aproxity
asked on
Active Directory could not create the NTDS Settings object for this domain controller
Wish I could give out more points [500 max] for this one; perhaps I can give whoever works this one out an extra 175 points as an incentive/encouragement...
I have two servers running Windows 2003, latest service pack installed. The Primary Domain Controller is on a 10.0.0.0/24 network and is named 'Ernie'. The second server is on a 10.1.0.0/24 network [named 'Fozzie'] and is on the domain and I can log in using the domain's [GNE] Administrator credentials.
The Administrator is member of:
Account Operators
Administrators
Backup Operators
DHCP Administrators
Domain Admins
Domain Users
Enterprise Admins
Group Policy Creator Owners
Remote Desktop Users
Schema Admins
When using 'dcpromo' to change this server into a Secondary Domain Controller, by selecting 'Additional domain controller for an existing domain', the wizard stops the NetLogon and then tries to update the NTDS Settings. It then returns this error message:
The operation failed because:
Active Directory could not create the NTDS Settings object for this domain controller
CN=NTDS Settings,CN=FOZZIE,CN=Servers,CN=Brookmans-Park,CN=Sites,CN=Configuration,DC=globecastne,DC=com
on the remote domain controller ernie.globecastne.com.
Ensure the provided network credentials have sufficient permissions.
"An internal error occurred."
----------------------------------------------------------------
How can I give Administrator the rights to do this? I have policies in place, and I predicted that it has something to do with this, but even after removing these policies [and changing their settings] I'm still receiving these errors. Any ideas guys and gals...?
Things I have tried:
Correct timezone + time in each server.
The new server points to the current DC as DNS server + NSLOOKUP.
The new server is a member of the current domain.
FSMO on the first DC working.
No firewall between the existing DC and the new server (disabled Win 2003 ICF).
Remote registry service working on each server.
The new subnet (of the new DC) added to the current Active Directory site.
Played about with MTU settings.
Directory Cleanup
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498
Force kerberos to use TCP
http://www.adminlife.com/247reference/msgs/15/75851.aspx
http://support.microsoft.com/?kbid=244474
Followed this URL too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;837932
Some System Information:
[ernie]:\>NetDOM Query fsmo
Schema owner ernie.globecastne.com
Domain role owner ernie.globecastne.com
PDC role ernie.globecastne.com
RID pool manager ernie.globecastne.com
Infrastructure owner ernie.globecastne.com
[ernie]:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ernie
Primary Dns Suffix . . . . . . . : globecastne.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : globecastne.com
Ethernet adapter Globecastne:
Connection-specific DNS Suffix . : globecastne.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-11-43-E6-42-6F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.250
DNS Servers . . . . . . . . . . . : 10.0.0.7
Primary WINS Server . . . . . . . : 10.0.0.7
Secondary WINS Server . . . . . . : 10.1.0.3
[fozzie]:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : fozzie
Primary Dns Suffix . . . . . . . : globecastne.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : globecastne.com
Ethernet adapter Globecastne:
Connection-specific DNS Suffix . : globecastne.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-11-43-E6-43-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.0.250
DNS Servers . . . . . . . . . . . : 10.0.0.7
Primary WINS Server . . . . . . . : 10.1.0.3
Secondary WINS Server . . . . . . : 10.0.0.7
ASKER
Yes I can manually create the entry Fozzie.
Does your gateway do any filtering?
Is it the first dcpromo on that server?
ASKER
There is no filtering on the gateway, and no, it was a DC before and it was de-promoted [using dcpromo] and now I'm trying to promote it again. I have performed a cleanup using this guide: http://support.microsoft.com/default.aspx?scid=kb;en-us;216498
Also, try the previous operation from server FOZZIE:
Detach server FOZZIE from your domain.
Delete the account and recreate a new one, then join the domain again.
Then try dcpromo.
ASKER
I have done that too. Remember, because Fozzie is not a DC, you cannot connect to it using 'ntdsutil', but I can connect to Ernie from Fozzie using 'ntdsutil'. If you do try to connect from Ernie/Fozzie to Fozzie you receive this error message:
[ernie]:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server fozzie
Binding to fozzie ...
DsBindW error 0x6d9(There are no more endpoints available from the endpoint mapper.)
[fozzie]:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server fozzie
Binding to fozzie ...
DsBindW error 0x6d9(There are no more endpoints available from the endpoint mapper.)
The server has been removed now using that link and there is no trace of the old Fozzie DC. Unless there is another way to clean up the metadata to a higher degree, I'm certain that it has been removed from Ernie's DC metadata.
ASKER
I have also detached Fozzie from the GNE domain and made it part of a WorkGroup, rebooted the machine, then joined it back into the GNE domain, rebooted as requested and then ran 'dcpromo'. It returned exactly the same error.
In regards to the metadata cleanup, if you use ntdsutil to connect to ernie and continue to clean you get this:
P:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server ernie
Binding to ernie ...
Connected to ernie using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=globecastne,DC=com
select operation target: select domain 0
No current site
Domain - DC=globecastne,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Grays-Inn-Road,CN=Sites,CN=Configuration,DC=globecastne,DC=com
1 - CN=Brookmans-Park,CN=Sites,CN=Configuration,DC=globecastne,DC=com
select operation target: select site 0
Site - CN=Grays-Inn-Road,CN=Sites,CN=Configuration,DC=globecastne,DC=com
Domain - DC=globecastne,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - CN=ERNIE,CN=Servers,CN=Grays-Inn-Road,CN=Sites,CN=Configuration,DC=globecastne,DC=com
select operation target: select site 1
Site - CN=Brookmans-Park,CN=Sites,CN=Configuration,DC=globecastne,DC=com
Domain - DC=globecastne,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 0 server(s)
select operation target: q
metadata cleanup: q
ntdsutil: q
Disconnecting from ernie...
As you can see, my primary domain controller, which I want to keep, is listed.
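The checklist in the question (time, DNS, domain membership, firewall, subnet/site, metadata cleanup) and the ntdsutil walk above are all things a practitioner would rather verify in one pass than by hand. The script below is an added example, not from the original thread or from Microsoft; it runs on the server about to be promoted, uses the names from this thread (ernie, FOZZIE, Brookmans-Park, globecastne.com, all of which you should replace), and assumes PowerShell 2.0 or later with the .NET System.DirectoryServices assembly, which any domain member has. It looks for a leftover server or NTDS Settings object under the site's Servers container (where dcpromo creates CN=NTDS Settings), checks that the candidate's computer account is no longer flagged as a server trust account, measures clock skew against the existing DC from its RootDSE, and probes the fixed TCP ports dcpromo commonly needs.

```powershell
# Added example (not from the original thread): pre-promotion sanity checks run
# from the would-be DC. Names are taken from the thread; adjust for your domain.

$ExistingDc = 'ernie.globecastne.com'   # DC holding the FSMO roles
$Candidate  = 'FOZZIE'                  # server about to be promoted (assumed name)
$Site       = 'Brookmans-Park'          # site the candidate's subnet maps to
$ConfigNc   = 'CN=Configuration,DC=globecastne,DC=com'
$DomainNc   = 'DC=globecastne,DC=com'

$problems = @()

# 1. Leftover server / NTDS Settings object from the old DC. dcpromo creates
#    CN=NTDS Settings under CN=<server>, so a stale copy of either is fatal.
$serverDn = "CN=$Candidate,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"
if ([ADSI]::Exists("LDAP://$ExistingDc/$serverDn")) {
    $problems += "Stale server object still present: $serverDn"
    if ([ADSI]::Exists("LDAP://$ExistingDc/CN=NTDS Settings,$serverDn")) {
        $problems += "Stale NTDS Settings object still present under $serverDn"
    }
}

# 2. Computer account flags. A demoted DC should be an ordinary server account
#    (WORKSTATION_TRUST_ACCOUNT, 0x1000), not SERVER_TRUST_ACCOUNT (0x2000).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ExistingDc/$DomainNc"
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Candidate`$))"
$null = $searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'distinguishedName'))
$result = $searcher.FindOne()
if ($result -eq $null) {
    $problems += "No computer account found for $Candidate in $DomainNc"
} else {
    $dn  = [string]$result.Properties['distinguishedname'][0]
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if (($uac -band 0x2000) -ne 0) {
        $problems += ("Computer account {0} still has SERVER_TRUST_ACCOUNT set (userAccountControl=0x{1:X})" -f $dn, $uac)
    }
    if ($dn -like '*OU=Domain Controllers,*') {
        $problems += "Computer account $dn is still in the Domain Controllers OU"
    }
}

# 3. Clock skew against the existing DC. Kerberos tolerates 5 minutes by default;
#    RootDSE.currentTime is a generalized-time string such as 20050101120000.0Z.
$rootDse = [ADSI]"LDAP://$ExistingDc/RootDSE"
$dcTime  = [DateTime]::ParseExact([string]$rootDse.currentTime, "yyyyMMddHHmmss'.0Z'",
             [Globalization.CultureInfo]::InvariantCulture,
             [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
$skew = [Math]::Abs(((Get-Date).ToUniversalTime() - $dcTime).TotalSeconds)
if ($skew -gt 300) { $problems += "Clock skew to $ExistingDc is $([int]$skew) s (Kerberos limit 300 s)" }

# 4. Fixed TCP ports dcpromo talks to on the existing DC: Kerberos, RPC endpoint
#    mapper, LDAP, SMB, Global Catalog. A filtered port blocks for the OS timeout.
foreach ($port in 88, 135, 389, 445, 3268) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ExistingDc, $port) }
    catch { $problems += "TCP $port to $ExistingDc not reachable: $($_.Exception.Message)" }
    $client.Close()
}

if ($problems.Count -eq 0) { 'No leftover metadata or prerequisite problems found.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

The port probe only covers the well-known ports; the DsBindW/RPC traffic dcpromo uses after the endpoint mapper answers lands on dynamic high ports, which a router ACL between two subnets can silently drop, so a clean run of this script does not by itself prove the RPC path is open.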
ASKER CERTIFIED SOLUTION
ASKER
Also tried that: I created a user called 'Administrata', used that user to run 'dcpromo', and still got exactly the same error message...
ASKER
Ah, no, sorry, just tried it again and it's worked!! So 'scougourdan', you have won the 500 points for reminding me to try that option again.
ASKER
I hope that I can remove the user 'Administrata' without any side effects and get everything back to normal... Thanks for your help!! :D
In an MMC, run the ADSI Edit module and check your rights in CN=Servers,CN=Brookmans-Pa
Try to manually create CN Fozzie.
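The ADSI Edit suggestion above is the right place to look when dcpromo says "Ensure the provided network credentials have sufficient permissions": the account running dcpromo needs to create child objects in the site's Servers container and, once the server object exists, under the server object itself, which is where CN=NTDS Settings goes. The script below is an added example, not from the original thread, that does that check from the command line. Run it as the account you intend to use for dcpromo; it lists every ACE on both containers that grants or denies CreateChild (or full control), marks the ones that apply to the current token, and warns about Deny entries, because a Deny ACE overrides any Allow the same account gets through group membership. Names are taken from the thread and are assumptions to replace; the match between ACE trustees and the token's groups is by translated name, which is adequate for domain and built-in groups but will not resolve every well-known SID.

```powershell
# Added example (not from the original thread): show who may create child objects
# where dcpromo needs to, as seen by the account running this script.

$ExistingDc = 'ernie.globecastne.com'   # DC to read the ACLs from
$Site       = 'Brookmans-Park'          # site of the candidate DC (assumed)
$Candidate  = 'FOZZIE'                  # candidate DC name (assumed)
$ConfigNc   = 'CN=Configuration,DC=globecastne,DC=com'

$serversDn = "CN=Servers,CN=$Site,CN=Sites,$ConfigNc"
$serverDn  = "CN=$Candidate,$serversDn"

# The current user plus every group SID in its token, translated to DOMAIN\Name form
# so they can be compared with the ACE trustees.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Name) + @($me.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
})

$CreateChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$GenericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Show-CreateChildRights([string]$Dn) {
    if (-not [ADSI]::Exists("LDAP://$ExistingDc/$Dn")) {
        "== $Dn : does not exist yet (dcpromo will try to create it)"
        return
    }
    $entry = [ADSI]"LDAP://$ExistingDc/$Dn"
    # Explicit and inherited ACEs, trustees rendered as NTAccount names.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    "== $Dn"
    foreach ($rule in $rules) {
        $rights    = [int]$rule.ActiveDirectoryRights
        $hasCreate = ($rights -band $CreateChild) -ne 0
        $hasAll    = ($rights -band $GenericAll) -eq $GenericAll
        if (-not ($hasCreate -or $hasAll)) { continue }   # only CreateChild-relevant ACEs

        $appliesToMe = $myNames -contains $rule.IdentityReference.Value
        # ObjectType narrows CreateChild to one schema class; Guid.Empty means any class.
        $scope = if ($rule.ObjectType -eq [Guid]::Empty) { 'any child class' } else { "class $($rule.ObjectType)" }
        "{0,-5} {1,-40} {2,-16} inherited={3,-5} applies-to-me={4}" -f `
            $rule.AccessControlType, $rule.IdentityReference.Value, $scope, $rule.IsInherited, $appliesToMe
    }

    # Deny beats Allow: one Deny ACE hitting any group in the token is enough to fail.
    $denies = @($rules | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        ($myNames -contains $_.IdentityReference.Value)
    })
    if ($denies.Count -gt 0) {
        "WARNING: $($denies.Count) Deny ACE(s) on $Dn apply to your token and override any Allow."
    }
}

Show-CreateChildRights $serversDn
Show-CreateChildRights $serverDn
```

If the Servers container shows an Allow for a group you are in and no Deny, yet the server object (once it exists) does not, the failure is at the second step, creating CN=NTDS Settings, which matches the error text in the question; comparing the two listings for the built-in Administrator and for a freshly created admin account such as the asker's 'Administrata' shows which token differs.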