"Access is denied" when attempting to promote server to become second Domain Controller
Hi,
I'm getting an error message while running dcpromo to promote a server to become a second Domain Controller.
The error message is :
==========================
(Error window's caption: New Credentials)
The operation failed because : The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. "Access is denied".
==========================
I'm then asked to type a username & password of an account with sufficient privileges to create an additional domain controller, and to click 'Retry' or to optionally 'Cancel' the promotion process.
I've retried several times, and can confirm that I'm getting the name & password correct.
I haven't pressed 'Cancel' yet, as I've heard that cancelling dcpromo can leave the computer with a faulty configuration.
The acccount I'm trying to use is the built-in administrator account "administrator" on the domain, which is a member of the Administrators, Domain Admins, Enterprise Admins and Schema Admins groups.
The network has a single Windows domain.
The current DC is running on Windows 2000 Server SP4.
adprep /forestprep and adprep /domainprep were run on the current DC before the dcpromo.
The server to be promoted to become an additional DC is Windows 2003 Server EE R2.
This server is called "GEMINI"
Any help would be appreciated.
Many thanks,
amral22
I'm getting an error message while running dcpromo to promote a server to become a second Domain Controller.
The error message is :
==========================
(Error window's caption: New Credentials)
The operation failed because : The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. "Access is denied".
==========================
I'm then asked to type a username & password of an account with sufficient privileges to create an additional domain controller, and to click 'Retry' or to optionally 'Cancel' the promotion process.
I've retried several times, and can confirm that I'm getting the name & password correct.
I haven't pressed 'Cancel' yet, as I've heard that cancelling dcpromo can leave the computer with a faulty configuration.
The acccount I'm trying to use is the built-in administrator account "administrator" on the domain, which is a member of the Administrators, Domain Admins, Enterprise Admins and Schema Admins groups.
The network has a single Windows domain.
The current DC is running on Windows 2000 Server SP4.
adprep /forestprep and adprep /domainprep were run on the current DC before the dcpromo.
The server to be promoted to become an additional DC is Windows 2003 Server EE R2.
This server is called "GEMINI"
Any help would be appreciated.
Many thanks,
amral22
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi kprad,
This is the set of entries in dcpromo.log resulting from the last (unsuccessful) run of dcpromo:
--- Start of log file --
12/05 17:09:22 [INFO] Promotion request for replica domain controller
12/05 17:09:22 [INFO] DnsDomainName IG.local
12/05 17:09:22 [INFO] ReplicaPartner (NULL)
12/05 17:09:22 [INFO] SiteName (NULL)
12/05 17:09:22 [INFO] DsDatabasePath C:\WINDOWS\NTDS, DsLogPath C:\WINDOWS\NTDS
12/05 17:09:22 [INFO] SystemVolumeRootPath C:\WINDOWS\SYSVOL
12/05 17:09:22 [INFO] Account IG.local\administrator
12/05 17:09:22 [INFO] Options 131264
12/05 17:09:22 [INFO] Validate supplied paths
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO] Path is a directory
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO] Path is a directory
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\SYSVOL.
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Path is on an NTFS volume
12/05 17:09:22 [INFO] Start the worker task
12/05 17:09:22 [INFO] Request for promotion returning 0
12/05 17:09:22 [INFO] Searching for a domain controller for the domain IG.local that contains the account GEMINI$12/05 17:09:23 [INFO] Located domain controller APOLLO.IG.local for domain IG.local12/05 17:09:23 [INFO] Using site Default-First-Site for server \\APOLLO.IG.local12/05 17:09:23 [INFO] Forcing time sync
12/05 17:09:23 [INFO] Forcing a time synch with \\APOLLO.IG.local12/05 17:09:22 [INFO] Stopping service NETLOGON12/05 17:09:22 [INFO] Stopping service NETLOGON12/05 17:10:22 [INFO] Configuring service NETLOGON to 1 returned 0
12/05 17:10:22 [INFO] Stopped NETLOGON
12/05 17:10:22 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
12/05 17:10:24 [INFO] Created system volume path
12/05 17:10:24 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.d
12/05 17:10:24 [INFO] Starting Active Directory installation
12/05 17:10:24 [INFO] Validating user supplied options
12/05 17:10:24 [INFO] Determining a site in which to install
12/05 17:10:24 [INFO] Examining an existing Active Directory forest
12/05 17:10:24 [INFO] Configuring the local domain controller to host Active Directory
12/05 17:10:26 [INFO] Creating the NTDS Settings object for this domain controller on the remote domain controller APOLLO.IG.local&
12/05 17:10:26 [INFO] Replicating the schema directory partition
12/05 17:10:29 [INFO] Replicating CN=Schema,CN=Configuration
12/05 17:10:31 [INFO] Replicating CN=Schema,CN=Configuration
12/05 17:10:31 [INFO] Replicated the schema container.
