DCpromo is access denied...(reposted)

Guest

I'm still having a problem whenever running a DCpromo. I
got access denied Failed to modify the properties of
computer account...
Is there any other workaround to resolve this from MVP?

*********************

I tried to ping from my member server that I'm trying to
promote and I can resolve it.
my Forest root is eng.brain.com
my child domain is region.eng.brain.com

From one of my member server
(serverdc1.region.eng.brain.com)
I can resolve all the way to the forest and I can even get
the time source.

Is there any other workaround please...







-----Original Message-----
IT HAS SOMETHING TO DO WITH CREDENTIALS BUT WHERE? MY
ADMINISTRATOR ACCOUNT IS ALREADY TRUSTED FOR DELEGATION!
WHERE IS THE PROBLEM?!!!!!!!!!!

Authentication (credentials) and replication (including DCPromo) is
almost always a DNS issue.

You seem to indicate that the machine is NOT currently in the
domain. Add it as a server to the domain, but the most likely
problem is DNS....

DNS must be dynamic.
All clients -- this includes ALL DCs -- must use the internal
DYNAMIC dns server (set) ONLY. (restart netlogon on
each affected DC if you change either of these.)

AND in a true internal tree, all of the DNS servers must be
able to resolve from the COMMON root down -- and if you
have multiple tree roots this includes a common parent of all
of them.

(You can hold cross secondaries to satisfy the previous
requirement but the key is that EVERY internal DNS name
must be resolvable from all internal clients.)


--
Herb Martin

I've been trying to fix this problem for almost two weeks
now and I decided to post it here.

I'm trying to add a DC in my existing AD W2k Advanced,
Native mode in a child domain model and I'm getting this
error whenever I'm running DCpromo!
"Failed to modify the properties of the computer account
mydc$ "Access is denied."

I have done the following to find a solution:
-I went to all my event viewer for all my three existing
DCs to look for any error None..
-I ensure that all my GPO are fine! All Policies are
applying no problem! and replicating!, check my DNS all
correct with all srv etc etc.

-I tried the following workarounds from MS ; restart all
my DCs but no luck after performing these KBID from MS
http://support.microsoft.com/?kbid=232070 and
http://support.microsoft.com/?kbid=250874

-I tried to rename the machine, put it into workgroup and
then rejoin in the domain using DCPROMO again, same!

-I verified my GPO are all replicating and double check my
DNS, FSMOholders, AD health using DCdiag.. all working
fine. but same problem.

-I rebuild the server come up with new name, Sp4, run a
diagnostics etc etc.I run DCPromo again same problem!
What are the cause for this?, Any workaround?

IT HAS SOMETHING TO DO WITH CREDENTIALS BUT WHERE? MY
ADMINISTRATOR ACCOUNT IS ALREADY TRUSTED FOR DELEGATION!
WHERE IS THE PROBLEM?!!!!!!!!!!
I still have a trust still exist between my legacy
Domain Nt4 and my AD as I'm still doing migration. I
noticed that when I set the trust and migration some
default policies are changed. But still the rights I
needed for delegation is still there. Any idea guys.

Appreciate your help since I have done everything to fix
this problem but no luck!


Part of the message that I copied from
WINNT\DEBUG\dcpromo.log is below
04/05 15:10:05 [INFO] Forcing time sync
04/05 15:10:05 [INFO] Forcing a time synch with \\xyz-
dc1.xyz.do.u.org

04/05 15:10:05 [INFO] Setting machine account to be DC
04/05 15:10:05 [INFO] Configuring the server account

04/05 15:10:05 [INFO] Searching for the machine account
for xyz-DC$ on \\xyzk-dc1.xyz.do.u.org...
04/05 15:10:05 [INFO] Configuring the server account

04/05 15:10:05 [INFO] NtdsSetReplicaMachineAccount
returned 5
04/05 15:10:05 [INFO] DsRolepSetMachineAccountType
returned 5
04/05 15:10:05 [INFO] Error - Failed to modify the
necessary properties for the machine account myDC$


More power guys!!


Cary Shultz [A.D. MVP]

Based on your error, I would say that this is the trusted for delegation
problem. Have you taken a look at the following MSKB Articles:

http://support.microsoft.com/?id=232070
http://support.microsoft.com/?id=250874

HTH,

Cary


