DCPromo error of Access Denied when trying to make 2008 server a Backup DC of a 2003 Server

Эта переписка в форуме Microsoft мне показалась интересной.

• Monday, February 11, 2008 5:31 AM AlphaMic
Hello All,
I have apparently ran up against a problem tha I am not able to solve. The problem is, is that when I attempt to make a new Windows Server 2008 machine a Backup Domain Controller of a Windows Server 2003 Primary Domain Controller, I recieve the following message from DCPROMO:
The Operation Failed Because:
A domain controller could not be contacted for the domain that contained an account name for this computer. Make the computer a member of a workgroup then rejpin the domain before retrying the promotion.
"Access Denied."
I am not exactly sure why this message is coming up, as I am using the bultin Administrator account, and I am able to ping the PDC.
Any suggesstions, ideas, or fixes is greatly appreciated.
Thanks!
Answers
• Tuesday, November 04, 2008 5:28 PM Miroslav Dvořák
Hi, we had the same problem and I found a solution at the end of this web site:
http://www.minasi.com/forum/topic.asp?TOPIC_ID=20461 (extract bellow)
It worked fine
___________________________________________________________
Posted - 11/20/2006 : 10:46:59 AM
________________________________________
Hello all - i see there has been 20+ reads and only replies by me.
I wanted to write this to show that I have finally resolved this issue. Since the kb250874 did not work for me I decided to take a break then dive deeper into it. As I was driving home from soemthign it popped into my head to check the Win2k DC domain security Policy.
This is what I did and I was able to promote my win2k3r2 servers to DC's
On the Win2k DC in the Domain Controller Security policy clicked local policies then selected user rights assignment and selected the
enable computer and user accounts to be trusted for delegation I added domain admins to that and replicated the policy and I was good to go..
Anyhow thats what I had to do.
I have the FSMO's moved over... no issues guess what is next?
o Marked As Answer by David Shen - MSFTMSFT, ModeratorWednesday, November 05, 2008 1:41 AM
• Wednesday, February 13, 2008 8:53 AM David Shen - MSFTMSFT, Moderator
Hi JZican,
1. Please verify that the DNS configuration of the Windows Server 2008 based computer has been pointed to the DNS server in current domain.
2. Try to join the Windows server 2008 computer to the current Windows 2003 domain first.
3. Run "adprep /forestprep" on the windows server 2003 domain controller which holds the schema operation master of the current domain to extend the schema.
4. Run "adprep /domainprep" on the windows server 2003 domain controller which holds the infrastructure master of current domain to prepare the domain.
5. To verify the schema changes, please try the following ways:
You may verify the level of the schema by using the "Adsiedit.exe" utility to view the "objectVersion" attribute in the properties of the "CN=schema, CN=configuration, DC= partition"
ObjectVersion = 44 (44 means that the schema is already for Microsoft Windows Server 2008)
6. After verifying the Schema version, you may run "dcpromo" on the Windows 2008 member server to promote it to be an additional domain controller of the current Windows 2003 domain.
7. If the dcpromo operation is not successful, please check the two log file on the problematic computer. Check if there are any error messages in them.
"%SystemRoot%\Debug\Dcpromo.log" and "%SystemRoot%\Debug\Dcpromoui.log"
Hope all the information helps.
David Shen
• Thursday, February 14, 2008 2:33 AM AlphaMic
Dear David,
Thank you for such a fast response. I actually just finished joining the Windows Server 2008 DC to the Windows Server 2003 Forest. It was actually a bad image that was given to me from Technet Direct. I Re-Downloaded the image and now it works. However the steps you have given me in your last post have helped solve other problems. Thank you so much for your help.
JZican
• Thursday, August 28, 2008 6:00 AM David Shen - MSFTMSFT, Moderator
Hi ninja6o4,
For this problem, there are several possible causes and also suggested action plan.
1. Network connectivity issue: please check if you can ping through from the problematic Windows Server 2008 computer to the Windows Server 2003 R2 PDC. If not, please verify there is no problem with the network device including routers, switches and cable between the 2 sites.
2. Windows Firewall issue: disable Windows Firewall service with all the profile by running the following command on the problematic computer.
Netsh advfirewall set allprofiles state off
3. DNS name resolution issue: please point the DNS of the Windows Server 2008 box to the Windows Server 2003 R2 box (it is possible a DNS serve in the scenario), and then run "ipconfig /flushdns", then run "nslookup" on the problematic server to check if you can resolve the FQDN name of the existing Windows Server 2003 R2 DC.
4. Duplicated computer name issue: Please verify that the computer name of the problematic server and the current domain controller is different.
5. Forest schema issue: please verify that the forest schema has been extended. You may refer to my previous replies.
6. NIC sequence issue :please check if there are several NICs on the problematic Windows Server 2008 computer. If so, please verify that the active NIC is on the top of the "Adaptors and Bindings" list.
Network and Sharing Center -> Manage network connections -> Advanced -> Advanced Settings -> Adaptors and Bindings -> Connections.
Afterwards, please first Add "Active Directory Domain Services" role via Server Manager on the problematic Windows Server 2008, and then run "dcpromo" to check if the issue still exists.
Hope this can be helpful.
