RE: Error by making a additional domain controller



Hi Nico,

Thank you for posting in SBS newsgroup.

According to your post, I understand that DCPROMO failed to convert the
computer account and reported an "Access is denied" error message. If I have
misunderstood your concerns, please do not hesitate to let me know.

This problem can occur if the account that is used for the promotion
operation has not been assigned the "Delegation Privilege" right. Or, if
this right has been assigned, the policy has not propagated yet, possibly
because of replication latency. By default, only members in the
Administrators group have the "Delegation Privilege" right. I suggest that
we check this setting as follows:

1. Click Start -> Run, type GPMC.MSC and click OK. Expand
Forest: [domain.com]\domains\[domain.com]\Default Domain Controllers Policy,
right-click it and select Edit.
2. Double-click Computer Configuration, click Windows Settings, click
Security Settings, click Local Policies, and then click User Rights
Assignment.
3. Under "Enable Computer and User Accounts to be trusted for Delegation",
add the appropriate account or group.
4. Apply the policy using the following method:

At a command prompt, type "gpupdate /force".

5. Restart the domain controller.

Then, please try again to see if DCPROMO works.

You can take a look at the following URLs for more information:

http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/addsrvrs.mspx#XSLTsection131121120120
(refer to the paragraph: Configuring an Additional Domain Controller)

Though this article is for SBS 2000, it is the same in the SBS 2003
domain. You only need to make sure that you have chosen "Additional domain
controller for an existing domain" in the promoting process.

Deploying Windows Server 2003 Regional Domains
http://technet2.microsoft.com/WindowsServer/en/Library/c283b699-6124-4c3a-87ef-865443d7ea4b1033.mspx

Please note the SBS 2003 server only has the following restrictions; you
can add an additional DC without any problems.

- Only one computer in a domain can be running Windows Server 2003 for Small
  Business Server.
- Windows Server 2003 for Small Business Server must be the root of the
  Active Directory forest.
- Windows Server 2003 for Small Business Server cannot trust any other
  domains.
- A Windows Server 2003 for Small Business Server domain cannot have any
  child domains.
- Each additional server must have a Windows Server 2003 for Small Business
  Server client access license (CAL). You can use CALs for each user or for
  each device.

You can take a look at the following URL for more information on SBS
2003:
http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Error by making a additional domain controller
| From: =?Utf-8?B?bmljbw==?= <nico@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Error by making a additional domain controller
| Date: Mon, 3 Apr 2006 07:26:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hello,
|
| We have a problem making an additional domain controller in our network.
| In our network there is a Small Business Server 2003 Premium and 3 Windows
| Server 2003 servers at other locations. These locations are connected by
| means of an IP-VPN connection. When making an additional domain controller
| with DCPROMO, we get the following error on replication:
|
| The Active Directory Installation Wizard was unable to convert the computer
| account <servername>$ to a domain controller account. "Access is denied."
|
| At first we thought the IP-VPN connection was causing the error, so we
| bought an additional server and tried this at the location where the SBS
| server stands, setting it up as an additional domain controller. This
| resulted in the same error.
|
| We have done some research, and we ended up at the following document:
| http://support.microsoft.com/?id=232070
| In our view this must be the solution, only the command mentioned in
| point 4, secedit /refreshpolicy machine_policy /enforce, we are not able
| to carry out; it reports that the string /refreshpolicy is not
| recognised.
|
| We hope that you can help us with our problem. Sorry for my bad English;
| the English language isn't my best.
|
| Kind regards,
|
| Nico
|
|
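
Added example, not part of the original thread or of any Microsoft tooling: a small Python audit of who holds the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege) in a user-rights export, which is the setting the reply's steps 1-3 edit. It assumes the export was produced with `secedit /export /areas USER_RIGHTS /cfg rights.inf`; the sample text, the `svc-promote` account and the S-1-5-21 SID are constructed.

```python
import configparser

PRIVILEGE = "SeEnableDelegationPrivilege"
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators (well-known SID)

# Constructed sample of a secedit user-rights export. A real export is
# UTF-16, so read it with open(path, encoding="utf-16") before parsing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc-promote
[Version]
signature="$CHICAGO$"
Revision=1
"""


def delegation_holders(inf_text):
    """Return the principals granted the delegation right, or None when the
    right is not defined in this template at all."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return None
    # configparser lower-cases option names, so look the key up lower-cased.
    raw = parser["Privilege Rights"].get(PRIVILEGE.lower())
    if raw is None:
        return None
    # SIDs carry a leading '*'; names that were not mapped to SIDs appear bare.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def audit(inf_text):
    """Summarise the setting: is it defined, does it still include
    Administrators, and which other principals were added."""
    holders = delegation_holders(inf_text)
    if holders is None:
        return {"defined": False, "admins_present": False, "extra": []}
    extra = [h for h in holders if h.upper() != ADMINISTRATORS_SID]
    return {"defined": True,
            "admins_present": len(extra) != len(holders),
            "extra": extra}


if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

A result with `defined` true and an empty holder list means the policy grants the right to nobody, which matches the "Access is denied" condition described in the reply; entries under `extra` are the accounts to review, since this right allows marking accounts as trusted for delegation.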
