
Thread: "Access Denied" message when adding member server in existing AD

  1. #1
    Amey Abhyankar. Guest

    "Access Denied" message when adding member server in existing AD

    Hello,

    I am unable to add new member server i.e. Windows server 2003 to my existing
    AD by performing DCPROMO command.

    It shows "Access Denied" message even if I log in as Domain admin
    credentials.
    The member server is already added to my domain and I logged in as domain
    admin.

    What could be the problem?

  2. #2
    Meinolf Weber Guest

    Re: "Access Denied" message when adding member server in existing AD

    Hello Amey Abhyankar.,

    Please post the c:\windows\debug\dcpromo.log here.

  3. #3
    Florian Frommherz [MVP] Guest

    Re: "Access Denied" message when adding member server in existing AD

    Are you sure you're performing dcpromo with a privileged account and not
    with the local administrator account? Have you tried a different account
    that's member of the domain admins group?

  4. #4
    Amey Abhyankar. Guest
    Yes I am sure that the admin account had privilege.
    It was a domain admin account.
    I haven't tried any other account by assigning domain admin privilege.
    Shall I try out that?

    Yes, please. And give us the relevant snippet of the dcpromo.log file as
    Meinolf asked for - so we can look into it.

  5. #5
    Amey Guest

    Re: "Access Denied" message when adding member server in existing

    I am getting same error as when trying to add member server as additional
    dc.
    Error as follows >

    The operation failed because: The Active Directory Installation Wizard was
    unable to convert the computer account SIP-DC$ to a domain controller
    account. "Access is denied."

    I see following events under "Directory Service" event tab > 1168,1137,1153
    & 103 .

    Source > NTDS database, NTDS General

    Descriptions of errors as follows >
    -----------------------------------------------------------
    error A description >>
    Event ID: 1168
    Type: Error
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: my pc name

    Description:
    Additional Data
    Error value (decimal):
    -1073741823
    Error value (hex):
    c0000001
    Internal ID:
    3000e5a
    ------------------------------------------------------

    error B description >>>

    Event ID: 1137
    type: Information
    User: NT AUTHORITY\ANONYMOUS LOGON

    description:
    Active Directory successfully created an index for the following attribute.

    Attribute identifier:
    978583599
    Attribute name:
    msExchHomeServerName
    ------------------------------------------------------------------------

    Error C

    Event ID: 1153
    Type: Warning
    User: NT AUTHORITY\ANONYMOUS LOGON

    description:
    Internal event: The following schema class has a superclass that is not
    valid.

    Class identifier:
    808517671
    Class name:
    msExchOmaConnector
    Superclass identifier:
    1620389604
    ----------------------------------------------------------------------

    Any hint why this happening?

  6. #6
    Amey Guest
    I have sent DCPROMO.log file at your e-mail address.
    Please check it.

    Do you have an exchange server in the domain, if yes which version?

    Did you check this one before:
    http://support.microsoft.com/?id=314649

  7. #7
    Amey Guest

    Re: "Access Denied" message when adding member server in existing

    Yes I do have Exchange 2003 running on Win2k3 server.
    Earlier I was running Exchange 5.5 on Win2k server
    I bought new server hardware, installed win2k3 and used dcpromo, then done
    installation of Exchange, transferred all e-mail accounts to new exchange,
    established connector. Once everything became stable I turned off old
    exchange.

    However I did not demote old exchange from my domain environment.
    So obviously I am using other name to my exchange server than the name which
    I given to old exchange.

    I upgraded my domain server afterwards which is also a primary DNS.
    And later on 1 by 1 upgraded remaining 2 DC's .
    Domain server running Schema master,
    1 DC running Infrastructure master,Domain naming master, RID master & PDC
    Emulator roles
    3rd DC is secondary DNS server and a Global Catalog.
    I have deployed gpo's.
    I am getting ntfrs errors in my event logs as well. OK, let's not make it
    complicated now.
    Very imp for me at this stage to be able to add new DC so that I can shift
    all roles to new DC and demote old dc's.

    I went through the link you mentioned. I found no scenario on Microsoft site
    where they have upgraded exchange 5.5 to exchange 2003.

    I hope above information is helpful.

  8. #8
    Meinolf Weber Guest

    Re: "Access Denied" message when adding member server in existing

    Seems that there are more problems. Please run diagnostic tools, "dcdiag
    /v", "netdiag /v" and "repadmin /showrepl" from the command prompt and post
    the result here. If needed change the domain names but with the same structure,
    mydomain.com or mydomain, just to make sure that we have the basic complete
    output.
    If not done you have to install the support\tools\suptools.msi from the server
    installation disk on the DC's.

