
AD installation wizard fails "access denied"


tmckeown

IS-IT--Management
Nov 15, 2002
448
US
I'm trying to add another domain controller to our domain, but it keeps failing. All the DCs have 2003 with SP1 running on them. When I run the wizard to install AD on the new server, it goes along fine for a while but then I get an error:

The operation failed because the active directory installation wizard was unable to convert the computer account MAIL$ to a domain controller account. "access is denied"

It then gives me a prompt to type in a user name and password with sufficient privileges. I used the admin account, so I'm sure it has enough privileges. I've had no trouble with this in the past. Is this related to SP1?

I could use some help.
Thanks,
Tom
 
Sounds like there is a name conflict in the "Domain Controllers" OU. Also, try using an account with Enterprise Admin rights.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
When I check the OU, I don't see anything different than normal. I have six other DCs. I've never run into this odd problem before. The admin account I set up for the new machine is the same as I used on all the other DCs. Could it be confused as to which account it needs to use to authenticate, since both the local and the domain admin have the same name and password?
 
Hmm... When prompted for password, I would make sure to use domain\username to ensure that the credentials are correct. Also make sure that your new DC is pointing to an existing DC for primary DNS before promoting.

PSC

 
I watched it a bit more closely this time. It seems to fail while it is doing the "replicating the configuration container".
 
I'll try again with domain\username.

Thanks for the help. I've been pulling my hair out on this one.
 
Are any of your DCs offline or unreachable by the new DC? It sounds like it's not able to reach one of the FSMO role holders (like the domain naming master).

PSC

 
Same results. It goes through all the steps and when it starts the replication of the configuration container, it prompts for a user name and password.

All our DCs are online and functioning fine. We have two that are at remote sites, but they are accessible.

Got any ideas of what I should try?
 
I would suggest installing the Support Tools on one of your existing DCs and running a DCDIAG. Use the following switches (could take about 30-40 minutes to run):

dcdiag /s:<yourpdc> /q /v /c /e > C:\DCDiag.txt

After the "/s:" insert the name of your PDC FSMO role holder.

PSC

 
Thanks,
I'm trying to figure out the correct syntax for dcdiag now.
 
Sorry to sound so stupid, but sometimes I am. What should I be looking for in the log from DCDIAG? I'm not sure what to look for, so the tool may be pointless. I have it running now.

Thanks,
 
You're going to have to search it for errors. When you find errors, if they are consistent across all or most DCs, then post the error up here. Here's an example...

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=LostAndFoundConfig,CN=Configuration,DC=vineyardbank,DC=vineyardbank,DC=com
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus
replication, etc). Check if this server is deleted, and if so
clean up this DCs Account Object. If the problem persists and
this is not a deleted DC, authoratively restore the DSA object from
a good copy, for example the DSA on the DSA's home server.

......................... V093005 failed test VerifyEnterpriseReferences

The keyword I searched for is "failed".

PSC

 
I'll post again in the morning after I have had time to review the file.

Thanks for the help.
 
OK, I ran dcdiag. Here are the only "fails" that were listed. We have 6 DCs: Master, Files, NTServer, Email, Park-Ave, NTServer-LA.

Below is the list of errors. Most of them are due to w32time being disabled. I have all the servers sync to Master. That is the schema master DC.
_______________________________________
Starting test: Advertising
The DC NTSERVER is advertising itself as a DC and having a DS.
The DC NTSERVER is advertising as an LDAP server
The DC NTSERVER is advertising as having a writeable directory
The DC NTSERVER is advertising as a Key Distribution Center
Warning: NTSERVER is not advertising as a time server.
......................... NTSERVER failed test Advertising

Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [NTSERVER]
* Checking Service: NETLOGON
......................... NTSERVER failed test Services

Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The error returned was 53 (The network path was not found.). Check the FRS event log to see if the SYSVOL has successfully been shared.
......................... NTSERVER failed test frssysvol
________________________________________________________________________________
Starting test: Advertising
The DC NTSERVER-LA is advertising itself as a DC and having a DS.
The DC NTSERVER-LA is advertising as an LDAP server
The DC NTSERVER-LA is advertising as having a writeable directory
The DC NTSERVER-LA is advertising as a Key Distribution Center
Warning: NTSERVER-LA is not advertising as a time server.
......................... NTSERVER-LA failed test Advertising

Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [NTSERVER-LA]
* Checking Service: NETLOGON
......................... NTSERVER-LA failed test Services
_________________________________________________________________________________


Starting test: Advertising
The DC EMAIL is advertising itself as a DC and having a DS.
The DC EMAIL is advertising as an LDAP server
The DC EMAIL is advertising as having a writeable directory
The DC EMAIL is advertising as a Key Distribution Center
Warning: EMAIL is not advertising as a time server.
The DS EMAIL is advertising as a GC.
......................... EMAIL failed test Advertising

Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on
* Checking Service: NETLOGON
......................... EMAIL failed test Services

Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The error returned was 53 (The network path was not found.). Check the FRS event log to see if the SYSVOL has successfully been shared.
......................... EMAIL failed test frssysvol

______________________________________________________________________

Starting test: Advertising
The DC FILES is advertising itself as a DC and having a DS.
The DC FILES is advertising as an LDAP server
The DC FILES is advertising as having a writeable directory
The DC FILES is advertising as a Key Distribution Center
Warning: FILES is not advertising as a time server.
The DS FILES is advertising as a GC.
......................... FILES failed test Advertising

Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [FILES]
* Checking Service: NETLOGON
......................... FILES failed test Services

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 07/12/2005 16:58:03
Event String: The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server.
An Error Event occured. EventID: 0x40011006
Time Generated: 07/12/2005 17:28:01
Event String: The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server.
......................... FILES failed test systemlog

_______________________________________________________________________

Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [PARK-AVE]
* Checking Service: NETLOGON
......................... PARK-AVE failed test Services

**********************************************************
See anything that could prevent a new server from becoming a DC?

Thanks for the help.
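As an added example (not code from this thread or from Microsoft), here is a small Python script that does what the earlier advice boils down to: search the dcdiag output for "failed test" verdict lines, keep the lines that explain each failure, and group the failures by test across DCs, so that a test failing on every DC stands out from a one-off that may just be replication latency. It assumes the verdict-line and reason-line shapes seen in the output posted above; the sample input is constructed to mirror that excerpt.

```python
import re
from collections import defaultdict

# Verdict line shape from the dcdiag output posted in this thread:
#   "......................... NTSERVER failed test Services"
FAIL_RE = re.compile(r"^\.{3,}\s*(?P<dc>\S+)\s+failed test\s+(?P<test>\S+)$")
START_RE = re.compile(r"^Starting test:")
# Lines that say *why* a test failed (patterns taken from the posted output)
REASON_RE = re.compile(r"Warning:|Service is stopped|error returned was|An Error Event")

def parse_dcdiag(text):
    """Return {dc: {test: [reason lines]}} for every 'failed test' verdict."""
    failures, reasons = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if START_RE.match(line):            # new test section: drop stale reasons
            reasons = []
        elif (m := FAIL_RE.match(line)):    # verdict: attach the reasons seen so far
            failures[m["dc"]][m["test"]], reasons = reasons, []
        elif REASON_RE.search(line):
            reasons.append(line)
    return dict(failures)

def failures_by_test(failures, all_dcs):
    """Map test -> (sorted failing DCs, True if it fails on every DC in all_dcs).
    Tests that fail everywhere are the ones worth chasing first."""
    by_test = defaultdict(set)
    for dc, tests in failures.items():
        for test in tests:
            by_test[test].add(dc)
    return {t: (sorted(d), d == set(all_dcs)) for t, d in by_test.items()}

# Constructed sample shaped like the excerpt posted above (not the real file)
SAMPLE = """\
Starting test: Advertising
   Warning: NTSERVER is not advertising as a time server.
   ......................... NTSERVER failed test Advertising
Starting test: Services
   w32time Service is stopped on [NTSERVER]
   ......................... NTSERVER failed test Services
Starting test: frssysvol
   The registry lookup failed to determine the state of the SYSVOL. The error returned was 53
   ......................... NTSERVER failed test frssysvol
Starting test: Services
   w32time Service is stopped on [PARK-AVE]
   ......................... PARK-AVE failed test Services
Starting test: Advertising
   ......................... PARK-AVE passed test Advertising
"""
```

Feed it the real file with `parse_dcdiag(open(r"C:\DCDiag.txt").read())` and pass the full DC list to `failures_by_test` to see which tests fail fleet-wide.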
 
I checked the FRS log on the two servers that showed failed frssysvol tests. I don't find any errors. There were some warnings about difficulty replicating to some of our remote DCs, but those were all resolved.

I'm thinking that there must be some other reason that I can't promote a server to a DC. I'll bet it has something to do with SP1 for Server2003 or some security update.

I'm baffled.
 
Make sure that 'Digitally sign server communication' is disabled under security Settings/local policies/security options in both Domain Security Policy and Local Security Policy on all your domain controllers and potential domain controllers.

There are four Digitally Sign policy settings in both policies which I make sure are disabled at all times to make my life easier.

Hope it helps; I had the same problem today and it fixed it.

Regards
 
When I check the domain security settings/local policy/security options, I see these on our schema master:

Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally encrypt secure channel data (when possible)
Domain Member: Digitally sign secure channel data (when possible)
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)

All of the above are set to "Not Defined" in domain security settings, but are enabled in local security settings.

Can you shed a bit more light on this?

Thanks,
Tom
 
Looking at the DCDiag, you have the time services shut down on several servers. If time is off by even a few minutes on the DC's you can have serious problems with AD replication.

Get the time service started on all the DC's and make sure that they are all within a few seconds of each other.

On the system settings, check the Default Domain Controllers Policy. You will find these settings enabled there (most likely).

PSC

 
2003 Server has this thing about secure communication. I first came across this problem when I was creating a drive map from a PC loaded up in DOS connecting to a 2003 Server share.

For all the policies you listed above I have them set to disabled. The real one that is causing you the problem is 'Domain Member: Digitally sign server communication'.

The Domain Security Policy affects all machines on the domain, but as far as I know the servers will look to their Local Security Policies before going to the domain policies. Just make sure both are set the same. Also, after making changes to the policies, restart the Netlogon service to force the changes on the server and then double check the policies have not changed back to their previous settings. This worked for me not an hour ago.

Regards

John
 
Case solved. I found a link on a Microsoft forum:

Under "enable computer and user accounts to be trusted for delegation"; there were no accounts assigned to that. How bizarre! This will be DC #7 for us and we never had that problem before. I think that setting got messed up when we installed SP1.

Thanks to everyone for the help. It was a good learning experience, though I now have less hair (pulled out).

Tom
 