"LDAP add operation failed" error 5 (Access is denied) for a new RODC

Posted on 2009-07-08
Last Modified: 2013-12-24
Hello,

I have the problem that I want to add a Read Only Domain Controller to my AD.
It worked the last 4 times, but today I get this message:

Network Credentials
The operation failed with the following error: "The operation cannot continue because LDAP add operation failed: obect "CN=G9001230,OU=Domain Controllers,DC=mynet,DC=com", error: 5 (access is denied.)."

BUT
1. my user is Schema, Role & Domain Admin. So he must have access rights
2. I ran dcpromo like the last 4 times
3. I tested pre-creating an RODC machine account in Users & Computers and there is the same error
4. I can create users over LDAP
5. I deactivated the "User Account Control"

So what can I do?

You can find the dcpromo log in the attachment

Thanks for your help
Martin
dcpromoui.003.log
Question by:chief-MH

Accepted Solution

by: dnilson (earned 500 total points)
ID: 24810101
Have you checked file ACLs and registry permissions, say using the MMC Security Configuration, Resultant Set of Policy and Security Templates add-ins?

Open a command prompt

run mmc /a
File | Add/Remove Snap-in
Add
Resultant Set of Policy
Security Configuration and Analysis
Security Templates

Close the dialogs, right-click on Security Configuration and Analysis
Select the appropriate template, perhaps Secure DC

and run the analysis

You will clearly see the differences between the policy and the machine.

Check the system logs to see if the access denied message gives any further clues as to what is being denied, check the analysis in that area and make appropriate changes,

Or simply apply the policy to your DC, which should eliminate the access denied, even if it's not fully RO at that point.  Then you can re-address the RO config.

If you are not certain WHERE the security settings that are causing your issues are coming from (i.e. "That doesn't make sense"), run the RSOP tool which will TELL you if it's a local or domain policy, etc., so you know where to make the changes.


Expert Comment

by:jhoncoop
ID: 24810523
Based on the error logs it appears that your account does not have the rights to update the RODC's AD object and is failing out.  Can you validate that you have the appropriate rights in the current location of the new RODC's account in Active Directory?

In addition, I can see you are able to successfully query information but you are failing at the Add stage.  One possibility is that your pre-positioned account was placed in the Domain Controllers OU, rather than the default "Computers" container and that could account for the differing behavior you've been seeing.

Hopefully this helps!
Author Comment

by:chief-MH
ID: 24811798
Hello jhoncoop,

thanks for your answer.
We checked our permissions in ADSIedit for the Domain Controllers OU and we have all the rights we need.
So this didn't help, sorry

Martin
Author Comment

by:chief-MH
ID: 24811842
Hello,

now we found the solution.
We reset our "Default Domain Policy" and the "Default Domain Controllers Policy" with the DcGPOFix tool (DCGPOFix /ignoreschema /target:BOTH). But be careful with this tool. All options in your policies will be reset and synced to all other DCs and RODCs.
After we set our configuration in those two policies, we can pre-create an RODC account

Thanks for your answers.
Martin

Expert Comment

by:dnilson
ID: 24813255
The bulk reset the author employed resolved the problem, which confirms my solution would have worked and given the author enough granular control of the settings that the caveat "But be careful with this tool. All options in your policies will be reset and synced to all other DCs and RODCs." could have been avoided by changing only the settings affecting the author, not everything.
Author Comment

by:chief-MH
ID: 24814042
Hello dnilson,

our "Default Domain Policy" and the "Default Domain Controllers Policy" were definitely corrupted.
The only way to fix this corruption is the DcGPOFix tool. The tool corrected all corruptions because it configures those two policies to Microsoft default settings. After the reset we made the same configurations as before. And after that it works.
So there must be corruptions inside those two policies which you couldn't see in the Group Policy Management tool. An indication that there is a corruption is the counter at the policy version counter. Because the counter shows at the moment a computer version of 38213, and believe me, we didn't make so many changes. So there were the automatic AD checks which tried to repair those policies.

So you will see, there was no other chance to fix our problem.

I posted this warning only for other users who have the same problem, and in my environment some systems updated their local settings with the Microsoft default settings. This was not so good ;-)

Sincerely
Martin
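Two checks from this thread, as an added PowerShell example that is not code from the thread or from Microsoft: the runaway version counter Martin describes on the two default GPOs (AD version versus SYSVOL version, and an implausibly high count), and the command-line form of the template comparison that dnilson's accepted answer walks through in the MMC. The GroupPolicy module, the 1000-change threshold and the template path are assumptions.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module (RSAT or a
# 2008+ DC) and a DC with secedit.exe; the 1000-change threshold and the
# template path are assumptions, adjust them to your environment.
Import-Module GroupPolicy

# Well-known GUIDs of the two GPOs the thread resets with DCGPOFix.
$DefaultGpoGuids = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

function Test-DefaultGpoHealth {
    param([int]$SuspiciousVersion = 1000)   # assumed threshold; the thread saw 38213
    foreach ($name in $DefaultGpoGuids.Keys) {
        $gpo = Get-GPO -Guid $DefaultGpoGuids[$name] -ErrorAction Stop
        foreach ($side in 'Computer', 'User') {
            $ds  = $gpo.$side.DSVersion        # version counter stored in AD
            $sys = $gpo.$side.SysvolVersion    # version counter stored in SYSVOL gpt.ini
            [pscustomobject]@{
                Gpo           = $name
                Side          = $side
                DSVersion     = $ds
                SysvolVersion = $sys
                # AD and SYSVOL out of step means replication trouble or a damaged GPO
                Mismatch      = ($ds -ne $sys)
                # a counter far above the number of edits you made is the thread's warning sign
                Runaway       = ($ds -gt $SuspiciousVersion)
            }
        }
    }
}

function Invoke-DcSecurityAnalysis {
    # Command-line form of the accepted answer's Security Configuration and
    # Analysis snap-in: compare the live DC against a template and list differences.
    param([string]$Template = "$env:SystemRoot\security\templates\Your-DC-Template.inf")  # assumed path
    $db  = Join-Path $env:TEMP 'dc-analysis.sdb'
    $log = Join-Path $env:TEMP 'dc-analysis.log'
    Remove-Item $db, $log -ErrorAction SilentlyContinue   # start from a fresh database
    secedit /analyze /db $db /cfg $Template /log $log | Out-Null
    # secedit writes one "Mismatch - <setting>" line per setting that differs from the template
    Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

Test-DefaultGpoHealth | Format-Table -AutoSize
Invoke-DcSecurityAnalysis
```

A Mismatch row from the first function, or a version counter in the tens of thousands as in this thread, is the cue to compare the GPO against a known-good export before reaching for DCGPOFix, which overwrites every setting in both policies.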