Title: Message

I have a domain controller which was working just fine in Calgary as a global catalog, WINS/DNS/DHCP server.  It was shut down without running DCpromo and shipped here to Seattle.  I booted it, gave it a new IP address, added all of the requisite DNS entries for the new address, set up replication in DNS and WINS again and let it cook for a week or so.  I solved the issues with GPO and domain replication and things looked good.

When I try to run DCpromo to make it a member server, I get so far, then get the error:

The operation failed because: The attempt to configure the machine account <servername>$ on server <DCname> failed.  "Access is denied."

Then:

Specify an account with Enterprise Administrator privileges to the forest "<forestname>".

No matter what username and password I enter, it still fails here.  I have to go back and re-create SYSVOL and fix a few things.  AD, DNS, GPO, etc. replication goes fubar for a while.

I'm logged in as the root domain's Domain Administrator (got the same error with the child domain's Domain Admin).

The KB has been less than helpful.

What am I missing?

Cathy Hooper
Sr. NT Administrator
Getty Images, Inc.

206-925-6615 (Office)
www.gettyimages.com
http://techweb.seattle.gettyimages.com/active_directory/
http://techweb.seattle.gettyimages.com/ts_backoffice_docs/

-----Original Message-----
From: steve [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 8:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trying to run DCPromo and getting error 5171

Update on my DNS problem, and thanks to Rick! The problem was that I had "No" set for Allow dynamic updates. Once I changed this to "Yes", everything worked like a champ! I was missing registration of the AD zones in DNS.

Can anybody think of any more forks in the road I might run into with DNS? I'm setting up AD on 2 Compaq servers, which will share the FSMO roles?

Again, many thanks to Rick for pressing on and getting to the bottom of my issue!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, June 10, 2003 10:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trying to run DCPromo and getting error 5171

 

Steve, Diane -

 

I agree that there is clearly something wrong with the DNS.  But, I'm not so sure that this is the indication.  This can also be caused (most likely) by a missing Reverse Lookup.   This was mentioned once before - have you looked into this yet, Steve?

 

I'm much more concerned with the missing registration for the GUID.

 

Steve - we (collectively) have made some suggestions.  Have you followed up on:

 

Checking the registration of the Active Directory Zones in DNS?  You should see 4:

 

_msdcs

_sites

_tcp

_udp

 

Do these exist?  If not, go to the DNS applet and right click your domain fanmats.com.  Make sure that you're set for 'Yes' in Allow Dynamic Updates.  Go to Services, then stop and then start 'Netlogon'.  This will force a registration of DNS zones.

 

Please follow ALL STEPS on this page.  Some have been outlined here time and again by other people, but the steps need to be followed.

 

 

This is a common problem.  DNS can be a real bear, but AD will NOT WORK without it.  You have to get this right, as you're finding.

 

And, if you want to bring back BOTH netdiag and dcdiag results (successful or not - many time successful results tell me a lot) please run them as follows:

 

dcdiag /fix

 

netdiag /fix

 

dcdiag /v /f:dcdiag.log

 

netdiag /debug /l  (this will automatically create a netdiag.log)

 

Good luck - we'll be waiting to here what you have found.

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diane Ayers
Sent: Tuesday, June 10, 2003 8:57 PM
To: [EMAIL PROTECTED]

>Can't find server name for address 172.16.0.30

If NSlookup can't connect to that IP address, something is fubar with the DNS service on 172.16.0.30.  Can you telnet to port 53 (DNS) on that box?  "telnet 172.16.0.30 53"

Diane
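Diane's port-53 test and Rick's checklist (the _msdcs, _sites, _tcp and _udp registrations, a reverse lookup, dynamic updates on the zone, a Netlogon restart) can be run as one script. What follows is an added example written for this page, not code posted by anyone in the thread. It assumes a current Windows host with the DnsClient and NetTCPIP PowerShell modules (Resolve-DnsName, Test-NetConnection) and, when run on the DNS server itself, the DnsServer module; the defaults fanmats.com and 172.16.0.30 are taken from the thread, and the site name Default-First-Site-Name is an assumption.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes Windows 8 / Server 2012 or later (Resolve-DnsName, Test-NetConnection)
# and, on the DNS server itself, the DnsServer module for Get-DnsServerZone.
# Defaults are the domain and DNS server named in the thread.
param(
    [string]$Domain    = 'fanmats.com',
    [string]$DnsServer = '172.16.0.30',
    [string]$SiteName  = 'Default-First-Site-Name',  # assumed; use your real AD site
    [switch]$Fix                                     # re-register the DC's records if anything is missing
)

$healthy = $true

# 1. Port check, the PowerShell equivalent of "telnet 172.16.0.30 53".
#    Only TCP is tested; a UDP-only failure would need a packet capture.
$tcp = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "TCP 53 open on $DnsServer"
} else {
    Write-Warning "Nothing listening on TCP 53 at $DnsServer; the DNS service is down or firewalled"
    $healthy = $false
}

# 2. Reverse lookup of the DNS server's own address. nslookup's
#    "Can't find server name for address" is this PTR query failing.
#    nslookup still works without it, so it is reported but not fatal.
try {
    $ptr = Resolve-DnsName -Name $DnsServer -Server $DnsServer -ErrorAction Stop
    Write-Host "PTR $DnsServer -> $($ptr.NameHost)"
} catch {
    Write-Warning "No PTR record for $DnsServer (reverse lookup zone missing or empty)"
}

# 3. The SRV records Netlogon writes under _msdcs, _sites, _tcp and _udp.
#    DCPromo on the second server finds a DC through these; if they are
#    absent, dynamic updates are usually disabled on the zone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_kerberos._udp.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $r = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop
        $targets = ($r | Where-Object Type -eq 'SRV').NameTarget -join ', '
        Write-Host ("{0,-55} -> {1}" -f $name, $targets)
    } catch {
        Write-Warning "Missing SRV record: $name"
        $healthy = $false
    }
}

# 4. When run on the DNS server, show the zone's dynamic-update mode.
#    'Secure' is the right value for an AD-integrated zone;
#    'NonsecureAndSecure' (the plain "Yes" in the old DNS console) lets any
#    host on the network overwrite any record, including the DC's own SRVs.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
    if ($zone) {
        Write-Host "Zone $Domain dynamic update mode: $($zone.DynamicUpdate)"
        if ($zone.DynamicUpdate -eq 'None') {
            Write-Warning "Dynamic updates are disabled; Netlogon cannot register SRV records"
            $healthy = $false
        }
    }
}

# 5. Force the DC to re-register, the scripted form of Rick's Netlogon stop/start.
if (-not $healthy -and $Fix) {
    Restart-Service -Name Netlogon
    nltest /dsregdns | Out-Null          # re-registers the DC locator records
    ipconfig /registerdns | Out-Null     # re-registers the host's A/PTR records
}

if ($healthy) { Write-Host "DNS prerequisites for DCPromo look good." }
```

Run it from the second server without -Fix first; a clean run prints the SRV targets, and a missing _ldap._tcp.dc._msdcs record almost always means the zone refuses dynamic updates, which is what Steve later found. One caveat on that fix: in the Windows 2000 DNS console "Yes" allows nonsecure and secure updates, so any host that can reach the server can rewrite the DC's own records; on an Active Directory-integrated zone choose "Only secure updates" instead, which still lets Netlogon register.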

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve
Sent: Tuesday, June 10, 2003 6:33 PM
To: [EMAIL PROTECTED]

Still having DNS problems!

I was able to run NLTEST and it passed.  Went through both servers and verified that each had 172.16.0.30 for the DNS setting ("S2.fanmats.com").

NSLOOKUP fails on both servers with errors.  Please refer to NSLOOKUP.txt.

DCDIAG.EXE fails.  Please refer to DCDDIAG2.txt.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, June 09, 2003 7:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Trying to run DCPromo and getting error 5171

Is the second machine pointing to the first server for DNS?

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: steve [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 08, 2003 2:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Trying to run DCPromo and getting error 5171
Environment: 2 new servers

Server configuration: Windows 2000 as workgroup.  Ran DCPromo on server1.  Verified that DNS was set up correctly; can ping the server by name.  Not using WINS.

Problem: Can't make the second server a DC.

Error message: When running DCPromo on the second server, I receive the same error message.  The link below explains my error message.

http://www.microsoft.com/windows2000/dns/tshoot/

Thanks,

Steve
=======================================================
This email and its contents are confidential. If you
are not the intended recipient, please do not disclose
or use the information within this email or its
attachments. If you have received this email in error,
please delete it immediately. Thank you.
=======================================================