"Access Denied" when adding a new DC

[Eddiefdz]

I am in the process of adding a new domain controller to my AD Domain. I ran DCPROMO and it did find the correct domain etc. When it gets to the point where it starts adding it to the AD it tells me that access is denied. Then it tells me to enter the username and password of a user with the correct administrative priviliges to add a domain controller. The username and password that i am using is my domain administrator account. I have also tried to create other administrator accounts to see if it works but it does not. Let me know what you guys think. Eddie Fernandez
CCNA, Network+, A+, MCP

 

[trimelater]

Add the enterprise administrator and schema admin to the administrator.

Trimelater

 

[Eddiefdz]

I have already checked that and they are added. Anything else???? Thanks, Eddie Fernandez
CCNA, Network+, A+, MCP

 

[CoolClark]

Make sure all of your DCs are in the "Domain Controllers" security group.

 

[GlenJohnson]

Check the ms website for mention of a pre something list in a host files. We needed this to join the domain, but now it's gone from our hosts file. It was something like
ipaddress predomainname )(*#$*$) #Pre-domain

It's been so long I can't tell you for sure, but we found it buried on the ms site. Search for pre and or dom. Good luck. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"What is harder than rock, or softer than water? Yet soft water hollows out hard rock. Persevere."
Ovid(43BC-17AD); Roman poet.

 

[tlcscousin]

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308311

This problem occurs during promotion if the Active directory database is moved to a folder on which the Administrator account does not have sufficient permissions.

For example, during promotion, the database location may be moved from the default location of C:\Winnt\Ntds to C:\Ntds. The administrator has only Read permission on the Ntds folder. Administrators need to have Full Control NTFS permissions on the new location to perform this operation.
RESOLUTION
Give administrators Full Control NTFS permissions on the folder in which you intend to store Active Directory.

 

[Eddiefdz]

Futuretech204, I have already tried that. I had found that on the MS Website and looked at those settings. I have made those changes and checked it and the administrator account is on that folder. Anything else??? THanks Eddie Fernandez
CCNA, Network+, A+, MCP

 

[tlcscousin]

have you tried the domain administrators account with the domain.
administrator@domain
password

 

[tlcscousin]

Found this as well.

To resolve this problem, use the appropriate method:
Verify that the current domain controllers in the domain have applied security policy and the Enable computer and users accounts to be trusted for delegation user right granted to the Administrators Group (click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment).

For computers that do not have this right, confirm that group policy objects in the directory service and file system have replicated, and then manually apply the policy by typing the following command:
secedit /refreshpolicy machine_policy
NOTE: Look for the following message in the application log to confirm the application of the policy:

Event ID 1704: Security Policy in the Group policy objects are applied successfully.
Stop the Netlogon service on the source domain controllers that do not have this right applied to discover another domain controller in the domain that applied this right.
Verify that the source domain controller is in the organization unit. The name of the source domain controller can be found in the hidden file called Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that you are trying to promote.
Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit utility to verify that the domain controllers policy is being applied to the source domain controller.
Status
Microsoft has confirmed this to be a problem in Microsoft Windows 2000.

 

[tlcscousin]

Set the Delegation Privilege on the Group Policy Object
In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
Double-click Computer Configuration, then Windows Settings, then Security Settings, then, Local Policies, and then User Rights Assignment.
Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
Apply the policy using one of the following methods:
At a command prompt, type secedit /refreshpolicy machine_policy /enforce.
In the the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232070