Cannot access Default Domain Controllers Policy -- DCPROMO error

SHPainter3

I am trying to promote a member server to be a DC and get
the following error message:

The operation failed because: Failed to modify the
necessary properties for the machine account SC300$
[member server]
"Access is denied. "

I have read and followed KB 232070 which addresses this
error message. However, the Active Directory Users and
Computer snap-in does not give me access to the Default
Domain Controllers Policy.

This notwithstanding, I have tried to set the Enable
Computer and User Accounts to be trusted for Delegation
via the Domain Policy management snap-in. I am not sure
this worked.

First question: Where can I set the Default Domain
Controllers Policy to Enable Computer and User Accounts
to be trusted for Delegation?
How can I determine this setting definitively?

Second question: If I did manage to enable the policy,
can anyone suggest other reasons why I receive this error
when I try to promote a server to DC?
Are there any other causes?

Some other notes

Current solitary DC is Win 2K SP3 (we're afraid to patch
it)
Server to be promoted is Win 2K SP4

I have been following KB 216498 to remove the
failed/partially promoted DC from the current DC.

Thanks and regards,
Steve
 
Steven L Umbach

What do you mean you can not access Domain Controller Security Policy? What
message do you get? Did you try dcpol.msc in the run box? To see what the
policy actually is, you can view Local Security Policy on the domain
controller for "effective settings" but it needs to be configured at the
Domain Controller Security policy level. --- Steve
 
Guest

I am really trying to solve the problem addressed by KB
232070. It directs me to set the Default Domain Controller
policy via the Active Directory Users and Computers MMC,
but I cannot access it there. That led to this posting.
Sorry to be so obtuse, but I do not understand where/how
to grant Administrators/Enterprise Administrators the right
to add a second DC. To answer your questions directly:

Running dcpol.msc via Start | Run shows me MMC titled
Domain Controller Security Policy.

I have set Security Settings | Local Policies | User
Rights Assignment | Enable computer and user accounts to
be trusted for delegation to include the Administrator group
and a specific user account (testing the change).

Local Setting is correct. Effective setting is blank.

I have restarted the computer. I have run
secedit /refreshpolicy.

Logged in as a user, member of Enterprise Administrators
and Domain Administrators groups.

What am I missing?

 
Steven L Umbach

So you added the administrators group to the Domain Controller Security
Policy for that user right and it still does not show as the effective
setting in Local Security policy even after a reboot?? Are there any other
GPOs in the domain controller container?? To find them and access
group/security policy, use AD Users and Computers and then select the domain
controller container, right click, select properties, then Group Policy and
edit to view or configure the GPOs there.

If there is more than one GPO, the one at the top of the list would take
precedence assuming default GPO settings. I would also run the gpresult tool
on the domain controller to see where machine policy is being applied from
and the last time the policy was applied. In a default setup it would be
receiving computer configuration from the domain and domain controller
default GPOs. Gpresult and other important tools such as dcdiag and
netdiag are on the install CD in the support/tools folder where you would
need to run the setup there. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709

 
Guest

Yes, the policy does not show as being effected, even
after a restart.

There are NO GPOS showing on the Active Directory Users
and Computers MMC. I am starting to think the guy who set
this up did not set it up completely or, perhaps, deleted
some of the tools.

One suggestion was to reinstall the adminpak which I
will try tomorrow.

I'm still working on this, if you have any other
suggestions.

Thanks,
Steve


 
Steven L Umbach

If there are no GPOs in the "domain controller" container then you can create a new
one, configure that user right and try again. Did gpresult show any policies being
applied to the domain controller other than local?? If you can, paste your gpresult
for the domain controller while logged on as the administrator in a reply. Below is
a partial paste from mine to give you an idea of what info gpresult will display. ---
Steve

###############################################################
Last time Group Policy was applied: Monday, April 19, 2004 at 7:45:00 PM
Group Policy was applied from: server1-2000.umbach1.com
===============================================================
The computer received "Registry" settings from these GPOs:

Local Group Policy
Default Domain Policy
Default Domain Controllers Policy
===============================================================
The computer received "Scripts" settings from these GPOs:

Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Domain Main 1
Default Domain Policy
Default Domain Controllers Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Default Domain Policy
Default Domain Controllers Policy

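The gpresult check suggested in the reply above, as an added example that is not part of the thread: a Python parser for the Windows 2000 gpresult layout pasted there, reporting whether the Default Domain Controllers Policy delivered "Security" settings (the extension that carries user rights assignments). The sample output and the host name dc1.example.test are constructed.

```python
import re

# Constructed sample in the gpresult layout shown in the post above; here the
# domain controller GPO is missing from the "Security" section.
SAMPLE = '''\
Last time Group Policy was applied: Monday, April 19, 2004 at 7:45:00 PM
Group Policy was applied from: dc1.example.test
===============================================================
The computer received "Registry" settings from these GPOs:

    Local Group Policy
    Default Domain Policy
===============================================================
The computer received "Security" settings from these GPOs:

    Local Group Policy
    Default Domain Policy
'''

SECTION = re.compile(r'^The computer received "(?P<ext>[^"]+)" settings from these GPOs:\s*$')
HEADER = re.compile(
    r'^(?P<key>Last time Group Policy was applied|Group Policy was applied from):\s*(?P<val>.+)$')
RULE = re.compile(r'^[=#]{5,}\s*$')  # separator rows of '=' or '#'


def parse_gpresult(text):
    """Return (header dict, {extension: [GPO names in listed order]})."""
    header, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines sit inside a section
        if RULE.match(line):
            current = None                # a separator row ends the section
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group("ext"), [])
            continue
        m = HEADER.match(line)
        if m:
            header[m.group("key")] = m.group("val")
            current = None
        elif current is not None:
            current.append(line)          # a GPO name under the open section
    return header, sections


def security_policy_gaps(text, required=("Default Domain Controllers Policy",)):
    """List required GPOs that did not deliver "Security" settings."""
    _, sections = parse_gpresult(text)
    applied = {name.lower() for name in sections.get("Security", [])}
    return [gpo for gpo in required if gpo.lower() not in applied]
```

An empty list from `security_policy_gaps` means the domain controller GPO reached the machine; a non-empty list matches the "Effective setting is blank" symptom described earlier in the thread.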
 
Solution Statement from SHPainter3

This problem was solved by reinstalling the adminpak.msi
 
