proadmin asked:
Active Directory (dcpromo) Fails

The operation failed because:

Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller.

Ensure the provided network credentials have sufficient permissions.

The network has already been joined; this occurs while running DCPROMO. I am attempting to add a secondary domain controller. Any ideas?
Mike Kline:

I'm assuming you are running this with an admin account.
Any other messages? Is this just a second box? Any firewalls between the boxes? You can run dcdiag on your current DC to see if there are any issues.
May seem obvious, but are you using Domain administrative credentials?
I.e. you may have limited through GPO which account can do what.
Check the event log. Can the member server ping a DC? Is the principal DC that has the FSMO roles available? Use dcdiag to make sure that there are no issues with the AD that might explain this.
Hi,

Create a new user that is a member of Enterprise Admins and Domain Admins, and then try it again using that account.

M@
I have seen this when you don't use a domain admin account.

Also, if you aren't pointing to an existing DNS server for DNS
arul4_1983:

Can you please check the DCPROMO.LOG file in the Windows directory to see which server it is pointing to for replication?

proadmin (asker):

Okay. Ran dcdiag, all items passed. No firewall, no other messages. Created a new account like you all said and made sure it was a member of Enterprise Admins and Domain Admins. Still fails. Also, both machines are Win2k8 (2008).

Here's the log data:
Warning: NTDS General / Internal Configuration: 1463 Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization.

Error does not support Recycle Bin
NTDS Replication 1125 was unable to establish connection (even though it does connect!)
1722 - RPC Controller is Unavailable
Any ideas?
dcdiag on your current DC passed with no errors?
Sounds like you have a problem with DNS; it can look like it's working fine, but not on a service level.
Do the following in a command prompt to ensure that the SRV records for the AD servers are in DNS properly:

nslookup
set type=srv
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM
Server:  dnsserver.yourdomain.com
Address:  192.168.100.2

you should see something like this:

_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.YOURDOMAIN.COM
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server2.YOURDOMAIN.COM
server1.YOURDOMAIN.COM       internet address = 1.1.1.2
server2.YOURDOMAIN.COM       internet address = 1.1.1.1

If you don't, then you definitely have a DNS problem.
OK. I checked what you said, it indeed came back as it should. The only concern I have, if any, is that both public and private IPs show up. So what do I do now?
Every single time it goes to creating NTDS Settings object it fails. Even when I do NOT enable global catalog on the second DC.

The error again is:
The RPC server is unavailable.
The operation failed because Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller. CN=NTDS Settings on the remote AD DC. Ensure the provided network credentials have sufficient permissions.
Are both private and public IPs accessible from the DC you are adding?
You need to limit the AD/DNS records for the current DC to the IP on which both systems can communicate.
Does the DC have two network connections, one for the outside and one for the LAN?
Yes. It's Hyper-V, so all IPs can communicate fine. Any ideas what's causing the RPC problem? It seems to be when the NTDS Settings objects are being created.

What should I do? Is there a way to recreate permissions on the master DC? Is that even it?
Can you connect from the new DC system to both IPs of the DC?
Is the primary DC also the Hyper-V host?
I.e. the DC has ip1 and ip2.
The new DC has an IP on the same segment as ip2, but cannot get to ip1.
This may be what the problem is.
You could try adding an entry in c:\windows\system32\drivers\hosts:
ip2 Primary_dc
and see if this makes a difference.
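The two checks suggested in this thread (that the `_ldap._tcp.dc._msdcs` SRV records exist, and that every address the existing DC registers is actually reachable from the new DC) can be combined into one script. This is an added example written for this page, not code from any poster; it assumes PowerShell with the DnsClient module (Resolve-DnsName, Windows Server 2012 / Windows 8 or later) and uses `yourdomain.com` as a placeholder domain.

```powershell
# Added example: verify DC locator SRV records and confirm that every
# address they point at answers on LDAP (389) and the RPC endpoint mapper (135).
param(
    [string]$Domain = 'yourdomain.com',   # placeholder, replace with the AD DNS name
    [int]$TimeoutMs = 3000
)

# Raw TCP connect with a timeout; avoids Test-NetConnection so it also works
# where that cmdlet is missing.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Locator record every DC must register; dcpromo uses it to find a source DC.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) { throw "No SRV records for $srvName - DNS is not serving the domain." }

foreach ($rec in $srv) {
    $dcHost = $rec.NameTarget
    # A DC with several interfaces (public + private, as in this thread) registers
    # several A records; an unreachable one can make an RPC bind pick the wrong IP.
    $addrs = (Resolve-DnsName -Name $dcHost -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' }).IPAddress
    if (-not $addrs) { Write-Warning "$dcHost has no A record"; continue }
    foreach ($ip in $addrs) {
        $ldap = Test-TcpPort -Address $ip -Port 389 -TimeoutMs $TimeoutMs
        $rpc  = Test-TcpPort -Address $ip -Port 135 -TimeoutMs $TimeoutMs
        $status = if ($ldap -and $rpc) { 'OK' } else { 'UNREACHABLE - remove from DNS or fix routing' }
        "{0,-30} {1,-16} LDAP/389={2,-5} RPC/135={3,-5} {4}" -f $dcHost, $ip, $ldap, $rpc, $status
    }
}
```

Run it on the server being promoted; any registered DC address that fails on 135 or 389 is the one to remove from DNS (or to make routable) before retrying dcpromo. A pass on 135 shows only that the endpoint mapper answers; replication also needs the dynamic RPC port range open between the two machines.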
Arnold, tried that. Again, it is not a connection problem. It seems to be either a permissions problem or a schema problem of some kind. It does INDEED connect; I know this for a FACT because after it tries to dcpromo, I see under Domains and Sites that the computer has been moved to Domain Controllers from Computers (under groups). So it seems it's hanging on something else; it IS connecting and authorizing.
ASKER CERTIFIED SOLUTION by arnold (text available to Experts Exchange members only)
Firewall Off, still not working. The NTDS settings seem to be standard and normal. Query Policy is Default, DNS Alias is filled in, Global Catalog Checked. Under security enterprise admins and domain admins have full access. Has anyone had this problem before?
Is one system a Hyper-V VM and the other the host?
Is there no entry in the dcdiag report that displays an error or a mismatch?
See if this works.

Are you going through a router?

http://support.microsoft.com/?kbid=244474