RE: DCPromo Error



Hi Luke,

Thanks for posting in our newsgroup.

From your description, I know that when you run dcpromo, you get the
message: The operation failed because: Failed to modify the necessary
properties for the machine account NETSERVER011$. If I am off-base, please
don't hesitate to let me know.

Please let me know the following to make the situation clearer:

What is the topology of your network? Are all the computers in the same LAN?

Please take the following steps to narrow down this issue:

Step 1: This problem can occur if the account that is used for the
promotion operation has not been assigned the "Delegation Privilege" right.
Or, if this right has been assigned, the policy has not propagated yet,
possibly because of replication latency. By default, only members in
the Administrators group have the "Delegation Privilege" right.

To resolve this problem, use an account in the Administrators group, or add
the appropriate account to the Administrators group. To grant this right to
another user or group, set the delegation privilege on the Group Policy
object:

1. In the Active Directory Users and Computers snap-in, edit the Default
Domain Controllers Policy on the Domain Controllers Organizational Unit.
2. Double-click Computer Configuration, click Windows Settings, click
Security Settings, click Local Policies, and then click User Rights
Assignment.
3. Under Enable Computer and User Accounts to be trusted for Delegation,
add the appropriate account or group.
4. Apply the policy using one of the following methods:

- At a command prompt, type secedit /refreshpolicy machine_policy /enforce.
- In the Sites and Services snap-in (Dssite.msc), use the Replicate Now
feature to force replication from the domain controller on which the policy
was changed to the other domain controllers in the domain.

For more information, please refer to:

When you run Dcpromo.exe to create a replica domain controller, you receive
the "Failed to modify the necessary properties for the machine account.
Access is denied." error message
http://support.microsoft.com/?id=232070

Step 2: Do you use NAT to connect to Internet? If so, you need to run the
command "netsh routing ip nat delete h323" to disable the H.323/LDAP proxy
service. For more information, please refer to:

270152 The DC Promo Program Does Not Work When Using Network Address
Translation
http://support.microsoft.com/?id=270152

If the problem still exists, please help me collect the following for
further research:

1. Please collect the Dcpromo.log and DcpromoUI.log in the %SystemRoot%\Debug
folder, zip them, and send them to me.

2. MPS Report

1) Download MPS report tool from:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.EXE
2) Run the MPSRPT_SETUPPerf.exe on the server box.
3) Wait for 10~15 minutes.
4) Open Windows explorer, navigate to
%SYSTEMROOT%\MPSReports\Setup\Reports\cab\
5) Send the .cab file to us.

Please send the information to v-robeli@xxxxxxxxxxxxx with subject:
38190308-DCPromo Error.

If you need further assistance, please don't hesitate to let me know.



Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Luke Sheldrick" <Luke.Sheldrick(REMOVE)@an0key.co.uk>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: DCPromo Error
<Date: Mon, 05 Mar 2007 18:32:35 GMT
<
<Hiya,
<
<I'm trying to add an additional server to my domain as an extra domain
<controller, however when I run through DCPromo I get the following error...
<does anyone know what this could be..
<
<Have tried this with both 2003 and 2000 standard.
<
<Let me know if you need any more info
<
<http://luke.sheldrick.co.uk/images/dcpromo.bmp
<
<
<
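
An added example, not part of the original post: a small audit of which principals hold the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege) in a security template, flagging anything other than the Administrators group that Step 1 names as the default holder. It assumes the template text comes from the policy's GptTmpl.inf or from `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample template, its SIDs and the `svc_promo` account are constructed for illustration.

```python
import codecs

DELEGATION_RIGHT = "SeEnableDelegationPrivilege"
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample template (not taken from any real domain).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc_promo
[Version]
signature="$CHICAGO$"
Revision=1
"""

def decode_inf(raw: bytes) -> str:
    """Decode template bytes: UTF-16 when a BOM is present, otherwise UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def privilege_holders(inf_text: str, right: str = DELEGATION_RIGHT) -> list[str]:
    """Return the SIDs or account names assigned `right` in [Privilege Rights]."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # Entries are comma separated; SIDs carry a leading '*'.
            return [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
    return []  # right not defined in this template

def unexpected_holders(inf_text: str) -> list[str]:
    """Holders of the delegation right other than BUILTIN\\Administrators."""
    return [h for h in privilege_holders(inf_text) if h.upper() != ADMINISTRATORS_SID]

if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_INF):
        print("review delegation right holder:", holder)
```
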
