Adding a DC to existing Windows 2000 domain generates The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$. "Access is denied".

Network with 3 Windows 2000 DCs.
55 PCs at 4 different offices.
T1's in place, all routing is functioning.  Bandwidth is not a problem.
First 3 DCs went in without incident.
Last DC to be installed was in February.
Problem began 2 days ago when an additional DC was being added at a new office.

DNS is installed and functioning network wide; reverse zones are correct on all servers.  All servers can resolve other servers (including new one).
nslookup is able to resolve all servers (forward and reverse)
SRV records are present and correct.
PCs are able to be joined to the domain.

Running DCPROMO on new server:
DCPROMO executes, accepts Administrator user name and password.
Specify directory locations for AD.
When the machine account change begins, DCPROMO errors out and the following message is generated:
The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$.  "Access is denied".

Group policy has been verified for the "Enable Computer and User Accounts to be trusted for Delegation" setting.
File permissions have been verified for the ntds.dit file.
An attempt at DCPROMO was run on the same LAN as the GC server to verify the problem.
We were able to duplicate the problem with a test server.
Forward and reverse DNS zones are standard DNS zones, not AD integrated.

Any technical documentation, notes, suggestions, or shots in the dark are welcome...  
Asked: tsystems-tx

1 Solution

Nirmal Sharma (Solution Architect) commented:
Delete the Domain Controller computer account from the Domain Controllers OU if it already exists, then make this PC a member of the domain, and then run Dcpromo.exe. Also change the Administrator password on the primary domain controller (Root Domain).

Let me know.

tsystems-tx, president (Author) commented:
The server will appear in the Computers OU when DCPROMO bottoms out.  It shows the server to be a member of the Domain Computers group, which can be changed and the computer account for the server deleted.  DCPROMO still fails after this process.

The server will not join the domain as a member server; the 5789 error is still received in Event Viewer.

I will try modifying the Administrator accounts password.

Nirmal Sharma (Solution Architect) commented:
>>>The server will not join the domain as a member server.

That means you are promoting this PC as a domain controller without making it a member of the domain.

Nirmal Sharma (Solution Architect) commented:
What error message do you get when you make the server a member of the domain? Do you get something related to SRVs?

Check this also:
http://support.microsoft.com/kb/257623/EN-US/

Let me know.

tsystems-tx, president (Author) commented:
Yes, I do. However, the DNS suffix membership-change box is already checked, and the same domain name as the Windows 2000 domain is in the DNS suffix box.

The server is a member of a workgroup, and I ran DCPROMO to install AD and set the server up as a DC.

Nirmal Sharma (Solution Architect) commented:
>>>The server is a member of a workgroup, and I ran DCPROMO to install AD and set the server up as a DC.

What error message do you get when you join server to domain?

tsystems-tx, president (Author) commented:
After joining the server as a member server to the domain, the following event is generated in the system log:

Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were '<UNAVAILABLE>' and '<UNAVAILABLE>'. The following error occurred:
Logon failure: unknown user name or bad password.

The username and password are good.

tsystems-tx, president (Author) commented:
This is the 5789 error that follows the other Netlogon error:

Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'SERVERNAME.DOMAIN.LOCAL'. The following error occurred:
Logon failure: unknown user name or bad password.  

Nirmal Sharma (Solution Architect) commented:
Check the Security Tab on DNS Zone.

Check this too:
http://support.microsoft.com/kb/258503/EN-US/

tsystems-tx, president (Author) commented:
Security tab on DNS server showed all appropriate groups and Administrator user.  Rights assignments appear to be correct.

The namespace is not disjoint, the checkbox was already set on the server, and the DNS suffix was already set for the domain.

I am going to reset the password for the administrator account and try again.

tsystems-tx, president (Author) commented:
Same results with the new password.

tsystems-tx, president (Author) commented:
I now have a new error in the event log:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1000
Date:            4/8/2005
Time:            10:57:33 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVERNAME
Description:
Windows cannot unload your registry file.  If you have a roaming profile, your settings are not replicated. Contact your administrator.  

DETAIL - Access is denied. , Build number ((2195)).

******
I followed the instructions in 258503 and the results are the same.

Nirmal Sharma (Solution Architect) commented:
It's late night. I will post tomorrow.

Thanks

tsystems-tx, president (Author) commented:
Thank you for all your help; I am going to bounce all 3 servers tonight and try again tomorrow.


tsystems-tx, president (Author) commented:
I restarted the DCs; still cannot add a DC with DCPROMO.

Nirmal Sharma (Solution Architect) commented:
Hello there?

Wayne Barron (Author, Web Developer) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
[Delete - No Refund]

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Carrzkiss
EE Cleanup Volunteer

tsystems-tx, president (Author) commented:
Domain Controllers were not in the Domain Controllers OU; I moved the DCs back into the Domain Controllers OU and I was able to install more domain controllers.
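The root cause the author finally found (DC computer objects moved out of the Domain Controllers OU, so the Default Domain Controllers Policy and its delegation and user-rights settings no longer applied to them) is easy to check before the next DCPROMO fails. The script below is an added example written for this thread, not code posted by any of its participants; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which did not exist on the Windows 2000 hosts above, and the function name Test-DomainControllerPlacement is an assumption. For each DC it reports whether the computer object's parent container is the domain's Domain Controllers OU, and it also reports the dNSHostName and HOST/ SPN values that the Netlogon 5789 events in this thread could not update.

```powershell
# Added example: audit domain controller computer-object placement and the
# attributes referenced by Netlogon event 5789 (dNSHostName, HOST/ SPNs).
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-DomainControllerPlacement {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $adDomain = Get-ADDomain -Identity $Domain
    # The OU the Default Domain Controllers Policy is linked to,
    # e.g. OU=Domain Controllers,DC=domain,DC=local
    $dcOu = $adDomain.DomainControllersContainer

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        # Fetch the computer object itself so SPNs and the DNS host name are available.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $Domain `
                        -Properties servicePrincipalName, dNSHostName

        # Parent container = the DN with its leading "CN=<name>," RDN removed.
        $parent = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

        # HOST/ SPNs are the values event 5789 reported as '<UNAVAILABLE>' in the thread.
        $hostSpns = @($computer.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })

        [pscustomobject]@{
            Name             = $dc.Name
            ComputerObjectDN = $computer.DistinguishedName
            InDcOu           = ($parent -eq $dcOu)      # -eq on strings is case-insensitive
            DnsHostName      = $computer.dNSHostName
            HostSpnCount     = $hostSpns.Count
        }
    }
}

# Usage: show only the DCs that are outside the Domain Controllers OU or are
# missing the attributes a healthy DC registers; an empty result means all is well.
Test-DomainControllerPlacement |
    Where-Object { -not $_.InDcOu -or $_.HostSpnCount -eq 0 -or -not $_.DnsHostName } |
    Format-Table -AutoSize
```

The script only reports; it deliberately does not move anything. If a DC shows up with InDcOu false, the remediation the author applied by hand corresponds to Move-ADObject with -Identity set to the reported ComputerObjectDN and -TargetPath set to the domain's DomainControllersContainer, after which Group Policy must refresh on that DC before DCPROMO against it will succeed.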