Promote Server to DC in Active Directory, error... 6


bence8810

IS-IT--Management
Jul 20, 2005
241
AE
Hi

I have a setup of two servers, one is Exchange and the other is Data. Both run W2k3 Server.

Both have to be Domain Controllers, so that if one fails, the other takes over, etc... This setup worked very well in the past. I came aboard and realized that one HDD in the RAID 5 on the Data server is failing. So I decided to upgrade them. I wanted to demote the server from being a DC, do the reinstall and then promote it again. The demote failed, so I did a force demote, replaced the drives, etc., reinstalled the server, and now I am trying to promote it to be a DC, but it fails with the same error as when I tried to demote it. The error is as follows:

The operation failed because: The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account. "Access is denied."

What may I be doing wrong? I did a cleanup on the AD to remove the junk the old DC left behind due to the unclean demotion. I used the ntdsutil command to clean the DC's leftovers from the AD. All seemed fine. But, just to be certain, I tried to change the name of the server and make it a DC with the new name, but it failed as well, so it isn't because the old one left junk there, as even a new name won't go through. I think it is a permission issue, but I am not able to determine why and where the problem is. Please help if you can.

thanks

Benedek
 
It's not a permission issue, it is a secure channel issue; that is, the dataserver lost its SC with the AD DC.

What you can do:
net stop kdc
netdom resetpwd /server:the_other_dc /userd:domain\administrator /passwordd:*

Since you've already forcefully demoted this DC, you need a metadata cleanup in AD first, following this link


---------------------------------------
Sr. Directory Services/Exchange Consultant
 
Hi

Thanks for picking up the issue.

I already cleaned the AD with that tool, and I also used the same exact link you just gave me now. So that step I can eliminate I guess.

What you said about the SC restore, I understand and also I don't understand.

It happened even before I took down the Dataserver. When I wanted to demote it, it was already problematic, with the same Access Denied error. It lost the SC before that, and even reinstalling didn't fix it? I cleaned the AD prior to reinstalling.

Anyway, I would like to try what you said. Can you explain a bit more? Sorry if I am slow compared to your pace... still a beginner.

I go to the new dataserver's console and type in

net stop kdc

netdom resetpwd /server:exchangeserver /userd:mydomain\administrator /passwordd:newpassword

Did I get what you meant? If not, please explain again. Thanks.

Also, can I do it while users access files on it, and printers? I am asking because I am not familiar with the process you explained to me. Should I do a backup just in case, or is it harmless? And finally, after I do this, I need to run DCPROMO and try to attach to the AD as a DC again?

Thanks a bunch again...

Benedek
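The secure channel reset suggested two posts up and restated in the post above can be checked before anything is changed, and the check is what tells you whether the reset is even relevant. The following is an added example, not code from the thread; it assumes the placeholder names EXCHANGESERVER (the surviving DC) and MYDOMAIN (the domain NetBIOS name) and an elevated Windows PowerShell 3.0 or later session on the server being promoted. It uses Reset-ComputerMachinePassword, which performs the same operation as the netdom resetpwd line quoted in the thread.

```powershell
# Added example, not from the thread. Check the secure channel of the server you are
# trying to promote and repair it only if the check fails.
# Assumed placeholder names: EXCHANGESERVER = the surviving DC, MYDOMAIN = the domain.
# Run in an elevated Windows PowerShell (3.0 or later) session on the server itself.
$HealthyDc     = 'EXCHANGESERVER'
$DomainNetbios = 'MYDOMAIN'

# 1. Read-only check: does this computer's machine account still authenticate to the DC?
$channelOk = Test-ComputerSecureChannel -Server $HealthyDc
Write-Host ("Secure channel to {0}: {1}" -f $HealthyDc, $(if ($channelOk) { 'healthy' } else { 'BROKEN' }))

# 2. Second opinion from nltest, which also names the DC the channel was set up with.
nltest /sc_query:$DomainNetbios

if (-not $channelOk) {
    # 3. The KDC service only exists on a DC. On a member server this is a no-op,
    #    which is why one reply in the thread says the 'net stop kdc' step can be skipped.
    $kdc = Get-Service -Name kdc -ErrorAction SilentlyContinue
    if ($kdc -and $kdc.Status -eq 'Running') { Stop-Service -Name kdc }

    # 4. Reset the computer account password on the healthy DC and re-establish the channel.
    #    The credential asked for is the domain admin's account (what /userd and /passwordd:*
    #    prompt for in netdom); it is not a new password for the machine account.
    $cred = Get-Credential -UserName "$DomainNetbios\Administrator" -Message 'Domain admin credential'
    Reset-ComputerMachinePassword -Server $HealthyDc -Credential $cred

    if ($kdc -and $kdc.Status -eq 'Running') { Start-Service -Name kdc }
}

# 5. Verify again before re-running dcpromo; anything but True means promotion will keep failing.
Test-ComputerSecureChannel -Server $HealthyDc
```

The reset changes only the computer account's password, stored in AD and in the local LSA secret; it does not touch user accounts, file shares or printer queues, which answers the question in the post above about doing it while users are connected. If step 1 already reports the channel as healthy, the "Access is denied" from dcpromo is coming from somewhere else and the reset will not change the outcome.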
 
Another thing to take a look at could be the local security policy on the machine. Is the machine able to join the domain as a member server? You would not need to worry about the net stop kdc command because you are currently a member server. I would check using ADSI Edit to see if the old computer account is still present. If so, I would remove the computer; also make sure there are no other references listed for it in AD Sites and Services too. If this is a clean install, I would look to see if the security template is corrupted and try to repair the security template with the secedit command. Here is a link for the default settings. This also works on Win2k3 and Win2k. You will need to reboot the machine after this and then try the promotion process.
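The ADSI Edit and Sites and Services checks in the post above are the places a force-demoted DC leaves traces, and there are two more worth looking at in the same pass: the FRS member object for SYSVOL and the DNS SRV records that advertise a host as a DC. The following is an added example, not code from the thread; it assumes the placeholder name DATASERVER for the old DC and the ActiveDirectory module (RSAT) on a modern admin workstation pointed at the working DC. It only reports; it deletes nothing.

```powershell
# Added example, not from the thread. Look for anything a force-demoted DC could have
# left behind before promoting a server of the same name again. Read-only: it reports,
# it does not delete. Assumed placeholder name: DATASERVER = the old DC.
# Needs the ActiveDirectory module (RSAT); run against the working DC.
Import-Module ActiveDirectory
$OldDc   = 'DATASERVER'
$root    = Get-ADRootDSE
$domDN   = $root.defaultNamingContext
$cfgDN   = $root.configurationNamingContext
$dnsRoot = (Get-ADDomain).DNSRoot

# 1. The computer account. After a clean demotion it is an ordinary member server object;
#    a DC account sits in OU=Domain Controllers and carries the SERVER_TRUST_ACCOUNT bit (0x2000).
$acct = Get-ADComputer -Filter "Name -eq '$OldDc'" -Properties userAccountControl
if ($acct) {
    $isDcFlag = ($acct.userAccountControl -band 0x2000) -ne 0
    "Computer object: {0}  DC flag set: {1}" -f $acct.DistinguishedName, $isDcFlag
} else {
    "No computer object named $OldDc"
}

# 2. Server and NTDS Settings objects under Sites (what AD Sites and Services shows).
Get-ADObject -SearchBase "CN=Sites,$cfgDN" -Filter "objectClass -eq 'server' -and name -eq '$OldDc'" |
    ForEach-Object { "Stale server object: $($_.DistinguishedName)" }

# 3. FRS member object for SYSVOL under CN=System; ntdsutil's metadata cleanup removes this too.
Get-ADObject -SearchBase "CN=System,$domDN" -Filter "objectClass -eq 'nTFRSMember' -and name -eq '$OldDc'" |
    ForEach-Object { "Stale FRS member: $($_.DistinguishedName)" }

# 4. DNS: SRV records that still advertise the old host as a DC or KDC.
foreach ($srv in "_ldap._tcp.dc._msdcs.$dnsRoot", "_kerberos._tcp.dc._msdcs.$dnsRoot") {
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$OldDc.*" } |
        ForEach-Object { "Stale SRV record: $srv -> $($_.NameTarget)" }
}
```

Anything printed by steps 2 to 4 is exactly the "junk" the first reply meant by metadata cleanup, and a stale SRV record in particular will keep sending clients and the promotion wizard to a host that no longer holds the role. An empty report from all four steps means the directory side is clean and the remaining suspects are the local machine (the security template mentioned above) and the account running dcpromo.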
 
Hi

I checked the ADSI and there are no leftover things from the old DC in the Active Directory.

Yes, the machine is able to join the domain, and it is a member server now, and able to share its folders with the Domain Users, and I can set permissions, so it is fully functional as is, it just isn't safe, as if the other server goes down, the domain is down. :(

Do you think resetting the security settings on the machine would help? It seems the Active Directory won't accept this machine to be a DC. Would you think it depends on the local machine? When it used to be a DC with the old setup, I also couldn't demote it, for the same reason: Access Denied. And now I try to promote it, and same error, Access Denied.

Is there a way I can initiate this promotion from the DC toward the local machine that is to be a DC as well?

Also, the first reply I got, I didn't perform that yet. Should I go ahead with that?

As I said, I also tried to rename the machine and make it a DC with a new name, but it wouldn't do it.

Thanks

Benedek
 
just curious... what level of permissions do you have on the domain? Are you running DCPromo as a domain admin or enterprise admin?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

I am logged in as administrator (built-in) and administrator has Enterprise and Domain admin rights both. And on top of that, it has Exchange Admin, DnsAdmin, Schema admin rights as well.

Do I do something wrong?

Thanks

Benedek
 
ok, next... the server that you forcibly removed... was this by chance a holder of any of the FSMO roles?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
As much as I am not familiar with what you are asking, I remember seeing something like that in the logs when I forced the removal. I will try to paste here that portion of the log. Why do I feel that I did something wrong???

metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=DATASERVER,OU=Domain Controllers,DC=synovate,DC=local".
Deleting subtree under "CN=DATASERVER,OU=Domain Controllers,DC=synovate,DC=local".
The attempt to remove the FRS settings on CN=DATASERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=synovate,DC=local failed because "Element not found.";
metadata cleanup is continuing.
"CN=DATASERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=synovate,DC=local" removed from server "localhost"
metadata cleanup: quit
ntdsutil: quit
Disconnecting from localhost...

C:\Documents and Settings\Administrator>

That is all I found.

I hope you see where I did something...

Thanks for helping

Benedek
 
ok, from the DC that works... open up your AD users/computers console, right click the root domain and choose operations masters.... are they listed correctly there?

Check this article quick:

Look through there to check to make sure all of your roles are in the right place and, if not, seize them to the working Domain Controller.

Let me know what happens here - we'll work through this after verifying proper FSMO placement :)

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

This article is very interesting. When I go to AD Users and Computers and click the Operations Masters, I see only three listed there.

RID
PDC
Infrastructure

The other two, Schema and Domain, are not there. Hmm... But the three that are there point to the machine that is functional at the moment, so I don't see a problem with that, but the other two are not there at all. When I go to the MMC snap-in, I can add the Schema master as it says in the article, and after that it says that the correct server is its Operations Master, but after saving it, I go back to AD Users and Computers, and still I can only see the three there, not more.

When I go to the AD Domains and Trusts, and I right click the Active Directory Domains and Trusts, and go to Operations Master, it says, that the correct machine is the master. So I dont know what might be wrong.

Thanks

Benedek
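The FSMO check requested two posts up and the partial result in the post above fit together: AD Users and Computers only ever shows the three domain-wide roles (PDC, RID, Infrastructure), while the Schema Master and Domain Naming Master are forest-wide and live in the Schema snap-in and AD Domains and Trusts respectively, which is where the post above found them. The following is an added example, not code from the thread, that lists all five in one place and flags any that are not on the DC you expect; it assumes the placeholder name EXCHANGESERVER for the surviving DC and the ActiveDirectory module (RSAT).

```powershell
# Added example, not from the thread. List all five FSMO role holders in one place and
# flag any that are not on the DC you expect. Assumed placeholder: EXCHANGESERVER.
Import-Module ActiveDirectory
$Expected = 'EXCHANGESERVER'
$domain   = Get-ADDomain
$forest   = Get-ADForest

# Domain-wide roles appear in AD Users and Computers; forest-wide roles do not,
# which is why that console shows only three of the five.
$roles = [ordered]@{
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'Schema Master'         = $forest.SchemaMaster        # AD Schema snap-in
    'Domain Naming Master'  = $forest.DomainNamingMaster  # AD Domains and Trusts
}

$report = foreach ($role in $roles.GetEnumerator()) {
    $holderShort = ($role.Value -split '\.')[0]      # FQDN -> host name for comparison
    [pscustomobject]@{
        Role   = $role.Key
        Holder = $role.Value
        Status = if ($holderShort -ieq $Expected) { 'OK' } else { 'NOT ON EXPECTED DC' }
    }
}
$report | Format-Table -AutoSize

# A holder that is listed but not reachable is as bad as a missing one, so ask each distinct
# holder directly which roles it believes it owns.
$roles.Values | Sort-Object -Unique | ForEach-Object {
    Get-ADDomainController -Identity $_ | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
}

# Independent cross-check with the classic tool (on Server 2003 it comes with the Support Tools).
netdom query fsmo
```

If every row reads OK and netdom query fsmo agrees, the forced removal did not strand a role on the old DATASERVER, and the promotion failure is not an FSMO problem. A row that still names the removed DC is the case the linked article covers: seize the role onto the working DC before retrying dcpromo.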
 
well that's good! It sounds like your roles are in order then. Are you having any issues adding workstations to the domain by chance?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Hi

No, not at all. I can add computers with no problem, but actually they add themselves usually. When I install a new workstation, I can just go to Join Domain and then give the appropriate password, and it will be added after reboot and will show up in the DNS and AD Computers list.

Thanks

Benedek
 
sounds good. Let me do a little looking here.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Thanks man. I appreciate your help.

Benedek
 
No sweat. Take a look at your event logs on the 'good' domain controller, specifically in the Directory Services, DNS, and FRS logs... anything erroring out there?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
I will try to do the DCPROMO to generate the events.

Will be just a few minutes till it dumps the error,..

Thanks

Benedek
 
So here is the error that shows up in the DCPROMO window:

The operation failed because: The Active Directory Installation Wizard was unable to convert the computer account DATASERVER$ to a domain controller account. "Access is denied."

On the working DC there aren't any logs showing up in the Event Viewer at all.

On the server I am trying to add I found the following events.

Internal error: An Active Directory error has occurred.

Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
3000e54

and..

Internal event: The following schema class has a superclass that is not valid.

Class identifier:
1027801127
Class name:
msExchOmaConnector
Superclass identifier:
518729444

and..

Internal event: The following schema class has a superclass that is not valid.

Class identifier:
518728445
Class name:
msExchPublicMDB
Superclass identifier:
518728442

and... many such Schema logs. All together 20 or so. All similar to the above two, just different numbers.

That is all I can see, which are errors, or warnings.

Thanks

Benedek
 
cool. I need a bit to chew at this.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
do me a quick favor... look at the Lost and Found container in AD and see if there's anything in there...

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
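The evidence asked for in the last few posts (the Directory Service, DNS and FRS event logs on both machines, and now the Lost and Found container) can be collected in one pass, and dcpromo's own log files are worth reading alongside, because they name the step at which "Access is denied" was returned. For what it is worth, the -1073741823 / c0000001 value reported above is the generic NTSTATUS STATUS_UNSUCCESSFUL, so on its own it does not point at a cause. The following is an added example, not code from the thread; it assumes the placeholder names EXCHANGESERVER (working DC) and DATASERVER (server being promoted), Windows PowerShell with RSAT, and admin rights on both machines. It reads only.

```powershell
# Added example, not from the thread. Gather the evidence asked for in the thread from both
# servers in one pass: the classic event logs, the dcpromo log files, and the LostAndFound
# containers. Assumed placeholders: EXCHANGESERVER (working DC) and DATASERVER (server
# being promoted). Read-only. Windows PowerShell with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$GoodDc    = 'EXCHANGESERVER'
$Candidate = 'DATASERVER'
$Since     = (Get-Date).AddDays(-1)

# 1. Errors and warnings from the three logs named in the thread. A member server that is
#    not yet a DC normally has no 'DNS Server' or 'File Replication Service' log at all,
#    so a missing log is reported rather than treated as a failure.
foreach ($computer in $GoodDc, $Candidate) {
    foreach ($log in 'Directory Service', 'DNS Server', 'File Replication Service') {
        try {
            Get-EventLog -ComputerName $computer -LogName $log -EntryType Error, Warning -After $Since -ErrorAction Stop |
                Select-Object @{n='Computer'; e={ $computer }}, @{n='Log'; e={ $log }},
                              TimeGenerated, EventID, Source,
                              @{n='Message'; e={ ($_.Message -split "`r?`n")[0] }} |   # first line only
                Format-Table -AutoSize
        } catch {
            "{0}: log '{1}' not present or not reachable ({2})" -f $computer, $log, $_.Exception.Message
        }
    }
}

# 2. dcpromo writes its own transcript under %SystemRoot%\debug; the last lines name the failing step.
foreach ($file in 'dcpromo.log', 'dcpromoui.log') {
    $path = "\\$Candidate\admin`$\debug\$file"
    if (Test-Path $path) {
        "---- $path ----"
        Get-Content $path -Tail 40
    }
}

# 3. Objects AD could not place after a deletion or a failed replication land in LostAndFound
#    (domain partition) and LostAndFoundConfig (configuration partition).
$root = Get-ADRootDSE
foreach ($container in "CN=LostAndFound,$($root.defaultNamingContext)",
                       "CN=LostAndFoundConfig,$($root.configurationNamingContext)") {
    "---- $container ----"
    Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties whenChanged, lastKnownParent |
        Select-Object Name, ObjectClass, whenChanged, lastKnownParent | Format-Table -AutoSize
}
```

The lastKnownParent attribute on anything found in step 3 tells you which container the object fell out of, which is what makes the Lost and Found check useful after a forced metadata cleanup: an orphan whose last known parent is OU=Domain Controllers or CN=Sites is a leftover of the removed DATASERVER.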
 