
Unable to promote a new server


Quo Vadis

Sep 29, 2006, 5:26:02 PM
A brand new server was purchased, configured with Server 2003, and put into a
domain. When attempting to promote the server, we get the following error
message, "The operation failed because: The Active Directory Installation
Wizard was unable to convert the computer account SERVER3$ to a domain
controller account. "Access is denied.""

Why would the server not promote? Help! Thanks.

lforbes

Sep 29, 2006, 6:10:01 PM
Hi,

Is the server named server3$? If so, remove the $. Did you add the server
to the Domain as a member server? Is it registered properly in DNS? What is
the OS of the domain that you currently run? You will get errors if you add
a 2003 server to a 2000 domain without running the adprep.

Cheers,
Lara

Quo Vadis

Sep 29, 2006, 6:33:02 PM
The new server is SERVER3. Both the current DC and the new one are running
Windows 2003 Server SP1. We added SERVER3 to the domain without issue. It is
properly registered in DNS.

We've tried two different user accounts to accomplish the promotion. Our
current DC is sick and we need to get a backup DC promoted. Thanks for the
help!

lforbes

Sep 30, 2006, 2:56:02 PM
Hi,

"Access is Denied" is a permissions error usually. If your original DC is
sick then that may be the problem. Do you have any event logs on either
server with regards to this? Make sure that you log on to the Server3 with a
Domain Administrator account or to be sure an Enterprise Administrator
account. You can always try removing the new server from the Domain, deleting
the account and re-adding it again.

Also, make sure the IPs are static.

Quo Vadis

Sep 30, 2006, 6:02:01 PM
Thank you Lara. I guess I should have been more precise. We had done all that
you have recommended before posting. We have static IPs, we have tried the
built-in Administrator's account and another user account with both Domain
Admin and Enterprise Admin membership.

The current DC is having hard disk problems. The System Log shows
\Device\Harddisk0 has a bad block. The latest STOP code is 0x000000b8. This
is why we are anxious to get the new DC promoted.

The only error showing up in the App Log on the server is that Windows
cannot find the machine account. The clocks on the client and server machines
are skewed. I have confirmed that the clocks are indeed correct, along with
the time zone.

The DNS Log only has two errors in the past six months. The DNS server has
encountered a critical error from the Active Directory (4015).

We are logging into the member server with the Domain Administrator account,
and authenticating with that during the DCPROMO. The new error is "Failed to
configure the service NETLOGON as requested. "The wait operation timed out.""

Joseph

Any

lforbes

Oct 1, 2006, 6:12:02 PM
Hi,

Have you synched the clocks using "net time \\dcserver /set /y"? This is
the command required to sync to the second. If they aren't synched to the
second it may be an issue.

Did you do a "chkdsk" and set to repair errors on the DC? That bad block
may contain critical info that is making the promotion difficult. However, I
would do this as a last resort after a full backup.

How was the new server installed? Did you do a clean install of Windows 2003
SP1 or did you just get one already built?

If it isn't a huge Domain then as a last resort you can always build the new
server as a separate domain and use the AD migration Tool to migrate the
users and computers across.

Make sure there is a forward and a reverse lookup zone for the new server in
DNS.

There is also a tool part of the Windows 2003 tools on the Windows 2003 CD
that I found useful. On the old DC run

netdom reset server3

This will clean up those access is denied errors. If this fails then there
is a dns problem.

Jorge Silva

Oct 1, 2006, 7:30:54 PM
Hi,
This problem has to do with problems converting the userAccountControl
attribute. Read:
http://support.microsoft.com/?id=305144
http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

Ada Pan [MSFT]

Oct 2, 2006, 2:30:30 AM
Hello Joseph,

After reviewing the post log, I recommend you go to
%systemroot%\System32\Config\Netlogon.dns, rename the netlogon.dns and
netlogon.dnb and restart the netlogon service, and then run dcpromo again.

If you still cannot promote the DC successfully, please try the following
approach:

1. Offline or shutdown the DC Server3.

2. Use NTDSUtil.exe to clean up the data for the DC Server3 on your current
DC by referring to the following MS KB article:

216498: Removing Active Directory Data After an Unsuccessful Demotion
http://support.microsoft.com/?id=216498

HINT: You may also use the metacleaner.vbs from the following links to
cleanup data in AD database instead:

http://www.tek-tips.com/faqs.cfm?fid=4733

http://groups.google.co.jp/group/Active-Directory/browse_thread/thread/ca695d30142157e3/28c9c2cd1837d38a?lnk=st&q=metacleaner&rnum=1&hl=en-28c9c2cd1837d38a

Disclaimer: This response contains a reference to a third party World Wide
Web site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or
information found on these sites; therefore, Microsoft cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any software
from the Internet.


3. Rebuild Server3 as a clean installation and then join it into your
domain. Promote the server to DC again.

If this problem persists, please generate a Directory Services Edition
(Mpsrpt_dirsvc.exe) of MPS report on this new DC. For detailed
instructions, please refer to the following MS KB article:

818742.KB.EN-US Overview of the Microsoft Configuration Capture Utility
(MPS_REPORTS)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;818742

HINT: Please send all the files to me at v-ad...@microsoft.com with the
following email subject:
35733452-Microsoft has responded to your post in
microsoft.public.windows.server.active_directory - (Your post's original
Date: 29 Sep 2006)

Hope this helps!

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Quo Vadis

Oct 2, 2006, 8:28:02 AM
Will do. SERVER3 was indeed a clean install. The only thing we did after
installing the OS was to add it to the domain and attempt promotion.

Joseph

Quo Vadis

Oct 2, 2006, 8:30:01 AM
I followed the steps provided, but the number was already correct, Jorge.

Ada Pan [MSFT]

Oct 2, 2006, 11:46:54 PM
Hello Joseph,

Thanks for posting back. I am glad to hear that you are going to apply my
suggestions. :)

Yes, I knew that Server3 was clean installed and then you tried to promote
it as another DC. However, it is still recommended to perform a clean
installation again in case the NTDSUtil or metacleaner.vbs fails to clean
up the AD database. A clean installation can help to create a new SID for
the server and also eliminate other potential issues remaining on the
server because of the failure of the DCPromo process.

Hope to hear from you soon.

Quo Vadis

Oct 3, 2006, 2:11:02 PM
I tried the first step Ada, and we got a different error. This time it was,
"The operation failed because: Failed to configure the service NETLOGON as
requested. The wait operation timed out."

Does this give you any clues as to which direction to proceed now? Or should
we continue with the NTDSUtil?

Joseph

Ada Pan [MSFT]

Oct 4, 2006, 7:53:53 AM
Hello Joseph,

The new error message means that Netlogon service failed to register to the
DNS server. The SRV records failed to create due to timeout. Please generate
a Directory Services Edition (Mpsrpt_dirsvc.exe) of MPS report on the
current DC. For detailed instructions, please refer to the following MS
KB article:

818742.KB.EN-US Overview of the Microsoft Configuration Capture Utility
(MPS_REPORTS)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;818742

Please send the report to us for further research.

=====================================
I will be out of the office from Oct 5th to Oct 8th.

During this period, please post back in the newsgroup and my backup Vincent
Xu will continue working with you. To send the collected log files, please
direct your email to < v-x...@microsoft.com > and add the following
information.

Post queue (For example: microsoft.public.windows.server.active_directory)
Post title
My name
=====================================

We look forward to your reply.

Quo Vadis

Oct 4, 2006, 8:49:02 AM
I have sent the report to you. Thanks!

Joseph

Vincent Xu [MSFT]

Oct 6, 2006, 3:17:14 AM
Hi Joseph,

This is Vincent who is Ada's backup.

I checked the MPS report preliminarily and I found the MPS report is clean
enough.

I reviewed this thread and I have the following questions:

1. Before you tried to promote server3 as DC, did you demote any other DCs?
In other words, were other DC(s) ever introduced?

2. As you said, after you tried the first step, the error message changed.
I'd like to know which step you have tried and did you reinstall the
server3?

3. Please send us (Ada and me) the dcpromoUI.log on the Server3 since you
have run dcpromo on it.

4. Continue with the NTDSUtil steps.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support


Quo Vadis

Oct 6, 2006, 10:06:02 AM
Before we attempted to promote SERVER3, we did have to do a forced demotion
of the old server. We did a metadata cleanup after that.

All we have done is rename the netlogon files, per Ada's instructions and
then attempt the dcpromo again. I started the NTDSUtil metadata cleanup, but
SERVER3 is not listed. Only the current DC is there. It looks clean.

Is it really necessary to reinstall the OS to get this brand new server
promoted??? That seems like a lot of work (on a pristine install) when the
error appears to be in the AD or the existing DC, doesn't it? (I guess I'm
just trying to avoid a reinstallation of the OS, just to find myself in
exactly the same position I am today.)

Joseph

Ada Pan [MSFT]

Oct 9, 2006, 8:02:29 AM
Hello Joseph,

I can understand your concerns on rebuilding the server. I will work with
Vincent to check the MPS Reports again to see if everything is working
properly on the current DC. If everything is working properly on the
current DC, we will run the NewSID.exe on the server3 and then try to
promote it to a domain controller again.

More Information:
======
NewSID from Sysinternals.com is a utility to create a new computer SID
without utilizing Sysprep.exe and rebooting the server.

NewSID:
http://www.sysinternals.com/ntw2k/source/newsid.shtml

NOTE: The third-party tool mentioned here was designed by a provider
independent of Microsoft; you may have to purchase commercial licenses when
using these tools. Please contact the software provider to confirm legal
affairs. We make no warranty, implied or otherwise, regarding this
product's performance or reliability.

Thank you for your time and patience.

Quo Vadis

Oct 9, 2006, 8:21:01 AM
Thanks Ada. You say the word and I'll do it.

Joseph

Ada Pan [MSFT]

Oct 11, 2006, 8:05:16 AM
Hello Joseph,

I am glad to hear that you will apply my suggestion. Hope to hear from you
with good news.

Quo Vadis

Oct 11, 2006, 9:09:02 PM
I used the NewSID tool and changed the SID. Then attempted the DCPromo again.
The result:

The operation failed because:

The Active Directory Installation Wizard was unable to convert the computer
account SERVER3$ to a domain controller account.

"Access is denied."

What do you suggest now? We're getting desperate.

Joseph

Ada Pan [MSFT]

Oct 12, 2006, 10:20:19 AM
Hello Joseph,

We usually utilize Windows Server 2003 Default Group Policy Restore Utility
(Dcgpofix.exe) to re-create the default Group Policy objects or manually
revert the settings directly. Between the solutions, reverting the settings
back is recommended.

NOTE: If you are using GPMC, it is recommended that you use GPMC to restore
all GPOs in your environment. The Dcgpofix tool is a disaster-recovery tool
that will restore your environment to a functional state only. It is best
not to use it as a replacement for a backup strategy using GPMC. It is best
to use the Dcgpofix tool only when a GPO back up for the Default Domain
Policy and Default Domain Controller Policy does not exist.

If you use the Dcgpofix tool, Microsoft recommends that as soon as you run
it, you review the security settings in these GPOs and manually adjust the
security settings to suit your requirements.

For detailed instructions on how to use the Dcgpofix tool, please refer to
the following MS article:

Default Group Policy objects become corrupted: disaster recovery
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/b9db0ae7-3d25-4e5e-9320-e5db0b0c9f8a.mspx

More Information:
=======

833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

Q267553 How to Reset User Rights in the Default Domain Controllers GPO
http://support.microsoft.com/support/kb/articles/Q267/5/53.ASP

Hope this helps!

Ada Pan [MSFT]

Oct 13, 2006, 3:47:04 AM
Hello Joseph,

The previous reply is actually for another issue. Sorry for the mistake.
Below is the update for this issue:

====================== Start ======================

After re-checking the files, I noticed the Default Domain Controller policy
has been modified with the following user rights assignments removed:

- Enable Computer and User Accounts to be trusted for Delegation
- Add workstations to domain

You may grant the permissions to the built-in Administrators user group and
then reboot the DC to see if you can join the additional server into this
domain. For more information, please refer to the following MS KB article:

232070 When you run Dcpromo.exe to create a replica domain controller, you
receive the "Failed to modify the necessary properties for the machine
account. Access is denied." error message
http://support.microsoft.com/default.aspx?scid=kb;EN-US;232070


If this problem persists after applying the suggestion above, I would like
to recommend that you utilize Windows Server 2003 Default Group Policy
Restore Utility (Dcgpofix.exe) to reset the Default Domain Controller
policy.

NOTE: If you are using GPMC, it is recommended that you use GPMC to back up
all GPOs in your environment. The Dcgpofix tool is a disaster-recovery tool
that will restore your environment to an initial state only. If you use the
Dcgpofix tool, Microsoft recommends that as soon as you run it, you review
the security settings in these GPOs and manually adjust the security
settings to suit your requirements.

For detailed instructions on how to use the Dcgpofix tool, please refer to
the following MS article:

Default Group Policy objects become corrupted: disaster recovery
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/b9db0ae7-3d25-4e5e-9320-e5db0b0c9f8a.mspx

More Information:
--------------------------


833783 The Dcgpofix tool does not restore security settings in the Default
http://support.microsoft.com/?id=833783

Q267553 How to Reset User Rights in the Default Domain Controllers GPO
http://support.microsoft.com/support/kb/articles/Q267/5/53.ASP

====================== End ======================
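
The check described in the reply above, as an added example that is not part of the original thread: it parses the [Privilege Rights] section of a GPO security template (GptTmpl.inf) and reports whether the two user rights named there still include the built-in Administrators group. The constants SeEnableDelegationPrivilege and SeMachineAccountPrivilege and the SID S-1-5-32-544 are the standard identifiers for those rights and that group; the sample template text is constructed.

```python
"""Audit a GPO security template (GptTmpl.inf) for the two user rights
named in the thread. Added example; sample templates are constructed."""

# BUILTIN\Administrators as it may appear in a template (SID or name).
ADMINISTRATORS = {"S-1-5-32-544", "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS"}

# Template constants for the two rights listed in the thread.
REQUIRED_RIGHTS = {
    "SeEnableDelegationPrivilege":
        "Enable computer and user accounts to be trusted for delegation",
    "SeMachineAccountPrivilege": "Add workstations to domain",
}

def parse_privilege_rights(text):
    """Return {right: [trustees]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Trustees are comma separated; SIDs carry a leading '*'.
            trustees = [t.strip().lstrip("*") for t in value.split(",")]
            rights[name.strip()] = [t for t in trustees if t]
    return rights

def audit(text):
    """List (constant, display name, problem) for rights lacking Administrators."""
    rights = parse_privilege_rights(text)
    findings = []
    for const, label in REQUIRED_RIGHTS.items():
        trustees = rights.get(const)
        if trustees is None:
            problem = "not defined in this GPO"
        elif not trustees:
            problem = "defined but granted to no one"
        elif not any(t.upper() in ADMINISTRATORS for t in trustees):
            problem = "granted, but not to Administrators"
        else:
            continue
        findings.append((const, label, problem))
    return findings

# Constructed sample: delegation right emptied, machine-account right absent.
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege =
"""
# Constructed sample after granting both rights to Administrators.
FIXED = BROKEN.replace("Privilege =\n", "Privilege = *S-1-5-32-544\n") + \
    "SeMachineAccountPrivilege = *S-1-5-11,Administrators\n"

if __name__ == "__main__":
    for const, label, problem in audit(BROKEN):
        print(f"{const} ({label}): {problem}")
```

A real template sits under the GPO's MACHINE\Microsoft\Windows NT\SecEdit folder in SYSVOL and is usually UTF-16 encoded, so read it with encoding="utf-16" before passing the text to audit().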

Jorge de Almeida Pinto [MVP - DS]

Oct 13, 2006, 3:27:35 PM
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------

Quo Vadis

Oct 16, 2006, 7:48:02 AM
That did it Ada. By adding Administrators to that GPO it worked perfectly.

Thanks VERY much.

Joseph

Ada Pan [MSFT]

Oct 16, 2006, 11:19:02 PM
Hello Joseph,

I am so glad to know you have resolved the issue. I appreciate your putting
your time and efforts in this troubleshooting process. It's been a pleasant
experience working with you.

If you need further assistance on this issue or encounter any new break/fix
issue, please feel free to post your questions in the newsgroups. We are
glad to be of assistance.
