Re: Cannot a DC, HOPELESS Case
From: Herb Martin (news_at_LearnQuick.com)
Date: 04/26/04
- Next message: Gabriel: "Re: Help - Modify User Objects in AD"
- Previous message: Herb Martin: "Re: Cannot a DC, HOPELESS Case"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Cannot a DC, HOPELESS Case"
- Next in thread: Enkidu: "Re: Cannot a DC, HOPELESS Case"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 26 Apr 2004 10:22:24 -0500
<anonymous@discussions.microsoft.com> wrote in message
news:445c01c42b90$baade4e0$a301280a@phx.gbl...
> I tried to ping from my member server that I'm trying to
> promote and I can resolve it.
> my Forest root is eng.brain.com
> my child domain is region.eng.brain.com
Simple resolution is not always sufficient for authentication.
If the DC is not fully registered in DNS then it won't resolve
the "DC records" in DNS.
If this is the case, then the problem lies with failing to make sure
the DC's NIC properties specify the correct DNS server (set).
> From one of my member server
> (serverdc1.region.eng.brain.com)
> I can resolve all the way to the forest and I can even get
> the time source.
Run DCDiag on each DC and save the output to a file; search
the file for FAIL, WARN, ERROR and fix those.
> Is there any other workaround please...
No, you must fix it as described above.
--
Herb Martin

> >-----Original Message-----
> >> IT HAS SOMETHING TO DO WITH CREDENTIALS BUT WHERE? MY
> >> ADMINISTRATOR ACCOUNT IS ALREADY TRUSTED FOR DELEGATION!
> >> WHERE IS THE PROBLEM?!!!!!!!!!!
> >
> >Authentication (credentials) and replication (including DCPromo) is
> >almost always a DNS issue.
> >
> >You seem to indicate that the machine is NOT currently in the
> >domain. Add it as a server to the domain, but the most likely
> >problem is DNS....
> >
> >DNS must be dynamic.
> >All clients -- this includes ALL DCs -- must use the internal
> >DYNAMIC dns server (set) ONLY. (restart netlogon on
> >each affected DC if you change either of these.)
> >
> >AND in a true internal tree, all of the DNS servers must be
> >able to resolve from the COMMON root down -- and if you
> >have multiple tree roots this includes a common parent of all
> >of them.
> >
> >(You can hold cross secondaries to satisfy the previous
> >requirement but the key is that EVERY internal DNS name
> >must be resolvable from all internal clients.)
> >
> >--
> >Herb Martin
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:424401c42b63$853a6590$a301280a@phx.gbl...
> >> I've been trying to fix this problem for almost two weeks
> >> now and I decided to post it here.
> >>
> >> I'm trying to add a DC in my existing AD W2k Advanced,
> >> Native mode in a child domain model and I'm getting this
> >> error whenever I'm running DCpromo!
> >> "Failed to modify the properties of the computer account
> >> mydc$ "Access is denied."
> >>
> >> I have done the following to find a solution:
> >> -I went to all my event viewer for all my three existing
> >> DCs to look for any error None..
> >> -I ensure that all my GPO are fine! All Policies are
> >> applying no problem! and replicating!, check my DNS all
> >> correct with all srv etc etc.
> >>
> >> -I tried the following workarounds from MS ; restart all
> >> my DCs but no luck after performing these KBID from MS
> >> http://support.microsoft.com/?kbid=232070 and
> >> http://support.microsoft.com/?kbid=250874
> >>
> >> -I tried to rename the machine, put it into workgroup and
> >> then rejoin in the domain using DCPROMO again, same!
> >>
> >> -I verified my GPO are all replicating and double check my
> >> DNS, FSMOholders, AD health using DCdiag.. all working
> >> fine. but same problem.
> >>
> >> -I rebuild the server come up with new name, Sp4, run a
> >> diagnostics etc etc.I run DCPromo again same problem!
> >> What are the cause for this?, Any workaround?
> >>
> >> IT HAS SOMETHING TO DO WITH CREDENTIALS BUT WHERE? MY
> >> ADMINISTRATOR ACCOUNT IS ALREADY TRUSTED FOR DELEGATION!
> >> WHERE IS THE PROBLEM?!!!!!!!!!!
> >> I still have a trust still exist between my legacy
> >> Domain Nt4 and my AD as I'm still doing migration. I
> >> noticed that when I set the trust and migration some
> >> default policies are changed. But still the rights I
> >> needed for delegation is still there. Any idea guys.
> >>
> >> Appreciate your help since I have done everything to fix
> >> this problem but no luck!
> >>
> >> Part of the message that I copied from
> >> WINNT\DEBUG\dcpromo.log is below
> >> 04/05 15:10:05 [INFO] Forcing time sync
> >> 04/05 15:10:05 [INFO] Forcing a time synch with \\xyz-dc1.xyz.do.u.org
> >>
> >> 04/05 15:10:05 [INFO] Setting machine account to be DC
> >> 04/05 15:10:05 [INFO] Configuring the server account
> >>
> >> 04/05 15:10:05 [INFO] Searching for the machine account for xyz-DC$ on \\xyzk-dc1.xyz.do.u.org...
> >> 04/05 15:10:05 [INFO] Configuring the server account
> >>
> >> 04/05 15:10:05 [INFO] NtdsSetReplicaMachineAccount returned 5
> >> 04/05 15:10:05 [INFO] DsRolepSetMachineAccountType returned 5
> >> 04/05 15:10:05 [INFO] Error - Failed to modify the necessary properties for the machine account myDC$
> >>
> >> More power guys!!
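The triage suggested in this message (save the DCDiag output, search it for FAIL, WARN, ERROR) and the `returned 5` lines in the quoted dcpromo.log can be checked offline with a small script. This is an added example, not part of the original post: the function names are hypothetical, the DCDiag sample is constructed, and the dcpromo sample reuses the lines quoted above with their line wrapping undone.

```python
import re

# Win32 status codes seen in dcpromo.log "returned N" lines (0 = success).
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED"}

RETURNED = re.compile(r"\[INFO\]\s+(\w+)\s+returned\s+(\d+)")
START_TEST = re.compile(r"Starting test:\s*(\S+)")
KEYWORDS = re.compile(r"\b(fail\w*|warn\w*|error\w*)\b", re.IGNORECASE)

def dcpromo_failures(text):
    """Return (function, code, name) for each call that returned non-zero."""
    hits = []
    for func, code in RETURNED.findall(text):
        code = int(code)
        if code != 0:
            hits.append((func, code, WIN32.get(code, "unknown")))
    return hits

def dcdiag_findings(text):
    """Group lines mentioning FAIL/WARN/ERROR under their dcdiag test name."""
    findings, current = {}, "(preamble)"
    for line in text.splitlines():
        m = START_TEST.search(line)
        if m:
            current = m.group(1)
            continue
        if KEYWORDS.search(line):
            findings.setdefault(current, []).append(line.strip())
    return findings

# Lines taken from the dcpromo.log excerpt quoted in the thread.
SAMPLE_DCPROMO = """\
04/05 15:10:05 [INFO] Configuring the server account
04/05 15:10:05 [INFO] NtdsSetReplicaMachineAccount returned 5
04/05 15:10:05 [INFO] DsRolepSetMachineAccountType returned 5
"""

# Constructed sample following dcdiag's "Starting test:" layout; DC1 is made up.
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
      ......................... DC1 failed test Replications
"""

if __name__ == "__main__":
    for func, code, name in dcpromo_failures(SAMPLE_DCPROMO):
        print(f"dcpromo: {func} -> {code} ({name})")
    for test, lines in dcdiag_findings(SAMPLE_DCDIAG).items():
        print(f"dcdiag: {test}: {len(lines)} line(s) to review")
```

Error 5 is the Win32 code for "Access is denied", matching the DCPromo dialog text quoted in the original post.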