Urgent Help Needed with DCPROMO


This topic contains 4 replies, has 3 voices, and was last updated by Si_Pe 13 years, 5 months ago.

    Si_Pe
    Member
    #112850

    Hello all,

    I have a problem promoting a new server to become a DC. I only have one DC and it is slowly dying, and I want to get AD off it and put it on another server.

    The new server is on the domain and is looking at the correct DNS server.

    I am getting the following error during the Dcpromo setup.
    The operation failed because: Failed to modify the necessary properties for the machine account Server$
    “Access is denied.”

    I have also tried to delegate trust in AD but get the following error.

    “Your security settings do not allow you to specify whether or not this computer can be trusted for delegation”

    I have tried to check the DC security policy and get an error about the path not being found for group policy. Access may be denied?

    Sorry about my first post being so long but I really need some help with this one.

    Thanks very much!

    Simon

    rodhajj
    Member
    #278058

    Re: Urgent Help Needed with DCPROMO

    Si_Pe,

    Assuming you have administrative privilege on the domain, try to check the time between the two servers.

    I prefer to disjoin the new server from the domain, in the preferred DNS put the IP of the existing DC and try to promote again.

    BR,

    Si_Pe
    Member
    #278059

    Re: Urgent Help Needed with DCPROMO

    Thanks for your very quick response.

    On the DC that is slowly failing I have tried to go in to local domain security policy and it has come up with a permissions error.

    It seems that the administrator has no access? But everything else is running OK?

    DCdiag comes back with the following:

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine gardserv01, is a DC.
    * Connecting to directory service on server gardserv01.
    * Collecting site info.
    * Identifying all servers.
    * Found 1 DC(s). Testing 1 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-SiteGARDSERV01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ……………………. GARDSERV01 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-SiteGARDSERV01
    Starting test: Replications
    * Replications Check
    ……………………. GARDSERV01 passed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ……………………. GARDSERV01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ……………………. GARDSERV01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=GARDNET,DC=local
    * Security Permissions Check for
    CN=Configuration,DC=GARDNET,DC=local
    * Security Permissions Check for
    DC=GARDNET,DC=local
    ……………………. GARDSERV01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    ……………………. GARDSERV01 passed test NetLogons
    Starting test: Advertising
    The DC GARDSERV01 is advertising itself as a DC and having a DS.
    The DC GARDSERV01 is advertising as an LDAP server
    The DC GARDSERV01 is advertising as having a writeable directory
    The DC GARDSERV01 is advertising as a Key Distribution Center
    The DC GARDSERV01 is advertising as a time server
    The DS GARDSERV01 is advertising as a GC.
    ……………………. GARDSERV01 passed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Domain Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role PDC Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Rid Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Infrastructure Update Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    ……………………. GARDSERV01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 1605 to 1073741823
    * gardserv01.GARDNET.local is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 1105 to 1604
    * rIDNextRID: 1158
    * rIDPreviousAllocationPool is 1105 to 1604
    ……………………. GARDSERV01 passed test RidManager
    Starting test: MachineAccount
    * SPN found :LDAP/gardserv01.GARDNET.local/GARDNET.local
    * SPN found :LDAP/gardserv01.GARDNET.local
    * SPN found :LDAP/GARDSERV01
    * SPN found :LDAP/gardserv01.GARDNET.local/GARDNET
    * SPN found :LDAP/2b38c396-dd29-4336-8689-8caf719bb41e._msdcs.GARDNET.local
    * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2b38c396-dd29-4336-8689-8caf719bb41e/GARDNET.local
    * SPN found :HOST/gardserv01.GARDNET.local/GARDNET.local
    * SPN found :HOST/gardserv01.GARDNET.local
    * SPN found :HOST/GARDSERV01
    * SPN found :HOST/gardserv01.GARDNET.local/GARDNET
    * SPN found :GC/gardserv01.GARDNET.local/GARDNET.local
    ……………………. GARDSERV01 passed test MachineAccount
    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    * Checking Service: w32time
    * Checking Service: TrkWks
    * Checking Service: TrkSvr
    * Checking Service: NETLOGON
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    ……………………. GARDSERV01 passed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ……………………. GARDSERV01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    GARDSERV01 is in domain DC=GARDNET,DC=local
    Checking for CN=GARDSERV01,OU=Domain Controllers,DC=GARDNET,DC=local in domain DC=GARDNET,DC=local on 1 servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local in domain CN=Configuration,DC=GARDNET,DC=local on 1 servers
    Object is up-to-date on all servers.
    ……………………. GARDSERV01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service Event log test
    The SYSVOL has been shared, and the AD is no longer
    prevented from starting by the File Replication Service.
    ……………………. GARDSERV01 passed test frssysvol
    Starting test: kccevent
    * The KCC Event log test
    Found no KCC errors in Directory Service Event log in the last 15 minutes.
    ……………………. GARDSERV01 passed test kccevent
    Starting test: systemlog
    * The System Event log test
    An Error Event occured. EventID: 0xC0040009
    Time Generated: 06/12/2006 16:40:13
    Event String: The device, DeviceIdeIdePort0, did not respond
    within the timeout period.
    ……………………. GARDSERV01 failed test systemlog

    Running enterprise tests on : GARDNET.local
    Starting test: Intersite
    Skipping site Default-First-Site, this site is outside the scope
    provided by the command line arguments provided.
    ……………………. GARDNET.local passed test Intersite
    Starting test: FsmoCheck
    GC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    PDC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    Time Server Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    Preferred Time Server Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    KDC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    ……………………. GARDNET.local passed test FsmoCheck

    Thanks for your help!

    Si_Pe
    Member
    #278060

    Re: Urgent Help Needed with DCPROMO

    Sorry I noticed I haven’t followed the posting rules correctly.

    I am running one domain controller using 2000 Advanced Server.

    DCdiag has come back OK. I seem to be having problems when running a few snap-ins on the current DC with permission denied errors. I guess this is why I can’t promote the new server as the administrator account is happy. I have tried to create a new account and give them the same permissions but that hasn’t worked either.

    All help would be greatly appreciated!

    Thanks

    guyt
    Member
    #193221

    Re: Urgent Help Needed with DCPROMO

    Remove the new server from the domain (move to workgroup), delete its computer account from the AD and run dcpromo again.

    The error you are getting is usually related to setting the userAccountControl attribute value of the new DC’s computer account. Could be a result of GPOs applied to the OU the computer account of the server was in before running dcpromo.
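
Added example (not part of the thread, and not any poster's code): the attribute named in the last reply is a bit field, and the code below decodes it and lists which bits have to change when a member server's computer account becomes a domain controller account. The flag values and the typical values 0x1000 (member) and 0x82000 (DC) are taken from Microsoft's userAccountControl documentation rather than from this thread; `decode` and `promotion_delta` are hypothetical helper names.

```python
"""Decode userAccountControl and show what a DC promotion must change."""

# Bit values from Microsoft's documented userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

MEMBER_TYPICAL = 0x1000   # 4096: workstation or member server account
DC_TYPICAL = 0x82000      # 532480: domain controller account
DELEGATION_BITS = 0x80000 | 0x1000000


def decode(uac):
    """Return flag names for every set bit, lowest bit first."""
    names = []
    bit = 1
    while bit <= uac:
        if uac & bit:
            # Bits missing from the table are reported as hex, not dropped.
            names.append(UAC_FLAGS.get(bit, f"0x{bit:X}"))
        bit <<= 1
    return names


def promotion_delta(current, target=DC_TYPICAL):
    """List the bits that must be set and cleared to reach the target value."""
    to_set = target & ~current
    to_clear = current & ~target
    return {
        "set": decode(to_set),
        "clear": decode(to_clear),
        # True when the write touches a delegation bit.
        "needs_delegation_privilege": bool((to_set | to_clear) & DELEGATION_BITS),
    }


if __name__ == "__main__":
    # Constructed sample values, not read from any directory.
    for label, value in [("member server", MEMBER_TYPICAL), ("disabled member", 0x1002)]:
        print(label, hex(value), decode(value), promotion_delta(value))
```

Per Microsoft's documentation, a write that changes a delegation bit requires the "Enable computer and user accounts to be trusted for delegation" user right (SeEnableDelegationPrivilege) on the domain controller that processes it.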
