Trouble installing active directory

farakh

I am trying to add a domain controller to our domain.
I already have two domain controllers running. When I go
through dcpromo, I get an error "the operation failed
because: failed to modify the necessary properties for
the machine account $servername, access is denied".
I have checked DNS settings and I am logging in as the
administrator of the domain.
Please help.
P.S. A couple of months ago our PDC crashed and I had to
seize the roles and assign them to another domain
controller. When I run dcdiag and netdiag, everything
looks good. Please help.
 
Rich

Is this server a member server right now? I have had
problems promoting a member Server to a DC. I have always
removed the server from the domain and then promoted it
into the domain as a DC.

The other thing to ensure is that you are pointing the DNS
settings to the internal DNS server of the domain.

HTH
Rich
 
farakh

Yes, it is a member server right now. I have already
removed the server from the domain and tried to promote it
as a DC, but to no avail. This server is a secondary DNS
server. I have the server pointing to itself as primary
DNS and to the primary DNS server as the secondary DNS.
 
Rich

Do you get any errors when you do a Netdiag on the server
and a DCdiag on the domain controllers?
When the PDC failed, did you do a FSMO move to one of the
other DCs? Did you do a metadata clean up on that server
after the PDC failure? Also ensure that the server you
are promoting isn't already listed in Active Directory.

Rich
 
farakh

I had to seize the FSMO roles and transfer to a different
server. dcdiag and netdiag all pass. The server is listed
under Computers in Active Directory but it is not listed
under Domain Controllers. I would like it to be a domain
controller.
I start dcpromo.exe, enter the domain info, set the
settings, put in the password, click Next, it contacts the PDC, then
it gives me the error "failed to modify the necessary
properties for the machine account. access is denied". Why
is access denied? I am the administrator. I am in the
Administrators group. I am using my credentials to log in.

Please help
 
Rich

Earlier you said that you had removed the server from the
domain, meaning that it was no longer a member server?
If this is the case then you shouldn't see the computer
listed in Active Directory Computers. You will need to
delete that account before you can use the same computer
name for a domain controller.

Rich
 
farakh

I have done that also. Removed it from Computers in
Active Directory and then tried to promote to a DC. Still
didn't work.
 
Rich

Try putting the DNS Primary to the current Domain
Controller's DNS IP. Ping that server to ensure that you
are getting a FQDN (example: server1.domain.msft).
The only other thing I can recommend is to do a Metadata
cleanup and ensure that the name you have on that server
isn't listed anywhere in Active Directory. If it is then
remove it. You could also change the name of the server
then try to promote it.

Rich
 
farakh

Did all of the above. Why is access denied?
 
Rich

From the original error message you gave it is having a
problem modifying the Computer account within Active
Directory. This tells me that you still have the name as
well as the GUID for that server listed in Active
Directory. Until you active directory with respect to
that member server you will not be able to promote it.
Active Directory thinks it is doing something else.

Rich
 
farakh

I removed the server. Renamed it. Tried dcpromo. And it
still doesn't work.
When I run dcpromo I get the error "failed to modify the
necessary properties for the machine account, access is
denied".
The initial part of the promotion was successful; this is
verified because the computer becomes a member server in
the domain, but the promotion to domain controller did not
succeed because dcpromo could not modify the machine
account.
I did some research and found that this problem can
occur if the account that is used to promote has not been
assigned the "delegation privilege".
I am promoting using the administrator account. I don't
know what else to do. I don't have a "default domain
controllers policy". So I can't modify that. Is something
wrong with Active Directory?
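
An added example, not part of the thread: a PowerShell check of which accounts a GptTmpl.inf security template grants a user right. It assumes the "delegation privilege" mentioned in the last post is the user right "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege); the function name and the sample template are constructed for illustration.

```powershell
# Added example (not from the thread). Get-PrivilegeHolders is a hypothetical helper.
# It returns the accounts/SIDs listed for one user right in a security template.
function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [string]$Privilege = 'SeEnableDelegationPrivilege'
    )
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user-right assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match "^$([regex]::Escape($Privilege))\s*=\s*(.*)$") {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # the right is not defined in this template
}

# Constructed sample template in which the delegation right is absent.
# On a real domain, read the Default Domain Controllers Policy template instead:
#   \\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\
#       MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# e.g. $text = Get-Content -Raw -Path $path   (Test-Path first: the GPO may be missing)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

$holders = Get-PrivilegeHolders -InfText $sample
if ($holders -contains 'S-1-5-32-544') {      # S-1-5-32-544 = BUILTIN\Administrators
    'Administrators hold SeEnableDelegationPrivilege'
} else {
    'Administrators do NOT hold SeEnableDelegationPrivilege in this template'
}
```

With the sample above the second branch is taken, which is the condition the poster's research describes: the promoting account lacks the delegation right on the domain controllers.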
 