Adding a DC to existing Windows 2000 domain generates The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$.  "Access is denied".

Posted on 2005-04-07
Last Modified: 2010-04-13
Network with 3 Windows 2000 DCs.
55 PCs at 4 different offices.
T1s in place, all routing is functioning.  Bandwidth is not a problem.
First 3 DCs went in without incident.
Last DC to be installed was in February.
Problem began 2 days ago when an additional DC was being added at a new office.

DNS is installed and functioning network wide; reverse zones are correct on all servers.  All servers can resolve other servers (including new one).
nslookup is able to resolve all servers (forward and reverse)
SRV records are present and correct.
PCs are able to be joined to the domain.

Running DCPROMO on new server:
DCPROMO executes, accepts Administrator user name and password.
Specify directory locations for AD.
When the machine account change begins, DCPROMO errors out and the following message is generated:
The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$.  "Access is denied".

Group policy has been verified for the "Enable Computer and User Accounts to be trusted for Delegation" setting.
File permissions have been verified for the ntds.dit file.
An attempt at DCPROMO was run on the same LAN as the GC server to verify the problem.
We were able to duplicate the problem with a test server.
Forward and reverse DNS zones are standard DNS zones, not AD integrated.

Any technical documentation, notes, suggestions, or shots in the dark are welcome...  
Question by:tsystems-tx
18 Comments
 
LVL 35

Accepted Solution

by:
Nirmal Sharma earned 1500 total points
ID: 13733443
Delete the Domain Controller computer account from the Domain Controllers OU if it already exists, then make this PC member of domain controller, and then run Dcpromo.exe. Also change the Administrator password on the primary domain controller (Root Domain).

Let me know.
0
 

Author Comment

by:tsystems-tx
ID: 13733467
The server will appear in the Computers OU when DCPROMO bottoms out.  It shows the server to be a member of the Domain Computers Group, which can be changed and the Computer account for the server deleted.  DCPROMO still fails after this process.

The server will not join the domain as a member server; the 5789 error is still received in Event Viewer.

I will try modifying the Administrator accounts password.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13733647
>>>The server will not join the domain as a member server.

That means you are promoting this PC as a domain controller without making it a member of the domain.
0

 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13733653
What error message do you get when you make the server a member of the domain? Do you get something related to SRVs?

Check this also:
http://support.microsoft.com/kb/257623/EN-US/

Let me know.
0
 

Author Comment

by:tsystems-tx
ID: 13735557
Yes, I do; however, the DNS suffix (membership change box is already checked) and the same domain name as the Windows 2000 domain is in the DNS suffix box.

The server is a member of a workgroup, and I ran DCPROMO to install AD and set the server up as a DC.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13735719
>>>The server is a member of a workgroup, and I ran DCPROMO to install AD and set the server up as a DC.

What error message do you get when you join server to domain?
0
 

Author Comment

by:tsystems-tx
ID: 13736949
After joining the server as a member server to the domain, the following event is generated in the system log:

Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were '<UNAVAILABLE>' and '<UNAVAILABLE>'. The following error occurred:
Logon failure: unknown user name or bad password.

The username and password are good.
0
 

Author Comment

by:tsystems-tx
ID: 13736965
This is the 5789 error that follows the other Netlogon error:

Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'SERVERNAME.DOMAIN.LOCAL'. The following error occurred:
Logon failure: unknown user name or bad password.  
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13737024
Check the Security Tab on DNS Zone.

Check this too:
http://support.microsoft.com/kb/258503/EN-US/
0
 

Author Comment

by:tsystems-tx
ID: 13737454
Security tab on DNS server showed all appropriate groups and Administrator user.  Rights assignments appear to be correct.

The name space is not disjointed and the checkbox was already set on the server, the DNS suffix was already set for the domain.

I am going to reset the password for the administrator account and try again.
0
 

Author Comment

by:tsystems-tx
ID: 13737488
Same results with new password.
0
 

Author Comment

by:tsystems-tx
ID: 13737691
I now have a new error in the event log:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1000
Date:            4/8/2005
Time:            10:57:33 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVERNAME
Description:
Windows cannot unload your registry file.  If you have a roaming profile, your settings are not replicated. Contact your administrator.  

DETAIL - Access is denied. , Build number ((2195)).

******
I followed the instructions in 258503 and the results are the same.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13737842
It's late night. I will post tomorrow.

Thanks
0
 

Author Comment

by:tsystems-tx
ID: 13738146
Thank you for all your help; I am going to bounce all 3 servers tonight and try again tomorrow.

0
 

Author Comment

by:tsystems-tx
ID: 13744838
I restarted the DCs; still cannot add a DC with DCPROMO.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 14681525
Hello there?
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 15681198
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
[Delete - No Refund]

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Carrzkiss
EE Cleanup Volunteer
0
 

Author Comment

by:tsystems-tx
ID: 15682371
Domain Controllers were not in the Domain Controllers OU; I moved the DCs back into the Domain Controllers OU and I was able to install more domain controllers.
0
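
A read-only check for the condition that turned out to be the cause in this thread, as an added example that is not part of any post above: it lists domain controller computer accounts whose distinguished name is not under the Domain Controllers OU. It assumes a domain-joined management host with PowerShell, LDAP access to a DC, and the default OU name `OU=Domain Controllers`.

```powershell
# Added example: find DC computer accounts located outside the Domain Controllers OU.
# Uses ADSI/LDAP only, so it makes no changes to the directory.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
$dcOu     = "OU=Domain Controllers,$domainDn"   # assumption: default OU name

# userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks domain controller accounts.
$filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher = [adsisearcher]$filter
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName'))

$report = foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    [pscustomobject]@{
        DnsHostName       = ($result.Properties['dnshostname'] -join '')
        DistinguishedName = $dn
        # True when the account is in the OU or in a child OU beneath it.
        UnderDcOu         = $dn.EndsWith(",$dcOu", [StringComparison]::OrdinalIgnoreCase)
    }
}

$misplaced = @($report | Where-Object { -not $_.UnderDcOu })
if ($misplaced.Count -eq 0) {
    Write-Output "All $(@($report).Count) DC accounts are under $dcOu"
} else {
    Write-Output "DC accounts outside ${dcOu}:"
    $misplaced | Format-Table DnsHostName, DistinguishedName -AutoSize
}
```

The Default Domain Controllers Policy is linked to that OU by default, so any account listed here is not receiving its settings unless the policy has been linked elsewhere.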