12/05 17:10:32 [INFO] Active Directory updated the schema cache.
12/05 17:10:32 [INFO] Replicating the configuration directory partition
12/05 17:10:36 [INFO] Replicating CN=Configuration,DC=IG,DC=
12/05 17:10:41 [INFO] Replicating CN=Configuration,DC=IG,DC=
12/05 17:10:41 [INFO] Replicated the configuration container.
12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)
12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5
12/05 17:10:41 [INFO] DsRolepInstallDs returned 5
12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)
12/05 17:10:45 [INFO] Starting service NETLOGON12/05 17:10:45 [INFO] Configuring service NETLOGON to 2 returned 0
12/05 17:10:45 [INFO] The attempted domain controller operation has completed12/05 17:10:45 [INFO] DsRolepSetOperationDone returned 0
-- End of log file --
Also at the same time (17:10) these two errors appeared in the 'Directory Service' Event log :
------- Event log error 1 -----------
Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: 05/12/2007
Time: 17:10:41
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GEMINI
Description:
Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
3000e54
--------------------------
------- Event log error 2 --------
Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: 05/12/2007
Time: 17:10:25
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GEMINI
Description:
Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal):
183
Error value (hex):
b7
Internal ID:
3001183
------------------------
The following also appears in the 'File Replication Service' event log at the same time:
----- Event log warning ------
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13512
Date: 05/12/2007
Time: 17:10:23
User: N/A
Computer: GEMINI
Description:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer GEMINI. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
--------------------------
Thanks,
amral22
This is the set of entries in dcpromo.log resulting from the last (unsuccessful) run of dcpromo:
--- Start of log file --
12/05 17:09:22 [INFO] Promotion request for replica domain controller
12/05 17:09:22 [INFO] DnsDomainName IG.local
12/05 17:09:22 [INFO] ReplicaPartner (NULL)
12/05 17:09:22 [INFO] SiteName (NULL)
12/05 17:09:22 [INFO] DsDatabasePath C:\WINDOWS\NTDS, DsLogPath C:\WINDOWS\NTDS
12/05 17:09:22 [INFO] SystemVolumeRootPath C:\WINDOWS\SYSVOL
12/05 17:09:22 [INFO] Account IG.local\administrator
12/05 17:09:22 [INFO] Options 131264
12/05 17:09:22 [INFO] Validate supplied paths
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO] Path is a directory
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\NTDS.
12/05 17:09:22 [INFO] Path is a directory
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Validating path C:\WINDOWS\SYSVOL.
12/05 17:09:22 [INFO] Path is on a fixed disk drive.
