Solved

"Access is denied" when attempting to promote server to become second Domain Controller

Posted on 2007-12-05
7
3,684 Views
Last Modified: 2013-12-05
Hi,

I'm getting an error message while running dcpromo to promote a server to become a second Domain Controller.

The error message is :

=====================================
(Error window's caption: New Credentials)
The operation failed because : The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. "Access is denied".
=====================================

I'm then asked to type a username & password of an account with sufficient privileges to create an additional domain controller, and to click 'Retry' or to optionally 'Cancel' the promotion process.
I've retried several times, and can confirm that I'm getting the name & password correct.

I haven't pressed 'Cancel' yet, as I've heard that cancelling dcpromo can leave the computer with a faulty configuration.

The account I'm trying to use is the built-in administrator account "administrator" on the domain, which is a member of the Administrators, Domain Admins, Enterprise Admins and Schema Admins groups.

The network has a single Windows domain.
The current DC is running on Windows 2000 Server SP4.
adprep /forestprep and adprep /domainprep were run on the current DC before the dcpromo.

The server to be promoted to become an additional DC is Windows 2003 Server EE R2.
This server is called "GEMINI"

Any help would be appreciated.

Many thanks,
amral22
0
Question by:amral22
7 Comments
 
LVL 6

Accepted Solution

by:
arunexp earned 90 total points
Try the following

1. Go to Active Directory Users and Computers, right-click the Domain Controllers organizational unit and go to Properties.
Click the Group Policy tab and edit the Default Domain Controllers Policy.
2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
Force the policy replication using
secedit /refreshpolicy machine_policy /enforce
0
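A way to check whether the user right from the accepted solution is actually in effect. This is an added example, not code from the thread: it exports the effective user-rights assignments with secedit and lists who holds SeEnableDelegationPrivilege, the privilege behind "Enable computer and user accounts to be trusted for delegation". Run it elevated on the existing DC (APOLLO in this thread), since that is where the Default Domain Controllers Policy applies; the account name is an assumed default, and PowerShell 2.0 or later is assumed. On Windows 2003 and later, `gpupdate /force` replaces `secedit /refreshpolicy`.

```powershell
# Added example (not from the original thread). Verifies on the existing DC that the
# account used for dcpromo holds SeEnableDelegationPrivilege, the right behind
# "Enable computer and user accounts to be trusted for delegation".
# Assumes an elevated prompt on the DC and that secedit.exe is present.
param(
    [string]$Account = 'BUILTIN\Administrators'   # assumed default; use the account you pass to dcpromo
)

$inf = Join-Path $env:TEMP 'user-rights.inf'

# Export only the user-rights area of the effective local security policy.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) {
    throw "secedit export failed; run this from an elevated prompt on the DC."
}

# secedit writes the right as: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' } |
    Select-Object -First 1
if (-not $line) {
    Write-Warning 'SeEnableDelegationPrivilege is not assigned to anyone on this machine.'
    exit 1
}

# Entries are SIDs prefixed with '*'; resolve each to a name so the output is readable.
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $sid = $_.Trim().TrimStart('*')
    try {
        (New-Object Security.Principal.SecurityIdentifier $sid).Translate(
            [Security.Principal.NTAccount]).Value
    } catch {
        $sid   # unresolvable SID (for example a deleted account): show it raw
    }
}

"Accounts holding 'Enable computer and user accounts to be trusted for delegation':"
$holders | ForEach-Object { "  $_" }

if ($holders -contains $Account) {
    "OK: $Account holds the right."
} else {
    Write-Warning ("$Account does NOT hold the right; add it in the Default Domain " +
                   "Controllers Policy and refresh with gpupdate /force " +
                   "(secedit /refreshpolicy machine_policy /enforce on Windows 2000).")
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

If the group is listed but the promotion still fails with error 5, the right is not the cause and dcpromo.log on the server being promoted is the next place to look.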
 

Author Comment

by:amral22
Hi arunexp, thank you,

I've just tried your suggestion, doing it on both the current DC server and the server that I'm trying to promote (although on the latter, which is a Win2k3 EE R2 server, the secedit command does not have a /refreshpolicy tag).

Unfortunately, I still get the same error.

I've checked the system clocks, and they are within a minute of each other (apparently, larger skews of more than a couple of minutes can cause problems with Kerberos).

I've also done the following (but still get the error):

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /configure /update /syncfromflags:DOMHIER

Apparently, the following might help, will let you know of the results:

http://support.microsoft.com/kb/308311
http://support.microsoft.com/kb/250874

Regards,
amral22
0
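Rather than eyeballing the clocks, the offset between the server being promoted and its replication partner can be measured. The block below is an added example and not part of the thread: it samples the DC with `w32tm /stripchart` (available on Windows 2003 and later) and compares the largest offset against the Kerberos default clock-skew tolerance of five minutes. The DC name is taken from the dcpromo.log posted later in the thread and is an assumption; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original thread). Measures the clock offset between this
# server and the DC it will replicate from and flags it against the Kerberos default
# tolerance (MaxClockSkew, 5 minutes). Assumes w32tm.exe with /stripchart and that the
# DC is reachable on UDP 123.
param(
    [string]$Dc = 'APOLLO.IG.local',   # assumed: the DC named in dcpromo.log
    [int]$Samples = 3,
    [double]$MaxSkewSeconds = 300      # Kerberos MaxClockSkew default (5 minutes)
)

function Get-MaxOffsetSeconds {
    param([string[]]$StripchartOutput)
    # /dataonly lines look like "17:09:22, +00.0123456s"; lines reporting an error
    # carry no offset and are skipped.
    $offsets = foreach ($line in $StripchartOutput) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [math]::Abs([double]$matches[1]) }
    }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Maximum).Maximum
}

$raw = & w32tm.exe /stripchart /computer:$Dc /samples:$Samples /dataonly 2>&1
$max = Get-MaxOffsetSeconds -StripchartOutput $raw

if ($max -eq $null) {
    Write-Warning "No time samples received from $Dc; check name resolution and UDP 123."
} elseif ($max -gt $MaxSkewSeconds) {
    Write-Warning ("Offset {0:N1}s from {1} exceeds the {2}s Kerberos tolerance; fix time " +
                   "sync before retrying dcpromo." -f $max, $Dc, $MaxSkewSeconds)
} else {
    "Offset {0:N3}s from {1} is within Kerberos tolerance; time is not the problem." -f $max, $Dc
}
```

An offset well under the tolerance, as in this thread, rules time out as the cause of the error and keeps the investigation on permissions and the log.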
 
LVL 13

Assisted Solution

by:Kini pradeep
Kini pradeep earned 60 total points
Can you check dcpromo.log? It would be under the C:\windows\debug folder.
This should give us an indication of why the promotion failed.
And no, an unsuccessful promotion should not leave any traces or faulty settings.
0
 

Author Comment

by:amral22
Hi kprad,

This is the set of entries in dcpromo.log resulting from the last (unsuccessful) run of dcpromo:

--- Start of log file --
12/05 17:09:22 [INFO] Promotion request for replica domain controller
12/05 17:09:22 [INFO] DnsDomainName  IG.local
12/05 17:09:22 [INFO]       ReplicaPartner  (NULL)
12/05 17:09:22 [INFO]       SiteName  (NULL)
12/05 17:09:22 [INFO]       DsDatabasePath  C:\WINDOWS\NTDS, DsLogPath  C:\WINDOWS\NTDS
12/05 17:09:22 [INFO]       SystemVolumeRootPath  C:\WINDOWS\SYSVOL
12/05 17:09:22 [INFO]       Account IG.local\administrator
12/05 17:09:22 [INFO]       Options  131264
12/05 17:09:22 [INFO] Validate supplied paths
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO]       Path is a directory
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO]       Path is a directory
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\SYSVOL.
12/05 17:09:22 [INFO]       Path is on a fixed disk drive.
12/05 17:09:22 [INFO]       Path is on an NTFS volume
12/05 17:09:22 [INFO] Start the worker task
12/05 17:09:22 [INFO] Request for promotion returning 0
12/05 17:09:22 [INFO] Searching for a domain controller for the domain IG.local that contains the account GEMINI$
12/05 17:09:23 [INFO] Located domain controller APOLLO.IG.local for domain IG.local
12/05 17:09:23 [INFO] Using site Default-First-Site for server \\APOLLO.IG.local
12/05 17:09:23 [INFO] Forcing time sync
12/05 17:09:23 [INFO] Forcing a time synch with \\APOLLO.IG.local
12/05 17:09:22 [INFO] Stopping service NETLOGON
12/05 17:09:22 [INFO] Stopping service NETLOGON
12/05 17:10:22 [INFO] Configuring service NETLOGON to 1 returned 0
12/05 17:10:22 [INFO] Stopped NETLOGON
12/05 17:10:22 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
12/05 17:10:24 [INFO] Created system volume path
12/05 17:10:24 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
12/05 17:10:24 [INFO] Installing the Directory Service
12/05 17:10:24 [INFO] Calling NtdsInstall for IG.local
12/05 17:10:24 [INFO] Starting Active Directory installation
12/05 17:10:24 [INFO] Validating user supplied options
12/05 17:10:24 [INFO] Determining a site in which to install
12/05 17:10:24 [INFO] Examining an existing Active Directory forest
12/05 17:10:24 [INFO] Configuring the local domain controller to host Active Directory
12/05 17:10:26 [INFO] Creating the NTDS Settings object for this domain controller on the remote domain controller APOLLO.IG.local
12/05 17:10:26 [INFO] Replicating the schema directory partition
12/05 17:10:29 [INFO] Replicating CN=Schema,CN=Configuration,DC=IG,DC=local: received 1000 out of approximately 1387 objects
12/05 17:10:31 [INFO] Replicating CN=Schema,CN=Configuration,DC=IG,DC=local: received 1689 out of approximately 1689 objects
12/05 17:10:31 [INFO] Replicated the schema container.
12/05 17:10:32 [INFO] Active Directory updated the schema cache.
12/05 17:10:32 [INFO] Replicating the configuration directory partition
12/05 17:10:36 [INFO] Replicating CN=Configuration,DC=IG,DC=local: received 1000 out of approximately 2101 objects
12/05 17:10:41 [INFO] Replicating CN=Configuration,DC=IG,DC=local: received 1747 out of approximately 2101 objects
12/05 17:10:41 [INFO] Replicated the configuration container.
12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)
12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5
12/05 17:10:41 [INFO] DsRolepInstallDs returned 5
12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)
12/05 17:10:45 [INFO] Starting service NETLOGON
12/05 17:10:45 [INFO] Configuring service NETLOGON to 2 returned 0
12/05 17:10:45 [INFO] The attempted domain controller operation has completed
12/05 17:10:45 [INFO] DsRolepSetOperationDone returned 0
-- End of log file --



Also at the same time (17:10) these two errors appeared in the 'Directory Service' Event log :

------- Event log error 1 -----------
Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            05/12/2007
Time:            17:10:41
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      GEMINI
Description:
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
3000e54
-------------------------------------

------- Event log error 2 --------
Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            05/12/2007
Time:            17:10:25
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      GEMINI
Description:
Internal error: An Active Directory error has occurred.
 
Additional Data
Error value (decimal):
183
Error value (hex):
b7
Internal ID:
3001183
------------------------


The following also appears in the 'File Replication Service' event log at the same time:

----- Event log warning ------
Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13512
Date:            05/12/2007
Time:            17:10:23
User:            N/A
Computer:      GEMINI
Description:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer GEMINI. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
--------------------------------


Thanks,
amral22
0
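The log excerpt above already contains the decisive detail: replication of the schema and configuration partitions succeeds, and the failure comes at the step that converts GEMINI$ into a DC account, with the Win32 code 5 (ERROR_ACCESS_DENIED). The decimal 183 in the second NTDS 1168 event is ERROR_ALREADY_EXISTS, and 0xC0000001 is STATUS_UNSUCCESSFUL. The block below is an added example, not code from the thread, and serves both the suggestion to read dcpromo.log and the log pasted here: it pulls the failing step and error code out of the most recent run in the log and decodes the code through the system message table, so the same function can be used for the decimal values in the event-log entries. The log path is the default one; the embedded lines are copied from the post so the script can be tried without a real log. PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original thread). Extracts the failing step and error code
# from the last run recorded in dcpromo.log and decodes the Win32 code.
# Assumes the default log location; the fallback lines are copied from the post above.
param([string]$LogPath = "$env:SystemRoot\debug\dcpromo.log")

function Decode-Win32Error {
    param([int]$Code)
    # Win32Exception looks the code up in the system message table:
    # 5 -> "Access is denied", 183 -> "Cannot create a file when that file already exists"
    # (ERROR_ALREADY_EXISTS), which is the decimal value in the second NTDS 1168 event.
    (New-Object ComponentModel.Win32Exception $Code).Message
}

function Get-DcpromoFailure {
    param([string[]]$Lines)
    # dcpromo appends to the log and each run opens with a "Promotion request" line,
    # so only the lines after the last one are examined.
    $start = 0
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Promotion request for') { $start = $i }
    }

    $step = $null; $code = $null
    for ($i = $start; $i -lt $Lines.Count; $i++) {
        # "Error - <text> (N)" names the failing step; "[ERROR] ... (N)" is the summary line.
        if ($step -eq $null -and $Lines[$i] -match 'Error - (.+?) \((\d+)\)\s*$') {
            $step = $matches[1]; $code = [int]$matches[2]
        } elseif ($code -eq $null -and $Lines[$i] -match '\[ERROR\] .+ \((\d+)\)\s*$') {
            $code = [int]$matches[1]
        }
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Step $step
    $result | Add-Member NoteProperty Code $code
    $result | Add-Member NoteProperty Message $(if ($code -ne $null) { Decode-Win32Error $code })
    $result
}

if (Test-Path $LogPath) {
    $lines = Get-Content $LogPath
} else {
    # Constructed fallback: the relevant lines from the log pasted above.
    $lines = @(
        '12/05 17:09:22 [INFO] Promotion request for replica domain controller',
        '12/05 17:10:41 [INFO] Replicated the configuration container.',
        '12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)',
        '12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5',
        '12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)'
    )
}

Get-DcpromoFailure -Lines $lines | Format-List
# Decode the event-log values as well:
Decode-Win32Error 183
```

On the pasted log this reports the conversion step with code 5 and the message "Access is denied"; because the partitions replicated first, the denial is specific to modifying the GEMINI$ account on APOLLO rather than a general authentication failure.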
 

Author Closing Comment

by:amral22
Hi, this problem wasn't solved, unfortunately.
I've split the points 90-60 but it may be more appropriate to delete the question.

Thanks,
Amir
0
 

Expert Comment

by:hahh1
I have the same problem. How can we solve it?
0
 
LVL 4

Expert Comment

by:steedBmaher
The first accepted solution here fixed the error I was having when promoting my first 2008 R2 server. I was joining my current Windows 2000 native domain.
0
