where you are installing Windows Small Business Server 2003 while replica domain controllers exist in the domain, and Setup runs before that server has completed an initial inbound replication from the replicas.

RESOLUTION

To resolve this problem, transfer all operations master roles to the server where you are installing Windows Small Business Server 2003, remove any orphan domain controllers from Active Directory, and then verify that the Domain Controllers security group is located in the Users OU. If these steps do not resolve the issue, run the dcdiag /v command to identify communication problems among the domain controllers.

Verify that an initial inbound replication has occurred from replica domain controllers after you start Windows Small Business Server

  1. Click Start, click Administrative Tools, click Active Directory Sites and Services.
  2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand Server-name, and then click NTDS Settings.
  3. Right-click the automatically generated connection object, and then click Replicate Now.
  4. Repeat steps 2 and 3 for each domain controller in the domain.
  5. Click Start, click Control Panel, click Add/Remove Programs, click Windows Small Business Server 2003, and then click Change/Remove to run Windows Small Business Server Setup.
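The following PowerShell script is an added example and is not part of KB 842694. It is the scripted equivalent of the "Replicate Now" procedure above: it asks the local domain controller to sync every partition from all of its inbound neighbours and then reports, per partner, whether at least one successful inbound replication has ever completed. It uses the .NET System.DirectoryServices.ActiveDirectory classes, so it needs no Active Directory PowerShell module; the server name defaults to the local machine, which is assumed to be the server where Setup will be rerun.

```powershell
# Added example, not part of KB 842694. Checks that this DC has completed at
# least one successful inbound replication from every partner, optionally
# triggering a sync from all neighbours first (the scripted "Replicate Now").
Add-Type -AssemblyName System.DirectoryServices

function Get-InboundReplicationStatus {
    param(
        [string]$Server = $env:COMPUTERNAME,   # DC to inspect; assumed to be the SBS target server
        [switch]$TriggerSync                   # request a sync from every neighbour before reporting
    )
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer, $Server)
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)

    $report = @()
    foreach ($partition in $dc.Partitions) {       # schema, configuration, domain, app partitions
        if ($TriggerSync) {
            # Same effect as right-clicking each connection object and choosing Replicate Now
            $dc.TriggerSyncReplicaFromNeighbors($partition)
        }
        foreach ($n in $dc.GetReplicationNeighbors($partition)) {
            # A never-synced partner carries a zero FILETIME, which surfaces as 1601-01-01
            $never = ($n.LastSuccessfulSync.Year -le 1601)
            $lastOk = $null
            if (-not $never) { $lastOk = $n.LastSuccessfulSync }
            $report += New-Object PSObject -Property @{
                Partition          = $partition
                Source             = $n.SourceServer
                LastSuccessfulSync = $lastOk
                LastResult         = $n.LastSyncResult       # 0 = success, otherwise a Win32 error code
                Failures           = $n.ConsecutiveFailureCount
                Message            = $n.LastSyncMessage
                Ok                 = ((-not $never) -and ($n.LastSyncResult -eq 0))
            }
        }
    }
    return $report
}

$status = Get-InboundReplicationStatus -TriggerSync
$status | Format-Table Partition, Source, LastSuccessfulSync, LastResult, Failures -AutoSize
$bad = @($status | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) inbound partner(s) have not replicated successfully; resolve these before rerunning SBS Setup."
    $bad | Format-List Partition, Source, LastResult, Message
}
```

Every partner must show a non-empty LastSuccessfulSync and LastResult 0 for all partitions; a partner that shows 1722 (RPC server unavailable) or 8524 (DNS lookup failure) is the communication problem the dcdiag procedure later in this article is meant to find.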

Verify that the computer that will run Windows Small Business Server 2003 holds all the operations master roles

  1. Click Start, click Run, type cmd, and then press ENTER.
  2. Type the following commands. Press ENTER after each command.

    ntdsutil
    domain management
    connections
  3. Type connect to server ServerName, where ServerName is the name of the server where you are installing Windows Small Business Server 2003, and then press ENTER.
  4. Type quit, and then press ENTER.
  5. Type the following commands. Press ENTER after each command.

    select operation target
    list roles for connected server
A list is displayed that is similar to the following:
Server "ServerName" knows about 5 roles
Schema - CN=NTDS Settings,CN=ServerName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domainname,DC=local
Domain - CN=NTDS Settings,CN=ServerName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domainname,DC=local
PDC - CN=NTDS Settings,CN=ServerName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domainname,DC=local
RID - CN=NTDS Settings,CN=ServerName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domainname,DC=local
Infrastructure - CN=NTDS Settings,CN=ServerName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domainname,DC=local
Verify that the server where you are trying to install Windows Small Business Server 2003 owns all five of the operations master roles. If the server does not own all these roles, use the Ntdsutil command to move the roles to the server. While the current role holder is online and reachable, transfer the role; seize a role only when its current holder is permanently offline, and do not bring a domain controller whose roles were seized back onto the network without reinstalling it, because two live holders of the RID or schema master role can hand out duplicate RID pools or conflicting schema changes. To do this, follow these steps on the server where you are installing Windows Small Business Server 2003:
  1. Click Start, click Run, type ntdsutil, and then click OK.
  2. Type the following commands. Press ENTER after each command.

    roles
    connections
  3. Type connect to server ServerName, where ServerName is the name of the server where you are installing Windows Small Business Server 2003, and then press ENTER.
  4. At the server connections: prompt, type q, and then press ENTER.
  5. Type transfer role, where role is the role that you want to move. For example, to transfer the relative ID (RID) master role, type transfer rid master. If the transfer fails because the current holder cannot be contacted, type seize role instead; Ntdsutil attempts a transfer first and seizes the role only if the transfer fails. The one exception in naming is the primary domain controller emulator role: the syntax is "transfer pdc" or "seize pdc", not "transfer pdc emulator".
  6. Press ENTER.
For more information about how to use Ntdsutil, click the following article number to view the article in the Microsoft Knowledge Base:

255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
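The following PowerShell script is an added example, not part of KB 842694 or KB 255504. It reads the five operations master holders the way the directory itself reports them (the same information "list roles for connected server" prints), checks that every holder is this server, and for any role held elsewhere prints the exact ntdsutil transfer command to run here. It assumes it is run on the server where SBS 2003 will be installed and compares host names by their first DNS label.

```powershell
# Added example, not part of KB 842694. Lists the five FSMO holders, checks
# that all five are this server, and prints ntdsutil transfer commands for
# any that are not. Uses System.DirectoryServices.ActiveDirectory only.
Add-Type -AssemblyName System.DirectoryServices

function Test-LocalFsmoOwnership {
    param([string]$LocalName = $env:COMPUTERNAME)   # assumed: the SBS 2003 target server

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

    # Role, its current holder (FQDN), and the ntdsutil command that moves it here
    $roles = @(
        @{ Role = 'Schema';         Holder = $forest.SchemaRoleOwner.Name;         Cmd = 'transfer schema master' },
        @{ Role = 'Domain naming';  Holder = $forest.NamingRoleOwner.Name;         Cmd = 'transfer domain naming master' },
        @{ Role = 'PDC';            Holder = $domain.PdcRoleOwner.Name;            Cmd = 'transfer pdc' },
        @{ Role = 'RID';            Holder = $domain.RidRoleOwner.Name;            Cmd = 'transfer rid master' },
        @{ Role = 'Infrastructure'; Holder = $domain.InfrastructureRoleOwner.Name; Cmd = 'transfer infrastructure master' }
    )

    $result = foreach ($r in $roles) {
        # Holders are returned as FQDNs; compare the host label only
        $here = ($r.Holder.Split('.')[0] -ieq $LocalName)
        New-Object PSObject -Property @{
            Role = $r.Role; Holder = $r.Holder; OwnedLocally = $here; TransferCommand = $r.Cmd
        }
    }
    return $result
}

$fsmo = Test-LocalFsmoOwnership
$fsmo | Format-Table Role, Holder, OwnedLocally -AutoSize
$missing = @($fsmo | Where-Object { -not $_.OwnedLocally })
if ($missing.Count -eq 0) {
    "All five operations master roles are held by $env:COMPUTERNAME."
} else {
    "In ntdsutil, type: roles, connections, connect to server $env:COMPUTERNAME, q, and then:"
    $missing | ForEach-Object { "  $($_.TransferCommand)   (currently held by $($_.Holder))" }
    "Use the matching seize command only if the current holder is permanently offline."
}
```

If a role is reported as held by a server that no longer exists, that server is also the orphan domain controller object the next section tells you to remove; transfer will fail in that case and seize is the correct path.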

Verify that no orphan domain controller objects are present

Open Active Directory Sites and Services, and then determine whether any previously removed domain controller server objects are present. If an orphan server object is present, follow these steps to remove it:
  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Expand Sites, expand Default-First-Site-Name, and then click Servers.
  3. In the right pane, examine the list of servers to verify that all these servers exist. If you see a server that is listed that is no longer a domain controller on the network, right-click the server, and then click Delete.

    Caution If you recently demoted the domain controller, we recommend that you wait for full replication to occur before you perform this step. A demoted domain controller will remain listed in the Active Directory Sites and Services snap-in until the change is replicated to the remaining domain controllers.
  4. If you receive an error message when you try to delete the orphan server object, remove the domain controller's metadata manually by using the Ntdsutil metadata cleanup command, and then delete the server object.
For more information about how to remove orphaned objects in Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
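The following PowerShell script is an added example and is not part of KB 842694 or KB 216498. It automates the visual check in Active Directory Sites and Services: it enumerates every server object under CN=Sites in the Configuration partition and flags those that look like leftovers from a removed domain controller, either because the CN=NTDS Settings child is missing or because the host named in dNSHostName no longer answers an LDAP RootDSE bind. Hits are candidates to confirm by hand before deletion, and the caution above about recently demoted servers still applies.

```powershell
# Added example, not part of KB 842694. Finds server objects in the
# Configuration partition that look orphaned (no NTDS Settings child, or a
# dNSHostName that no longer answers LDAP). Read-only; nothing is deleted.
function Find-OrphanServerObjects {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configDn = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configDn"
    $searcher.Filter      = '(objectClass=server)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'dNSHostName'))

    foreach ($hit in $searcher.FindAll()) {
        $dn = [string]$hit.Properties['distinguishedname'][0]
        $fqdn = $null
        if ($hit.Properties['dnshostname'].Count -gt 0) { $fqdn = [string]$hit.Properties['dnshostname'][0] }

        # A live DC always has CN=NTDS Settings beneath its server object; a demotion
        # removes that child but can leave the server object itself behind.
        $hasNtds = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn")

        # Does the host still answer as a directory server? Touching NativeObject forces the bind.
        $answers = $false
        if ($fqdn) {
            try {
                $probe = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$fqdn/RootDSE")
                $answers = ($null -ne $probe.psbase.NativeObject)
            } catch { $answers = $false }
        }

        New-Object PSObject -Property @{
            Server          = $dn
            DnsHostName     = $fqdn
            HasNtdsSettings = $hasNtds
            AnswersLdap     = $answers
            LikelyOrphan    = ((-not $hasNtds) -or (-not $answers))
        }
    }
}

$servers = @(Find-OrphanServerObjects)
$servers | Format-Table Server, HasNtdsSettings, AnswersLdap, LikelyOrphan -AutoSize
$orphans = @($servers | Where-Object { $_.LikelyOrphan })
if ($orphans.Count -gt 0) {
    Write-Warning "Candidate orphan server object(s); confirm before deleting them in AD Sites and Services or with ntdsutil metadata cleanup:"
    $orphans | ForEach-Object { "  $($_.Server)" }
}
```

A server object that still has NTDS Settings but does not answer LDAP is the pattern left by dcpromo /forceremoval and needs the metadata cleanup path from KB 216498; a server object with no NTDS Settings and no answering host is usually safe to delete directly once replication of the demotion has converged.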

Verify that the Domain Controllers security group is located in the Users OU

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand DomainName, and then click Users.
  3. In the Users OU, look for the Domain Controllers security group.
  4. If the Domain Controllers security group is not listed in the Users OU, find where this security group is located, and then move it to the Users OU. To find a security group, right-click DomainName, and then click Find. To move a security group, right-click the group, and then click Move.

    Note A common mistake is to move the Domain Controllers security group to the Domain Controllers OU.
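The following PowerShell script is an added example and is not part of KB 842694. It performs the check above without relying on the group's display name: it locates the Domain Controllers group by its well-known RID (516), resolves the Users container through the domain's wellKnownObjects entry (what the article calls the Users OU is the CN=Users container), and reports whether the group's parent is that container. The -Fix switch performs the same move as right-click > Move in Active Directory Users and Computers; names and switches are the example's own.

```powershell
# Added example, not part of KB 842694. Verifies that the Domain Controllers
# group (RID 516) sits in the Users container and optionally moves it back.
function Test-DomainControllersGroupLocation {
    param([switch]$Fix)   # move the group back if it has been relocated

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"

    # Domain SID + RID 516 = Domain Controllers, no matter what the group has been renamed to
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$domain.psbase.Properties['objectSid'].Value, 0)
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountControllersSid, $domainSid)
    $group   = [ADSI]"LDAP://<SID=$($groupSid.Value)>"
    $groupDn = [string]$group.distinguishedName

    # The Users container is registered on the domain head under this well-known GUID
    $users   = [ADSI]"LDAP://<WKGUID=A9D1CA15768811D1ADED00C04FD8D5CD,$domainDn>"
    $usersDn = [string]$users.distinguishedName

    # Parent DN = everything after the first RDN (the group's CN contains no escaped commas)
    $parentDn = $groupDn.Substring($groupDn.IndexOf(',') + 1)
    $inPlace  = ($parentDn -ieq $usersDn)

    if (-not $inPlace -and $Fix) {
        $group.psbase.MoveTo($users)        # same as right-click > Move in AD Users and Computers
        $group.psbase.RefreshCache()
        $groupDn = [string]$group.distinguishedName
        $inPlace = $true
    }
    New-Object PSObject -Property @{ Group = $groupDn; Expected = $usersDn; InUsersContainer = $inPlace }
}

Test-DomainControllersGroupLocation | Format-List
# If InUsersContainer is False, rerun with -Fix to move the group back:
#   Test-DomainControllersGroupLocation -Fix
```

Resolving the group by SID is what makes the check trustworthy: Setup's block is about the well-known group itself, and a renamed copy placed in CN=Users by name alone would not satisfy it.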

Identify Active Directory communication problems

  1. Run the SupTools.msi program to install Windows Server 2003 Support Tools on a Windows Small Business Server that is a domain controller. The support tools are in the Support\Tools folder on your Windows Small Business Server 2003 CD.
  2. Log on to the computer that is running Windows Small Business Server.
  3. Click Start, click Run, type cmd, and then press ENTER.
  4. Type dcdiag /v /a /f:dcdiag1.txt. This command analyzes the state of the domain controllers and reports this information. This command also tests the communication among the servers in the domain and sends the test results to a text file.
  5. Type notepad dcdiag1.txt. This command opens the file that contains the results of the dcdiag command tests.
  6. If you see any output that indicates a test failure, verify and correct problems with the relevant servers.
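The following PowerShell script is an added example and is not part of KB 842694. It turns step 6 into something repeatable: it reads a dcdiag /v log, picks out every "failed test" verdict line, and attaches the lines dcdiag printed between "Starting test:" and that verdict, so the reason sits next to each failure. The log embedded below is constructed for demonstration in the shape dcdiag /v produces and is not output from any real server; in practice point it at dcdiag1.txt as shown in the last line.

```powershell
# Added example, not part of KB 842694. Summarises dcdiag /v output by server
# and test, keeping the detail lines that precede each "failed test" verdict.
function Get-DcdiagFailures {
    param([string[]]$Lines)

    # dcdiag verdict lines look like: "......................... SBS01 failed test Replications"
    $verdict  = '^\s*\.+\s+(?<server>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    $failures = @()
    $detail   = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:') { $detail = @(); continue }
        if ($line -match $verdict) {
            if ($matches['result'] -eq 'failed') {
                $failures += New-Object PSObject -Property @{
                    Server = $matches['server']
                    Test   = $matches['test']
                    Detail = (($detail | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ' | ')
                }
            }
            $detail = @()
            continue
        }
        $detail += $line
    }
    return $failures
}

# Constructed sample log in the shape of dcdiag /v output (not from a real server)
$sample = @'
Testing server: Default-First-Site-Name\SBS01
   Starting test: Connectivity
      ......................... SBS01 passed test Connectivity
   Starting test: Replications
      [Replications Check,SBS01] A recent replication attempt failed:
         From OLDDC to SBS01
         Naming Context: DC=contoso,DC=local
         The replication generated an error (1722): The RPC server is unavailable.
      ......................... SBS01 failed test Replications
   Starting test: KnowsOfRoleHolders
      Role Schema Owner = CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local
      Warning: CN=NTDS Settings,CN=OLDDC,... is the Schema Owner, but is not responding to DS RPC Bind.
      ......................... SBS01 failed test KnowsOfRoleHolders
   Starting test: Advertising
      ......................... SBS01 passed test Advertising
'@ -split "`r?`n"

$failed = @(Get-DcdiagFailures -Lines $sample)
$failed | Format-Table Server, Test -AutoSize
$failed | ForEach-Object { "$($_.Server)/$($_.Test): $($_.Detail)" }
# Against a real log: Get-DcdiagFailures -Lines (Get-Content .\dcdiag1.txt)
```

In the constructed sample both failures point at the same cause, a role holder that no longer answers RPC, which is exactly the combination of symptoms (unreachable replica plus roles held elsewhere) that produces the Setup blocks described in this article.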

Modification Type: Minor
Last Reviewed: 11/10/2005
Keywords:kbFSMO kbdomain kbtshoot kbprb KB842694 kbAudITPRO