Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213
  • Last Modified:

DCPROMO will not install DC; error during membership change "Access Denied"

Network with 3 Windows 2000 DC's.
55 PCs at 4 different offices.
T1's in place, all routing is functioning.  Bandwidth is not a problem.
First 3 DC's went in without incident.
last DC to be installed was in February.
Problem began 2 days ago when an additional DC was being added at a new office.

DNS is installed and functioning network wide; reverse zones are correct on all servers.  All servers can resolve other servers (including new one).
nslookup is able to resolve all servers (forward and reverse)
SRV records are present and correct.
PCs are able to be joined to the domain.

Running DCPROMO on new server:
DCPROMO executes, accepts Administrator user name and password.
specify directory locations for AD.
When the machine account change begins, DCPROMO errors out and the following message is generated:
The operation failed because: Failed to modify the necessary properties for the machine account SERVERNAME$.  "Access is denied".

Group policy has been verified for the "Enable Computer and User Accounts to be trusted for Delegation" setting.
file permissions have been verified for the ntds.dit file
an attempt at DCPROMO was run on the same LAN as the GC server to verify the problem.
We were able to duplicate the problem with a test server.
Forward and reverse DNS zones are standard DNS zones, not AD integrated.

A member server can be added successfully and there are no problem joining PCs to the domain.  DNS can be installed on a server and the zone transfers are working properly.
0
tsystems-tx
Asked:
tsystems-tx
  • 2
  • 2
1 Solution
 
tsystems-txpresident Author Commented:
I have already checked this and the other KB articles that reference disjointed name space, and DNS permissions.

0
 
Leandro IaconoSenior Premier Field EngineerCommented:
I don thik this: "Group policy has been verified for the "Enable Computer and User Accounts to be trusted for Delegation" setting" will do the trick.

Are you sure you are using and Enterprise Admins user account to join the DC?
0
 
tsystems-txpresident Author Commented:
Stafi:

Thank you for your help; the second link you posted had the solution to the problem.  The Domain Controllers were not in the Domain Controllers OU; they had been inadvertently moved when other computer objects were being moved.  (DUH.)

You are awarded the points for the solution!


0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now