
Adding a new DC to an existing domain fails: "access denied" (KB232070 reviewed!)


Raistlin

Aug 23, 2006, 9:48:38 AM
I'm trying to add a new DC to my domain. The process fails with the
following error: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account SERVER2$
to a domain controller account. Access is denied." Yes, I read
http://support.microsoft.com/kb/232070/en-us. The group my account is
in (Administrators) is added to "Enable computer and user accounts to
be trusted for delegation", and both servers - SERVER1 (the only current
DC) and SERVER2 - were restarted a couple of times. The error still
exists. I tried to add both 2K- and 2K3-based servers as DCs - the results
are the same - negative.
The fact is that earlier there was a second DC in this domain, named
SERVER2, but due to a hardware failure I had to manually clean out any
mention of it from AD (using ldp.exe). But I don't think this is the
cause of the issue - servers with names other than SERVER2 cannot be
added as DCs either.
Any ideas please?

Paul Bergson

Aug 23, 2006, 10:15:32 AM
Did you follow the following:

http://support.microsoft.com/?id=216498

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


Raistlin

Aug 23, 2006, 1:11:28 PM
> Did you follow the following:
> http://support.microsoft.com/?id=216498
Yes, first I tried to delete that DC using ntdsutil - the operation
seemed to complete successfully, but SERVER2 still remained in the
Domain Controllers OU. So I used ldp.exe, and I'm quite sure that there
are no traces of SERVER2 in my AD. Besides that, as I said, I tried to
install a DC on another server (a VMware Win2K AS "machine" named VM-AS)
and got the same error.

Jorge de Almeida Pinto [MVP - DS]

Aug 23, 2006, 3:02:44 PM
Did you by any chance pre-create that computer account before joining the
server to the domain?

These are the default UserAccountControl values for certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

If you want to restore the default DC value, you can use either LDP or
ADSIEDIT.MSC.

When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right-click the DC for which you want to change the UserAccountControl
value and open its properties.
* Go to the UserAccountControl attribute
* You should see some value: <something>
* Change that value to: 532480

After this, if you go to LDP to the same location, you see:
userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
UF_TRUSTED_FOR_DELEGATION )

What is the value of "userAccountControl" in your case?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------


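As an added example (not from the thread, and not Jorge's code), here is a small Python decoder for userAccountControl. It accepts the decimal value ADSIEDIT shows or the "0x82000 = ( ... )" line LDP shows, lists the UF_* flags that are set, and compares the value with the 0x82000 default a DC account must carry. The bit values are the documented UF_* constants from the Windows SDK (lmaccess.h); the sample values are the ones quoted above. One caveat worth having in the check: UF_TRUSTED_FOR_DELEGATION (0x80000, the "Trust this computer for delegation" checkbox on Windows 2000) grants unconstrained delegation, so a member server or workstation account that carries it without UF_SERVER_TRUST_ACCOUNT can impersonate any user who authenticates to it and should be treated as a finding, not a curiosity.

```python
# Added example, not from the thread: decode userAccountControl and compare
# it with the default that a domain controller account must carry.
# Bit values are the documented UF_* constants (Windows SDK, lmaccess.h).

UF_FLAGS = {
    0x00000001: "UF_SCRIPT",
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000008: "UF_HOMEDIR_REQUIRED",
    0x00000010: "UF_LOCKOUT",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000040: "UF_PASSWD_CANT_CHANGE",
    0x00000080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00000800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00020000: "UF_MNS_LOGON_ACCOUNT",
    0x00040000: "UF_SMARTCARD_REQUIRED",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "UF_PASSWORD_EXPIRED",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x02000000: "UF_NO_AUTH_DATA_REQUIRED",
    0x04000000: "UF_PARTIAL_SECRETS_ACCOUNT",
    0x08000000: "UF_USE_AES_KEYS",
}

# Defaults quoted in the thread for the three object kinds.
DEFAULTS = {"user": 0x200, "workstation": 0x1000, "dc": 0x82000}

UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000


def decode_uac(value):
    """Return the UF_* names set in value, lowest bit first, plus any unknown bits."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def parse_uac(text):
    """Accept the decimal form ADSIEDIT shows (532480), a bare hex value, or the
    LDP line 'userAccountControl: 0x82000 = ( ... )', and return the integer."""
    token = text.split(":", 1)[1] if text.lower().startswith("useraccountcontrol:") else text
    token = token.strip().split()[0]
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def check_dc_account(value):
    """Compare value with the DC default; return (ok, missing_flags, extra_flags)."""
    expected = DEFAULTS["dc"]
    missing = decode_uac(expected & ~value)
    extra = decode_uac(value & ~expected)
    return (value == expected, missing, extra)


def delegation_warning(value):
    """True when an account that is not a DC is trusted for unconstrained
    delegation: it can impersonate any user who authenticates to it."""
    return bool(value & UF_TRUSTED_FOR_DELEGATION) and not (value & UF_SERVER_TRUST_ACCOUNT)


if __name__ == "__main__":
    samples = (
        "532480",
        "4096",
        "userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )",
    )
    for sample in samples:
        v = parse_uac(sample)
        ok, missing, extra = check_dc_account(v)
        print("0x%X %s dc_default=%s missing=%s extra=%s delegation_warning=%s"
              % (v, decode_uac(v), ok, missing, extra, delegation_warning(v)))
```

Run it against the value ADSIEDIT shows for the account that will not promote: a freshly joined server should decode to UF_WORKSTATION_TRUST_ACCOUNT only, and check_dc_account will list exactly the two flags dcpromo has to set.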

Paul Bergson

Aug 23, 2006, 3:29:42 PM
Try running netdiag, repadmin and dcdiag. Look for fail, error and warning
messages.

If you don't have the tools installed, load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run it, then look for error, fail and
warn within the reports. Post any errors you can't figure out. Make sure you
modify DC_Name to the name of a DC in your domain.

@echo off
rem Runs the Support Tools diagnostics and opens each report.
rem Replace DC_Name with the name of a DC in your domain before running.

c:
cd \
cd "program files\support tools"

if exist c:\dcdiag.log del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt


See for more details

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1d4ce93c-54f2-4069-a708-251509c38837.mspx


Raistlin

Aug 25, 2006, 7:39:32 AM
I checked System Event Log. The following error occurs regularly:

EventID: 5774
Source: NetLogon
Description (my translation from Russian): Cannot register DNS record
'8adbf7b9-376c-46ea-a66a-04f01aaeab4d._msdcs.domain.ru. 600 IN CNAME
server1.domain.ru.' because of the error: DNS RR set that ought to
exist, does not exist.

I tried all the advice I found on EventID.net but it didn't help.

DCDiag reports this problem accordingly:
<-------------------- Start of DCDiag.log -------------------->
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00004E8A
Time Generated: 08/25/2006 12:58:07
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000168E
Time Generated: 08/25/2006 13:03:18
(Event String could not be retrieved)
......................... SERVER1 failed test systemlog
<-------------------- End of DCDiag.log -------------------->
(The second error, as the corresponding Microsoft KB says, can be ignored)

Something interesting in NetDiag.log:
<-------------------- Start of NetDiag.log -------------------->
DNS test . . . . . . . . . . . . . : Passed
...
Authoritative NS:192.168.0.1 192.168.0.2
Verify DNS registration:
Name: server1.domain.ru
Expected IP: 192.168.0.1
Server 192.168.0.1: NO_ERROR
Server 192.168.0.2: Error 1460 ERROR_TIMEOUT
...
DNS server has more than one entries for this name, usually this means
there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.0.1', no need to
re-register.
...
+------------------------------------------------------+
The record on your DC is:
DNS NAME = _ldap._tcp.dc._msdcs.domain.ru.
DNS DATA =
SRV 0 100 389 server1.domain.ru.

The record on DNS server 192.168.0.1 is:
DNS NAME = _ldap._tcp.dc._msdcs.domain.ru
DNS DATA =
SRV 0 100 389 server1.domain.ru
SRV 0 100 389 moral.domain.ru
+------------------------------------------------------+
...
+------------------------------------------------------+
The record on your DC is:
DNS NAME = domain.ru.
DNS DATA =
A 192.168.0.1

The record on DNS server 192.168.0.1 is:
DNS NAME = domain.ru
DNS DATA =
A 192.168.0.1
A 192.168.0.2
A 192.168.0.11
+------------------------------------------------------+
<-------------------- End of NetDiag.log -------------------->

Why this is interesting:
1. As I said, I have no "multiple DCs in this domain".
2. I don't understand what "Authoritative NS 192.168.0.2" means:
192.168.0.2 is the IP address of SERVER2, but now it isn't a DNS
server.
3. A DNS record for moral.domain.ru (192.168.0.11) exists in
_ldap._tcp.dc._msdcs.domain.ru - I don't know why; it is a simple
WinXP-based workstation. I deleted this record before, but it
reappeared.

repadmin.exe /showrepl dc* /verbose /all /intersite seems to be
incorrect syntax?..

Paul Bergson

Aug 25, 2006, 8:12:32 AM
Does the DC that you are using have more than one network card installed? If so,
you should only have a single network card per DC.

The repadmin command is for 2003.


Raistlin

Aug 25, 2006, 9:32:33 AM
> Does the DC that you are using have more than one network card installed? If so
No (the second one is disabled in the BIOS).

> The repadmin command is for 2003.

In fact, Win2K has repadmin too, but its syntax is different. What is
to be checked with the switches in your example?

Here's what's in DCPROMO.LOG:
...
08/25 14:11:59 [INFO] Replicated the configuration container.
08/25 14:11:59 [INFO] Error - The Active Directory Installation Wizard
was unable to convert the computer account SERVER2$ to a domain
controller account. (5)
08/25 14:12:01 [INFO] NtdsInstall for domain.ru returned 5
08/25 14:12:01 [INFO] DsRolepInstallDs returned 5
08/25 14:12:01 [ERROR] Failed to install to Directory Service (5)

Maybe something wrong with ACL for this container?

Paul Bergson

Aug 25, 2006, 2:01:01 PM
Run dnslint without the /d.

repadmin - this run is of no value; I didn't originally catch that you only
have one DC.

Does your DC have an ISP in the DNS client settings?


Raistlin

Aug 26, 2006, 3:33:31 AM
> Does your DC have an ISP in the DNS client settings?
No. In my LAN, there's a separate workstation that does NAT (with
address 192.168.0.66). Every machine, including the DC, uses this workstation
as the secondary DNS server (earlier, when there were 2 DCs, as the third DNS
server) and as the default gateway. This DNS server causes some errors to
appear in NetDiag.log, but they are expected because this DNS server
doesn't have any records concerning my LAN's zones and machines.
So my DC doesn't know anything about my ISP.

Raistlin

Aug 28, 2006, 8:04:31 AM
> Run dnslint w/o the /d
dnslint /d domain.ru reports:

No match for domain name found
The domain name has not been registered with InterNIC

dnslint /ad 192.168.0.1 /s 192.168.0.1 reports all is OK.

Paul Bergson

Aug 28, 2006, 8:12:08 AM
I'm getting stumped but try this out.

http://support.microsoft.com/?kbid=232070


Paul Bergson

Aug 28, 2006, 8:18:00 AM
Disregard the previous; after I sent it I remembered you already tried
232070.

I am assuming you have logged on as a domain admin and the domain admin is a
member of the local Admins group. Also, in the properties of the DC, select
the Delegation tab and see if the option "Trust this computer for delegation
to any service (Kerberos only)" is selected.


Raistlin

Aug 28, 2006, 9:22:19 AM
> I am assuming you have logged on as a domain admin and the domain admin is a
> member of the local admins group. Also on the properties of the dc select
> the Delegation tab and see if the option "Trust this computer for delegation
> to any service (Kerberos only)" is selected.
I have logged on as a user who is a member of "Administrators", "Domain
Admins", "Schema Admins" and "Enterprise Admins". I believe that's enough
to be a local admin :-).
There's no Delegation tab in the DC's properties (domain.ru\Domain
Controllers\SERVER1 in the AD Users and Computers snap-in), but there's a
checked option on the General tab in the DC's properties named something like
"Trust this computer for delegation".

Raistlin

Aug 30, 2006, 7:11:15 AM
To Jorge de Almeida Pinto: Sorry I missed your message before.

> Did you by any chance pre-created that computer account before joining the
> server to the domain?

Yes, there was a computer with the same name in the domain before (I
wrote about it above). But when I renamed the server to a unique (not
used before) name I got the same negative results.

> These are the default UserAccountControl values for the certain objects:
> Typical user : 0x200 (512)
> Domain controller : 0x82000 (532480)
> Workstation/server: 0x1000 (4096)

I have used ADSIEDIT.MSC; UserAccountControl value for SERVER1 is
532480.

> After this is you go to LDP to the same location you see:
> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
> UF_TRUSTED_FOR_DELEGATION )

Probably I did something wrong, but I can't find this using ldp. I
searched for CN=SERVER1,OU=Domain Controllers,DC=domain,DC=ru with the filter
(objectclass=*).

Paul Bergson

Aug 30, 2006, 8:44:38 AM
I would rename it, remove it and re-add it to the domain, then try again.


Raistlin

Aug 30, 2006, 10:15:41 AM
> I would rename and remove and readd to the domain, then try again.
The same error...

Jorge de Almeida Pinto [MVP - DS]

Aug 30, 2006, 2:37:54 PM
A better explanation of what I mailed earlier:
http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx


Paul Bergson

Aug 31, 2006, 8:31:27 AM
I figure that by his renaming and removing/re-adding, this should all
have been cleared up, shouldn't it?


Raistlin

Sep 4, 2006, 10:14:48 AM
> a better explanation of what I mailed earlier:
Thanks. Yes, I found all these parameters (but only using ADSIEDIT, not
using ldp.exe - perhaps I just can't use it the right way :-). All
seems to be OK, but it doesn't work.

Seth

Sep 4, 2006, 8:03:03 PM

I've read this post with great interest hoping to find a solution. I am
experiencing exactly the same problems at one of the schools I work at.
Here is a quick description of how I came to this situation.

The school domain had two DCs, a Win2K server and a Win2K3 server. One
sad day, the Win2K3 server experienced complete hardware failure,
so I also had to manually clean the AD of this failed server using the
available tools. Once the school had purchased a new server running
Win2K3, I attempted to promote the box to a DC (using dcpromo),
resulting in the "access denied" message.

I've tried pretty much all the previous suggestions to no avail. It
seems that this problem is one that could be replicated. Maybe the
easiest solution would be to re-create the domain.

Paul Bergson

Sep 5, 2006, 8:14:20 AM
I'm not sure where to go from here. I have never had a situation where this
wouldn't resolve it.

I'm out of ideas, other than that I would go through your forward and reverse
DNS lookup zones to make sure there aren't any records that are incorrect.


Raistlin

Sep 5, 2006, 2:04:57 PM
> I'm out of ideas, other than I would go through your forward and reverse dns
> lookup zones to make sure there aren't any records that are incorrect.
The fact is that I do have a problem in DNS. I wrote about it above:
http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/b9b4ba01b21a6698.

Seth

Sep 5, 2006, 7:12:40 PM
On your PDC, in 'Internet Protocol (TCP/IP) Properties' under DNS server
addresses, remove the reference to the old server address '192.168.0.2'.

Also, in the DNS console under 'Forward Lookup Zones' and 'Reverse Lookup
Zones', find the records of type 'Name Server'. In both areas, remove any
reference to the old server.

Hope that helps with the DNS issue.
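The NetDiag output earlier in the thread and Seth's advice above come down to the same check: every locator record under _msdcs, every NS record in the AD zones, and every A record at the zone apex should point at a current DC and nothing else. A client that resolves _ldap._tcp.dc._msdcs to a workstation (moral.domain.ru here) or to a decommissioned server will try to do LDAP and Kerberos with a machine that is not a DC, which is both a reliability problem and a spoofing opportunity for whoever controls that host. The Python below is an added example, not code from the thread: it parses NetDiag-style record dumps (the sample is constructed from the output quoted above, plus an NS record for SERVER2 of the kind that turned up in the reverse zone) and reports anything that does not match the stated list of DCs. The KNOWN_DCS map is an assumption for the example.

```python
import re

# Added example, not from the thread. Sample input constructed from the
# NetDiag output quoted earlier, plus an NS record for SERVER2 of the kind
# that was later found in the reverse lookup zone.
SAMPLE_NETDIAG = """\
The record on DNS server 192.168.0.1 is:
DNS NAME = _ldap._tcp.dc._msdcs.domain.ru
DNS DATA =
SRV 0 100 389 server1.domain.ru
SRV 0 100 389 moral.domain.ru

The record on DNS server 192.168.0.1 is:
DNS NAME = domain.ru
DNS DATA =
A 192.168.0.1
A 192.168.0.2
A 192.168.0.11

DNS NAME = 0.168.192.in-addr.arpa
DNS DATA =
NS server1.domain.ru.
NS server2.domain.ru.
"""

# Assumption for the example: the only legitimate DC, as stated in the thread.
KNOWN_DCS = {"server1.domain.ru": "192.168.0.1"}

OWNER_RE = re.compile(r"DNS NAME\s*=\s*(\S+)")
RECORD_RE = re.compile(r"(SRV|A|NS|CNAME)\s+(.+)")


def parse_records(text):
    """Turn a NetDiag-style record dump into (owner, type, target) tuples.
    target is the host for SRV/NS/CNAME records and the address for A records."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OWNER_RE.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            continue
        m = RECORD_RE.match(line)
        if m and owner:
            rtype, fields = m.group(1), m.group(2).split()
            records.append((owner, rtype, fields[-1].rstrip(".").lower()))
    return records


def audit_records(records, known_dcs, zone):
    """Report records that steer clients or delegations to hosts that are not DCs."""
    dc_names, dc_addrs = set(known_dcs), set(known_dcs.values())
    findings = []
    for owner, rtype, target in records:
        labels = owner.split(".")
        if rtype == "SRV" and labels[0].startswith("_") and target not in dc_names:
            findings.append((owner, rtype, target, "locator record points at a non-DC host"))
        elif rtype == "CNAME" and "_msdcs" in labels and target not in dc_names:
            findings.append((owner, rtype, target, "DSA GUID alias points at a non-DC host"))
        elif rtype == "NS" and target not in dc_names:
            findings.append((owner, rtype, target, "name server is not a current DC"))
        elif rtype == "A" and owner == zone and target not in dc_addrs:
            findings.append((owner, rtype, target, "zone apex address is not a DC"))
    return findings


if __name__ == "__main__":
    for finding in audit_records(parse_records(SAMPLE_NETDIAG), KNOWN_DCS, "domain.ru"):
        print("%-32s %-5s %-18s %s" % finding)
```

The NS rule assumes DNS runs only on DCs, which is the usual AD-integrated layout; put any deliberate non-DC name server into the map so it is not reported. A record that comes back after being deleted is being re-registered by something, and the DNS server's update logging is the place to find which host is doing it before deleting it again.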

Raistlin

Sep 6, 2006, 2:42:44 AM
> On your PDC, in 'Internet Protocol (TCP/IP) Properties and DNS server
> addresses, remove reference to the old server address '192.168.0.2'.
It was done a long time ago.

> Also, in the DNS console under 'Forward Lookup Zones' & 'Reverse Lookup
> Zones', find the type 'Name Server'. In both areas, remove any
> reference to the old server.

Um, yeah, you're right, I found one NS record for SERVER2 in the
reverse lookup zone. But unfortunately deleting it didn't help. DCPROMO
still returns the same error.

Raistlin

Sep 6, 2006, 3:00:37 AM
Raistlin wrote:

> Um, yeah, you're right, I found one NS record for SERVER2 in the
> reverse lookup zone. But unfortunately deleting it didn't help. DCPROMO
> still returns the same error.
On the other hand, NetDiag reports no error now.

Raistlin

Sep 7, 2006, 2:53:39 AM
> On the other hand, NetDiag reports no error now.
Error 5774 seems to be gone. Thanks, Seth! But the "access denied"
problem still remains.
