Re: dcpromo without domain admin rights
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Aug 2006 08:06:54 -0500
This is a Domain Admin responsibility. You are playing with fire, I
wouldn't even consider doing this. You could end up getting it to
work -sort of- and not know of failures that occurred. Some creation that
the Microsoft developers didn't take into account, so it never let you know.
Six months down the line crazy things start happening and you attribute it
to anything but the dcpromo.
I highly suggest you not consider doing this in any type of production
environment.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"fb" <f.blaesen@xxxxxxxxxxxxx> wrote in message
news:%23dCRUY5uGHA.1436@xxxxxxxxxxxxxxxxxxxxxxx
I am trying dcpromo for a Windows 2003 member server in a 2003 domain for
a user without domain admin rights. I found some tips on the net, but
finally it doesn't work.
I tried this:
- I created a security group called "JCNS_Admins". Then I created a user
called "jcns_admin" and added it to the group "JCNS_Admins"
- Then I installed Windows 2003 on the computer, named it "jcnsdc01" and
put it into the active directory ou called "jcns". This ou is managed by
the group "JCNS_Admins". The flag "trust for delegation" is set for this
computer account.
- The default domain controller policy is modified to grant the rights
"enable computer and users accounts to be trusted for delegation" and "add
workstations to domain" to the group "JCNS_Admins" followed by gpupdate
and checking on the domain controller for correct settings.
- I modified some Active Directory ACL settings based on information in
active_directory newsgroups:
  CN=System,DC=rootdomain,dc=com
    This object only - Read, Create Child Objects
    Trusted Domain Objects - Full Control
  CN=Configuration,DC=rootdomain,dc=com
    This object only - Read all properties, Read permissions, Manage replication
    topology, Replicating directory changes, Replication synchronisation
  CN=Schema,CN=Configuration,DC=rootdomain,DC=com
    This object only - Read, Manage Replication Topology, Replicating Directory
    Changes, Replication Synchronisation
  CN=<appropriate site>,CN=sites,CN=configuration,DC=rootdomain,dc=com
    This object and All Child Objects - Read, Create all child objects
    Server Objects - Full Control
- At last I ran dcpromo on "jcnsdc01" using the account "jcns_admin".
dcpromo failed with error message:
The operation failed because:
Active Directory could not create the NTDS Settings object for this domain controller
CN=NTDS Settings,CN=JCNSDC01,CN=Servers,CN=JCNS,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,dc=de
on the remote domain controller jcnsdc02.iffw2k.kfa-juelich.de
Ensure the provided network credentials have sufficient permissions.
- When I look at the configuration container with ADSIEdit, I can see an
entry for
CN=jcnsdc01,CN=Servers,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,DC=de.
The group "JCNS_Admins" has full control (ACL). I can't understand why
dcpromo is unable to create the entry for "NTDS Settings".
- By the way, I tried dcpromo on jcnsdc01 with a domain admin account and
it works fine. Then I demoted it. With ldp.exe I checked for some rests
of jcnsdc01, but jcnsdc01 was completely removed.
What's wrong? Any help would be appreciated.
Franz
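As an added example, not part of the thread, the PowerShell audit below lists the explicit (non-inherited) ACEs a delegated group holds on the containers named in the post, so an administrator can see exactly what such a delegation grants and whether it reaches the place where dcpromo must create the server and NTDS Settings objects. The group and site names are taken from the post; the RSAT ActiveDirectory module and read access to the configuration partition are assumed.

```powershell
# Added audit script (not from the original thread). Assumes the RSAT
# ActiveDirectory module is installed and the caller can read ACLs on the
# domain, configuration and schema partitions.
Import-Module ActiveDirectory

$GroupName = 'JCNS_Admins'   # group used in the post
$SiteName  = 'JCNS'          # assumption: the site the new DC is placed in

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Containers the poster changed, plus the Servers container under the site,
# which is where dcpromo creates the server object and its NTDS Settings child.
$paths = @(
    "CN=System,$domainDn",
    $configDn,
    $schemaDn,
    "CN=$SiteName,CN=Sites,$configDn",
    "CN=Servers,CN=$SiteName,CN=Sites,$configDn"
)

# Compare by SID so renamed or differently formatted principals still match.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

foreach ($dn in $paths) {
    try {
        $acl = Get-Acl -Path "AD:\$dn"
    } catch {
        Write-Warning "Cannot read ACL on ${dn}: $_"
        continue
    }
    $acl.Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $groupSid
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Object        = $dn
                Type          = $_.AccessControlType     # Allow / Deny
                Rights        = $_.ActiveDirectoryRights # e.g. GenericAll, CreateChild, ExtendedRight
                AppliesTo     = $_.InheritanceType       # None = this object only
                ObjectType    = $_.ObjectType            # class/attribute/right GUID; all zeros = any
                InheritedType = $_.InheritedObjectType   # child class the ACE is scoped to, if any
            }
        }
}
```

Resolve the ObjectType and InheritedObjectType GUIDs against the schema and CN=Extended-Rights containers to turn each ACE into a readable right; an ACE with GenericAll and an all-zeros ObjectType on a Sites or Servers container is full control over everything created there.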