- Active Directory
- Windows OS
- Windows Networking
- Security
- OS Security
- Network Security
- Windows Server 2012
- Windows Server 2008
- Windows Server 2003
- Microsoft Server OS
PRE-CREATE READ-ONLY DOMAIN CONTROLLER - ACCESS DENIED
Hi,
I have 2 DC's (2008 R2) running on function level 2008. I'm trying to add a 2008 R2 RODC, but i got an error, so i tried to pre-create a read only domain controller but getting the same error, here from debug:
dcpromoui 1360.15E0 07A8 12:31:16.093 Enter CLdapExpressionPresent::Co
dcpromoui 1360.15E0 07A9 12:31:16.093 ==> false
dcpromoui 1360.15E0 07AA 12:31:16.093 ==> true
dcpromoui 1360.15E0 07AB 12:31:16.093 msDS-RevealOnDemandGroup: replace
dcpromoui 1360.15E0 07AC 12:31:16.093 <SID=01050000000XXXXXXXXXX
dcpromoui 1360.15E0 07AD 12:31:16.093 ldap_add("CN=DC900,OU=Doma
dcpromoui 1360.15E0 07AE 12:31:16.140 _lastLdapError_ <- "50"
dcpromoui 1360.15E0 07AF 12:31:16.140 ldap_add(CN=DC900,OU=Domai
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
dcpromoui 1360.15E0 07B0 12:31:16.140 Enter GetErrorMessage 80070005
dcpromoui 1360.15E0 07B1 12:31:16.140 ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
dcpromoui 1360.15E0 07B2 12:31:16.140 Enter CLdapOperationDisconnect::
dcpromoui 1360.15E0 07B3 12:31:16.140 ExecuteScript() failed:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
dcpromoui 1360.15E0 07B4 12:31:16.140 Rolling back script operations
dcpromoui 1360.15E0 07B5 12:31:16.140 Enter CLdapContext::ExecuteScrip
dcpromoui 1360.15E0 07B6 12:31:16.140 Enter CLdapOperationBlock::Execu
dcpromoui 1360.15E0 07B7 12:31:16.140 Rollback successful
dcpromoui 1360.15E0 07B8 12:31:16.140 FAIL
I tried making the server part of the domain, but still the same problem.
The debug information does not give me much to go on.
I tried with different users. My admin user is member of all admin groups, as well as some other groups, still same problem. We have pretty strict group policies.
I have 2 DC's (2008 R2) running on function level 2008. I'm trying to add a 2008 R2 RODC, but i got an error, so i tried to pre-create a read only domain controller but getting the same error, here from debug:
dcpromoui 1360.15E0 07A8 12:31:16.093 Enter CLdapExpressionPresent::Co
dcpromoui 1360.15E0 07A9 12:31:16.093 ==> false
dcpromoui 1360.15E0 07AA 12:31:16.093 ==> true
dcpromoui 1360.15E0 07AB 12:31:16.093 msDS-RevealOnDemandGroup: replace
dcpromoui 1360.15E0 07AC 12:31:16.093 <SID=01050000000XXXXXXXXXX
dcpromoui 1360.15E0 07AD 12:31:16.093 ldap_add("CN=DC900,OU=Doma
dcpromoui 1360.15E0 07AE 12:31:16.140 _lastLdapError_ <- "50"
dcpromoui 1360.15E0 07AF 12:31:16.140 ldap_add(CN=DC900,OU=Domai
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
dcpromoui 1360.15E0 07B0 12:31:16.140 Enter GetErrorMessage 80070005
dcpromoui 1360.15E0 07B1 12:31:16.140 ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
dcpromoui 1360.15E0 07B2 12:31:16.140 Enter CLdapOperationDisconnect::
dcpromoui 1360.15E0 07B3 12:31:16.140 ExecuteScript() failed:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
dcpromoui 1360.15E0 07B4 12:31:16.140 Rolling back script operations
dcpromoui 1360.15E0 07B5 12:31:16.140 Enter CLdapContext::ExecuteScrip
dcpromoui 1360.15E0 07B6 12:31:16.140 Enter CLdapOperationBlock::Execu
dcpromoui 1360.15E0 07B7 12:31:16.140 Rollback successful
dcpromoui 1360.15E0 07B8 12:31:16.140 FAIL
I tried making the server part of the domain, but still the same problem.
The debug information does not give me much to go on.
I tried with different users. My admin user is member of all admin groups, as well as some other groups, still same problem. We have pretty strict group policies.
I also just tried to run adprep /rodcprep, and i get the same error 5, access denied message. It worked if i ran it as "run as administrator". Howver it skipped all processes because the operation was already run.
On the error it listed all the groups i had to be a member of, but i am already a member of these groups. Seems really strange.
Same error when trying to pre-create though...
On the error it listed all the groups i had to be a member of, but i am already a member of these groups. Seems really strange.
Same error when trying to pre-create though...
Did you run the Adprep /rodcprep on the writable domain controller ( preferred to run on Schema master) and the user needs to be member of Enterprise Admins group.
For pre-create RODC refer the link for steps need to follow
http://blogs.technet.com/b/11/archive/2009/08/31/installing-a-read-only-domain-controller-rodc-in-sbs-2008-and-essential-business-server-2008-environment.aspx
Also the below link will give more information...
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24554686.html
For pre-create RODC refer the link for steps need to follow
http://blogs.technet.com/b/11/archive/2009/08/31/installing-a-read-only-domain-controller-rodc-in-sbs-2008-and-essential-business-server-2008-environment.aspx
Also the below link will give more information...
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24554686.html
I know the steps for the RODC, but its seems to be the same as the other case you referred to on EE. However, we definately don't want to reset the entire default domain policy as they did, unaware of what impact it will have on our systems.
So if someone could help me identifty what policy or file permission that denies me access, i would be grateful. I really don't know what i should look for when i get this:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
What kind of option would limit this access? I'm both in Enterprise admin and Domain admin.
So if someone could help me identifty what policy or file permission that denies me access, i would be grateful. I really don't know what i should look for when i get this:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=
What kind of option would limit this access? I'm both in Enterprise admin and Domain admin.
Explore More Content
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Best practice in Granting access to certain computer only for external contractor ? -
![]()
wrote an Article
![]()
Delegation of access to Bitlocker Recovery Passwords – this way, please!
-
![]()
created a Video
![]()
Exchange all versions - Check when a user mailbox was created
-
Explore Cloud Class® ![]()
70-640 R5: Configuring Windows Server 2008 R2 Active Directory
Premium Content
You need an Expert Office subscription to comment.Start Free Trial