Sorry, thank you Myles _and_ thank you Jan!!!

> -----Original Message-----
> From: Elmer St�wer
> Sent: Thursday, June 06, 2002 2:07 PM
> To: NT 2000 Discussions
> Subject: RE: replication issue in 2k network
>
> I fixed the replication issue with reapplying basicdc.inf and
> granting the Enterprise Domain Controllers rights to
>     Replicating Directory Changes
>     Replication Synchronization
>     Manage Replication Topology
> to the domain.
>
> Then I followed Q250874.
>
> And now...
>
> It works! The machine is now domain controller of our
> organisation. Thank you Myles, thank you very much!
>
> Regards
>
> Elmer
>
> > -----Original Message-----
> > From: Jan Gustavsson (GIS) [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 10:23 AM
> > To: NT 2000 Discussions
> > Subject: RE: replication issue in 2k network
> >
> > Could this be some help?
> >
> > PSS ID Number: Q250874
> > Article last modified on 11-24-2000
> >
> > :2000
> >
> > ======================================================================
> > The information in this article applies to:
> >
> > - Microsoft Windows 2000 Server
> > - Microsoft Windows 2000 Advanced Server
> > - Microsoft Windows 2000 Datacenter Server
> > ----------------------------------------------------------------------
> >
> > SYMPTOMS
> > ========
> >
> > During Active Directory promotion of a replica domain controller, you may
> > receive the following error message:
> >
> >    The operation failed because: Failed to modify the necessary properties for
> >    the machine account %computername%$ "Access Denied".
> >
> > The %SystemRoot%\Debug\Dcpromo.log folder contains entries similar to the
> > following example:
> >
> >    MM/DD HH:MM:SS [INFO] Configuring the server account
> >    MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
> >    MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
> >    MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)
> >
> > A network trace shows that the ModifyResponse frame to the LDAP ModifyRequest
> > frame to the UserAccountControl attribute is unsuccessful with an "insufficient
> > access" error message.
> >
> > CAUSE
> > =====
> >
> > One of the operations that takes place during the promotion of a replica domain
> > controller is the modification of the UserAccountControl attribute for the
> > computer you are promoting. The UserAccountControl attribute is important for
> > defining the role of the computer as a member server or domain controller.
> > Specifically, the computer you are promoting performs the following tasks:
> >
> > 1. Performs a Lightweight Directory Access Protocol (LDAP) search against an
> >    existing domain controller in the domain for its computer account
> >    (ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).
> >
> > 2. Attempts to update the UserAccountControl attribute, indicating a change from
> >    a member server to a domain controller.
> >
> > 3. Attempts to move the computer account object from the current container or
> >    organizational unit, to the domain controller's organizational unit of the
> >    domain.
> >
> > 4. Sources the schema, configuration, and domain naming contexts for replication
> >    from domain controllers that already exist.
> >
> > For steps 2 and 3 to succeed, the source domain controller used by the new
> > replica must have successfully replicated and applied the security policy.
> > Application of policy is identified by Event ID 1704 in the application log
> > after Active Directory promotion (Dcpromo) has run (look for Event 1704 being
> > logged after the last entry in Dcpromo.log).
> >
> > The specific right required to update the UserAccountControl attribute is the
> > "Enable computer and users accounts to be trusted for delegation" user right,
> > granted to the Administrators group in default domain controllers policy.
> >
> > RESOLUTION
> > ==========
> >
> > To resolve this problem, use the appropriate method:
> >
> > - Verify that the current domain controllers in the domain have applied
> >   security policy and the "Enable computer and users accounts to be trusted for
> >   delegation" user right granted to the Administrators Group (click Computer
> >   Configuration, click Windows Settings, click Security Settings, click Local
> >   Policies, and then click User Rights Assignment).
> >
> >   For computers that do not have this right, confirm that group policy objects
> >   in the directory service and file system have replicated, and then manually
> >   apply the policy by typing the following command:
> >
> >      secedit /refreshpolicy machine_policy
> >
> >   NOTE: Look for the following message in the application log to confirm the
> >   application of the policy:
> >
> >      Event ID 1704: Security Policy in the Group policy objects are applied
> >      successfully.
> >
> > - Stop the Netlogon service on the source domain controllers that do not have
> >   this right applied to discover another domain controller in the domain that
> >   applied this right.
> >
> > - Verify that the source domain controller is in the organization unit. The
> >   name of the source domain controller can be found in the hidden file called
> >   Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that
> >   you are trying to promote.
> >
> > - Open a command prompt on the source domain controller, and run the
> >   Gpresult.exe Resource Kit utility to verify that the domain controllers
> >   policy is being applied to the source domain controller.
> >
> > STATUS
> > ======
> >
> > Microsoft has confirmed this to be a problem in Microsoft Windows 2000.
> >
> > Additional query words: fail fails failing
> >
> > ======================================================================
> > Keywords   : kberrmsg kbnetwork
> > Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbWinAdvServSearch kbWinDataServSearch
> > Version    : :2000
> > Issue type : kbprb
> > ======================================================================
> > Copyright Microsoft Corporation 2000.
> >
> > Regards
> > Jan Gustavsson
> >
> > -----Original Message-----
> > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > Sent: den 5 juni 2002 20:08
> > To: NT 2000 Discussions
> > Subject: RE: replication issue in 2k network
> >
> > Ok checking dcpromo.log. I deleted all entries which looked ok or were doubled.
> >
> > ---
> > 06/05 19:56:45 [INFO] Für die Domäne cyberconsult.lan mit dem Konto SOKRATES$ wird ein Domänencontroller gesucht.
> > 06/05 19:56:46 [INFO] Der Domänencontroller platon.cyberconsult.lan für die Domäne cyberconsult.lan wurde gefunden.
> > 06/05 19:56:46 [INFO] Der Standort Alt-Moabit wird für den Server \\platon.cyberconsult.lan verwendet.
> > 06/05 19:56:46 [INFO] Forcing time sync
> > 06/05 19:56:46 [INFO] Zeitsynchronisierung mit \\platon.cyberconsult.lan wird erzwungen.
> > 06/05 19:56:46 [ERROR] Failed to get the current time on \\platon.cyberconsult.lan: 5
> > 06/05 19:56:46 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
> > 06/05 19:56:46 [INFO] Setting machine account to be DC
> > 06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
> > 06/05 19:56:46 [INFO] Searching for the machine account for SOKRATES$ on \\platon.cyberconsult.lan...
> > 06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
> > 06/05 19:56:46 [INFO] NtdsSetReplicaMachineAccount returned 5
> > 06/05 19:56:46 [INFO] DsRolepSetMachineAccountType returned 5
> > 06/05 19:56:46 [INFO] Error - Die erforderlichen Eigenschaften für das Computerkonto SOKRATES$ wurden nicht geändert. (5)
> > 06/05 19:56:46 [INFO] Der Domänencontrollervorgang wurde abgeschlossen.
> > 06/05 19:56:46 [INFO] DsRolepSetOperationDone returned 0
> > ---
> >
> > At this time I have no entries in the event log.
> >
> > So, what do I learn?
> >
> > Regards
> >
> > > -----Original Message-----
> > > From: Jan Gustavsson (GIS) [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, June 05, 2002 7:40 AM
> > > To: NT 2000 Discussions
> > > Subject: RE: replication issue in 2k network
> > >
> > > Hi!
> > > Have you looked in the %SystemRoot%\Debug\Dcpromo.log file for errors?
> > > Do you have any errors in the eventlog on the old DC?
> > >
> > > Regards,
> > > Jan Gustavsson
> > >
> > > -----Original Message-----
> > > From: Elmer St�wer [mailto:[EMAIL PROTECTED]]
> > > Sent: den 4 juni 2002 17:31
> > > To: NT 2000 Discussions
> > > Subject: replication issue in 2k network
> > >
> > > Hi List!
> > >
> > > I have an AD Replication issue here. I can not upgrade a new
> > > DC to the domain with dcpromo. I get an error message access
> > > denied for upgrading the machine ... to a DC.
> > >
> > > Single local domain, single site two servers.
> > > Using replmon.exe to determine the status of replication I get the
> > > following:
> > >
> > > Directory Partition: DC=cyberconsult,DC=lan
> > >
> > >    Partner Name: Alt-Moabit\PLATON
> > >    Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
> > >    Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
> > >    Last Successful Replication: 5/23/2002 5:02:11 PM (local)
> > >    Number of Failures: 3077
> > >    Failure Reason Error Code: 8453
> > >    Failure Description: Der Replikationszugriff wurde verweigert.
> > >    Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
> > >    USN of Last Property Updated: 337656
> > >    USN of Last Object Updated: 337656
> > >    Transport: Intra-Site RPC
> > >
> > >    Change Notifications for this Directory Partition
> > >    -------------------------------------------------
> > >    Server Name: Alt-Moabit\PLATON
> > >    Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
> > >    Time Added: 12.02.2002 15:20:29
> > >    Flags: DRS_WRIT_REP
> > >    Transport: RPC
> > >
> > > "Der Replikationszugriff wurde verweigert" means "replication
> > > access was denied". There are no errors for other partitions
> > > or into the other direction.
> > >
> > > What also confuses me:
> > > under .\sysvol I have the shared .\sysvol\sysvol directory
> > > including the .\sysvol\sysvol\'domain_name' directory in it
> > > (last change 5/23/2002).
> > >
> > > But I also have a .\sysvol\domain directory with the same
> > > content as .\sysvol\sysvol\'domain_name'. I found a registry
> > > key from frs which is pointing there.
> > >
> > > I have no idea what is going wrong... Any hints?
> > >
> > > Thank you
> > >
> > > Elmer
> > >
> > > P. S.
> > > Sorry for my bad English...
> > > --
> > > Elmer St�wer
> > > System and Network Administration
> > > CyberConsult GmbH
> > > mailto:[EMAIL PROTECTED]
> > > www.cyberconsult.de
------
You are subscribed as [email protected]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
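
One way to check the state the fix in this thread leaves behind, as an added example that is not part of the original messages: the PowerShell below lists which principals hold the three replication rights named in the post and reports any that Enterprise Domain Controllers lacks. It assumes "to the domain" means the ACL on the domain naming-context head; the variable names are illustrative, the GUIDs are the schema's control-access-right identifiers, and S-1-5-9 is the well-known SID of Enterprise Domain Controllers.

```powershell
# Added example (not from the thread): list who holds the three replication
# rights on the domain naming-context head and check Enterprise Domain Controllers.
# Assumption: "to the domain" in the post means the ACL of the domain NC head.
# Run from a domain-joined host as a user who can read that ACL.

$rights = @{   # control-access-right GUIDs from the AD schema
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
}
$edcSid   = 'S-1-5-9'   # well-known SID of Enterprise Domain Controllers
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sidType  = [System.Security.Principal.SecurityIdentifier]

$dn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$head = [ADSI]"LDAP://$dn"
$acl  = $head.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

# Keep Allow ACEs that grant one of the three rights. An ACE with an empty
# ObjectType grants every extended right, so it counts for all three.
$report = foreach ($ace in $acl) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
    $guid  = $ace.ObjectType.ToString()
    $names = @()
    if ($ace.ObjectType -eq [guid]::Empty) { $names = @($rights.Values) }
    if ($rights.ContainsKey($guid))        { $names = @($rights[$guid]) }
    foreach ($name in $names) {
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            Right     = $name
            Inherited = $ace.IsInherited
        }
    }
}
$report | Sort-Object Right, Sid | Format-Table -AutoSize

# Report any of the three rights that S-1-5-9 does not hold.
$held    = @($report | Where-Object { $_.Sid -eq $edcSid } | ForEach-Object { $_.Right })
$missing = @($rights.Values | Where-Object { $held -notcontains $_ })
if ($missing.Count) {
    Write-Warning "Enterprise Domain Controllers lacks: $($missing -join ', ')"
} else {
    'Enterprise Domain Controllers holds all three replication rights.'
}
```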
