  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3929

"Access is denied" when attempting to promote server to become second Domain Controller

Hi,

I'm getting an error message while running dcpromo to promote a server to become a second Domain Controller.

The error message is :

=====================================
(Error window's caption: New Credentials)
The operation failed because : The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. "Access is denied".
=====================================

I'm then asked to type a username & password of an account with sufficient privileges to create an additional domain controller, and to click 'Retry' or to optionally 'Cancel' the promotion process.
I've retried several times, and can confirm that I'm getting the name & password correct.

I haven't pressed 'Cancel' yet, as I've heard that cancelling dcpromo can leave the computer with a faulty configuration.

The account I'm trying to use is the built-in administrator account "administrator" on the domain, which is a member of the Administrators, Domain Admins, Enterprise Admins and Schema Admins groups.

The network has a single Windows domain.
The current DC is running on Windows 2000 Server SP4.
adprep /forestprep and adprep /domainprep were run on the current DC before the dcpromo.

The server to be promoted to become an additional DC is Windows 2003 Server EE R2.
This server is called "GEMINI"

Any help would be appreciated.

Many thanks,
amral22
 
arunexpCommented:
Try the following

1. Go to Active Directory Users and Computers, right-click the Domain Controllers Organizational Unit and go to Properties. Click the Group Policy tab and edit the Default Domain Controllers Policy.
2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
Force the policy replication using
secedit /refreshpolicy machine_policy /enforce
 
amral22Author Commented:
Hi arunexp, thank you,

I've just tried your suggestion, doing it on both the current DC server and the server that I'm trying to promote (although on the latter, which is a Win2k3 EE R2 server, the secedit command does not have a /refreshpolicy tag.).

Unfortunately, I still get the same error.

I've checked the system clocks, and they are within a minute of each other (apparently, larger skews of more than a couple of minutes can cause problems with Kerberos).

I've also done the following (but still get the error):

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /configure /update /syncfromflags:DOMHIER

Apparently, the following might help, will let you know of the results:

http://support.microsoft.com/kb/308311
http://support.microsoft.com/kb/250874

Regards,
amral22
 
Kini pradeepCommented:
Can you check the dcpromo.log? It would be under the C:\windows\debug folder.
This should give us an indication of why the promotion failed.
And no, an unsuccessful promotion should not leave any traces or faulty settings.
 
amral22Author Commented:
Hi kprad,

This is the set of entries in dcpromo.log resulting from the last (unsuccessful) run of dcpromo:

--- Start of log file --
12/05 17:09:22 [INFO] Promotion request for replica domain controller
12/05 17:09:22 [INFO] DnsDomainName  IG.local
12/05 17:09:22 [INFO]       ReplicaPartner  (NULL)
12/05 17:09:22 [INFO]       SiteName  (NULL)
12/05 17:09:22 [INFO]       DsDatabasePath  C:\WINDOWS\NTDS, DsLogPath  C:\WINDOWS\NTDS
12/05 17:09:22 [INFO]       SystemVolumeRootPath  C:\WINDOWS\SYSVOL
12/05 17:09:22 [INFO]       Account IG.local\administrator
12/05 17:09:22 [INFO]       Options  131264
12/05 17:09:22 [INFO] Validate supplied paths
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO]       Path is a directory
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO]       Path is a directory
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\SYSVOL.
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO]       Path is on an NTFS volume
12/05 17:09:22 [INFO] Start the worker task
12/05 17:09:22 [INFO] Request for promotion returning 0
12/05 17:09:22 [INFO] Searching for a domain controller for the domain IG.local that contains the account GEMINI$
12/05 17:09:23 [INFO] Located domain controller APOLLO.IG.local for domain IG.local
12/05 17:09:23 [INFO] Using site Default-First-Site for server \\APOLLO.IG.local
12/05 17:09:23 [INFO] Forcing time sync
12/05 17:09:23 [INFO] Forcing a time synch with \\APOLLO.IG.local
12/05 17:09:22 [INFO] Stopping service NETLOGON
12/05 17:09:22 [INFO] Stopping service NETLOGON
12/05 17:10:22 [INFO] Configuring service NETLOGON to 1 returned 0
12/05 17:10:22 [INFO] Stopped NETLOGON
12/05 17:10:22 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
12/05 17:10:24 [INFO] Created system volume path
12/05 17:10:24 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
12/05 17:10:24 [INFO] Installing the Directory Service
12/05 17:10:24 [INFO] Calling NtdsInstall for IG.local
12/05 17:10:24 [INFO] Starting Active Directory installation
12/05 17:10:24 [INFO] Validating user supplied options
12/05 17:10:24 [INFO] Determining a site in which to install
12/05 17:10:24 [INFO] Examining an existing Active Directory forest
12/05 17:10:24 [INFO] Configuring the local domain controller to host Active Directory
12/05 17:10:26 [INFO] Creating the NTDS Settings object for this domain controller on the remote domain controller APOLLO.IG.local
12/05 17:10:26 [INFO] Replicating the schema directory partition
12/05 17:10:29 [INFO] Replicating CN=Schema,CN=Configuration,DC=IG,DC=local: received 1000 out of approximately 1387 objects
12/05 17:10:31 [INFO] Replicating CN=Schema,CN=Configuration,DC=IG,DC=local: received 1689 out of approximately 1689 objects
12/05 17:10:31 [INFO] Replicated the schema container.
12/05 17:10:32 [INFO] Active Directory updated the schema cache.
12/05 17:10:32 [INFO] Replicating the configuration directory partition
12/05 17:10:36 [INFO] Replicating CN=Configuration,DC=IG,DC=local: received 1000 out of approximately 2101 objects
12/05 17:10:41 [INFO] Replicating CN=Configuration,DC=IG,DC=local: received 1747 out of approximately 2101 objects
12/05 17:10:41 [INFO] Replicated the configuration container.
12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)
12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5
12/05 17:10:41 [INFO] DsRolepInstallDs returned 5
12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)
12/05 17:10:45 [INFO] Starting service NETLOGON
12/05 17:10:45 [INFO] Configuring service NETLOGON to 2 returned 0
12/05 17:10:45 [INFO] The attempted domain controller operation has completed
12/05 17:10:45 [INFO] DsRolepSetOperationDone returned 0
-- End of log file --



Also at the same time (17:10) these two errors appeared in the 'Directory Service' Event log :

------- Event log error 1 -----------
Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            05/12/2007
Time:            17:10:41
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      GEMINI
Description:
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
3000e54
-------------------------------------

------- Event log error 2 --------
Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            05/12/2007
Time:            17:10:25
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      GEMINI
Description:
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
183
Error value (hex):
b7
Internal ID:
3001183
------------------------


The following also appears in the 'File Replication Service' event log at the same time:

----- Event log warning ------
Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13512
Date:            05/12/2007
Time:            17:10:23
User:            N/A
Computer:      GEMINI
Description:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer GEMINI. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
--------------------------------


Thanks,
amral22
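As an added example (not code from the thread), a small Python parser over dcpromo.log lines of the format quoted above: it reports the first failing step, the last step that completed before it, and decodes the trailing Win32 status code (5 is ERROR_ACCESS_DENIED, the code in this post). The sample log is a constructed excerpt modelled on the posted lines, and the code table is limited to a handful of values a practitioner sees most often.

```python
import re

# Constructed excerpt modelled on the dcpromo.log quoted above; not the poster's file.
SAMPLE_LOG = """\
12/05 17:10:24 [INFO] Calling NtdsInstall for IG.local
12/05 17:10:41 [INFO] Replicated the configuration container.
12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)
12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5
12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)
12/05 17:10:45 [INFO] Configuring service NETLOGON to 2 returned 0
"""

# Win32 status codes that commonly end a dcpromo.log step; 5 is the one in this thread.
WIN32_ERRORS = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED",
                1326: "ERROR_LOGON_FAILURE", 1355: "ERROR_NO_SUCH_DOMAIN"}

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
# A trailing "(N)" or "returned N" carries the Win32 status of that step.
CODE_RE = re.compile(r"\((\d+)\)\s*$|returned (\d+)\s*$")


def parse_line(line):
    """Split one dcpromo.log line into (timestamp, level, message, code-or-None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, msg = m.groups()
    c = CODE_RE.search(msg)
    code = int(c.group(1) or c.group(2)) if c else None
    return ts, level, msg, code


def first_failure(log_text):
    """Return the first failing step and the last step that completed before it."""
    last_ok = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or run-together line; skip rather than guess
        ts, level, msg, code = parsed
        if level == "ERROR" or msg.startswith("Error - ") or code not in (None, 0):
            return {"time": ts, "last_ok_step": last_ok, "message": msg,
                    "code": code, "code_name": WIN32_ERRORS.get(code, "unknown")}
        last_ok = msg
    return None  # every step returned 0: promotion succeeded
```

Pointing `first_failure` at the full log above isolates the "(5)" line and shows that schema and configuration replication had already succeeded, so the denied operation is the conversion of the GEMINI$ account itself, not the replication or credential step.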
 
amral22Author Commented:
Hi, this problem wasn't solved, unfortunately.
I've split the points 90-60 but it may be more appropriate to delete the question.

Thanks,
Amir
 
hahh1Commented:
I have the same problem. How can we solve it?
 
steedBmaherCommented:
The first accepted solution here fixed my error I was having when promoting my first 2008 server R2. I was joining my current Windows 2000 native domain.