DCPROMO will not install DC; error during membership change "Access Denied"
Posted on 2005-04-16
Network with 3 Windows 2000 DCs.
55 PCs at 4 different offices.
T1s in place, all routing is functioning. Bandwidth is not a problem.
First 3 DCs went in without incident.
Last DC to be installed was in February.
Problem began 2 days ago when an additional DC was being added at a new office.
DNS is installed and functioning network wide; reverse zones are correct on all servers. All servers can resolve other servers (including new one).
nslookup is able to resolve all servers (forward and reverse).
SRV records are present and correct.
PCs are able to be joined to the domain.
Running DCPROMO on new server:
DCPROMO executes, accepts Administrator user name and password.
Specify directory locations for AD.
When the machine account change begins, DCPROMO errors out and the following message is generated:
The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$. "Access is denied".
Group policy has been verified for the "Enable Computer and User Accounts to be trusted for Delegation" setting.
File permissions have been verified for the ntds.dit file.
An attempt at DCPROMO was run on the same LAN as the GC server to verify the problem.
We were able to duplicate the problem with a test server.
Forward and reverse DNS zones are standard DNS zones, not AD integrated.
A member server can be added successfully and there are no problems joining PCs to the domain. DNS can be installed on a server and the zone transfers are working properly.