RE: adding 2003 server in a Windows 2000 AD

From: v-franhe@xxxxxxxxxxxxx (Frances [MSFT])
Date: Thu, 14 Jul 2005 07:45:19 GMT

Hello,

Good to hear from you.

According to the message, I understand that you cannot promote a win2k3
member server in a win2k domain after you successfully run adprep. The
error is "Access is denied". Is this correct?

Based on my experience, most similar issues are resolved by the KB 232070.
At this time, I would like to know the configuration of the group policy
"Enable Computer and User Accounts to be trusted for Delegation".

Please use SecPol.msc on the primary DC to check the policy. Follow the
steps below to do so.
1. Click Start and select Run.
2. In the Run box, type "secpol.msc" without quotation marks and press
Enter.
3. Expand Local Policies\User Rights Assignment
4. Check the policy "Enable Computer and User Accounts to be trusted for
Delegation".
Double click the policy and make sure that Administrators is checked under
"Effective Policy Setting".

If this is not the case, the policy may not be correctly applied. Please
repeat the steps in KB 232070, and perform a secedit /refreshpolicy machine
policy /enforce on the PDC Emulator to check the effect.

In addition, please make sure that Domain Controllers are in the Domain
Controller OU. In one similar case, the group policy is not applied due to
this. In that case, we move the DC back into the OU. Once the Domain
Controllers are in the right location, we run a secedit /refreshpolicy
machine_policy /enforce, which allows the domain controllers policy receive
the correct Group Policy and be set for delegation. We are then able to
promote the new 2003 Server as a Domain Controller.

What Richard suggests is also worth trying. Please also check the result
and tell me the information.

If the issue persists, please go to %Windir%\debug on the win2k3 server and
send the following two log files to v-franhe@xxxxxxxxxxxxx for research:
DCPROMO.log
DCPROMOUI.log

If there are any updates, please feel free to let me know.

Best regards,

Frances He

Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Newsgroup Web Interface Upgrade

Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.

Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/registeredsupport/4001
4662

.

Follow-Ups:
- RE: adding 2003 server in a Windows 2000 AD
  - From: dwhagerman

References:
- adding 2003 server in a Windows 2000 AD
  - From: dwhagerman

Prev by Date: RE: Running adprep
Next by Date: Re: Demoting First Domain Controller
Previous by thread: Re: adding 2003 server in a Windows 2000 AD
Next by thread: RE: adding 2003 server in a Windows 2000 AD
Index(es):
- Date
- Thread

Relevant Pages

RE: adding 2003 server in a Windows 2000 AD
... > Please use SecPol.msc on the primary DC to check the policy. ... please make sure that Domain Controllers are in the Domain ... > Microsoft Online Partner Support ... > able to update your profile and access the the partner newsgroups. ...
(microsoft.public.windows.server.migration)
Re: [fw-wiz] httport 3snf
... > Having worked in the Firewall support role at several companies, ... I had my CIO approve my security policy. ... time educating him about Internet risk. ... There's also a very good "at what point is the firewall now useless" ...
(Firewall-Wizards)
RE: Polices
... are unable to give further assistance in the Newsgroups. ... We suggest that contact Microsoft Product Support Services via telephone ... >they could nto find the gpf.ini in teh particualr policy directroy. ...
(microsoft.public.windows.server.sbs)
Re: Why Deportation?
... On second thought...a takeover of Mexico by the US would be one ... Is that the specific policy you support? ... We cannot even support the occupation in Iraq, ... time we should go to war with a country. ...
(soc.retirement)
Re: "Even if torture works."
... >>> indirectly supporting the tactics. ... watch closely what people support and what they do. ... >>> If you decide to support the policy knowing that the tactics include ... >>> torture, how can you argue with any moral strength that you didn't ...
(uk.politics.misc)