1st Win 2003 DC in a W2K AD network

  • 1st Win 2003 DC in a W2K AD network

    Hi

    I have a W2K (SP4, all updates) AD network. Also Exchange 2003. I am trying to set up a Windows 2003 DC. I tried to run adprep /forestprep and received the following message - Forest-wide information has already been updated, also the same message when I try and run adprep /domainprep.

    On the new Windows 2003 machine I have tried to run DCPROMO and receive the following error message - The operation failed because: The Active Directory Installation Wizard was unable to convert the computer account MACHINE$ to a domain controller account. "Access is denied." It keeps prompting me for a username and password.

    I am logged in as domain admin with all the correct permissions.

    Any help would be great

  • #2
    Fixed

    Problem fixed



    • #3
      And what have you done to fix it?
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        I edited the Default domain group policy -
        Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation

        I had this policy defined with the admin account I was using to run DCPROMO and it didn't work, so I added the Domain Admins group and from a cmd prompt ran - secedit /refreshpolicy machine_policy /enforce. Re-ran DCPROMO and it worked no problem.



        • #5
          Thank you for sharing this information.
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT



          • #6
            thnx
            Marcel


            • #7
              This is a known issue and it's recommended to perform the mentioned change to the Default Domain Controllers Policy and not Default Domain Policy.

              Trusting all computer accounts in the AD for delegation opens up a security hole.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"
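
Post #7's advice comes down to which GPO defines the "Enable computer and user accounts to be trusted for delegation" right (`SeEnableDelegationPrivilege`). As an added example, not code from any poster: a Python check over GptTmpl.inf security templates copied from SYSVOL that lists who holds the right and marks any grant outside the Default Domain Controllers Policy for review. The sample templates, the domain SID and the function names are constructed for illustration.

```python
# Added example: constructed data; helper names are illustrative, not from the thread.
DDCP = "{6AC1786C-016D-11D2-945F-00C04FB984F9}"  # Default Domain Controllers Policy
RIGHT = "SeEnableDelegationPrivilege"  # the user right named in post #4

def delegation_grants(inf_text):
    """Principals granted RIGHT in one GptTmpl.inf; None if the right is not defined."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if section == "privilege rights" and sep and name.strip().lower() == RIGHT.lower():
            # SIDs carry a leading '*'; an empty value means "defined, granted to nobody"
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return None

def audit(policies):
    """policies: {GPO GUID: GptTmpl.inf text}. Returns (guid, principal, verdict) tuples."""
    findings = []
    for guid, inf_text in policies.items():
        for principal in delegation_grants(inf_text) or []:
            verdict = "dc-policy" if guid.upper() == DDCP else "review"
            findings.append((guid.upper(), principal, verdict))
    return findings

# Constructed sample: templates keyed by GPO GUID (the domain SID is made up).
SAMPLE = {
    # Default Domain Policy, granting the right to Domain Admins (RID 512)
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": """[Version]
signature="$CHICAGO$"
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512
""",
    # Default Domain Controllers Policy, granting it to BUILTIN\\Administrators
    DDCP: """[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544
""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Real GptTmpl.inf files are normally UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.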



              • #8
                Re: 1st Win 2003 DC in a W2K AD network

                I have exactly the same situation.
                First 2k3 server in a Win2k domain, after ADPREP /FORESTPREP
                and ADPREP /DOMAINPREP.
                I get the same error message, but the GPO editing and reactivation of the DCPROMO still gives me the error, and I can't continue.

                Does anyone have an idea?



                • #9
                  Re: 1st Win 2003 DC in a W2K AD network

                  I am having this issue as well and have tried all the steps recommended in this thread. If anybody has any suggestions short of calling Microsoft, I am very open to them.

                  Picture of the network:

                  1 DC in California, first DC in domain. (2k)
                  2nd DC in Nevada, second DC in domain. (2k)
                  New 2k3 server, cannot promote to DC. DCPROMO log shows it is trying to authenticate to the Nevada server.

                  Thanks in advance.



                  • #10
                    Re: 1st Win 2003 DC in a W2K AD network

                    Question to all of you. Is this Win2003 R2?
                    If so, are you using ADPREP of the 2nd CD?
                    This is a requirement for R2!
                    TIA

                    Steven Teiger [SBS-MVP(2003-2009)]
                    http://www.wintra.co.il/
                    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                    We don't stop playing because we grow old, we grow old because we stop playing.



                    • #11
                      Re: 1st Win 2003 DC in a W2K AD network

                      Steven, instead of starting his own thread, JWMorgan77 has hijacked one that started back in Dec 2004. If he posts back with an appropriate reason for doing this then I can try and split it off to its own topic. (You know what happened last time I tried that)
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2



                      • #12
                        Re: 1st Win 2003 DC in a W2K AD network

                        Mea Culpa
                        Didn't check the dates!
                        Still, the question stands!
                        TIA

                        Steven Teiger [SBS-MVP(2003-2009)]


                        • #13
                          Re: 1st Win 2003 DC in a W2K AD network

                          Hi,
                          I have a similar problem: while trying to do adprep /forestprep I encounter some error and it fails. I have 3 Win2K servers, one PDC and the SDC; the other Win2K server is an SDC as it has Exchange 5.5 in it.

                          I have attached the adprep log and hope someone can advise how I can resolve this error. Thanks,


                          Adprep modified the default security descriptor on object CN=organizational-Unit,CN=Schema,CN=Configuration,DC=portrust,DC=com .

                          [Status/Consequence]

                          Adprep merged the existing default security descriptor with the new access control entry (ACE).

                          Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=ccfae63a-7fb5-454c-83ab-0e8e1214974e,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.

                          LDAP API ldap_add_s() finished, return code is 0x0

                          Adprep successfully created the directory service object cn=ccfae63a-7fb5-454c-83ab-0e8e1214974e,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.

                          Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.

                          LDAP API ldap_search_s() finished, return code is 0x20

                          Adprep verified the state of operation cn=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.

                          [Status/Consequence]

                          The operation has not run or is not currently running. It will be run next.

                          Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=portrust,DC=com.

                          LDAP API ldap_modify_s() finished, return code is 0x33

                          ADPREP was unable to modify the default security descriptor on object CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=portrust,DC=com.

                          [Status/Consequence]

                          Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE).

                          [User Action]

                          Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

                          Adprep encountered an LDAP error.

                          Error code: 0x33. Server extended error code: 0x20d9, Server error message: 000020D9: SvcErr: DSID-030A05F8, problem 5001 (BUSY), data 33

                          Adprep set the value of registry key System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1

                          Adprep was unable to update forest-wide information.

                          [Status/Consequence]

                          Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

                          [User Action]

                          Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20070718141932 directory for more information.
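
The log in post #13 pairs each "about to call" line with a "finished, return code" line. As an added example that is not part of the original post: a Python parser that pairs them, names the standard LDAP result codes, and separates the `ldap_search_s` probe returning 0x20 (which the log itself reports as "operation has not run") from the `ldap_modify_s` call that returned 0x33. The sample lines are taken from the log above with the forum's stray spaces removed; the function names are illustrative.

```python
import re

# Standard LDAP result codes, using the Windows LDAP API constant names.
LDAP_CODES = {0x00: "LDAP_SUCCESS", 0x20: "LDAP_NO_SUCH_OBJECT",
              0x32: "LDAP_INSUFFICIENT_RIGHTS", 0x33: "LDAP_BUSY",
              0x44: "LDAP_ALREADY_EXISTS"}

CALL = re.compile(r"about to call the following LDAP API\. (ldap_\w+)\(\)\. "
                  r"The (?:entry to \w+|base entry to start the search) is (.+?)\.?\s*$")
DONE = re.compile(r"LDAP API (ldap_\w+)\(\) finished, return code is (0x[0-9a-fA-F]+)")

def ldap_calls(log_text):
    """Pair each announced LDAP call (API name, target DN) with its return code."""
    calls, pending = [], None
    for line in log_text.splitlines():
        m = CALL.search(line)
        if m:
            pending = m.groups()
            continue
        m = DONE.search(line)
        if m and pending and pending[0] == m.group(1):
            code = int(m.group(2), 16)
            calls.append({"api": pending[0], "dn": pending[1], "code": code,
                          "name": LDAP_CODES.get(code, "UNKNOWN")})
            pending = None
    return calls

def failures(calls):
    """Non-zero results, minus the search probe adprep uses to see if a step already ran."""
    return [c for c in calls if c["code"] != 0
            and not (c["api"] == "ldap_search_s" and c["code"] == 0x20)]

# Lines from the log in post #13 (stray spaces inside the DNs removed).
SAMPLE = """\
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=ccfae63a-7fb5-454c-83ab-0e8e1214974e,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.
LDAP API ldap_add_s() finished, return code is 0x0
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=portrust,DC=com.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=portrust,DC=com.
LDAP API ldap_modify_s() finished, return code is 0x33
"""

if __name__ == "__main__":
    for c in failures(ldap_calls(SAMPLE)):
        print(c["api"], hex(c["code"]), c["name"], c["dn"])
```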