12/05 17:09:22 [INFO] Path is on an NTFS volume
12/05 17:09:22 [INFO] Start the worker task
12/05 17:09:22 [INFO] Request for promotion returning 0
12/05 17:09:22 [INFO] Searching for a domain controller for the domain IG.local that contains the account GEMINI$12/05 17:09:23 [INFO] Located domain controller APOLLO.IG.local for domain IG.local12/05 17:09:23 [INFO] Using site Default-First-Site for server \\APOLLO.IG.local12/05 17:09:23 [INFO] Forcing time sync
12/05 17:09:23 [INFO] Forcing a time synch with \\APOLLO.IG.local12/05 17:09:22 [INFO] Stopping service NETLOGON12/05 17:09:22 [INFO] Stopping service NETLOGON12/05 17:10:22 [INFO] Configuring service NETLOGON to 1 returned 0
12/05 17:10:22 [INFO] Stopped NETLOGON
12/05 17:10:22 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
12/05 17:10:24 [INFO] Created system volume path
12/05 17:10:24 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.d
12/05 17:10:24 [INFO] Starting Active Directory installation
12/05 17:10:24 [INFO] Validating user supplied options
12/05 17:10:24 [INFO] Determining a site in which to install
12/05 17:10:24 [INFO] Examining an existing Active Directory forest
12/05 17:10:24 [INFO] Configuring the local domain controller to host Active Directory
12/05 17:10:26 [INFO] Creating the NTDS Settings object for this domain controller on the remote domain controller APOLLO.IG.local&
12/05 17:10:26 [INFO] Replicating the schema directory partition
12/05 17:10:29 [INFO] Replicating CN=Schema,CN=Configuration
12/05 17:10:31 [INFO] Replicating CN=Schema,CN=Configuration
12/05 17:10:31 [INFO] Replicated the schema container.
12/05 17:10:32 [INFO] Active Directory updated the schema cache.
12/05 17:10:32 [INFO] Replicating the configuration directory partition
12/05 17:10:36 [INFO] Replicating CN=Configuration,DC=IG,DC=
12/05 17:10:41 [INFO] Replicating CN=Configuration,DC=IG,DC=
12/05 17:10:41 [INFO] Replicated the configuration container.
12/05 17:10:41 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account GEMINI$ to a domain controller account. (5)
12/05 17:10:41 [INFO] NtdsInstall for IG.local returned 5
12/05 17:10:41 [INFO] DsRolepInstallDs returned 5
12/05 17:10:41 [ERROR] Failed to install to Directory Service (5)
12/05 17:10:45 [INFO] Starting service NETLOGON12/05 17:10:45 [INFO] Configuring service NETLOGON to 2 returned 0
12/05 17:10:45 [INFO] The attempted domain controller operation has completed12/05 17:10:45 [INFO] DsRolepSetOperationDone returned 0
-- End of log file --
Also at the same time (17:10) these two errors appeared in the 'Directory Service' Event log :
------- Event log error 1 -----------
Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: 05/12/2007
Time: 17:10:41
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GEMINI
Description:
Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
3000e54
--------------------------
------- Event log error 2 --------
Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: 05/12/2007
Time: 17:10:25
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: GEMINI
Description:
Internal error: An Active Directory error has occurred.
Additional Data
Error value (decimal):
183
Error value (hex):
b7
Internal ID:
3001183
------------------------
The following also appears in the 'File Replication Service' event log at the same time:
----- Event log warning ------
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13512
Date: 05/12/2007
Time: 17:10:23
User: N/A
Computer: GEMINI
Description:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer GEMINI. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
--------------------------
Thanks,
amral22
ASKER
Hi, this problem wasn't solved, unfortunately.
I've split the points 90-60 but it may be more appropriate to delete the question.
Thanks,
Amir
I've split the points 90-60 but it may be more appropriate to delete the question.
Thanks,
Amir
i have the same problem how we can solve it
The first accepted solution here fixed my error I was having when promoting my first 2008 server R2. I was joining my current Windows 2000 native domain.
ASKER
I've just tried your suggestion, doing it on both the current DC server and the server that I'm trying to promote (although on the latter, which is a Win2k3 EE R2 server, the secedit command does not have a /refreshpolicy tag.).
Unfortunately, I still get the same error.
I've checked the system clocks, and they are within a minute of each other (apparently, larger skews of more than a couple of minutes can cause problems with Kerberos).
I've also done the following (but still get the error):
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /configure /update /syncfromflags:DOMHIER
Apparently, the following might help, will let you know of the results:
http://support.microsoft.com/kb/308311
http://support.microsoft.com/kb/250874
Regards,
amral22