not authorised to create an additional domain controller

[Mike Hunt]

Hi,

I've got a win2k server DC that I want to retire and I've put up another
win2k server and have tried to install AD on it and have it as an additional
DC but when it goes through the process of creating new credentials for the
new server Im given an error:

The operation failed because: Failed to modify the necessary properties for
the machine account TRAIONPDC$
"Access is denied. "

This is very very wierd because my account has all the neccessary
permissions. Or is there something Im missing... My account belongs to
these groups :

- server operators
- domain admins
- administrators
- enterprise admins
- domain users

Please help... this is very wierd indeed...

Cheers
Mike

 

[Nathan]

Did you add the new win2k server to AD and reboot before
trying to make it a new DC?

Not rebooting after adding to the domain could cause the
problem you are having. Though I'm not sure the exact
error syntax you wuold get without failing it on purpose.

 

[Cary Shultz [A.D. MVP]]

Nathan,

Joining the WIN2000 server that you are trying to promote to the domain
before running dcpromo is not really necessary. Granted, I do that just
about everytime that I create a domain controller, but it is really not
necessary.

The error indicated by Mike is most probably caused by the 'trusted for
delegation' issue. Please take a look at the following MSKB article:

http://support.microsoft.com/?id=250874

Also, and please do not misunderstand me here, a simple search on the MS
website ( http://support.microsoft.com ) would have lead you to the above
MSKB. Simply enter in the error message and you will be given a list of
applicable articles.

HTH,

Cary

 

[Nathan]

Joining the WIN2000 server that you are trying to promote
to the domain

before running dcpromo is not really necessary. Granted, I do that just
about everytime that I create a domain controller, but it is really not
necessary.

I know we had problems with authentication in NT 4.0
domains if we tried to use privliges over multiple domain
trusts if we did so before adding the server/workstation
to the domain. I figured it was worth a mention, but
you've probably identified his true problem.

Thanks for the heads up on this, keep them coming. I'm
diving head first into AD with a strong NDS and NT 4.0
background. Why I've been so active here recently

vrrmm vrrooom, getting up to speed...

Nathan

 

[Cary Shultz [A.D. MVP]]

Nathan,

Keep on going! Post all the questions that you have. This is a really good
place to learn about AD. I started just looking at the questions and trying
to figure out the answer myself without looking at the posted replies. I
then started asking questions and then finally started answering questions.

Another really good place is the lab. Take any three computers, load
WIN2000 Server on two of them and load WIN2000 Pro ( or WINXP PRo ) on the
third. Play around there.

Have fun!

Cary

 

[Mike Hunt]

Thank you very much indeed. It worked and is fixed. I will bare that in
mind too in future posts as well

thank you

 

[Cary Shultz [A.D. MVP]]

Mike,

Glad that everything worked for you. You can always post your questions to
any NG. No one will ever tell you, "Hey, nimrod. Why don't you take a look
on your own" - or anything in that vain. If they do send them my way! ;-)
However, people might suggest that you take a look at all of the available
tools IN ADDITION TO posting a question. However, if you are not aware of
the tools available then it might be a bit difficult...

I usually take a look at http://www.google.com, at http://www.eventid.net
and http://support.microsoft.com. Hope that these links help you!

Cary