I fixed the replication issue by reapplying basicdc.inf and granting the Enterprise Domain Controllers the rights Replicating Directory Changes, Replication Synchronization and Manage Replication Topology on the domain.
Then I followed Q250874. And now... It works! The machine is now a domain controller of our organisation.

Thank you Myles, thank you very much!

Regards
Elmer

> -----Original Message-----
> From: Jan Gustavsson (GIS) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 10:23 AM
> To: NT 2000 Discussions
> Subject: RE: replication issue in 2k network
>
> Could this be some help?
>
> PSS ID Number: Q250874
> Article last modified on 11-24-2000
>
> :2000
>
> ======================================================================
> -------------------------------------------------------------------------------
> The information in this article applies to:
>
> - Microsoft Windows 2000 Server
> - Microsoft Windows 2000 Advanced Server
> - Microsoft Windows 2000 Datacenter Server
> -------------------------------------------------------------------------------
>
> SYMPTOMS
> ========
>
> During Active Directory promotion of a replica domain controller, you may
> receive the following error message:
>
>    The operation failed because: Failed to modify the necessary properties for
>    the machine account %computername%$ "Access Denied".
>
> The %SystemRoot%\Debug\Dcpromo.log folder contains entries similar to the
> following example:
>
>    MM/DD HH:MM:SS [INFO] Configuring the server account
>    MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
>    MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
>    MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)
>
> A network trace shows that the ModifyReponse frame to the LDAP ModifyRequest
> frame to the UserAccountControl attribute is unsuccessful with an "insufficient
> access" error message.
>
> CAUSE
> =====
>
> One of the operations that takes place during the promotion of a replica domain
> controller is the modification of the UserAccountControl attribute for the
> computer you are promoting.
> The UserAccountControl attribute is important for defining the role of the
> computer as a member server or domain controller. Specifically, the computer
> you are promoting performs the following tasks:
>
> 1. Performs a Lightweight Directory Access Protocol (LDAP) search against an
>    existing domain controller in the domain for its computer account
>    (ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).
>
> 2. Attempts to update the UserAccountControl attribute, indicating a change from
>    a member server to a domain controller.
>
> 3. Attempts to move the computer account object from the current container or
>    organizational unit, to the domain controller's organizational unit of the
>    domain.
>
> 4. Sources the schema, configuration, and domain naming contexts for replication
>    from domain controllers that already exist.
>
> For steps 2 and 3 to succeed, the source domain controller used by the new
> replica must have successfully replicated and applied the security policy.
> Application of policy is identified by Event ID 1704 in the application log
> after Active Directory promotion (Dcpromo) has run (look for Event 1704 being
> logged after the last entry in Dcpromo.log).
>
> The specific right required to update the UserAccountControl attribute is the
> "Enable computer and users accounts to be trusted for delegation" user right,
> granted to the Administrators group in default domain controllers policy.
>
> RESOLUTION
> ==========
>
> To resolve this problem, use the appropriate method:
>
> - Verify that the current domain controllers in the domain have applied
>   security policy and the "Enable computer and users accounts to be trusted for
>   delegation" user right granted to the Administrators Group (click Computer
>   Configuration, click Windows Settings, click Security Settings, click Local
>   Policies, and then click User Rights Assignment).
>
>   For computers that do not have this right, confirm that group policy objects
>   in the directory service and file system have replicated, and then manually
>   apply the policy by typing the following command:
>
>      secedit /refreshpolicy machine_policy
>
>   NOTE: Look for the following message in the application log to confirm the
>   application of the policy:
>
>      Event ID 1704: Security Policy in the Group policy objects are applied
>      successfully.
>
> - Stop the Netlogon service on the source domain controllers that do not have
>   this right applied to discover another domain controller in the domain that
>   applied this right.
>
> - Verify that the source domain controller is in the organization unit. The
>   name of the source domain controller can be found in the hidden file called
>   Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that
>   you are trying to promote.
>
> - Open a command prompt on the source domain controller, and run the
>   Gpresult.exe Resource Kit utility to verify that the domain controllers
>   policy is being applied to the source domain controller.
>
> STATUS
> ======
>
> Microsoft has confirmed this to be a problem in Microsoft Windows 2000.
>
> Additional query words: fail fails failing
>
> ======================================================================
> Keywords   : kberrmsg kbnetwork
> Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbWinAdvServSearch kbWinDataServSearch
> Version    : :2000
> Issue type : kbprb
> =============================================================================
> Copyright Microsoft Corporation 2000.
>
> Regards
> Jan Gustavsson
>
> -----Original Message-----
> From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> Sent: den 5 juni 2002 20:08
> To: NT 2000 Discussions
> Subject: RE: replication issue in 2k network
>
> Ok checking dcpromo.log.
> I deleted all entries which looked ok or were doubled.
>
> ---
> 06/05 19:56:45 [INFO] Für die Domäne cyberconsult.lan mit dem Konto SOKRATES$ wird ein Domänencontroller gesucht.
> 06/05 19:56:46 [INFO] Der Domänencontroller platon.cyberconsult.lan für die Domäne cyberconsult.lan wurde gefunden.
> 06/05 19:56:46 [INFO] Der Standort Alt-Moabit wird für den Server \\platon.cyberconsult.lan verwendet.
> 06/05 19:56:46 [INFO] Forcing time sync
> 06/05 19:56:46 [INFO] Zeitsynchronisierung mit \\platon.cyberconsult.lan wird erzwungen.
> 06/05 19:56:46 [ERROR] Failed to get the current time on \\platon.cyberconsult.lan: 5
> 06/05 19:56:46 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
> 06/05 19:56:46 [INFO] Setting machine account to be DC
> 06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
> 06/05 19:56:46 [INFO] Searching for the machine account for SOKRATES$ on \\platon.cyberconsult.lan...
> 06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
> 06/05 19:56:46 [INFO] NtdsSetReplicaMachineAccount returned 5
> 06/05 19:56:46 [INFO] DsRolepSetMachineAccountType returned 5
> 06/05 19:56:46 [INFO] Error - Die erforderlichen Eigenschaften für das Computerkonto SOKRATES$ wurden nicht geändert. (5)
> 06/05 19:56:46 [INFO] Der Domänencontrollervorgang wurde abgeschlossen.
> 06/05 19:56:46 [INFO] DsRolepSetOperationDone returned 0
> ---
>
> At this time I have no entries in the event log.
>
> So, what do I learn?
>
> Regards
>
> > -----Original Message-----
> > From: Jan Gustavsson (GIS) [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 05, 2002 7:40 AM
> > To: NT 2000 Discussions
> > Subject: RE: replication issue in 2k network
> >
> > Hi!
> > Have you looked in the %SystemRoot%\Debug\Dcpromo.log file for errors?
> > Do you have any errors in the eventlog on the old DC?
> >
> > Regards,
> > Jan Gustavsson
> >
> > -----Original Message-----
> > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > Sent: den 4 juni 2002 17:31
> > To: NT 2000 Discussions
> > Subject: replication issue in 2k network
> >
> > Hi List!
> >
> > I have an AD Replication issue here. I can not upgrade a new DC to the
> > domain with dcpromo. I get an error message access denied for upgrading
> > the machine ... to a DC.
> >
> > Single local domain, single site two servers. Using replmon.exe to
> > determine the status of replication I get the following:
> >
> > Directory Partition: DC=cyberconsult,DC=lan
> >
> >    Partner Name: Alt-Moabit\PLATON
> >    Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
> >    Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
> >    Last Successful Replication: 5/23/2002 5:02:11 PM (local)
> >    Number of Failures: 3077
> >    Failure Reason Error Code: 8453
> >    Failure Description: Der Replikationszugriff wurde verweigert.
> >    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
> >    USN of Last Property Updated: 337656
> >    USN of Last Object Updated: 337656
> >    Transport: Intra-Site RPC
> >
> > Change Notifications for this Directory Partition
> > -------------------------------------------------
> >    Server Name: Alt-Moabit\PLATON
> >    Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
> >    Time Added: 12.02.2002 15:20:29
> >    Flags: DRS_WRIT_REP
> >    Transport: RPC
> >
> > "Der Replikationszugriff wurde verweigert" means "replication access was
> > denied". There are no errors for other partitions or into the other
> > direction.
> >
> > What also confuses me:
> > under .\sysvol I have the shared .\sysvol\sysvol directory including the
> > .\sysvol\sysvol\'domain_name' directory in it (last change 5/23/2002).
> >
> > But I also have an .\sysvol\domain directory with the same content as
> > .\sysvol\sysvol\'domain_name'. I found a registry key from frs which is
> > pointing there.
> >
> > I have no idea what is going wrong... Any hints?
> >
> > Thank you
> >
> > Elmer
> >
> > P. S.
> > Sorry for my bad English...
> > --
> > Elmer St�wer
> > System and Network Administration
> > CyberConsult GmbH
> > mailto:[EMAIL PROTECTED]
> > www.cyberconsult.de
> >
> > ------
> > You are subscribed as [EMAIL PROTECTED]
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe send a blank email to %%email.unsub%%
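
The Dcpromo.log check that Q250874 describes (both machine-account calls returning 5, plus the name of the source domain controller to inspect), as an added example that is not part of the original thread. The sample log is constructed, its host and account names are placeholders, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample in the Dcpromo.log layout quoted in the thread.
# dc01.example.lan and NEWDC$ are placeholders, not values from the thread.
SAMPLE_LOG = r"""
06/05 19:56:46 [INFO] Forcing time sync
06/05 19:56:46 [ERROR] Failed to get the current time on \\dc01.example.lan: 5
06/05 19:56:46 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
06/05 19:56:46 [INFO] Setting machine account to be DC
06/05 19:56:46 [INFO] Searching for the machine account for NEWDC$ on \\dc01.example.lan...
06/05 19:56:46 [INFO] NtdsSetReplicaMachineAccount returned 5
06/05 19:56:46 [INFO] DsRolepSetMachineAccountType returned 5
06/05 19:56:46 [INFO] DsRolepSetOperationDone returned 0
"""

ACCESS_DENIED = 5  # Win32 ERROR_ACCESS_DENIED
# The two calls that the KB article's example log shows returning 5.
MACHINE_ACCOUNT_CALLS = {"NtdsSetReplicaMachineAccount",
                         "DsRolepSetMachineAccountType"}

ENTRY = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d \[(\w+)\] (.*)$")
RETURNED = re.compile(r"^(\w+) returned (\d+)$")
SEARCH = re.compile(r"machine account for (\S+) on \\\\(\S+?)\.\.\.$")


def triage(log_text):
    """Report the source DC, the machine account and every non-zero return."""
    result = {"source_dc": None, "account": None,
              "failed_calls": {}, "q250874_signature": False}
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # blank or wrapped line
        message = entry.group(2)
        found = SEARCH.search(message)
        if found:
            result["account"], result["source_dc"] = found.groups()
        call = RETURNED.match(message)
        if call and int(call.group(2)) != 0:
            result["failed_calls"][call.group(1)] = int(call.group(2))
    denied = {name for name, code in result["failed_calls"].items()
              if code == ACCESS_DENIED}
    # Signature: both machine-account calls were refused by the source DC.
    result["q250874_signature"] = MACHINE_ACCOUNT_CALLS <= denied
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the signature matches, `source_dc` is the controller on which to verify the user right and the Event ID 1704 policy application named in the article.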
