"LDAP add operation failed" error 5 (Access is denied) for a new RODC

Hello,

I have a problem: I want to add a Read Only Domain Controller to my AD.
It worked the last 4 times, but today I get this message:

Network Credentials
The operation failed with the following error: "The operation cannot continue because LDAP add operation failed: object "CN=G9001230,OU=Domain Controllers,DC=mynet,DC=com", error: 5 (access is denied.)."

BUT
1. my user is Schema, Role & Domain Admin. So he must have access rights
2. I ran dcpromo the same way as the last 4 times
3. I tested pre-creating an RODC machine account in Users & Computers and got the same error
4. I can create users over LDAP
5. I deactivated "User Account Control"

So what can I do?

You can find the dcpromo log in the attachment

Thanks for your help
Martin
dcpromoui.003.log
chief-MH asked:

dnilson commented:
Have you checked file ACLs and registry permissions, say using the MMC Security Configuration and Analysis, Resultant Set of Policy and Security Templates snap-ins?

open a command prompt

run mmc /a
File | Add/Remove Snap-in
Add
Resultant Set of Policy
Security Configuration and Analysis
Security Templates

Close the dialogs, right-click on Security Configuration and Analysis
Select the appropriate template, perhaps secure DC

and run the analysis

You will clearly see the differences between the policy and the machine.

Check the system logs to see if the access denied message gives any further clues as to what is being denied, check the analysis in that area and make appropriate changes,

Or simply apply the policy to your DC, which should eliminate the access denied, even if it's not fully RO at that point. Then you can re-address the RO config.

If you are not certain WHERE the security settings that are causing your issues are coming from (i.e. "That doesn't make sense"), run the RSoP tool, which will TELL you if it's a local or domain policy, etc., so you know where to make the changes.

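The same analysis and RSoP lookup can be scripted from an elevated PowerShell prompt on the affected DC, so the list of mismatches and the winning GPO for each setting land in files you can keep. This is an added example, not part of dnilson's answer: the scratch directory and the template path are assumptions (export a template from a healthy DC with `secedit /export` if you have no other), and the `Mismatch` marker is what secedit writes in its analysis log for settings that diverge from the template.

```powershell
# Added example (not from the original thread). Run from an elevated prompt on the DC.
# Assumptions: $Template is a security template (.inf) you already trust;
# $work is scratch space for the analysis database, log and reports.
param(
    [string]$Template = 'C:\templates\securedc.inf'   # assumption: point at your template
)
$work = Join-Path $env:TEMP 'dc-secanalysis'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db  = Join-Path $work 'analysis.sdb'
$log = Join-Path $work 'analysis.log'

# 1. Snapshot the machine's current effective security settings so you can diff later.
secedit /export /cfg (Join-Path $work 'current.inf') /areas SECURITYPOLICY USER_RIGHTS | Out-Null

# 2. Analyse the machine against the template. This is "Analyze Computer Now" in the
#    Security Configuration and Analysis snap-in; nothing on the machine is changed.
secedit /analyze /db $db /cfg $Template /log $log | Out-Null

# 3. Pull the diverging settings out of the log. secedit prefixes them with "Mismatch".
$mismatches = @(Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() })
"{0} setting(s) differ from the template:" -f $mismatches.Count
$mismatches

# 4. Resultant Set of Policy for the computer. The verbose text lists every user right and
#    security option with its winning GPO (local, site, domain or OU); the HTML report is
#    the same data in a form that is easier to hand to someone else.
gpresult /scope computer /v > (Join-Path $work 'rsop-computer.txt')
gpresult /scope computer /h (Join-Path $work 'rsop-computer.html') /f

# To apply the template instead of only analysing (dnilson's second option), use
#   secedit /configure /db $db /cfg $Template /log $log
# Left out here on purpose: it changes the DC's effective security settings.
"Reports written to $work"
```

Look up every entry of the mismatch list in the RSoP text to see which policy delivered it before changing anything; a setting that shows "Local Group Policy" as the winning GPO is fixed on the machine, one that names a domain GPO has to be fixed in that GPO.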

jhoncoop commented:
Based on the error logs it appears that your account does not have the rights to update the RODC's AD object and is failing out.  Can you validate that you have the appropriate rights in the current location of the new RODC's account in Active Directory?

In addition, I can see you are able to successfully query information but you are failing at the Add stage.  One possibility is that your pre-positioned account was placed in the Domain Controllers OU, rather than the default "Computers" container and that could account for the differing behavior you've been seeing.

Hopefully this helps!
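One way to do the rights check jhoncoop asks for, as an added example that is not part of his answer: it reads the ACL of the OU named in the error and lists only the ACEs that grant or deny creating child objects (any class, or the "computer" class specifically) to a SID that is actually in the current logon token. The OU DN and domain are the ones from the poster's error message; the ActiveDirectory module (RSAT) is assumed to be installed, and the script is meant to run as the account that receives error 5.

```powershell
# Added example (not from the original thread). Run as the account that gets error 5.
# Assumption: ActiveDirectory module available; the OU DN is from the error message.
Import-Module ActiveDirectory
$ou = 'OU=Domain Controllers,DC=mynet,DC=com'

# Resolve the schemaIDGUID of the "computer" class from the schema rather than hard-coding it,
# so object-specific CreateChild ACEs can be matched.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# The SIDs the DC will actually evaluate: the user's own SID plus every group in the token.
# This is the token, not the AD group list, so a stale or filtered token shows up here.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($token.User) + @($token.Groups)

function Get-AceSid([System.Security.Principal.IdentityReference]$Id) {
    # Translate NTAccount -> SID; orphaned identities that no longer resolve return $null.
    try { $Id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl = Get-Acl -Path "AD:\$ou"

# ACEs that touch CreateChild, apply to any class (empty ObjectType) or to "computer",
# and name a principal present in our token.
$relevant = @($acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band $createChild) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerGuid) -and
    ($mySids -contains (Get-AceSid $_.IdentityReference))
})

$relevant | Sort-Object AccessControlType |
    Format-Table AccessControlType, IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize

# Deny beats Allow regardless of Domain Admins membership, so a Deny here is the ACE to chase.
$denies = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    "Deny ACE(s) on CreateChild for the current token on $ou (see IsInherited for where they come from)"
} elseif ($relevant.Count -eq 0) {
    "No CreateChild grant for the current token on $ou"
} else {
    "CreateChild is granted by the OU ACL itself; the denial is not coming from this ACL"
}
```

If the script reports that CreateChild is granted and no Deny matches, the OU's ACL is not what is producing error 5, which is what the poster later confirmed with ADSI Edit.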
chief-MH (author) commented:
Hello jhoncoop,

thanks for your answer.
We checked our permissions in ADSI Edit for the Domain Controllers OU and we have all the rights we need.
So this didn't help, sorry

Martin

chief-MH (author) commented:
Hello,

now we found the solution.
We reset our "Default Domain Policy" and the "Default Domain Controllers Policy" with the DcGPOFix tool (DCGPOFix /ignoreschema /target:BOTH). But be careful with this tool: all options in your policies will be reset and synced to all other DCs and RODCs.
After we set our configuration in those two policies again, we could pre-create an RODC account.

Thanks for your answers.
Martin
dnilson commented:
The bulk reset the author employed resolved the problem, which confirms my solution would have worked and given the author enough granular control of the settings that the caveat "But be careful with this tool: all options in your policies will be reset and synced to all other DCs and RODCs." could have been avoided by changing only the settings affecting the author, and not everything.
chief-MH (author) commented:
Hello dnilson,

our "Default Domain Policy" and the "Default Domain Controllers Policy" were definitely corrupted.
The only way to fix this corruption is the DcGPOFix tool. The tool corrected all corruptions because it configures those two policies to the Microsoft default settings. After the reset we made the same configurations as before. And after that it works.
So there must have been corruptions inside those two policies which you couldn't see in the Group Policy Management tool. An indication that there is a corruption is the policy version counter. The counter currently shows a computer version of 38213, and believe me, we didn't make that many changes. So there were the automatic AD checks which tried to repair those policies.

So you see, there was no other way to fix our problem.

I posted that warning only for other users who have the same problem; in my environment some systems updated their local settings with the Microsoft default settings. This was not so good ;-)

sincerely
Martin
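An added example, not Martin's script, that goes with both his solution post (the dcgpofix reset) and the version-counter observation above: it reads the AD and SYSVOL version counters of the two default GPOs, takes a restorable backup plus an HTML report of their current settings, and only then offers the reset. The backup directory is an assumption, and the reset runs only when the `-Reset` switch is given, because dcgpofix replaces every customisation in both GPOs and that change replicates to every DC and RODC. The GroupPolicy module (GPMC/RSAT) is assumed to be installed.

```powershell
# Added example (not from the original thread). Needs the GroupPolicy module.
# Assumption: $BackupDir is a local path with room for two GPO backups.
param(
    [string]$BackupDir = 'C:\GPOBackup',   # assumption
    [switch]$Reset                          # dcgpofix only runs when explicitly requested
)
Import-Module GroupPolicy
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$defaults = 'Default Domain Policy', 'Default Domain Controllers Policy'
foreach ($name in $defaults) {
    $gpo = Get-GPO -Name $name

    # Version counters as stored in AD (DSVersion) and in SYSVOL (SysvolVersion). Every edit
    # increments them; a computer version in the tens of thousands with few real edits, or AD
    # and SYSVOL disagreeing, is the symptom described in the post above.
    [pscustomobject]@{
        Name           = $gpo.DisplayName
        Id             = $gpo.Id
        ComputerDS     = $gpo.Computer.DSVersion
        ComputerSysvol = $gpo.Computer.SysvolVersion
        UserDS         = $gpo.User.DSVersion
        UserSysvol     = $gpo.User.SysvolVersion
        VersionsInSync = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                         ($gpo.User.DSVersion     -eq $gpo.User.SysvolVersion)
    } | Format-List

    # Keep a restorable copy and a readable report of the settings as they are now. The report
    # is what you re-enter by hand after the reset; a Restore-GPO of the backup would put the
    # pre-reset state back, corruption included.
    Backup-GPO -Guid $gpo.Id -Path $BackupDir -Comment "before dcgpofix $(Get-Date -Format s)" | Out-Null
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $BackupDir (($name -replace ' ', '_') + '.html'))
}

if ($Reset) {
    # Rewrites both default GPOs to Microsoft defaults; that state replicates to all DCs and RODCs.
    # /ignoreschema skips the tool's schema-version check; dcgpofix prompts for confirmation.
    dcgpofix /ignoreschema /target:BOTH
    "Reset done. Re-apply your own settings from the reports in $BackupDir, then retry the RODC pre-creation."
}
```

Run it once without `-Reset` to record the counters and collect the reports, compare the HTML against what you believe the policies should contain, and only then run it with `-Reset`; the post-reset re-configuration is the manual step Martin describes.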