Hi,
I have 2 DCs (2008 R2) running at functional level 2008. I'm trying to add a 2008 R2 RODC, but I got an error, so I tried to pre-create a read-only domain controller, but I get the same error. Here is the relevant part of the debug log:
dcpromoui 1360.15E0 07A8 12:31:16.093 Enter CLdapExpressionPresent::Compute pattern=dcAccountExists
dcpromoui 1360.15E0 07A9 12:31:16.093 ==> false
dcpromoui 1360.15E0 07AA 12:31:16.093 ==> true
dcpromoui 1360.15E0 07AB 12:31:16.093 msDS-RevealOnDemandGroup: replace
dcpromoui 1360.15E0 07AC 12:31:16.093 <SID=01050000000XXXXXXXXXXXXXXXXXXX40718574D3B020000>
dcpromoui 1360.15E0 07AD 12:31:16.093 ldap_add("CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED")
dcpromoui 1360.15E0 07AE 12:31:16.140 _lastLdapError_ <- "50"
dcpromoui 1360.15E0 07AF 12:31:16.140 ldap_add(CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED) failed, err=50
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
dcpromoui 1360.15E0 07B0 12:31:16.140 Enter GetErrorMessage 80070005
dcpromoui 1360.15E0 07B1 12:31:16.140 ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).
dcpromoui 1360.15E0 07B2 12:31:16.140 Enter CLdapOperationDisconnect::Execute
dcpromoui 1360.15E0 07B3 12:31:16.140 ExecuteScript() failed:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).
dcpromoui 1360.15E0 07B4 12:31:16.140 Rolling back script operations
dcpromoui 1360.15E0 07B5 12:31:16.140 Enter CLdapContext::ExecuteScript opMode=undo
dcpromoui 1360.15E0 07B6 12:31:16.140 Enter CLdapOperationBlock::Execute
dcpromoui 1360.15E0 07B7 12:31:16.140 Rollback successful
dcpromoui 1360.15E0 07B8 12:31:16.140 FAIL
I tried making the server part of the domain, but it's still the same problem.
The debug information does not give me much to go on.
I tried with different users. My admin user is a member of all admin groups, as well as some other groups, but it's still the same problem. We have pretty strict group policies.