"Access Denied" message when adding member server in existing AD

[Amey]

Domain was not upgraded from Windows NT.
Fresh 2000 domain was configured earlier.

About replication >
Currently I see total 8 server's under "Default First site name and under
servers.
3 out of them are my domain servers located in my site, 1 mail server and +
3 more server's which are located in another city including 1 mail server and
2 dc's.

I do replication between all dc's within my site once every week to make
sure all server's are in sync.

I observed, some times GPO's doesn't work properly. I run gpupdate on dc
once every 15 days.

[Amey]

My DNS is running with no problem I can say.
I can ping all servers using FQDN etc.
Forward and reverse look up zones are showing correct entries of all dc's etc.

In short network is like this >

2 offices located in 2 different cities connected via IPSec VPN tunnel.

in 1 office we have sigma.com domain
and in another site we have child domain i.e. BLR.sigma.com
We have mail server in Bangalore city ie BLR site but mails from that server
goes via our main mail server in my Pune city site where we have hosted
sigma.com domain.

[Meinolf Weber]

What connections have you between the sites, really slow links? Why do you
not replicate them by default, once a week and GPO all 15 days is really
long from my point of view?

If i count correct you have in your site 3 DC's one of them is Exchange and
a second site with 2 DC's and a member server?

Did you configure in AD sites and services the subnets for the second site
and also yours? Did you also create a site to which you have to assign a
subnet and move the servers there?
http://technet.microsoft.com/en-us/l.../cc730868.aspx

[Amey]

VPN connection is preshared key based IPSec site t o site connection. [
Preshared key based ]
in 1 office we have 2 mbps 1:1 leased line and in Bangalore office we have
1 MBPS 1:1 leased line. [ 1:1 means not shared. upload and download
asynchronous ]

Replication between all d

In Pune office we have 200 AD user's
In Bangalore office we have around 50 user's.
Users from Bangalore user local dc to log in to i.e. blr.sigma.com

In my Pune office as I mentioned earlier I have 1 exchange server and 3
dc's, 1 windows based DHCP server which displays as a member server
In Bangalore office 2 dc's and 1 exchange server.

I have 3rd site where we have same type of VPN i.e. Canada but there
infrastructure is totally different. We are not child domain or anything.
Totally different set up they have there. To authenticate users from my AD to
Canada site we use work around i.e. create a user name in there AD and keep
same password as in Pune AD. But no explicite or external trust is there
between our AD's.

I have Cisco 1841 router and 515e PIX at my Pune office
In Bangalore office I have SonicWall box which acts as a router and firewall.
at my Pune office where I sit having terminated link from ISP on serial port
on my router from ISP v.35 modem. and from router to PIX connectivity is
there. I have fixed 8 port switch between router and PIX so in case I want to
perform some tests from outside PIX i can attach a PC to that 8 port switch
and can assign a public IP for temp purpose. I don't use DMZ zone.

Subnetting for other site is done by admin who sit's there. They using
172.16 range.

[Amey]

http://rapidshare.com/files/164560959/DCPROMO.LOG.html

Hello,

Please download dcpromo.log from above link.
Microsoft news group not allowing me to post that much big log file.

[Meinolf Weber]

In the output i can see that the machine will not get in time sync with the
SILICON.
11/12 17:54:07 [INFO] Forcing a time synch with \\silicon.sigma.com11/12
17:54:07 [ERROR] Failed to get the current time on \\silicon.sigma.com: 5

For:
11/12 17:56:48 [INFO] Error - The Active Directory Installation Wizard was
unable to convert the computer account SIP-DC$ to a domain controller account.
(5)

see here:
http://support.microsoft.com/kb/232070

Also as said before, make sure your DC's have connectivity all the time ,
not sometimes as your manuel replication. Your bandwith should be ok for
that.
Also make sure NO firewall is blocking traffic, if you need it, configure
the firewall according to this one:
http://support.microsoft.com/kb/555381

[Amey]

I had some urgent project on solaris servers so I was away from this Windows
repairy work. Ok now I am back.

I read the link you mentioned below.

enabling computers for trusted delegation wont harm my AD?
I mean no other user except domain admin can add computers in my domain.
Or any other will be able to add computer in a domain?

[Meinolf Weber]

No it wan't. Because You choose the account/group which you add. Check your
GPO's if there is configured:
Computer configuration, windows settings, security settings, local settings,
user rights assignments "Add workstations to domain". Here you can see it.
If nothing is set, default is used, see the description.

Any authenticated user is able to add up to 10 machines to the domain. See
here: http://support.microsoft.com/kb/243327/en-us

[Amey]

It's quit late reply. My work is like that..So many projects on different
technologies.

Glad to tell youthat the solution worked !!
I added administrator as trusted user for delegateion account.
1 new machine is now added finally. Cheers!!!
I am able top open AD user/computers etc from my new DC.

Now whats next?
I want to seize rolls from other 2 dc's and want to transfer to this DC.
How can I do that?
I also want to set this brand new DC a DNS.
I already have running 2 DNS server's.
Still I can configure 3rd DNS right?
Once this new DC successfuly sync everything I can demote old DC's.

[Meinolf Weber [MVP-DS]]

Open DNS management console and check that you are running Active directory
integrated zone (easier for replication, if you have more then one DNS server)

- install DNS on the server and just DNS give the server time for replication,
at least 15 minutes. Because you use Active directory integrated zones it
will automatically replicate the zones to the new server. Open DNS management
console to check that they appear

- Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801)

- make the new DC's Global catalog server (http://support.microsoft.com/?id=313994)

- do not forget to run replmon from the run line or repadmin /showrepl (only
if more then one DC exist), dcdiag and netdiag from the command prompt on
the old machine to check for errors, if you have some post the complete output
from the command here or solve them first. For this tools you have to install
the support\tools\suptools.msi from the 2000 or 2003 installation disk.

Demoting the old DC's

- reconfigure your clients/servers that they not longer point to the old
DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network
and check with clients and servers the connectivity, logon and also with
one client a restart to see that everything is ok

- then run dcpromo to demote the old DC, if it works fine the machine will
move from the DC's OU to the computers container, where you can delete it
by hand. Can be that you got an error during demoting at the beginning, then
uncheck the Global catalog on that DC and try again

- check the DNS management console, that all entries from the machine are
disappeared or delete them by hand if the machine is off the network for ever

- also you have to start AD sites and services and delete the old servername
under the site, this will not be done during demotion

[Amey]

DNS is configured automatically.
I can see Forward and Reverse look up zone in it.
This new server is up and running since last 5 days.

Can tell me how can I transfer zones? I dont have touch with this so can't
figure out how to do that.

Any special precautions to be taken before transferring zones to this new
server?
I doubt as I told before my domain is still running in mixed mode and Schema
is not upgraded..I already have Exchange 2003 running. I hope transfer wont
disturb AD replica on my exchange server from which I usuall
ycreate,modify,manage AD user's and groups.

[Meinolf Weber [MVP-DS]]

Think you mean transfer the FSMO roles?

You said DNS is replicated or not?

Schema update? I think the new 2003 is domain controller or isn't it?

Please describe you situation as of today, this posting is going on so long.
How many servers and what roles do they have and what you have done for the
new installation until now.

[blindsleeper]

If the access to Amazon is not allowed in the Office of yours then i will advise you to go with the Proxy Server which deals with this kind of issue. There are lots of proxy server available on internet which you can go through and open the Amazon from any where. I know about the "A tunnel" which is proxy server with which you can open the site which is banned. So if you can then go trough the same and see whether it is working for you or not.