
PRE-CREATE READ-ONLY DOMAIN CONTROLLER - ACCESS DENIED

Last Modified: 2012-09-23
Hi,
I have 2 DCs (2008 R2) running on function level 2008. I'm trying to add a 2008 R2 RODC, but I got an error, so I tried to pre-create a read-only domain controller but I'm getting the same error. Here is the output from debug:

dcpromoui 1360.15E0 07A8 12:31:16.093             Enter CLdapExpressionPresent::Compute pattern=dcAccountExists
dcpromoui 1360.15E0 07A9 12:31:16.093               ==> false
dcpromoui 1360.15E0 07AA 12:31:16.093             ==> true
dcpromoui 1360.15E0 07AB 12:31:16.093           msDS-RevealOnDemandGroup: replace
dcpromoui 1360.15E0 07AC 12:31:16.093             <SID=01050000000XXXXXXXXXXXXXXXXXXX40718574D3B020000>
dcpromoui 1360.15E0 07AD 12:31:16.093           ldap_add("CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED")
dcpromoui 1360.15E0 07AE 12:31:16.140           _lastLdapError_ <- "50"
dcpromoui 1360.15E0 07AF 12:31:16.140           ldap_add(CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED) failed, err=50
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

dcpromoui 1360.15E0 07B0 12:31:16.140           Enter GetErrorMessage 80070005
dcpromoui 1360.15E0 07B1 12:31:16.140       ***** EXCEPTION: 80070005 The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).
dcpromoui 1360.15E0 07B2 12:31:16.140       Enter CLdapOperationDisconnect::Execute
dcpromoui 1360.15E0 07B3 12:31:16.140     ExecuteScript() failed:
The operation cannot continue because LDAP add operation failed: object "CN=DC900,OU=Domain Controllers,DC=REMOVED,DC=REMOVED,DC=REMOVED", error: 5 (Access is denied.).

dcpromoui 1360.15E0 07B4 12:31:16.140     Rolling back script operations

dcpromoui 1360.15E0 07B5 12:31:16.140     Enter CLdapContext::ExecuteScript opMode=undo
dcpromoui 1360.15E0 07B6 12:31:16.140       Enter CLdapOperationBlock::Execute
dcpromoui 1360.15E0 07B7 12:31:16.140     Rollback successful
dcpromoui 1360.15E0 07B8 12:31:16.140   FAIL

I tried making the server part of the domain, but still the same problem.
The debug information does not give me much to go on.

I tried with different users. My admin user is a member of all admin groups, as well as some other groups, still the same problem. We have pretty strict group policies.