
Promote Server to DC in Active Directory, error... 6


bence8810

IS-IT--Management
Jul 20, 2005
241
AE
Hi

I have a setup of two servers, one is Exchange and the other is Data. Both run W2k3 Server.

Both have to be Domain Controllers, so that if one fails, the other takes over, etc... This setup worked fine in the past. I came aboard, and I realized that one HDD is failing from the RAID 5 on the Data server. So I decided to upgrade them. I wanted to demote the server from being a DC, do the reinstall and then promote again. The demote failed, so I did a force demote, replaced the drives, etc., reinstalled the server, and now I am trying to promote it to be a DC, but it fails with the same error as it failed with when I tried to demote it. The error is as follows:

The operation failed because: The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account. "Access is denied."

What may I be doing wrong? I did a clean on the AD to remove the junk the old DC left behind, due to a not clean demoting. I used the ntdsutil command to clean the AD from the DC's leftovers. All seemed fine. But, just to be certain, I tried to change the name of the server, and make it a DC with the new name, but it failed as well, so it isn't because the old one left junk there, as even the new name won't go through. I think it is a permission issue, but I am not able to determine why and where the problem is. Please help if you can.

thanks

Benedek
 
Take all the time you need. This is quite a problem over here. I am a new system admin, and this is what I inherited. Also OWA won't work, Access Denied there also, when clients try to connect from the network or from home. I exhausted all web forums, and all the TechNet documents, but still no solution to that either. I think something must be messed up over here, I just don't know what.

Anyways, I really appreciate your help..

Benedek
 
Hi

Wow, this sure gave me a hard time. However it didn't go well. Either I did something bad, or this wouldn't work for me; this is what happened. I got to the point where I changed the registry on the DC, and imported that section of the registry into the server to become a DC. Then, I ran the DCPROMO thing again, and I got the errors, I mean events, that the article described. At this point, I wasn't able to find the GUID. I found a similar or same number that the article referred to, but it wasn't a GUID at all. And when I ran LDP.exe and wanted to delete the GUID, it gave me a syntax error. Could this be the outcome of the fact that the article was written for 2000 and I am using 2003 Server?

The event that I have to find the GUID in, is this

Internal event: This domain controller was prompted by the domain controller at the following network address with a request for retrieval of changes for the following directory partition with these options.

Directory partition:
CN=Configuration,DC=synovate,DC=local
Network address:
6afab99c-6e26-464a-975f-f58f105218bc
Update sequence number:
27702
Flags:
0x10200870
Sensitivity:
0

Or this

Internal event: This domain controller returned changes with the following information.

Total number of objects:
156
Total bytes:
431560
Update sequence number:
157957
Extended return:
0

For more information, see Help and Support Center at

The only thing I found that is similar is the Network ID, so I used that, but it gave me the following syntax error in LDP:

ldap_delete_s(ld, "<GUID=6afab99c-6e26-464a-975f-f58f105218bc>");
Error: Delete: No Such Object. <32>
Server error: 0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of:
''

-----------

Any clues?

I am leaving for today, but will be here in the morning to keep troubleshooting. Of course I can log in from home if you leave any messages today.

Thanks for all your help.

Be

 
wow... the next step is to take your working DC and run the Microsoft Reporting suite against it.


Download and run the Directory Services tool on your DC... the problem is that this gives a LOT of info that would be too difficult and large to post. This may need to be taken off of the forum for analysis and when we find the problem put the resolution up here...

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

I am in the office at the moment, so I can carry out anything from now on. I downloaded what you told me, and here is what it says at the bottom of the README:

Reports generated by either copying the files, using the type command, or NET.EXE
=================================================================================
%ComputerName%_DCPROMO.LOG Both: Debug log of the Domain Controller promotion progress
%ComputerName%_DCPROMOUI.LOG Both: Debug log of the Domain Controller promotion progress

So how can I generate the dcpromo.log?

Thanks

Benedek

 
Hi

I ran the thing, and I see one suspicious thing in the servername_userrights.txt

Add workstations to domain
==========================
0 account(s) with the SeMachineAccountPrivilege user right:
All accounts enumerated

I don't have rights to add a WS to the Domain? This is exactly what errors out when I run DCPROMO. It says "Error: Access Denied" when trying to add Dataserver to the Domain.

And how about this?

Enable computer and user accounts to be trusted for delegation
==============================================================
0 account(s) with the SeEnableDelegationPrivilege user right:
All accounts enumerated

Seems suspicious.

And this that I just found? It has a reference to the old server.....

Default-First-Site-Name\HUBUD1EX01
DSA Options : IS_GC
objectGuid : 5fb52c10-a0c5-441a-8b2f-99750a9008a8
invocationID: 5fb52c10-a0c5-441a-8b2f-99750a9008a8

==== INBOUND NEIGHBORS ======================================

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=synovate,DC=local
Default-First-Site-Name\DATASERVER\0ADEL:035a8ced-dba9-4f9a-9d7e-aca606856ffc via RPC
objectGuid: 1f7aaa03-5492-4d72-b439-c6768c8bb2f3

It says Dataserver....


This looks OK..

Schema owner hubud1ex01.synovate.local

Domain role owner hubud1ex01.synovate.local

PDC role hubud1ex01.synovate.local

RID pool manager hubud1ex01.synovate.local

Infrastructure owner hubud1ex01.synovate.local

The command completed successfully.


Well, as you said, I don't really want to flood the forum. Please let me know how to communicate from this point on.

Thanks

Benedek

 
no, this is terrific! Start by looking at your policies for Default Domain Controller and Default Domain... check under Computer | Windows Settings | Security Settings | User Rights Assignments.

If possible, export the sections on "User Rights Assignments" and "Security Options" into this forum... your problem may lie in GPO. Please keep in mind what you are posting though - this data is rather sensitive, so you may want to mock up some of the accounts or take this piece offline.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
One more thing, if you prefer, my address is in my profile, so if you click on NetIntruder above, you should see some of my info. If you want to take this part offline, drop me the info there and we'll just post the resolution when we get that far.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

Having some trouble locating the things you requested. I will drop you a mail.

Sure, let's post back here when we get the resolution. I really appreciate your help.

Benedek
 
The issue is resolved. We examined the log files and policies closer and it turns out that the Domain Controller Policy needed to be adjusted. There were several keys in there, specifically "Enable Computer and user accounts to be trusted for delegation" that the old admin defined and didn't populate, therefore crippling anyone from using the privilege.

Bence can post to confirm success and follow up w/ anything i missed here :)

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

Thanks NetIntruder, you were terrific. My problem is gone, with all the help you provided me with.

Basically the scenario was as follows:

I inherited this system, and the previous admin did something wrong, and the permissions were crippled. This is why I wasn't able to demote the old domain controller, and the same with promoting the new server. Access Denied.

I had to change the policies that Netintruder mentioned above. Once I changed them such that Domain Admin was added to those policies, and I forced a Group Policy refresh (gpupdate /force), I could promote the Server to be a DC.

This is what I had to change:

In Default Domain Controller Security Settings, under Local Policies - User Rights Assignment, I set "Add Workstations to Domain" to include the Domain Admins group. Also in the same area, to "Enable Computer and User Accounts to be Trusted for Delegation" I added Domain Admins, Administrators and Enterprise Admins. At this point I forced the GP update, and did the promotion, and it went right through..

Now, please note that I had a messed up Group Policy. It is very unlikely that you will have this, but of course it never hurts to check. However, before you go this far, check the more ordinary fixes to this problem.

Thanks again to Netintruder for the fix, I have googled my brains out before he prompted me with the solution in just a few exchanged emails. He is great.

Thanks again,

Benedek
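The root cause in this thread was two user rights in the Default Domain Controllers policy (SeMachineAccountPrivilege and SeEnableDelegationPrivilege) that had been defined but left with no members, so nobody held them and DCPROMO failed with Access Denied. The following PowerShell is an added example, not code from the thread or from either poster, that exports the effective local security policy on a DC with secedit and flags any of those rights that is defined but empty. It assumes an elevated PowerShell console on the DC itself; the scratch path and the list of rights to check are choices made here, not values from the thread.

```powershell
# Added example (not from the thread): audit effective User Rights Assignment on a DC
# for privileges that are defined but have no members. Assumes an elevated console on
# the domain controller; $ExportPath is a scratch location chosen for this example.
$ExportPath = Join-Path $env:TEMP 'secpol-audit.inf'

# Rights that DC promotion depends on; the names match the userrights.txt report above.
$RightsToCheck = @('SeMachineAccountPrivilege', 'SeEnableDelegationPrivilege')

# secedit writes the machine's effective security template; USER_RIGHTS limits it to
# the [Privilege Rights] section, which is all this check needs.
& secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $ExportPath)) {
    throw "secedit export failed; run this from an elevated prompt on the DC."
}

# Parse [Privilege Rights]. Lines look like:
#   SeMachineAccountPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
# A right that is defined with no holders exports as "SeXxxPrivilege =" with nothing after it.
$inSection = $false
$assigned  = @{}
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection) { continue }
    if ($line -match '^(\S+)\s*=\s*(.*)$') {
        # @() keeps the result an array even when there is zero or one member.
        $members = @($Matches[2].Trim() -split ',' | Where-Object { $_ -ne '' })
        $assigned[$Matches[1]] = $members
    }
}

foreach ($right in $RightsToCheck) {
    if (-not $assigned.ContainsKey($right)) {
        "$right : not present in the export (not configured by policy)"
    } elseif ($assigned[$right].Count -eq 0) {
        # This is the state the thread found: the policy defines the right but grants it to nobody.
        "$right : DEFINED BUT EMPTY - no account holds this right on this DC"
    } else {
        # Members are exported as SIDs prefixed with '*'; translate them to names for readability.
        $names = foreach ($m in $assigned[$right]) {
            if ($m.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($m.TrimStart('*'))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $m }   # unresolvable SID (deleted account, foreign domain): show raw
            } else { $m }
        }
        "$right : $($names -join ', ')"
    }
}

Remove-Item $ExportPath -ErrorAction SilentlyContinue
```

If a right reports "DEFINED BUT EMPTY", the fix described above applies: open the policy that defines it (here the Default Domain Controllers policy), add the groups that should hold it, then run gpupdate /force on the DC and re-run this check before attempting the promotion again. Because the export reflects the effective policy after GPO processing, the check also confirms that the refresh actually took.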
 