DCPROMO Problem

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Location
    Irving, TX, USA
    Posts
    3

    DCPROMO Problem

    I am having a problem adding a new Win2k server to my existing domain. I have a PDC and one other Win2k server currently on the domain. Both are replicating just fine.

    Here is the error message I get when I run DCPROMO and it gets to the end where it starts to add the computer to the domain.

    The operation failed because: Failed to modify the necessary properties for the machine account MAIL$
    "Access is denied."

    I have tried the resolutions in this MS Support document, but it didn't correct the problem:

    http://support.microsoft.com/support/kb/articles/Q250/8/74.ASP

    Any other suggestions?

    Thanks,
    Matt

  2. #2
    Registered User
    Join Date
    May 2001
    Location
    New Orleans
    Posts
    290


    Hmm... a new one for me. You'll have to be a lot more specific, though. You say that the suggested resolution didn't work. Please explain in a little more detail. For example:


    First, MS suggests checking all present domain controllers for replication and application of the security policy stating the new domain controller is trusted for delegation. - Did this, all computers showed the new settings, so I manually refreshed them all with secedit /refreshpolicy machine_policy, and received no errors

    Also verified that the source DC was in the OU, and double-checked that the netlogon service was running and that the security settings were the same for the domain policy and domain controller policy....


    I don't know; something like that. You get the idea. This amount of information helps us help you. Especially with something as complicated as promoting DC's, you want to be sure to not leave out any details...

    Ron
    Community standards do not maintain themselves: They're
    maintained by people actively applying them, visibly, in public. - Eric Raymond

  3. #3
    Junior Member
    Join Date
    Oct 2001
    Location
    Irving, TX, USA
    Posts
    3


    Ok, here is a more detailed explanation:

    Background on the network:

    The domain is irvingbible.org for Irving Bible Church. I have two DCs - IBCSERVER and IBCFS1.
    IBCSERVER created the domain and now serves as a DHCP, WINS, and DNS server. IBCFS1 was added a few months ago to act as the file server. It provides a backup DNS server.

    In September, I had to restore IBCSERVER from a backup because the system would hang at boot.

    The system that I am trying to add is MAIL which will become my Exchange server.

    Here is what happens:

    1. I run DCPROMO to add MAIL to the irvingbible.org domain.
    2. I run through the setup and at the end get the "Access is Denied" error message.
    3. I quit out of the setup and look at the Network Identification tab under My Computer and notice that the computer was successfully added to the domain as mail.irvingbible.org
    4. I can also confirm this by looking at the AD on both DCs and see MAIL under the COMPUTERS OU.
    5. I check the group policy to see if the "Enable computer and users accounts to be trusted for delegation" user right is enabled and find that it isn't. I enable it and add the Administrator and the IRVINGBIBLE/Administrators group. I apply the secedit /refreshpolicy machine_policy on both DCs and see the Event ID 1704 on both DCs confirming that the group policy was refreshed and applied on both servers.
    6. I run the DCPROMO again on the MAIL computer and receive the same error "Access is Denied".
    7. I try to disable the NETLOGON service on IBCFS1 to force promotion on the IBCSERVER and still receive the same error.
    8. I try to disable the NETLOGON service on IBCSERVER to force promotion on the IBCFS1 and still receive the same error.
    9. I try removing the MAIL computer from the domain, putting it on a workgroup and also deleting the account from both DCs.
    10. I then run DCPROMO again and receive the same error.
    11. Both DCs are in the Domain Controller OU and have been since the beginning of the process.


    Here is the DCPROMO.log from MAIL:

    ------------------------------------------------
    11/06 10:47:45 [INFO] The attempted domain controller operation has completed

    11/06 10:47:45 [INFO] DsRolepSetOperationDone returned 0
    11/06 10:48:01 [INFO] Promotion request for replica domain controller
    11/06 10:48:01 [INFO] DnsDomainName irvingbible.org
    11/06 10:48:01 [INFO] ReplicaPartner IBCFS1.irvingbible.org
    11/06 10:48:01 [INFO] SiteName (NULL)
    11/06 10:48:01 [INFO] DsDatabasePath C:\WINNT\NTDS, DsLogPath C:\WINNT\NTDS
    11/06 10:48:01 [INFO] SystemVolumeRootPath C:\WINNT\SYSVOL
    11/06 10:48:01 [INFO] Account irvingbible\Administrator
    11/06 10:48:01 [INFO] Options 196
    11/06 10:48:01 [INFO] Validate supplied paths
    11/06 10:48:01 [INFO] Validating path C:\WINNT\NTDS.
    11/06 10:48:01 [INFO] Path is a directory
    11/06 10:48:01 [INFO] Path is on a fixed disk drive.
    11/06 10:48:01 [INFO] Validating path C:\WINNT\NTDS.
    11/06 10:48:01 [INFO] Path is a directory
    11/06 10:48:01 [INFO] Path is on a fixed disk drive.
    11/06 10:48:01 [INFO] Validating path C:\WINNT\SYSVOL.
    11/06 10:48:01 [INFO] Path is on a fixed disk drive.
    11/06 10:48:01 [INFO] Path is on an NTFS volume
    11/06 10:48:01 [INFO] Start the worker task
    11/06 10:48:01 [INFO] Request for promotion returning 0
    11/06 10:48:01 [INFO] Searching for a domain controller for the domain irvingbible.org that contains the account MAIL$

    11/06 10:48:01 [INFO] Located domain controller IBCFS1.irvingbible.org for domain irvingbible.org

    11/06 10:48:01 [INFO] Using site Default-First-Site-Name for server IBCFS1.irvingbible.org

    11/06 10:48:01 [INFO] Forcing time sync
    11/06 10:48:01 [INFO] Forcing a time synch with IBCFS1.irvingbible.org

    11/06 10:48:01 [INFO] Setting machine account to be DC
    11/06 10:48:01 [INFO] Configuring the server account

    11/06 10:48:01 [INFO] Searching for the machine account for MAIL$ on IBCFS1.irvingbible.org...
    11/06 10:48:01 [INFO] Configuring the server account

    11/06 10:48:01 [INFO] NtdsSetReplicaMachineAccount returned 5
    11/06 10:48:01 [INFO] DsRolepSetMachineAccountType returned 5
    11/06 10:48:01 [INFO] Error - Failed to modify the necessary properties for the machine account MAIL$
    (5)
    11/06 10:48:01 [INFO] The attempted domain controller operation has completed

    11/06 10:48:01 [INFO] DsRolepSetOperationDone returned 0
    -------------------------------------------------

    -------------------------------------------------
    Also, here is the GPRESULT.EXE from IBCSERVER:

    Last time Group Policy was applied: Tuesday, November 06, 2001 at 10:52:36 AM
    Group Policy was applied from: IBCSERVER.irvingbible.org


    ===============================================================
    The user received "Internet Explorer Branding" settings from these GPOs:

    Default Domain Policy

    ###############################################################

    Computer Group Policy results for:

    CN=IBCSERVER,OU=Domain Controllers,DC=irvingbible,DC=org

    Domain Name: IRVINGBIBLE
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name


    The computer is a member of the following security groups:

    BUILTIN\Administrators
    \Everyone
    IRVINGBIBLE\Children
    IRVINGBIBLE\DHCP Users
    IRVINGBIBLE\RAS and IAS Servers
    IRVINGBIBLE\DHCP Administrators
    IRVINGBIBLE\WINS Users
    IRVINGBIBLE\NetShow Administrators
    IRVINGBIBLE\DnsAdmins
    IRVINGBIBLE\ePO User Group
    BUILTIN\Administrators
    BUILTIN\Users
    BUILTIN\Guests
    BUILTIN\Backup Operators
    BUILTIN\Replicator
    BUILTIN\Server Operators
    BUILTIN\Account Operators
    BUILTIN\Print Operators
    BUILTIN\Pre-Windows 2000 Compatible Access
    IRVINGBIBLE\IBCSERVER$
    IRVINGBIBLE\Enterprise Admins
    IRVINGBIBLE\Schema Admins
    IRVINGBIBLE\Young Adult
    IRVINGBIBLE\Community Life
    IRVINGBIBLE\Domain Users
    IRVINGBIBLE\DnsUpdateProxy
    IRVINGBIBLE\Cert Publishers
    IRVINGBIBLE\Domain Guests
    IRVINGBIBLE\Missions
    IRVINGBIBLE\Domain Controllers
    IRVINGBIBLE\Worship
    IRVINGBIBLE\Admin
    IRVINGBIBLE\Domain Admins
    IRVINGBIBLE\Domain Computers
    IRVINGBIBLE\Youth
    IRVINGBIBLE\Arts
    IRVINGBIBLE\Group Policy Creator Owners
    IRVINGBIBLE\Adult
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users

    ###############################################################

    Last time Group Policy was applied: Tuesday, November 06, 2001 at 12:07:37 PM
    Group Policy was applied from: IBCSERVER.irvingbible.org


    ===============================================================


    The computer received "Registry" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "Security" settings from these GPOs:

    Default Domain Policy
    Default Domain Controllers Policy


    ===============================================================
    The computer received "EFS recovery" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "Application Management" settings from these GPOs:

    Default Domain Policy
    --------------------------------------------------


    And here is the GPRESULT.EXE from IBCFS1:

    Last time Group Policy was applied: Tuesday, November 06, 2001 at 11:49:11 AM
    Group Policy was applied from: IBCFS1.irvingbible.org


    ===============================================================
    The user received "Internet Explorer Branding" settings from these GPOs:

    Default Domain Policy

    ###############################################################

    Computer Group Policy results for:

    CN=IBCFS1,OU=Domain Controllers,DC=irvingbible,DC=org

    Domain Name: IRVINGBIBLE
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name


    The computer is a member of the following security groups:

    BUILTIN\Administrators
    \Everyone
    IRVINGBIBLE\Children
    IRVINGBIBLE\DHCP Users
    IRVINGBIBLE\RAS and IAS Servers
    IRVINGBIBLE\DHCP Administrators
    IRVINGBIBLE\WINS Users
    IRVINGBIBLE\NetShow Administrators
    IRVINGBIBLE\DnsAdmins
    IRVINGBIBLE\ePO User Group
    BUILTIN\Account Operators
    BUILTIN\Replicator
    BUILTIN\Administrators
    BUILTIN\Server Operators
    BUILTIN\Pre-Windows 2000 Compatible Access
    BUILTIN\Backup Operators
    BUILTIN\Users
    BUILTIN\Guests
    BUILTIN\Print Operators
    IRVINGBIBLE\IBCFS1$
    IRVINGBIBLE\Enterprise Admins
    IRVINGBIBLE\Schema Admins
    IRVINGBIBLE\Young Adult
    IRVINGBIBLE\Community Life
    IRVINGBIBLE\Domain Users
    IRVINGBIBLE\DnsUpdateProxy
    IRVINGBIBLE\Cert Publishers
    IRVINGBIBLE\Domain Guests
    IRVINGBIBLE\Missions
    IRVINGBIBLE\Domain Controllers
    IRVINGBIBLE\Worship
    IRVINGBIBLE\Admin
    IRVINGBIBLE\Domain Admins
    IRVINGBIBLE\Domain Computers
    IRVINGBIBLE\Youth
    IRVINGBIBLE\Arts
    IRVINGBIBLE\Group Policy Creator Owners
    IRVINGBIBLE\Adult
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users

    ###############################################################

    Last time Group Policy was applied: Tuesday, November 06, 2001 at 12:05:33 PM
    Group Policy was applied from: IBCFS1.irvingbible.org


    ===============================================================


    The computer received "Registry" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "Security" settings from these GPOs:

    Default Domain Policy
    Default Domain Controllers Policy


    ===============================================================
    The computer received "EFS recovery" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "Application Management" settings from these GPOs:

    Default Domain Policy


    Hope this helps.
    Thanks,
    Matt Green
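
As an added example (not part of the original post), the DCPROMO.log above can be reduced to the calls that failed and their error codes. It treats the "returned N" values as Win32 error codes, which matches the "Access is denied" text the wizard showed for code 5; the code table is a small subset and the function names are hypothetical.

```python
import re

LINE_RE = re.compile(r"^\s*(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\]\s*(.*)$")
RET_RE = re.compile(r"^(\w+) returned (\d+)$")

# Small subset of Win32 error codes; extend as needed.
WIN32_ERRORS = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED",
                53: "ERROR_BAD_NETPATH", 1326: "ERROR_LOGON_FAILURE",
                1355: "ERROR_NO_SUCH_DOMAIN"}

# Excerpt of the DCPROMO.log lines posted in the thread.
SAMPLE_LOG = """\
11/06 10:48:01 [INFO] Promotion request for replica domain controller
11/06 10:48:01 [INFO] ReplicaPartner IBCFS1.irvingbible.org
11/06 10:48:01 [INFO] Account irvingbible\\Administrator
11/06 10:48:01 [INFO] Request for promotion returning 0
11/06 10:48:01 [INFO] Setting machine account to be DC
11/06 10:48:01 [INFO] NtdsSetReplicaMachineAccount returned 5
11/06 10:48:01 [INFO] DsRolepSetMachineAccountType returned 5
11/06 10:48:01 [INFO] Error - Failed to modify the necessary properties for the machine account MAIL$
(5)
11/06 10:48:01 [INFO] DsRolepSetOperationDone returned 0
"""

def parse_entries(text):
    """Split the log into entries; untimestamped lines continue the previous one."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2),
                            "msg": m.group(3).strip()})
        elif raw.strip() and entries:
            entries[-1]["msg"] += " " + raw.strip()
    return entries

def summarize(text):
    """Collect the replica partner, the account used, and every non-zero return."""
    summary = {"partner": None, "account": None, "failures": [], "error": None}
    for entry in parse_entries(text):
        msg = entry["msg"]
        if msg.startswith("ReplicaPartner "):
            summary["partner"] = msg.split(" ", 1)[1]
        elif msg.startswith("Account "):
            summary["account"] = msg.split(" ", 1)[1]
        elif msg.startswith("Error - "):
            summary["error"] = msg[len("Error - "):]
        else:
            m = RET_RE.match(msg)
            if m and int(m.group(2)) != 0:
                code = int(m.group(2))
                summary["failures"].append(
                    (m.group(1), code, WIN32_ERRORS.get(code, "unknown")))
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The first entry in `failures` is the call to look at: here the write to the MAIL$ machine account on the replica partner was refused, so the credentials in `account` lacked a right on that DC rather than the promotion failing on DNS or replication.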

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Location
    Irving, TX, USA
    Posts
    3


    After I wrote all of that, I re-read your first message and looked at the local domain policy for each of the DCs. I realized that the Enable computer and users accounts to be trusted for delegation wasn't enabled for the local policy. I enabled it on both DCs and I was able to add it to the domain.

    Thanks,
    Matt

  5. #5
    Registered User
    Join Date
    May 2001
    Location
    New Orleans
    Posts
    290


    ROTFL - and I got to read it all very thoroughly before I got to your last message!

    Well, I guess perhaps all that typing can be a lesson in paying attention!

    I'm glad you were able to figure things out. I had a little trouble getting the hang of the "domain security policy/domain controller security policy" myself in the beginning.


    I would like to mention, however, that posting the KB article you referenced was a GREAT idea, and the only thing that caused me to give you a nice response instead of a nasty one. It showed that you had tried to solve the situation yourself, and had consulted troubleshooting resources available to everyone to try to get things fixed. (Many people don't even do this much before asking for help.)

    Ron
    Community standards do not maintain themselves: They're
    maintained by people actively applying them, visibly, in public. - Eric Raymond

  6. #6
    Registered User
    Join Date
    Apr 2004
    Posts
    10

    Access Denied on Adding a DC

    I have the same problem here and I tried all workarounds, no luck.
    Any idea please?

  7. #7
    Banned
    Join Date
    May 2001
    Location
    North West England.
    Posts
    3,200
    Quote Originally Posted by orven
    I have the same problem here and I tried all workarounds, no luck.
    Any idea please?
    Looks like they might have fixed it 3 years ago.

  8. #8
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I trust all the service packs are up to date, orven?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  9. #9
    Registered User
    Join Date
    Apr 2004
    Posts
    10

    DCpromo Issue

    That's another thing, NooNoo.
    I'm using SP3 because we have a standard in our enterprise, and according to our forest admin, don't use SP4 yet due to some issues.

    Anyhow, as far as I know I managed to add 1 DC last Nov without any problem. I can also confirm that I'm using domain admin rights to log in and run dcpromo.
    Can you clarify this for me? According to Matt's workaround (which I replied to in this thread, and which is exactly the same problem as mine), what he did is he also edited the local policy for all his DCs and added an account to be trusted for delegation. If you edit the domain controllers policy, I think it will replicate and it will be the same, since it will override the local policy settings? I have been fixing this issue for a week now and am becoming hopeless.



    Quote Originally Posted by NooNoo
    I trust all the service packs are up to date, orven?

  10. #10
    Registered User
    Join Date
    Apr 2004
    Posts
    10


    Can somebody out there give me a hint? Still waiting..
    By the way, I installed SP4 but sameeeeeeeee
    Quote Originally Posted by orven
    That's another thing, NooNoo.
    I'm using SP3 because we have a standard in our enterprise, and according to our forest admin, don't use SP4 yet due to some issues.

    Anyhow, as far as I know I managed to add 1 DC last Nov without any problem. I can also confirm that I'm using domain admin rights to log in and run dcpromo.
    Can you clarify this for me? According to Matt's workaround (which I replied to in this thread, and which is exactly the same problem as mine), what he did is he also edited the local policy for all his DCs and added an account to be trusted for delegation. If you edit the domain controllers policy, I think it will replicate and it will be the same, since it will override the local policy settings? I have been fixing this issue for a week now and am becoming hopeless.

  11. #11
    Registered User Green_Eyed's Avatar
    Join Date
    Feb 2001
    Location
    Just this side of normal
    Posts
    189
    Did you look at your local policy? That was Matt's problem, it (the server) wasn't trusted for delegation.

    Are you having the same error as Matt was having? Or is it a different one?

    You are correct about making changes to the domain controllers security policy, but each DC has a local policy as well. Also, he didn't add an account, he edited the local policy to trust that server for delegation. The account is already there.
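
As an added example (not written by any poster), the check this thread keeps returning to, whether each DC's policy grants "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege), can be run over security templates exported from each DC. The host names and template contents are constructed, the function names are hypothetical, and requiring BUILTIN\Administrators (S-1-5-32-544) as a holder is an assumption.

```python
DELEGATION_RIGHT = "SeEnableDelegationPrivilege"
ADMINISTRATORS_SID = "*S-1-5-32-544"  # BUILTIN\Administrators, as written in templates

# Constructed security templates, one per DC (assumed to be exported per host).
TEMPLATES = {
    "DC-A": """[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
""",
    "DC-B": """[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
""",
}

def privilege_rights(template_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def missing_delegation_right(templates, required=ADMINISTRATORS_SID):
    """List hosts whose template does not grant the delegation right to `required`."""
    missing = []
    for host, text in sorted(templates.items()):
        holders = privilege_rights(text).get(DELEGATION_RIGHT, [])
        if required.lower() not in (h.lower() for h in holders):
            missing.append(host)
    return missing

if __name__ == "__main__":
    print(missing_delegation_right(TEMPLATES))
```

A right that is listed but empty (DC-A) is treated the same as a right that is absent, since in both cases no principal holds it on that host.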

  12. #12
    Registered User
    Join Date
    Apr 2004
    Posts
    10


    Thanks for being there, Green_Eyed.

    I have the SAME problem as MATT.

    Ok, here is what I did on mydcx, which I want to promote.
    -> I went to all 3 of my DCs individually and edited the local policy under security\local Policy\user rights assignments, "Enable this user and computer account to be trusted for delegation", and I ticked mydcx for the local Policy settings to be applied (the server account is there but not checked). I ran my refreshpol.bat to enforce the GPO to be applied, and I checked my event viewer and it was applied successfully.

    -> I checked my Domain security Policy once more and ensured that the mydcx account is there in the list of Enable this computer to be trusted for delegation, and it's there, and on all the rest of my DCs, plus the default ADMINISTRATORS group, which means my default domain controllers Policy is replicating.

    -> I ran DCpromo once more on mydcx but got the same access denied.

    I asked our enterprise admins in NY to try the Enterprise account remotely and it works. But not my local domain admins account in my child domain? (This confirms that there is no problem in replication.)

    He mentioned a policy not being applied to the domain admins account, but I can confirm that all my admin accounts are in one folder.


    Do you have any more ideas, please?


    Thanks Green Eyed and More power to you.
    Last edited by orven; April 9th, 2004 at 02:25 AM.

  13. #13
    Registered User drewmaztech's Avatar
    Join Date
    Jul 2002
    Location
    Holyoke, Ma. USA
    Posts
    946
    A trick I noticed that would help sometimes. It's weird but it worked. Run this on the system that doesn't want to dcpromo.

    from command prompt:

    ipconfig /flushdns

    ipconfig /registerdns
    Vote DrewmazTech for President!

    "'Tis better to remain silent and be thought of as a fool than open your mouth and remove all doubt" Mark Twain

  14. #14
    Registered User
    Join Date
    Apr 2004
    Posts
    10


    No luck, and it doesn't help. I think this is a special problem..
    No solution that I can think of.


    Becoming helpless
    Quote Originally Posted by drewmaztech
    A trick I noticed that would help sometimes. It's weird but it worked. Run this on the system that doesn't want to dcpromo.

    from command prompt:

    ipconfig /flushdns

    ipconfig /registerdns
