The procedure below was tested using Windows Server 2012 R2 Datacenter and SSO 8.4.0.

When upgrading SSO, you must run the adaminstall.cmd script as the same user that originally installed the database. The users that have sufficient access rights to run adaminstall.cmd are listed in LDAP at CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241},CN=Roles,CN=Administrators.

If those usernames are not known or not accessible, you need to change the ownership to a new user. Running adaminstall.cmd as a user that is not an ADLDS administrator results in errors like:

...

3. Take ownership of the partition and its subtree and grant yourself full access, so that you can read and edit the ADLDS Administrators group. Once you have read/edit rights to the configuration partition, you can view the current ADLDS administrator accounts and add new Windows accounts as ADLDS administrators. Fill in <Domain>\<User> below as per your environment.


dsacls \\localhost:389\CN=Administrators,CN=Roles,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241} /takeownership
dsacls \\localhost:389\CN=Administrators,CN=Roles,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241} /I:T /G <Domain>\<User>:GA


4. Use ADSI Edit to view the usernames present in the ADLDS Administrators group. You can use one of these users to run adaminstall.cmd. If using a current administrator is not possible, or you want to start using a different administrator account, add your Windows username at CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241},CN=Roles,CN=Administrators → Member → Add Windows Account...
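The membership check from step 4 can also be scripted, which gives a record of who holds ADLDS administrator rights before and after the change. This is an added example, not part of the original procedure; it assumes the instance listens on localhost:389 as in the dsacls commands above and that Windows accounts appear in the member attribute as foreign security principals whose first RDN is the SID. The function name Resolve-AdLdsMember is hypothetical.

```powershell
# Added example: list the current AD LDS administrators and resolve their SIDs.
# Assumption: instance on localhost:389, group DN as used in the dsacls commands.
$groupDn = 'CN=Administrators,CN=Roles,CN=Configuration,CN={993612A3-D948-4D4A-8690-125E5AFF0241}'
$group   = [ADSI]"LDAP://localhost:389/$groupDn"

# Hypothetical helper: turn one member DN into a readable record.
function Resolve-AdLdsMember {
    param([string]$MemberDn)

    # Assumption: a Windows account is stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
    if ($MemberDn -match '^CN=(S-1-[0-9-]+),') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        try {
            # Translate the SID to DOMAIN\user; fails for deleted or unreachable accounts.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved: account deleted or domain unreachable)'
        }
        [pscustomobject]@{ Account = $name; Sid = $sid.Value; Member = $MemberDn }
    } else {
        # Anything else is an AD LDS-native user or group, not a Windows account.
        [pscustomobject]@{ Account = '(AD LDS principal)'; Sid = $null; Member = $MemberDn }
    }
}

$group.Properties['member'] |
    ForEach-Object { Resolve-AdLdsMember -MemberDn $_ } |
    Format-List
```

Run it in a session under the account that was granted GA in step 3; an unresolved SID in the output usually indicates the original installing account no longer exists.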

...