PRE-CREATE READ-ONLY DOMAIN CONTROLLER - ACCESS DENIED

Posted on 2012-08-16
Medium Priority
1,639 Views
Last Modified: 2012-09-23
Hi,
I have 2 DCs (2008 R2) running at functional level 2008. I'm trying to add a 2008 R2 RODC, but I got an error, so I tried to pre-create a read-only domain controller and got the same error. Here is the relevant part of the debug log:

dcpromoui 1360.15E0 07A8 12:31:16.093             Enter CLdapExpressionPresent::Compute pattern=dcAccountExists
dcpromoui 1360.15E0 07A9 12:31:16.093               ==> false
dcpromoui 1360.15E0 07AA 12:31:16.093             ==> true
dcpromoui 1360.15E0 07AB 12:31:16.093           msDS-RevealOnDemandGroup: replace
dcpromoui 1360.15E0 07AC 12:31:16.093             <SID=01050000000XXXXXXXXXXXXXXXXXXX40718574D3B020000>
dcpromoui 1360.15E0 07AD 12:31:16.093           ldap_add("CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED")
dcpromoui 1360.15E0 07AE 12:31:16.140           _lastLdapError_ <- "50"
dcpromoui 1360.15E0 07AF 12:31:16.140           ldap_add(CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED) failed, err=50
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

dcpromoui 1360.15E0 07B0 12:31:16.140           Enter GetErrorMessage 80070005
dcpromoui 1360.15E0 07B1 12:31:16.140       ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).
dcpromoui 1360.15E0 07B2 12:31:16.140       Enter CLdapOperationDisconnect::Execute
dcpromoui 1360.15E0 07B3 12:31:16.140     ExecuteScript() failed:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).

dcpromoui 1360.15E0 07B4 12:31:16.140     Rolling back script operations

dcpromoui 1360.15E0 07B5 12:31:16.140     Enter CLdapContext::ExecuteScript opMode=undo
dcpromoui 1360.15E0 07B6 12:31:16.140       Enter CLdapOperationBlock::Execute
dcpromoui 1360.15E0 07B7 12:31:16.140     Rollback successful
dcpromoui 1360.15E0 07B8 12:31:16.140   FAIL

I tried making the server part of the domain, but still the same problem.
The debug information does not give me much to go on.

I tried with different users. My admin user is a member of all admin groups, as well as some other groups, but still the same problem. We have pretty strict group policies.
Question by:polstj
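The asker notes that the debug output gives little to go on. As an added example (not from this thread or from dcpromo itself), the Python helper below parses the dcpromoui lines quoted above, names the LDAP result code, the AD SecErr problem and the HRESULT, and points at the parent container whose ACL the directory actually evaluated for the add; the code tables are small RFC 4511 / Win32 subsets, and the sample log is a constructed excerpt of the one in the question.

```python
import re

# Constructed excerpt of the dcpromoui debug log quoted in the question (DN redacted as on the page).
SAMPLE_LOG = """\
dcpromoui 1360.15E0 07AF 12:31:16.140           ldap_add(CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED) failed, err=50
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
dcpromoui 1360.15E0 07B1 12:31:16.140       ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).
"""

# LDAP resultCode names from RFC 4511 (the subset usually seen in dcpromo logs).
LDAP_RESULT_NAMES = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights",
                     53: "unwillingToPerform", 68: "entryAlreadyExists"}
# Win32 error names for the low 16 bits of a FACILITY_WIN32 HRESULT (subset).
WIN32_ERROR_NAMES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

FAILED_OP_RE = re.compile(r'(\w+)\("?(CN=[^")]+)"?\) failed, err=(\d+)')
SECERR_RE = re.compile(r'SecErr: (DSID-[0-9A-Fa-f]+), problem (\d+) \((\w+)\), data (\d+)')
EXCEPTION_RE = re.compile(r'EXCEPTION: ([0-9A-Fa-f]{8}) ')

def decode_hresult(hresult):
    """Return the Win32 error code inside a FACILITY_WIN32 HRESULT, or None for other facilities."""
    return hresult & 0xFFFF if (hresult >> 16) & 0x1FFF == 7 else None  # facility 7 == WIN32

def triage(log_text):
    """Extract the failing LDAP operation, AD SecErr detail and HRESULT from a dcpromoui log."""
    r = {}
    for line in log_text.splitlines():
        if m := FAILED_OP_RE.search(line):
            r.update(operation=m.group(1), dn=m.group(2), ldap_result=int(m.group(3)))
            r["ldap_result_name"] = LDAP_RESULT_NAMES.get(r["ldap_result"], "unknown")
            # AD evaluates "create child" rights on the parent, so that is where the ACL matters.
            r["parent_container"] = m.group(2).split(",", 1)[1]
        elif m := SECERR_RE.search(line):
            r.update(dsid=m.group(1), ad_problem=int(m.group(2)), ad_problem_name=m.group(3))
        elif m := EXCEPTION_RE.search(line):
            r["hresult"] = int(m.group(1), 16)
            r["win32_error"] = decode_hresult(r["hresult"])
            r["win32_error_name"] = WIN32_ERROR_NAMES.get(r["win32_error"], "unknown")
    return r

def summary(r):
    """One-line verdict naming what to check next; empty string if no LDAP failure was found."""
    if "ldap_result" not in r:
        return ""
    return (f"{r['operation']} of {r['dn']} failed: LDAP {r['ldap_result']} ({r['ldap_result_name']}), "
            f"AD problem {r.get('ad_problem')} ({r.get('ad_problem_name')}), HRESULT {r.get('hresult', 0):#010x} "
            f"({r.get('win32_error_name')}); check effective permissions on {r['parent_container']}.")

if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

The verdict line is the point: all three codes say the same thing (the directory denied the add), so the next step is the effective permissions of the calling account on the Domain Controllers OU, not file-system permissions.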
Author Comment

by:polstj
ID: 38300464
I also just tried to run adprep /rodcprep, and I get the same error 5, access denied, message. It worked if I ran it as "run as administrator". However, it skipped all processes because the operation had already been run.

On the error it listed all the groups I had to be a member of, but I am already a member of these groups. Seems really strange.

Same error when trying to pre-create, though...
Expert Comment

by:Venugopal N
ID: 38300691
Did you run adprep /rodcprep on a writable domain controller (preferably the Schema master)? The user needs to be a member of the Enterprise Admins group.

For pre-creating the RODC, refer to this link for the steps to follow:
http://blogs.technet.com/b/11/archive/2009/08/31/installing-a-read-only-domain-controller-rodc-in-sbs-2008-and-essential-business-server-2008-environment.aspx

The links below will also give more information:

http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24554686.html
Author Comment

by:polstj
ID: 38311939
I know the steps for the RODC, but it seems to be the same as the other case you referred to on EE. However, we definitely don't want to reset the entire default domain policy as they did, unaware of what impact it will have on our systems.

So if someone could help me identify what policy or file permission denies me access, I would be grateful. I really don't know what I should look for when I get this:

The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).

What kind of option would limit this access? I'm in both Enterprise Admins and Domain Admins.
Accepted Solution

by:polstj (earned 0 total points)
ID: 38409856
This was just solved by doing the following:

Using ADSI Edit I added an SPN (http/blabla) to enable the Delegation tab. Enabled my account for delegation.

Found the GPO and enabled the delegation options under Local Security Policy.
Author Closing Comment

by:polstj
ID: 38426014
This was just solved by doing the following:

Using ADSI Edit I added an SPN (http/blabla) to enable the Delegation tab. Enabled my account for delegation.

Found the GPO and enabled the delegation options under Local Security Policy.