
DCPROMO fails with LDAP bind errors 2


jkupski, Jul 29, 2003
I'm running into problems trying to build a replica DC for an existing domain at a new site.

After supplying credentials (which is the administrator account for the forest root) I come to the "select a domain" screen. After picking the domain and hitting next, "Examining Active Directory Forest" fails with:

Code:
Failed to examine the Active Directory forest.  The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).

dcpromoui.log shows:

Code:
dcpromoui 110.B6C 02D5 08:52:52.578 Enter ValidateForestConfig
dcpromoui 110.B6C 02D6 08:52:52.593   Enter DS::ExamineForest
dcpromoui 110.B6C 02D7 08:52:52.593     Enter State::GetOperation REPLICA
dcpromoui 110.B6C 02D8 08:52:52.593     Enter State::GetForestName example.local
dcpromoui 110.B6C 02D9 08:52:52.593     Enter State::GetReplicationPartnerDomainName
dcpromoui 110.B6C 02DA 08:52:52.593       Enter State::GetOperation REPLICA
dcpromoui 110.B6C 02DB 08:52:52.593       Enter State::GetReplicaDomainDNSName example.local
dcpromoui 110.B6C 02DC 08:52:52.593     ldapUserName <- "administrator"
dcpromoui 110.B6C 02DD 08:52:52.593     ldapPassword <- "<password>"
dcpromoui 110.B6C 02DE 08:52:52.593     ldapDomain <- "example.local"
dcpromoui 110.B6C 02DF 08:52:52.593     domainDnsName <- "example.local"
dcpromoui 110.B6C 02E0 08:52:52.593     forestDnsName <- "example.local"
dcpromoui 110.B6C 02E1 08:52:52.593     operationType <- "replica"
dcpromoui 110.B6C 02E2 08:52:52.593     Enter CLdapContext::ExecuteScript opMode=run-read-only
dcpromoui 110.B6C 02E3 08:52:52.593       Enter CLdapOperationBlock::Execute
dcpromoui 110.B6C 02E4 08:52:52.593         Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02E5 08:52:52.593           Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02E6 08:52:52.593             Enter CLdapExpressionPresent::Compute pattern=domainDnsName
dcpromoui 110.B6C 02E7 08:52:52.593               ==> true (example.local)
dcpromoui 110.B6C 02E8 08:52:52.593             ==> false
dcpromoui 110.B6C 02E9 08:52:52.593           Condition == false
dcpromoui 110.B6C 02EA 08:52:52.593         Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02EB 08:52:52.593           Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02EC 08:52:52.593             Enter CLdapExpressionPresent::Compute pattern=forestDnsName
dcpromoui 110.B6C 02ED 08:52:52.593               ==> true (example.local)
dcpromoui 110.B6C 02EE 08:52:52.593             ==> false
dcpromoui 110.B6C 02EF 08:52:52.593           Condition == false
dcpromoui 110.B6C 02F0 08:52:52.593         Enter CLdapOperationIf::Execute
dcpromoui 110.B6C 02F1 08:52:52.593           Enter CLdapExpressionNot::Compute
dcpromoui 110.B6C 02F2 08:52:52.593             Enter CLdapExpressionPresent::Compute pattern=operationType
dcpromoui 110.B6C 02F3 08:52:52.593               ==> true (replica)
dcpromoui 110.B6C 02F4 08:52:52.593             ==> false
dcpromoui 110.B6C 02F5 08:52:52.593           Condition == false
dcpromoui 110.B6C 02F6 08:52:52.593         Enter CLdapOperationConnect::Execute target=$(domainDnsName), options=0x10
dcpromoui 110.B6C 02F7 08:52:52.593           DsGetDcNameW() returned SERVER.example.local
dcpromoui 110.B6C 02F8 08:52:52.750           Calling ldap_bind_sW(ld, NULL, pCreds, 1158)
dcpromoui 110.B6C 02F9 08:52:56.609           _lastLdapError_ <- "1326"
dcpromoui 110.B6C 02FA 08:52:56.609           ldap_bind() failed, err=53

dcpromoui 110.B6C 02FB 08:52:56.609           Enter GetErrorMessage 8007052E
dcpromoui 110.B6C 02FC 08:52:56.609       ***** EXCEPTION: 8007052e The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.B6C 02FD 08:52:56.609     ExecuteScript() failed:
The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).

dcpromoui 110.B6C 02FE 08:52:56.609   ExamineForest failed.  The error is The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.0EC 02FF 08:52:56.609             Enter Popup::Error
dcpromoui 110.0EC 0300 08:52:56.609               MessageBox: Active Directory Domain Services Installation Wizard : Failed to examine the Active Directory forest. The error was: The operation cannot continue because LDAP connect/bind operation failed: error: 1326 (Logon failure: unknown user name or bad password.).
dcpromoui 110.0EC 0301 08:53:27.343           Enter Wizard::SetNextPageID id = -1
My credentials are fine (you can't even get this far in dcpromo without having them validated, and I can use these credentials in ADSIedit to bind to the domain from this site.) I haven't been able to find anything related to the errors that are being thrown.

Anyone have any ideas?
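As an added diagnostic (not from the original post), the script below pulls the replication-partner DC and the bind error out of dcpromoui.log, then repeats the bind from the candidate server with the same credentials under each SSPI package. The log's `ldap_bind_sW(..., 1158)` call is an LDAP_AUTH_NEGOTIATE (0x486) bind, so a Kerberos failure with a working NTLM bind points at Kerberos reachability (DNS, time skew, a device dropping port 88 traffic) rather than a bad password. It assumes PowerShell 5 or later and that the log sits at the default `%SystemRoot%\debug\dcpromoui.log`.

```powershell
# Added example; LogPath default and the function names are assumptions, not
# part of the thread. Requires the System.DirectoryServices.Protocols assembly.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Extract the DC that DsGetDcNameW() picked and the two error codes the wizard logged.
function Get-DcpromoBindFailure {
    param([string]$LogPath = "$env:SystemRoot\debug\dcpromoui.log")
    $text = Get-Content -Path $LogPath -Raw
    [pscustomobject]@{
        Target     = [regex]::Match($text, 'DsGetDcNameW\(\) returned (\S+)').Groups[1].Value
        LdapError  = [regex]::Match($text, 'ldap_bind\(\) failed, err=(\d+)').Groups[1].Value
        Win32Error = [regex]::Match($text, '_lastLdapError_ <- "(\d+)"').Groups[1].Value
    }
}

# Bind to the DC with Kerberos, NTLM and Negotiate in turn, with signing and
# sealing requested (SASL-protected, never a plaintext simple bind).
function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    foreach ($auth in 'Kerberos', 'Ntlm', 'Negotiate') {
        $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
        $type = [System.DirectoryServices.Protocols.AuthType]$auth
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                    $id, $Credential.GetNetworkCredential(), $type)
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
        try {
            $conn.Bind()
            [pscustomobject]@{ AuthType = $auth; Result = 'OK' }
        } catch {
            [pscustomobject]@{ AuthType = $auth; Result = $_.Exception.Message }
        } finally {
            $conn.Dispose()
        }
    }
}

# Usage: read the failure from the log, then retry the bind against that DC.
$failure = Get-DcpromoBindFailure
$failure
Test-LdapBind -Server $failure.Target -Credential (Get-Credential 'example.local\administrator')
```

Run it on the candidate DC itself, since the point is to reproduce the wizard's network path; a result that succeeds for Ntlm but fails for Kerberos is the case to chase through the firewall, IPS and VPN devices between the sites.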
 
I know you're well versed...
Have not come across this before.

Any errors on DcDiag or NetDiag with the /v switch on the original DC server?
By any chance is the new server multi-homed?

Perhaps this might give you a lead, under heading LDAP Diagnostic Tools.



If no one else answers this, there are a few AD people over on Minasi.com who have likely hit this.




........................................
Chernobyl disaster..a must see pictorial
 
technome,

I'd been through some of those links already, none of them really gave me anything toward resolving the problem. I do have access to the DCs at the other site, but the home office doesn't speak English as its first language, and the DCs are installed in the native tongue (making a task like running netdiag an utterly incomprehensible experience.)

My solution was to rebuild the OS on the local candidate DC, and start from scratch. I didn't have any problems--not so much as a hiccup. We had some transient network problems yesterday, and I'm wondering if this somehow contributed to the problem.
 
"We had some transient network problems yesterday."
Sounded like the new server was not communicating with DCs. Must be tough talking IT with the home office. Wonder what would output from one of the Web's translating sites given a DcDiag log?

Curious did you try multiple DcPromos before a complete rebuild?
Glad it worked out.

 
Yes, we ran dcpromo half a dozen times over the course of the day. One of our initial thoughts was this might be a kerberos issue causing problems with the LDAP bind. That led to the idea that one of the intervening firewall, IPS, or VPN devices might be dropping related packets, so we started sniffing the traffic and watched a dcpromo, domain join, etc, without seeing any problems in the traffic. My best guess is that "something" happened during the initial join attempt and hosed the machine. The process we followed for the reload was the same one we used for the initial load, so there's no other reason why that should have solved the issue.

As for dealing with the home office, I've gotta say I feel pretty lucky in that regard... they all speak/read English and are pretty easy to work with. My organization here has a lot of credibility with the home office IT/corporate management in general (AD is something that we've been using here for six years with a lot of success, and the home office is following our lead... we're just decommissioning our existing domain and migrating into the new corporate one) so that really helps. Our base culture has historically NOT been very open to this kind of thing, so it's pretty cool to be in this position.


 
"The process we followed for the reload was the same one we used for the initial load, so there's no other reason why that should have solved the issue."

Interesting, as one of the reasons I love 2008 is that it gracefully backs itself out of issues without leaving configurations/reggies to hamper retries..obviously the original DcPromo left some entries behind.
Just finished up a complete network revamp from W2000 to 2008, I rest easier since, but expect VERY few service calls.



 