dcpromo without domain admin rights
- From: "fb" <f.blaesen@xxxxxxxxxxxxx>
- Date: Wed, 9 Aug 2006 11:28:23 +0200
I am trying dcpromo for a Windows 2003 member server in a 2003 domain for
a user without domain admin rights. I found some tips on the net, but
finally it doesn't work.
I tried this:
- I created a security group called "JCNS_Admins". Then I created a user
called "jcns_admin" and added it to the group "JCNS_Admins"
- Then I installed Windows 2003 on the computer, named it "jcnsdc01" and put
it into the active directory ou called "jcns". This ou is managed by the
group "JCNS_Admins". The flag "trust for delegation" is set for this
computer account.
- The default domain controller policy is modified to grant the rights
"enable computer and users accounts to be trusted for delegation" and "add
workstations to domain" to the group "JCNS_Admins" followed by gpupdate and
checking on the domain controller for correct settings.
- I modified some active directory acl settings based on information in
active_directory newsgroups:
  CN=System,DC=rootdomain,dc=com
    This object only - Read, Create Child Objects
    Trusted Domain Objects - Full Control
  CN=Configuration,DC=rootdomain,dc=com
    This object only - Read all properties, read permissions, manage
    replication topology, replicating directory changes, replication
    synchronisation
  CN=Schema,CN=Configuration,DC=rootdomain,DC=com
    This object only - Read, Manage Replication Topology, Replicating
    Directory Changes, Replication Synchronisation
  CN=<appropriate site>,CN=sites,CN=configuration,DC=rootdomain,dc=com
    This object and All Child Objects - Read, Create all child objects
    Server Objects - Full Control
- At last I ran dcpromo on "jcnsdc01" using the account "jcns_admin".
dcpromo failed with error message:
The operation failed because:
Active Directory could not create the NTDS Settings object for this domain
controller
CN=NTDS Settings,CN=JCNSDC01,CN=Servers,CN=JCNS,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,dc=de
on the remote domain controller jcnsdc02.iffw2k.kfa-juelich.de
Ensure the provided network credentials have sufficient permissions.
- When I look at the configuration container with ADSIEdit, I can see an
entry for
CN=jcnsdc01,CN=Servers,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,DC=de.
The group "JCNS_Admins" has full control (acl). I can't understand why
dcpromo is unable to create the entry for "NTDS Settings".
- By the way, I tried dcpromo on jcnsdc01 with a domain admin account and
it works fine. Then I demoted it. With ldp.exe I checked for some remnants of
jcnsdc01, but jcnsdc01 was completely removed.
What's wrong? Any help would be appreciated.
Franz
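
To check that the ACEs listed in the post are actually present for the delegated group, the ACLs on those four objects can be read back. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (which is newer than Windows Server 2003), takes the group name from the post as a default, and expects the site name to be supplied.

```powershell
# Added example (not from the original post): read-only audit of the ACEs
# delegated to a group on the objects the post lists.
# Assumption: the ActiveDirectory module (RSAT) is installed.
param(
    [string]$Group = 'JCNS_Admins',                  # group name from the post
    [Parameter(Mandatory = $true)][string]$Site      # your AD site name
)
Import-Module ActiveDirectory

# rightsGuid values of the replication control access rights named in the post
$ExtendedRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
}

# Take the naming contexts from the rootDSE instead of hard-coding a domain DN
$rootDse = Get-ADRootDSE
$targets = @(
    "CN=System,$($rootDse.defaultNamingContext)",
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext,
    "CN=$Site,CN=Sites,$($rootDse.configurationNamingContext)"
)

foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            # Empty GUID: the ACE is not scoped to one right, property or class
            $scope = if ($guid -eq [guid]::Empty.ToString()) { '(not object-specific)' }
                     elseif ($ExtendedRights.ContainsKey($guid)) { $ExtendedRights[$guid] }
                     else { $guid }   # schema class or attribute GUID, shown as-is
            [pscustomobject]@{
                Object      = $dn
                Type        = $_.AccessControlType       # Allow or Deny
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = $scope
                Inheritance = $_.InheritanceType
                Inherited   = $_.IsInherited
            }
        }
}
```

Compare the rows against the list in the post: an expected entry that is missing, or that appears with `Type` set to `Deny`, is not in effect on that object.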