RE: DCPROMO demote failed (Access Denied)

From: S.J.Haribabu (sjhari_at_microsoft.com)
Date: 10/25/04


Date: Mon, 25 Oct 2004 15:09:20 GMT

Hi Jvaldry,

Since you have already gone through a few articles, please go through the
general document on Active Directory "Access Denied" errors.

Troubleshooting "Access Denied" Error Messages in Active Directory
Installation Wizard
There are several reasons why you might receive an "Access Denied" error
message while using the Active Directory Installation Wizard. All have to
do with permissions on the files or file structures that are necessary for
the installation and service of a domain controller.

Procedures for Troubleshooting "Access Denied" Error Messages in Active
Directory Installation Wizard
1. Verify file permissions to make sure they are correct. Verify that the
default Ntds.dit file permissions in the System32 folder are:

System32\Ntds.dit
BUILTIN\Users: Read [RX]
BUILTIN\Power Users: Read [RX]
BUILTIN\Administrators: Full Control [ALL]
NT AUTHORITY\SYSTEM: Full Control [ALL]
Everyone: Read [RX]

2. Verify folder permissions. If Active Directory was previously removed
and now you are installing it again, the %SystemRoot%\Ntds and
%SystemRoot%\Ntds\Drop folders will still exist. If permissions were
changed, the error message might be caused by the folder permissions. The
simplest resolution is to delete the original Ntds folder structure before
running the Active Directory Installation Wizard. Or, you can change the
folder permissions to match the following:

%SystemRoot%\Ntds
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]

%SystemRoot%\Ntds\Drop
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]

3. Verify that the current domain controllers in the domain have applied
security policy and that the "Enable computer and user accounts to be trusted
for delegation" user right is granted to the Administrators group.

   1. In the Group Policy snap-in, click Computer Configuration, click Windows
      Settings, click Security Settings, click Local Policies, and then click
      User Rights Assignment.

   2. For computers that do not have this right, confirm that Group Policy
      objects in the directory service and file system have replicated by
      looking for event ID 1704 in the application event log, and then
      manually apply the policy by typing the following command:

      secedit /refreshpolicy machine_policy

4. Use a Dcpromo answer file to source the promotion from a deterministic
domain controller. Search the Microsoft Knowledge Base for article 223757:
"Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Use
the ReplicationSourceDC parameter in the answer file.

5. Verify that the source domain controller is in the Domain Controllers
OU. The name of the source domain controller can be found in the
Dcpromo.log file in the %Systemroot%\debug folder on the Windows 2000
server that you are trying to promote.

6. Open a command prompt on the source domain controller, and run the
Gpresult.exe Resource Kit tool to verify that the Default Domain
Controllers policy is being applied to the source domain controller.

Thanks,

sjhari@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
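An added example, not part of the original post or of the Microsoft article it quotes: a PowerShell script for a current Windows Server host (the post itself predates PowerShell) that audits the Ntds.dit and Ntds folder ACLs against the principals listed in steps 1 and 2, and reads the delegation right from step 3 out of a secedit policy export. The function names, the report format and the temporary file path are assumptions of this example. Run it in an elevated session on the server being promoted for the ACL checks, and on the source domain controller for the user-right check.

```powershell
# Added example, not code from the original post. Audits the ACLs the
# troubleshooting steps expect and checks the delegation user right.
# Assumes a modern Windows Server with PowerShell and secedit.exe.

$systemRoot = $env:SystemRoot

# Principals expected on each path, exactly as listed in the post.
# "[A]" / "[ALL]" in the post means Full Control; "[RX]" read and execute;
# "[RWXD]" read/write/execute/delete.
$expected = @{
    "$systemRoot\System32\ntds.dit" = @(
        'BUILTIN\Users', 'BUILTIN\Power Users', 'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM', 'Everyone')
    "$systemRoot\Ntds" = @(
        'BUILTIN\Users', 'BUILTIN\Power Users', 'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    "$systemRoot\Ntds\Drop" = @(
        'BUILTIN\Users', 'BUILTIN\Power Users', 'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
}

# Full Control is 0x1F01FF; GENERIC_ALL (0x10000000) appears on inherit-only ACEs.
function Test-FullControlAce($ace) {
    $r = [int]$ace.FileSystemRights
    return ($ace.AccessControlType -eq 'Allow') -and
           ((($r -band 0x1F01FF) -eq 0x1F01FF) -or (($r -band 0x10000000) -ne 0))
}

function Test-NtdsAcl {
    foreach ($path in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing Ntds folder is normal on a server that was never a DC
            # or whose old folder structure was deleted as step 2 suggests.
            Write-Output "MISSING  $path"
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })

        # Principals from the post's list that carry no ACE at all
        foreach ($p in $expected[$path]) {
            if ($present -notcontains $p) { Write-Output "NO ACE   $path : $p" }
        }
        # ACEs for principals not on the list: the usual sign of a changed ACL
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($expected[$path] -notcontains $who) {
                Write-Output ("EXTRA    {0} : {1} {2} {3}" -f $path, $who,
                    $ace.AccessControlType, $ace.FileSystemRights)
            }
        }
        # Administrators and SYSTEM must retain Full Control on every path
        foreach ($p in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
            $full = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $p -and (Test-FullControlAce $_)
            }
            if (-not $full) { Write-Output "NOT FULL $path : $p" }
        }
    }
}

function Test-DelegationRight {
    # secedit exports the effective local policy to an .inf file. The right
    # from step 3 appears under [Privilege Rights] as
    # SeEnableDelegationPrivilege = *S-1-5-32-544 (BUILTIN\Administrators).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line -and ($line -match 'S-1-5-32-544')) {
        Write-Output "OK       Administrators hold SeEnableDelegationPrivilege: $line"
    } else {
        Write-Output "CHECK    SeEnableDelegationPrivilege not granted to Administrators (step 3): '$line'"
    }
}

Test-NtdsAcl
Test-DelegationRight
```

The ACL check reports three kinds of deviation the post warns about: an expected principal with no entry, an entry for a principal the post does not list, and a loss of Full Control for Administrators or SYSTEM. If the rights check reports CHECK on a domain controller, look for event ID 1704 and refresh policy as described in step 3 before re-running the wizard.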
