Solved

The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account.  "Access is denied."

Posted on 2008-11-07
Last Modified: 2012-05-05
The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account.  "Access is denied."
while running dcpromo to add another DC on a 2003 domain
Question by:hahh1
14 Comments
 
LVL 4

Accepted Solution

by:
deroyer earned 2000 total points
ID: 22908564
Check that the user you are running DCPROMO as is a member of the Domain Admin and Enterprise Admin groups in AD, particularly if this is in the root forest.
0
 

Author Comment

by:hahh1
ID: 22908600
The user is already a member of the Domain Admin and Enterprise Admin groups in AD.
0
 
LVL 4

Expert Comment

by:deroyer
ID: 22908720
OK add the computer to a workgroup... reboot...

Then add it back to the domain as a member server...  This will create a new SID...  Reboot...

Then try and rerun the DCPROMO
0

 

Author Comment

by:hahh1
ID: 22908878
I tried, but it is not working; I got the same message.
Note that I can demote the DC, but I get this error when promoting any system to be a second DC.
0
 

Author Comment

by:hahh1
ID: 22915499
Any update? Till now I can't add an extra DC.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22918740
Run DCDIAG and Netdiag in verbose mode and check the results.

Something is not right in your permissions somewhere.


I hope this helps!
0
 

Author Comment

by:hahh1
ID: 22918750
Give more details about verbose mode.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22918777
The command is DCDIAG /v

In Active Directory Users and Computers make sure the computer has a checkmark in Trust for Delegation in the Properties applet.

Also, if you have modified the Default Domain Policy or Default Domain Controller Policy's default security permissions, this will cause this error.

0
 

Author Comment

by:hahh1
ID: 22919927
I noticed that when I set the checkmark on the computer for Trust for Delegation to any service (Kerberos only) in the Properties applet and ran dcpromo, it gave me the error message, and the setting became "Do not trust this computer for delegation" in the Properties applet.
Also, what must the Default Domain Policy or Default Domain Controller Policy's default security permissions be?

0
 

Author Comment

by:hahh1
ID: 22928904
DCDIAG /v


Domain Controller Diagnosis
Performing initial setup:
   * Verifying that the local machine DC1, is a DC.
   * Connecting to directory service on server DC1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 5 DC(s). Testing 1 of them.
   Done gathering initial info.
Doing initial required tests
   
   Testing server: site1\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC1 passed test Connectivity
Doing primary tests
   
   Testing server: site1\DC1
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=domain1,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=domain,DC=domain1,DC=com
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=domain,DC=domain1,DC=com
               Latency information for 30 entries in the vector were ignored.
                  30 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC1 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=domain1,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=domain1,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=domain1,DC=com
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=domain1,DC=com
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=domain,DC=domain1,DC=com
            (Domain,Version 2)
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC1\netlogon
         Verified share \\DC1\sysvol
         ......................... DC1 passed test NetLogons
      Starting test: Advertising
         The DC DC1 is advertising itself as a DC and having a DS.
         The DC DC1 is advertising as an LDAP server
         The DC DC1 is advertising as having a writeable directory
         The DC DC1 is advertising as a Key Distribution Center
         The DC DC1 is advertising as a time server
         The DS DC1 is advertising as a GC.
         ......................... DC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC2,CN=Servers,CN=site2,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 21813 to 1073741823
         * DC1.domain.domain1.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 20813 to 21312
         * rIDPreviousAllocationPool is 20813 to 21312
         * rIDNextRID: 20885
         ......................... DC1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC1 on DC DC1.
         * SPN found :LDAP/DC1.domain.domain1.com/domain.domain1.com
         * SPN found :LDAP/DC1.domain.domain1.com
         * SPN found :LDAP/DC1
         * SPN found :LDAP/DC1.domain.domain1.com/domain
         * SPN found :LDAP/12031452-dae1-4638-87e2-86c1eaea76ad._msdcs.domain.domain1.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/12031452-dae1-4638-87e2-86c1eaea76ad/domain.domain1.com
         * SPN found :HOST/DC1.domain.domain1.com/domain.domain1.com
         * SPN found :HOST/DC1.domain.domain1.com
         * SPN found :HOST/DC1
         * SPN found :HOST/DC1.domain.domain1.com/domain
         * SPN found :GC/DC1.domain.domain1.com/domain.domain1.com
         ......................... DC1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC1 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC1 is in domain DC=domain,DC=domain1,DC=com
         Checking for CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com in domain DC=domain,DC=domain1,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com in domain CN=Configuration,DC=domain,DC=domain1,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... DC1 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... DC1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 11/11/2008   10:43:14
            Event String: The session setup from computer 'pc1'
failed because the security database does not
contain a trust account 'pc1$' referenced
by the specified computer.  
 
USER ACTION  
If this is the first occurrence of this event for
the specified computer and account, this may be a
transient issue that doesn't require any action
at this time. Otherwise, the following steps may
be taken to resolve this problem:  
 
If 'pc1$' is a legitimate machine account
for the computer 'pc1', then
'pc1' should be rejoined to the domain.  
 
If 'pc1$' is a legitimate interdomain
trust account, then the trust should be
recreated.  
 
Otherwise, assuming that 'pc1$' is not a
legitimate account, the following action should
be taken on 'pc1':  
 
If 'pc1' is a Domain Controller, then the
trust associated with 'pc1$' should be
deleted.  
 
If 'pc1' is not a Domain Controller, it
should be disjoined from the domain.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 11/11/2008   10:49:28
            Event String: The session setup from the computer pc1
failed to authenticate. The following error
occurred:
%%5
         ......................... DC1 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=DC1,OU=ou1 DC,OU=Domain Controllers,DC=domain,DC=domain1,DC=com
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=domain1,DC=com
         and backlink on
         CN=NTDS Settings,CN=DC1,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=domain,DC=domain1,DC=com
         are correct.
         ......................... DC1 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
   
   Running enterprise tests on : domain.domain1.com
      Starting test: Intersite
         Skipping site site1, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site site2, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site site3, this site is outside the scope provided by the
         command line arguments provided.
         ......................... domain.domain1.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         PDC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         Time Server Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         KDC Name: \\DC1.domain.domain1.com
         Locator Flags: 0xe00003fd
         ......................... domain.domain1.com passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
 
0
 

Author Comment

by:hahh1
ID: 22929341
Note that a long time ago I moved the domain controller (DC1) to another OU (ou1) inside the Domain Controllers OU, but now I cannot move DC1 back to the Domain Controllers OU: access denied.
0
 

Author Comment

by:hahh1
ID: 22931612
Dear all,
 
I discovered the problem now; maybe this will help someone one day.
I discovered that someone put a Deny permission for Administrators on the Domain Controllers OU for the following: Create Computer Objects (Deny) and Delete Computer Objects (Deny). I just set them to Allow and everything is working fine.
I must take the points myself; I spent two weeks finding this.
0
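
A read-only way to look for the kind of Deny entries described in the comment above (an added example, not part of the original thread). It assumes the ActiveDirectory PowerShell module from RSAT on a domain-joined management host, which is newer than the Windows 2003 tooling used in the thread; the function name Get-DenyComputerChildAce is hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined management host.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class; an all-zero ObjectType means "any child class".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AnyClass      = [guid]::Empty
$ChildRights   = [int]([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild')

# Hypothetical helper: returns Deny ACEs that block creating or deleting
# computer objects in the given container.
function Get-DenyComputerChildAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.ActiveDirectoryRights -band $ChildRights) -ne 0) -and
            ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq $AnyClass)
        } |
        Select-Object @{ Name = 'Container'; Expression = { $DistinguishedName } },
                      IdentityReference, ActiveDirectoryRights, ObjectType,
                      IsInherited, InheritanceType
}

# The Domain Controllers OU plus any OUs nested under it
# (in the thread, DC1 had been moved into a sub-OU).
$dcOu = (Get-ADDomain).DomainControllersContainer
$containers = Get-ADOrganizationalUnit -Filter * -SearchBase $dcOu -SearchScope Subtree |
    Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($dn in $containers) {
    Get-DenyComputerChildAce -DistinguishedName $dn
}

if ($findings) {
    # Each row names the trustee that is denied and whether the ACE is inherited.
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No Deny ACEs for creating or deleting computer objects under $dcOu"
}
```

A Deny entry listed here overrides an Allow granted through Domain Admin or Enterprise Admin membership, which is why checking group membership alone did not explain the "Access is denied" error.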
 

