The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account. "Access is denied."

The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account.  "Access is denied."
while run dc promo to add another dc on 2003 domain
hahh1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

deroyerCommented:
Check that the user you are running the DCPROMO as is a member of the Domain Admin and enterprise admin groups in AD Particularly if this is in the root forest
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
hahh1Author Commented:
the user already member of Domain Admin and enterprise admin groups in AD
0
deroyerCommented:
OK add the computer to a workgroup... reboot...

Then add it back to the domain as a member server...  This will create a new SID...  Reboot...

Then try and rerun the DCPROMO
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

hahh1Author Commented:
i tried but not working i got the same message
note thet i can demote the Dc but i got this error when promote any system to be a second dc
0
hahh1Author Commented:
any update till now i can't add extra DC
0
SysExpertCommented:
RUN DCDIAG and Netdiag in verbose mode and check the results.

SOmething is not right in your permissions somewhere.


I hope this helps !
0
hahh1Author Commented:
give more detailes about verbose mode
0
Netman66Commented:
The command is DCDIAG /v

In Active Directory Users and Computers make sure the computer has a checkmark in Trust for Delegation in the Properties applet.

Also, if you have modified the Default Domain Policy or Default Domain Controller Policy's default security permissions, this will cause this error.

0
hahh1Author Commented:
i noticed that when i made the computer has a checkmark in Trust for Delegation to any services (kerberos only) in the Properties applet. and run the dcpromo then it give me the error mesasge it become checkmark on do not trust this computer for deligation
in the Properties applet
also what must be the Default Domain Policy or Default Domain Controller Policy's default security permissions.

0
hahh1Author Commented:
DCdiag / v


Domain Controller Diagnosis
Performing initial setup:
   * Verifying that the local machine DC1, is a DC.
   * Connecting to directory service on server DC1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 5 DC(s). Testing 1 of them.
   Done gathering initial info.
Doing initial required tests
   
   Testing server: site1\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC1 passed test Connectivity
Doing primary tests
   
   Testing server: site1\DC1
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=domain1,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=domain,DC=domain1,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC1 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=domain1,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=domain1,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=domain1,DC=com
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=domain1,DC=com
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=domain,DC=domain1,DC=com
            (Domain,Version 2)
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC1\netlogon
         Verified share \\DC1\sysvol
         ......................... DC1 passed test NetLogons
      Starting test: Advertising
         The DC DC1 is advertising itself as a DC and having a DS.
         The DC DC1 is advertising as an LDAP server
         The DC DC1 is advertising as having a writeable directory
         The DC DC1 is advertising as a Key Distribution Center
         The DC DC1 is advertising as a time server
         The DS DC1 is advertising as a GC.
         ......................... DC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 21813 to 1073741823
         * DC1.domain.domain1.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 20813 to 21312
         * rIDPreviousAllocationPool is 20813 to 21312
         * rIDNextRID: 20885
         ......................... DC1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC1 on DC DC1.
         * SPN found :LDAP/DC1.domain.domain1.com/domain.domain1.com
         * SPN found :LDAP/DC1.domain.domain1.com
         * SPN found :LDAP/DC1
         * SPN found :LDAP/DC1.domain.domain1.com/domain
         * SPN found :LDAP/12031452-dae1-4638-87e2-86c1eaea76ad._msdcs.domain.domain1.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/12031452-dae1-4638-87e2-86c1eaea76ad/domain.domain1.com
         * SPN found :HOST/DC1.domain.domain1.com/domain.domain1.com
         * SPN found :HOST/DC1.domain.domain1.com
         * SPN found :HOST/DC1
         * SPN found :HOST/DC1.domain.domain1.com/domain
         * SPN found :GC/DC1.domain.domain1.com/domain.domain1.com
         ......................... DC1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC1 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC1 is in domain DC=domain,DC=domain1,DC=com
         Checking for CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com in domain DC=domain,DC=domain1,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com in domain CN=Configuration,DC=domain,DC=domain1,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... DC1 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... DC1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 11/11/2008   10:43:14
            Event String: The session setup from computer 'pc1'
failed because the security database does not
contain a trust account 'pc1$' referenced
by the specified computer.  
 
USER ACTION  
If this is the first occurrence of this event for
the specified computer and account, this may be a
transient issue that doesn't require any action
at this time. Otherwise, the following steps may
be taken to resolve this problem:  
 
If 'pc1$' is a legitimate machine account
for the computer 'pc1', then
'pc1' should be rejoined to the domain.  
 
If 'pc1$' is a legitimate interdomain
trust account, then the trust should be
recreated.  
 
Otherwise, assuming that 'pc1$' is not a
legitimate account, the following action should
be taken on 'pc1':  
 
If 'pc1' is a Domain Controller, then the
trust associated with 'pc1$' should be
deleted.  
 
If 'pc1' is not a Domain Controller, it
should be disjoined from the domain.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 11/11/2008   10:49:28
            Event String: The session setup from the computer pc1
failed to authenticate. The following error
occurred:
%%5
         ......................... DC1 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         are correct.
         ......................... DC1 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
   
   Running enterprise tests on : domain.domain1.com
      Starting test: Intersite
         Skipping site site1, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site site2, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site site3, this site is outside the scope provided by the
         command line arguments provided.
         ......................... domain.domain1.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         PDC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         Time Server Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         KDC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         ......................... domain.domain1.com passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
 
0
hahh1Author Commented:
note that
long time ago i moved domain controller (DC1) to another ou (ou1) inside (domain controllers ou) but now  i canot move DC1 back to the (domain controllers ou) access denied
0
hahh1Author Commented:
Dear all
 
i discovered the problem nowmay be this will help some one one day
i discovered that some one put deny permissopn for aministrators on the domain controllers ou for the followings create computer opject deny and delete computer opject deny just i make them allow every thing working fine
i must take the points to myself i send two weeks to find this
0
hahh1Author Commented:
Dear all
 
i discovered the problem nowmay be this will help some one one day
i discovered that some one put deny permissopn for aministrators on the domain controllers ou for the followings create computer opject deny and delete computer opject deny just i make them allow every thing working fine
i must take the points to myself i send two weeks to find this
0
hahh1Author Commented:
Dear all
 
i discovered the problem nowmay be this will help some one one day
i discovered that some one put deny permissopn for aministrators on the domain controllers ou for the followings create computer opject deny and delete computer opject deny just i make them allow every thing working fine
i must take the points to myself i send two weeks to find this
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.