purektm asked:

DCPROMO fails with error "Access is denied"

I am in the process of adding a Server 2008 R2 DC, in a Server 2003 Active Directory environment. When running DCPROMO on the 2008 server, I am receiving the following error - The operation failed because: The Active Directory Domain Services was unable to convert the computer account <hostname>$ to an Active Directory Domain Controllers account. "Access is Denied"

Steps that led up to the error:
- I joined the 2008 server to the domain as a member server.
- I have raised my Forest Functional Level to Server 2000 native.
- I ran ADPREP32 /forestprep and /domainprep on my 2003 DC, and it completed successfully.
- Ran DCPROMO on the 2008 server, and received the error.
- Found the following article on MS support - http://support.microsoft.com/kb/2000939 - and followed the steps accordingly. Steps 1-3 I am confident have been completed correctly. 4-6 I believe I followed correctly, although I'm not 100% confident.
- Rebooted both the 2003 DC and the 2008 server. Reran DCPROMO on the 2008 server, and received the same error.

I'm trying to have this completed by Monday, so we can move forward with another project that is pending the completion of this issue.

Thank you for your help.
sfossupport

Were you enterprise admin when you ran dcpromo? What account did you run dcpromo from?
Can you paste the contents of the dcpromo logs?
 
purektm (ASKER)

Yes, I was logged in as the domain admin, which is a member of the enterprise admin group.

I have attached the DCPROMO log file.

Thanks.
DCPROMO.LOG
ASKER CERTIFIED SOLUTION
v_2abhis2

This solution is only available to members.

Verify the account you are using for dcpromo is a member of domain admin & enterprise admin.
Verify the default domain policy & default domain controller GPO are not corrupt using gpotool.exe.
purektm (ASKER)

V_2abhis2- I have already previously added the policy prior. I logged in as the builtin administrator, and received the same error when running DCPROMO.

Awinish- I am using the domain admin account, which is a member of enterprise admins. I have also used my user account, and added myself to the domain admin, and enterprise admins.

I ran the gpotool.exe and the policies were all okay. I have attached the log.
gpotool.txt
Can you disable AV on the new DC & try to promote it again?
Can you post the IPconfig /all report from the healthy DC & the problem server which is going to be a DC, unedited I mean?
Can you post the below result too?
"dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion"

dcdiag /v /c /d /e >>c:\dcpromo.log

Attach the above report, instead of posting inline.

Maybe a security issue while moving the member server account to the domain controller account in the Domain Controllers container. You should verify if the domain admin account has full control on the OU where the member server resides at this time, and the destination where it should be after DC promo.
To see the security tab, you need to show advanced features. There you can verify the effective rights for an account.

I think you have blocked inheritance on the Domain Controllers OU. If yes, remove the block inheritance, enable inheritance on the Domain Controllers OU & see to it that domain admin has full permission on the DC OU.
Darius Ghassem
Make sure you are running dcpromo at an elevated prompt.

Right-click Command prompt run as Admin.
purektm (ASKER)

Awinish- The 2008 server doesn't have AV installed. I did disable AV on the 2003 server, and reran DCPROMO... same error.


Windows IP Configuration (from 2008 server)

   Host Name . . . . . . . . . . . . : INTERSDC
   Primary Dns Suffix  . . . . . . . : DOMAIN.COM
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DOMAIN.COM

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : 00-1C-C4-EC-A2-86
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9d92:fb01:51fd:e927%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.111.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.111.1
   DHCPv6 IAID . . . . . . . . . . . : 234888388
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C2-50-91-00-1C-C4-EC-A2-86

   DNS Servers . . . . . . . . . . . : 192.168.111.11
                                       192.168.111.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1939A3D4-A002-4C97-BB65-08B892C6EE30}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

___________________________________________________________

When running the dsquery I get the error - dsquery failed: a referral was returned from the server.

DCdiag log has been attached. dcpromo.log


Tasmant- I verified security for the domain admin and enterprise admin groups on the OU and destination OU. Both have full access.

Awinish- Inheritable permissions are enabled on the domain controller OU. I verified the domain admin has full control on the domain controller OU.

Dariusg- dcpromo is being run at an elevated level. I reran dcpromo using the right click, run as admin option and still received the error.
SOLUTION
This solution is only available to members.
purektm (ASKER)

dariusg- I realize that is the solution for this, although when I followed the steps provided the issue persists.

I also read through both EE questions you linked prior, and have checked my servers according to the solutions that were listed, and I cannot find the same issues they had found to be the problem.

I've rebooted both active DCs and the new 2008 server multiple times now, and all current DCs are in the domain controllers container. The 2008 server is in the default computers OU, and I moved it into the Domain controllers OU once, and tried DC Promo, and still got the error.

I'm assuming this is a permissions issue within active directory, but I can't seem to find where.
purektm (ASKER)

Dariusg- I retraced all my steps through the original document, and found out I missed something.

When changing the Default Domain Controllers policy I verified that it replicated to the other active DC, but not the DC I made the change on. I checked the local policy on the server, and the settings did not take effect. So I manually added the administrators group, and reran DCPROMO, and it completed without error.

Thank you everyone for your assistance.
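
The resolution above turned on a policy change that had been made but was not in effect on one DC. The following is an added example, not part of the original thread: a PowerShell check that reads the effective user rights on the DC it runs on and reports whether Administrators actually holds a given right. It assumes the right in question is "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege), which is what KB 2000939 covers; the thread itself does not name the setting, and the function name Get-UserRightSids is hypothetical.

```powershell
# Added example: verify a user right is effective on this DC (run elevated).
# Assumption: the right is SeEnableDelegationPrivilege; the thread does not name it.
function Get-UserRightSids {
    param(
        [string]$Right = 'SeEnableDelegationPrivilege',
        [string]$InfPath   # optional: parse an existing secedit export instead
    )
    $cleanup = $false
    if (-not $InfPath) {
        # Export the effective local security policy, user rights area only.
        $InfPath = Join-Path $env:TEMP 'user_rights.inf'
        secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $cleanup = $true
    }
    $sids = @()
    foreach ($line in Get-Content $InfPath) {
        # Entries look like: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-...
        # A right granted to nobody has no line at all in the export.
        if ($line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            $sids = $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
    if ($cleanup) { Remove-Item $InfPath -ErrorAction SilentlyContinue }
    return ,@($sids)
}

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$granted   = Get-UserRightSids
if ($granted -contains $adminsSid) {
    "OK: Administrators holds SeEnableDelegationPrivilege on $env:COMPUTERNAME"
} else {
    "MISSING on ${env:COMPUTERNAME}. Effective entries: $($granted -join ', ')"
    "The GPO edit has not applied here; run gpupdate /force and check again."
}
```

Running it on each existing DC before retrying DCPROMO shows whether the Default Domain Controllers Policy change has been applied locally, rather than only saved and replicated.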