________________________________________
David Shen - MSFT
o Marked As Answer byDavid Shen - MSFTMSFT, ModeratorThursday, October 23, 2008 8:41 AM
• Thursday, October 23, 2008 8:05 AM jimbudde
David,
I've run into the same problem with exact same error logs as Ninja604. I've followed your steps above and had the following results:
(The server at this point is simply a member server of the domain)
1. Connectivity via ping request works in both directions (SBS 2008 <-> SBS 2003), using both just hostname and FQDN.
2. Ran the command to turn off firewall
3. I was able to resolve SBS 2003 server using nslookup. all of the following resolved correctly, hostname, hostname.domain.local, domain.local
4. There is no duplicate name
5. Forest shema object version is 44.
6. Only one NIC in the server but confirmed there is only one NIC and it was above the Remote network bindings
7. Since I had left the AD binaries on the machine after previous failures, I went into the Server Roles and manually removed (rebooted for final removal, rebooted again) and then manually added the Role back. Prior to adding the role back I ran a Windows Update. After manually adding the AD role I still get the same errors after running dcpromo.
-Jim
I ran WireShark and got the following basic info which I’m hoping will be of help (the x.x.x.10 address is the SBS 2008 server and x.x.x.20 is the existing SBS 2003 server):
No. Time Source Destination Protocol Info
231 47.234223 192.168.1.10 192.168.1.20 SMB Negotiate Protocol Request
233 47.234773 192.168.1.20 192.168.1.10 SMB Negotiate Protocol Response
234 47.236801 192.168.1.10 192.168.1.20 TCP [TCP segment of a reassembled PDU]
235 47.236818 192.168.1.10 192.168.1.20 TCP [TCP segment of a reassembled PDU]
236 47.236827 192.168.1.10 192.168.1.20 SMB Session Setup AndX Request
237 47.237180 192.168.1.20 192.168.1.10 TCP microsoft-ds > 21581 [ACK] Seq=184 Ack=3077 Win=65535 Len=0
238 47.239295 192.168.1.20 192.168.1.10 SMB Session Setup AndX Response
239 47.240240 192.168.1.10 192.168.1.20 SMB Tree Connect AndX Request, Path: \\HOSTNAME.DOMAIN.LOCAL\IPC$
240 47.240621 192.168.1.20 192.168.1.10 SMB Tree Connect AndX Response
241 47.242091 192.168.1.10 192.168.1.20 SMB NT Create AndX Request, FID: 0x4004, Path: \srvsvc
242 47.242591 192.168.1.20 192.168.1.10 SMB NT Create AndX Response, FID: 0x4004
243 47.243168 192.168.1.10 192.168.1.20 DCERPC Bind: call_id: 1, 3 context items, 1st SRVSVC V3.0
244 47.243463 192.168.1.20 192.168.1.10 SMB Write AndX Response, FID: 0x4004, 160 bytes
245 47.244011 192.168.1.10 192.168.1.20 SMB Read AndX Request, FID: 0x4004, 1024 bytes at offset 0
246 47.244146 192.168.1.20 192.168.1.10 DCERPC Bind_ack: call_id: 1 Unknown result (3), reason: Abstract syntax not supported
247 47.244520 192.168.1.10 192.168.1.20 SRVSVC NetRemoteTOD request
248 47.244865 192.168.1.20 192.168.1.10 SRVSVC NetRemoteTOD response
249 47.245253 192.168.1.10 192.168.1.20 SMB Close Request, FID: 0x4004
250 47.245456 192.168.1.20 192.168.1.10 SMB Close Response, FID: 0x4004
251 47.249226 192.168.1.10 192.168.1.20 TCP [TCP segment of a reassembled PDU]
252 47.249249 192.168.1.10 192.168.1.20 SMB Session Setup AndX Request
253 47.249559 192.168.1.20 192.168.1.10 TCP microsoft-ds > 21581 [ACK] Seq=1131 Ack=6477 Win=65535 Len=0
254 47.251348 192.168.1.20 192.168.1.10 SMB Session Setup AndX Response, Error: STATUS_LOGON_TYPE_NOT_GRANTED
o Proposed As Answer byjimbudde Thursday, October 23, 2008 8:36 AM
o Marked As Answer byDavid Shen - MSFTMSFT, ModeratorThursday, October 23, 2008 8:41 AM
o Edited byjimbudde Thursday, October 23, 2008 8:45 AM
• Thursday, October 23, 2008 8:44 AM jimbudde
David,
Scratch the above, I still had some extra energy and found a fix posted on the following site, http://www.pcassistathome.co.uk/Tech%20Notes/index.html?330.htm for the given ERROR code in the trace file (despite the post being rather old).
The SOLUTION entailed changing the GPO security object that grants "Everyone" User Rights Assignment -> "Access this computer from the network" permission. I suggest people run the GPO modeler to determine which policy to change.
-Jim
o Marked As Answer byDavid Shen - MSFTMSFT, ModeratorFriday, October 24, 2008 7:24 AM
Saturday, October 25, 2008 12:03 AM Jason_C
Hi Jim,
Would you mind quoting the solution here? The link you provided points to some Activesync issue unrelated to this problem.
An update for Dave/everyone - After all the servers made it to our remote sites and were set up and replicating as expected, I did follow the suggestions you provided and everything looks perfectly fine. One thing I want to add if I didn't already is that this potential DC is a VM host in a 2008 Hyper-V.
-Jason
o Marked As Answer byDavid Shen - MSFTMSFT, ModeratorMonday, October 27, 2008 7:23 AM