Title: Weird thing with DCPROMO
Hi,
 
For those interested: I experienced it and also solved it. It took a while, but it finally got solved, although the WHY is still not clear...
 
To troubleshoot this I tried almost everything: reinstalling AD, reinstalling DNS, a different DNS configuration, using another domain name. Even reinstalling the OS from scratch did not help, and I was able to reproduce it time after time. It still would not work.
 
I started thinking about the error as it was described: "The wizard cannot gain access to the list of domains in the forest. This condition may be caused by a DNS lookup problem"... but NSLOOKUPs were working OK. So it had to be something like permissions or corrupt data or whatever, but not name resolution, because that proved to work. Imagine an Enterprise Admin not having enough permissions to do stuff in AD. Well...
 
In addition to what is mentioned below, I will add some other info:
I created the VM by installing W2K3 with SP1 slipstreamed (EVAL) and after that I installed R2 (RC0). The password of this VM was simply "password".
I cloned the VM once, changed the server name to ROOTDC01 and changed the SID (first DC for the forest root domain). After rebooting the server I changed the password to "corp" (the same as the NetBIOS name of the domain).
I cloned the VM again, changed the server name to CHUBDC01 and changed the SID (first DC for the child domain). After rebooting the server I changed the password to "branch" (the same as the NetBIOS name of the domain).
 
To test permissions and credentials I created a mapping (to the ADMIN$ share) from the stand-alone server to the forest root DC, using username administrator and password corp. Result = OK.
To test permissions and credentials I started LDP on the stand-alone server and connected to the forest root DC, using username administrator and password corp. Result = OK. I was able to do anything in the directory.
To test permissions and credentials I joined the stand-alone server to the forest root domain as a member server, using username administrator and password corp. Result = OK.
 
I logged on to the stand-alone server as administrator with password branch, which is obvious.
I started DCPROMO to install a DC for a child domain in an existing tree, and as credentials I entered those of the forest root domain administrator: administrator with password corp. No go!
 
Finally, last night I decided to do a network trace, but at first I did not believe it would give any hint, as name resolution was working OK and authentication was also working OK, as proved by the mapping and LDP. OK, let's see...
I started the trace, started DCPROMO, and after entering the credentials it gave me the error. Did the same with a custom Enterprise Admin I created in AD.
The error shown by the sniffer was/is:
 
SMB (Server Message Block Protocol)
     SMB Header
          Server Component: SMB
          SMB Command: Session Setup AndX (0x73)
          NT Status: STATUS_LOGON_FAILURE (0xc000006d)        <<<<<---------------------------------???????
 
How could there be an auth failure when authentication proved OK? Suddenly I changed the password of the stand-alone server administrator to match the password of the forest root domain administrator. Started DCPROMO again AND IT WORKED! Stopped DCPROMO. Started it again and tried it with the custom Enterprise Admin, and THAT ALSO WORKED! Changed the password of the stand-alone server administrator back to branch, started DCPROMO again, and that ALSO WORKED!
 
The fun part: it never gave an access denied error!
What I'm still trying to understand is: WHAT AND WHY? For those who have anything to say about this concerning the what, the why or whatever, don't hesitate and give your thoughts!
 
LESSON LEARNED: if everything else fails, get that network sniffer working as soon as possible!
Cheers,
Jorge
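The field the sniffer pointed at above (NT Status in the SMB header of a Session Setup AndX reply) can be read straight out of the raw bytes when you only have a capture file and no protocol analyser at hand. The decoder below is an added example, not code from Jorge's post; the frames it parses are constructed here rather than taken from his trace, and it parses only the fixed 32-byte SMB1 header (MS-CIFS 2.2.3.1) plus the optional NetBIOS session header seen on TCP/445 and TCP/139, not the request's parameter block. One caveat it encodes: during an NTLMSSP (extended security) logon the first Session Setup AndX reply legitimately carries STATUS_MORE_PROCESSING_REQUIRED, so that status must not be counted as a failure.

```python
"""Decode SMB1 (CIFS) headers and pick out failed Session Setup AndX replies.

Added example for this thread, not code from the original post. The sample
frames are constructed here (no real capture) and carry a header only.
"""
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"

# Commands that matter for an authentication problem (MS-CIFS 2.2.2.1)
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75

SMB_FLAGS_REPLY = 0x80          # Flags bit: this message is a server response
SMB_FLAGS2_NT_STATUS = 0x4000   # Flags2 bit: Status field holds an NTSTATUS

NT_STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",  # mid-NTLMSSP handshake, not an error
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


@dataclass
class Smb1Header:
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int

    @property
    def is_reply(self) -> bool:
        return bool(self.flags & SMB_FLAGS_REPLY)

    @property
    def status_name(self) -> str:
        if not self.flags2 & SMB_FLAGS2_NT_STATUS:
            return f"DOS error class/code 0x{self.status:08X}"
        return NT_STATUS_NAMES.get(self.status, f"NTSTATUS 0x{self.status:08X}")


def strip_nbss(frame: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 3-byte length) if present."""
    if len(frame) >= 8 and frame[0] == 0x00 and frame[4:8] == SMB1_MAGIC:
        length = int.from_bytes(frame[1:4], "big")
        return frame[4:4 + length]
    return frame


def parse_smb1_header(frame: bytes) -> Smb1Header:
    """Parse the fixed 32-byte SMB1 header; raises ValueError on non-SMB1 input."""
    data = strip_nbss(frame)
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # offset 4: Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2), all little-endian
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", data, 4)
    # offsets 14-23 are SecurityFeatures(8) and Reserved(2); then TID, PIDLow, UID, MID
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return Smb1Header(command, status, flags, flags2, tid, (pid_high << 16) | pid_low, uid, mid)


def find_failed_logons(frames):
    """Return (frame index, header) for each Session Setup AndX reply that is a real failure."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            h = parse_smb1_header(frame)
        except ValueError:
            continue  # not SMB1 (SMB2 starts with 0xFE 'SMB'); skip it
        if (h.is_reply and h.command == SMB_COM_SESSION_SETUP_ANDX
                and h.flags2 & SMB_FLAGS2_NT_STATUS
                and h.status not in (0x00000000, 0xC0000016)):
            hits.append((i, h))
    return hits


def build_frame(command, status, flags, flags2, tid=0, pid=0xFEFF, uid=0, mid=1) -> bytes:
    """Build an NBSS-wrapped SMB1 message with header only (constructed test data)."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH", command, status, flags, flags2, pid >> 16)
    hdr += b"\x00" * 8 + b"\x00\x00"  # SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid)
    hdr += b"\x00" + b"\x00\x00"      # WordCount=0, ByteCount=0
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


# Constructed exchange: negotiate reply, session setup request, server's failing reply
SAMPLE_FRAMES = [
    build_frame(SMB_COM_NEGOTIATE, 0x00000000, 0x98, 0xC807, mid=0),
    build_frame(SMB_COM_SESSION_SETUP_ANDX, 0x00000000, 0x18, 0xC807, mid=1),
    build_frame(SMB_COM_SESSION_SETUP_ANDX, 0xC000006D, 0x98, 0xC807, mid=1),
]

if __name__ == "__main__":
    for i, h in find_failed_logons(SAMPLE_FRAMES):
        print(f"frame {i}: Session Setup AndX reply mid={h.mid} -> {h.status_name}")
```

To run it against a real trace, feed it the TCP payloads of the port 445/139 segments (for example exported from the analyser) in capture order. A reply carries the same MID as its request, so the failing reply at index 2 pairs with the request at index 1; decoding that request's parameter block (not done here) is what tells you which account name the failing Session Setup actually carried, which is the open question in the thread.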


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, September 14, 2005 18:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weird thing with DCPROMO

Hi,

I was wondering if someone experienced something similar and found a solution to this one.

My intention is to build a similar branch office scenario in VMware Workstation, but then with W2K3SP1R2-RC0.

The forest root domain contains:
* Forest Root Domain: CORP.NET (DFL and FFL = W2k3)
* 1 DC = GC = DNS = FSMOs
* Name of DC = ROOTDC01
* DC points only to itself as primary DNS server
* DNS server hosts zones: CORP.NET (in domain app part), _MSDCS.CORP.NET (in forest app part), .(root) (in custom app part called 'ROOTDNSZONE.CORP.NET' - the only enlisted DC = ROOTDC01), 0.10.in-addr.arpa (in forest app part)

* All zones are AD-I and secure DDNS is enabled
* NO WINS used!

* On DNS server a delegation has been created for the zone BRANCH.CORP.NET to CHUBDC01.BRANCH.CORP.NET

I want the forest to contain an additional domain with the following characteristics (BUT DCPROMO FAILS!):
* Domain: BRANCH.CORP.NET
* 1 DC = GC = DNS = FSMOs
* Name of DC = CHUBDC01
* DC points only to itself as primary DNS server and points to ROOTDC01.CORP.NET as alternate
* DNS server hosts zones: BRANCH.CORP.NET (in domain app part), _MSDCS.CORP.NET (in forest app part), 0.10.in-addr.arpa (in forest app part)
* NO WINS used!

* On DNS server forwarding has been configured to ROOTDC01.CORP.NET

The troubleshooting part:
* On ROOTDC01.CORP.NET if I run NETDIAG /V -> all tests passed except for default gateway because it is not defined
* On ROOTDC01.CORP.NET if I run DCDIAG /V -> all tests passed!
* On CHUBDC01.BRANCH.CORP.NET if I run: dcdiag /test:dcpromo /dnsdomain:branch.corp.net /childdomain it says: CHUBDC01 passed test DcPromo

* Pinging between both servers is OK!
* NSLOOKUP from both servers querying different type of records works OK
* No errors in event log
* Adding CHUBDC01 to the domain CORP.NET as a member server works OK
* No firewalls used

DCPROMO'ING CHUBDC01 to a DC for an additional child domain in the forest FAILS… (whether the server is a member server or stand-alone, neither works)

(or to whatever DC in whatever domain)

DCPROMO fails the moment I click OK after entering credentials, and pops up with:
The wizard cannot gain access to the list of domains in the forest
This condition may be caused by a DNS lookup problem. For info… blababla….
The error 'The RPC server is unavailable'

I have searched the internet for this and found something similar, but then with VMware ESX, among other situations, but still no solution. These are the links I have seen on this:

http://www.vmware.com/community/thread.jspa?threadID=18782&messageID=211853
http://forums.techarena.in/archive/index.php/t-65328.html
http://www.vmware.com/community/thread.jspa?threadID=18782&messageID=213146


WTF is this? Has anyone experienced this before?


Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089
5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80

E-mail : [EMAIL PROTECTED]

<http://www.logicacmg.com/> - Solutions that matter -



This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
