cannot get DCPROMO to complete

I cannot get DCPROMO to complete on a member server in my domain (2008 64 bit R2, SP1). I have 6 DCs and 2 RODCs. Trying to bring online 3 more RODCs. I get this error in the GUI.

Failed to install Active Directory Domain Services binaries.  The error was: Fatal error during installation.

Then I look at some logs and get this information.

From C:\Windows\debug\dcpromoui.log:
Enter CbsInstallPackageViaExe
dcpromoui 10F4.10F8 003A 21:43:48.256         update name is DirectoryServices-DomainController and package name is
dcpromoui 10F4.10F8 003B 21:43:48.256         Enter GenerateCbsLogName DirectoryServices-DomainController
dcpromoui 10F4.10F8 003C 21:43:48.256           The generated log name is C:\Windows\debug\DirectoryServices-DomainController_install.dcpromoui_cbs.log
dcpromoui 10F4.10F8 003D 21:43:48.256         Calling CreateProcess
dcpromoui 10F4.10F8 003E 21:43:48.256         C:\Windows\system32\dism.exe
dcpromoui 10F4.10F8 003F 21:43:48.256         /online /logpath:"C:\Windows\debug\DirectoryServices-DomainController_install.dcpromoui_cbs.log" /norestart /quiet /enable-feature:DirectoryServices-DomainController
dcpromoui 10F4.10F8 0040 21:43:48.256         Enter FS::GetPathSyntax C:\Windows\system32\dism.exe
dcpromoui 10F4.10F8 0041 21:43:48.287         CreateProcess hr is 0
dcpromoui 10F4.10F8 0042 21:44:04.245     Exit code is 0x643.
dcpromoui 10F4.10F8 0043 21:44:04.245   Enter HandleInstallationError
dcpromoui 10F4.10F8 0044 21:44:04.245     Enter GetErrorMessage 80070643
dcpromoui 10F4.10F8 0045 21:44:04.245     MessageBox: Active Directory Domain Services Installer : Failed to install Active Directory Domain Services binaries. The error was: Fatal error during installation.
dcpromoui 10F4.10F8 0046 21:44:05.821   Exit code is 65
dcpromoui 10F4.10F8 0047 21:44:05.821   Enter UnattendSplashDialog::SelfDestruct
dcpromoui 10F4.10F8 0048 21:44:05.821 closing log

From C:\Windows\debug\DirectoryServices-DomainController_install.dcpromoui_cbs.log:
2011-12-13 21:43:49, Info                  DISM   DISM Package Manager: PID=4452 Encountered the option "enable-feature" with value "DirectoryServices-DomainController" - CPackageManagerCLIHandler::Private_GetPackagesFromCommandLine
2011-12-13 21:43:49, Info                  DISM   DISM Package Manager: PID=4452 Encountered an unknown option "enable-feature" with value "DirectoryServices-DomainController" - CPackageManagerCLIHandler::Private_GetPackagesFromCommandLine
2011-12-13 21:43:51, Info                  DISM   DISM Package Manager: PID=4452 Initiating Changes on Package with values: 5, 7 - CDISMPackage::Internal_ChangePackageState
2011-12-13 21:44:03, Info                  DISM   DISM Package Manager: PID=4452  Error in operation: (null) (CBS HRESULT=0x80070643) - CCbsConUIHandler::Error
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80070643)
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed processing package changes - CDISMPackageManager::ProcessChanges(hr:0x80070643)
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed ProcessChanges. - CPackageManagerCLIHandler::Private_ProcessFeatureChange(hr:0x80070643)
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed while processing command enable-feature. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80070643)
2011-12-13 21:44:03, Info                  DISM   DISM Package Manager: PID=4452 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine
2011-12-13 21:44:03, Error                 DISM   DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80070643
Todd MostowyAmericas Regional IT ManagerAsked:
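An added example, not part of the original thread: a small Python triage of the two logs quoted in the question. It decodes the HRESULT into its Win32 error code, checks it against the dism.exe exit code, and lists the failing DISM calls and the follow-up log. The function names are illustrative, and the sample lines are copied from the post.

```python
import re

# Lines copied from the two logs quoted in the question (not new data).
SAMPLE_LOG = r"""
dcpromoui 10F4.10F8 0042 21:44:04.245     Exit code is 0x643.
dcpromoui 10F4.10F8 0044 21:44:04.245     Enter GetErrorMessage 80070643
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80070643)
2011-12-13 21:44:03, Error                 DISM   DISM Package Manager: PID=4452 Failed processing package changes - CDISMPackageManager::ProcessChanges(hr:0x80070643)
2011-12-13 21:44:03, Info                  DISM   DISM Package Manager: PID=4452 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine
2011-12-13 21:44:03, Error                 DISM   DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80070643
"""

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code
WIN32_NAMES = {1603: "ERROR_INSTALL_FAILURE"}  # only the code seen in this thread

HR_RE = re.compile(r"(?:hr:0x|HRESULT=(?:0x)?|GetErrorMessage )([0-9A-Fa-f]{8})\b")
EXIT_RE = re.compile(r"Exit code is 0x([0-9A-Fa-f]+)")
FAIL_RE = re.compile(r", Error\s+DISM\s+.* - (\S+)\(hr:0x")
NEXT_RE = re.compile(r"can be found at (\S+)")

def decode_hresult(hr):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {"failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def triage(log_text):
    """Collect distinct HRESULTs, exit codes, failing DISM calls and follow-up logs."""
    out = {"hresults": set(), "exit_codes": set(), "failing_calls": [], "next_logs": []}
    for line in log_text.splitlines():
        out["hresults"].update(int(h, 16) for h in HR_RE.findall(line))
        out["exit_codes"].update(int(c, 16) for c in EXIT_RE.findall(line))
        out["failing_calls"].extend(FAIL_RE.findall(line))
        out["next_logs"].extend(NEXT_RE.findall(line))
    return out

def summarize(report):
    """Describe each HRESULT and whether a process exit code matches its Win32 code."""
    lines = []
    for hr in sorted(report["hresults"]):
        d = decode_hresult(hr)
        name = WIN32_NAMES.get(d["code"], "unknown") if d["facility"] == FACILITY_WIN32 else "non-Win32"
        matches = d["code"] in report["exit_codes"]
        lines.append(f"0x{hr:08X}: Win32 {d['code']} ({name}), exit code match: {matches}")
    return lines

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("\n".join(summarize(report)))
    print("failing calls:", report["failing_calls"], "| look next in:", report["next_logs"])
```

The decoded value, Win32 error 1603, is the generic installer failure behind the "Fatal error during installation" text, so the DISM log alone does not name a cause; the CBS log it points to is the next place to read.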

Mike ThomasConsultantCommented:
This appears to be just an install issue, try installing the service (add role) separately rather than running DC promo, if that fails you would probably be better off just reinstalling the OS.
0
SandeshdubeySenior Server EngineerCommented:
Try this
Set the Remote Registry Service to start automatically if you disabled it. Reboot and run dcpromo again.
Hope this helps

0
gurdeep1302Commented:
Hi,

Try adding AADS role before you run dcpromo.
Are you using an unattended file to promote this server as DC?
0

Todd MostowyAmericas Regional IT ManagerAuthor Commented:
The remote registry service is set to auto and is running, I cannot add the AADS role, I get a similar error.  No unattended file that I know of....   What is crazy is this is happening to 3 servers, all across the WAN.  I wonder if a firewall port is closed or something.
0
Mike ThomasConsultantCommented:
Were they all built from the same image?
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
Nope.  They were loaded by hand from our ISO file from Microsoft.
0
Mike ThomasConsultantCommented:
Well, something is up, 3 servers all unable to install a role. There are no ports that need to be open for this role to be installed, or anything else for that matter; you are simply trying to install a server component prior to its configuration (DC promo) that requires nothing special at all... maybe try using different install media?

0
gurdeep1302Commented:
Try installing ADFS and then ADDS service. Disable Windows IPSec service and disable Windows firewall using netsh command.

Hope this helps !!!
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
More info.  We loaded 4 and sent the servers to Costa Rica, PA, MA and CA.  The one in Costa Rica worked fine w/ DCPROMO, adding the RODC and DNS roles.  The servers in PA, MA all are also VPN Site to Site links just like Costa Rica.  The one in CA is MPLS.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
So rather than do this all over the WAN, I have a guy going to be there on Monday. I have to wait until Monday to install ADFS or make firewall changes as you suggest. This is a production server. So Monday we'll try the one in Boston and see how it goes.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
Here is the error I get when trying to add the ADDS role.

"Attempt to install Active Directory Domain Controller filed with error code 0x80070643.  Fatal error during installation."

0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
Never could fix this, I guess it will stay open until I find a resolution. May just call Microsoft.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
Today I called Microsoft as I have not gotten an answer from Experts Exchange.  I opened a case and await the callback.  I will post the reply here when I get one.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
The solution was to uninstall the McAfee Enterprise software. My security team assured me they tested this and this was not the root cause. Microsoft proved them wrong today.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
None of the tips helped, so I called Microsoft and now it is fixed.
0
smeekCommented:
I just tried and was able to disable McAfee using unlock.

It was then able to run AD install afterwards and install GP.
0
Todd MostowyAmericas Regional IT ManagerAuthor Commented:
Cool!  Glad it worked smeek.
0