  9. #9
    Meinolf Weber Guest
    You should not start removing/adding any DC before the domain is running
    properly. This will not fix any existing problems.

    Above is dcdiag /v output. remaining outputs I am sending soon.

    Regards

  10. #10
    Amey Guest

    Re: "Access Denied" message when adding member server in existing

    netdiag output as follows >

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\Administrator.SIGMA>netdiag

    .........................................

    Computer Name: SILICON
    DNS Host Name: silicon.sigma.com
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
    List of installed hotfixes :
    KB911564
    KB925398_WMP64
    KB925902
    KB926122
    KB927891
    KB929969
    KB930178
    KB931768-IE7
    KB931784
    KB931836
    KB932168
    KB933566-IE7
    KB935839
    KB935840
    KB935966
    KB936357
    Q147222


    Netcard queries test . . . . . . . : Passed



    Per interface results:

    Adapter : Local Area Connection 4

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : silicon
    IP Address . . . . . . . . : 193.168.1.105
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 193.168.1.100
    Primary WINS Server. . . . : 193.168.1.105
    Dns Servers. . . . . . . . : 193.168.1.105
    193.168.1.7
    127.0.0.1


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Passed


    Global results:

    Domain membership test . . . . . . : Passed

    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{DAD8F571-E727-4636-BA90-611AA3E414C5}
    1 NetBt transport currently configured.

    Autonet address test . . . . . . . : Passed

    IP loopback ping test. . . . . . . : Passed

    Default gateway test . . . . . . . : Passed

    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    Winsock test . . . . . . . . . . . : Passed

    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '193.168.1.105' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '193.168.1.7' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.

    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{DAD8F571-E727-4636-BA90-611AA3E414C5}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{DAD8F571-E727-4636-BA90-611AA3E414C5}
    The browser is bound to 1 NetBt transport.

    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/silicon.sigma.com' is missing on DC 'congo.sigma.com'.
    [WARNING] The default SPN registration for 'HOST/SILICON' is missing on DC 'congo.sigma.com'.


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully

    C:\Documents and Settings\Administrator.SIGMA>

  11. #11
    Amey Guest

    Re: "Access Denied" message when adding member server in existing

    Following is > repadmin /showrepl result

    C:\Documents and Settings\Administrator.SIGMA>repadmin /showrepl

    repadmin running command /showrepl against server localhost

    Default-First-Site-Name\SILICON
    DC Options: IS_GC
    Site Options: (none)
    DC object GUID: 16f18b78-0c9b-485b-b15e-8d5e434620cd
    DC invocationID: 8f578fc0-aae8-46b0-b9b7-bc620da7044e

    ==== INBOUND NEIGHBORS ======================================

    DC=sigma,DC=com
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:27:03 was successful.
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:34:56 was successful.

    CN=Configuration,DC=sigma,DC=com
    Default-First-Site-Name\BLRDC1 via RPC
    DC object GUID: 933cc71b-5886-42a1-bc35-b139f4cc53aa
    Last attempt @ 2008-11-13 15:22:29 was successful.
    Default-First-Site-Name\BLRDC via RPC
    DC object GUID: e38eda98-dd26-45e2-b1ef-0b4804d77af9
    Last attempt @ 2008-11-13 15:22:42 was successful.
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:28:35 was successful.
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:29:06 was successful.

    CN=Schema,CN=Configuration,DC=sigma,DC=com
    Default-First-Site-Name\BLRDC1 via RPC
    DC object GUID: 933cc71b-5886-42a1-bc35-b139f4cc53aa
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\BLRDC via RPC
    DC object GUID: e38eda98-dd26-45e2-b1ef-0b4804d77af9
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:17:14 was successful.

    DC=DomainDnsZones,DC=sigma,DC=com
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:17:14 was successful.

    DC=ForestDnsZones,DC=sigma,DC=com
    Default-First-Site-Name\BLRDC1 via RPC
    DC object GUID: 933cc71b-5886-42a1-bc35-b139f4cc53aa
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\BLRDC via RPC
    DC object GUID: e38eda98-dd26-45e2-b1ef-0b4804d77af9
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:17:14 was successful.
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:17:14 was successful.

    DC=BLR,DC=sigma,DC=com
    Default-First-Site-Name\CONGO via RPC
    DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
    Last attempt @ 2008-11-13 15:17:15 was successful.
    Default-First-Site-Name\ARAVALI via RPC
    DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
    Last attempt @ 2008-11-13 15:17:15 was successful.
    Default-First-Site-Name\BLRDC1 via RPC
    DC object GUID: 933cc71b-5886-42a1-bc35-b139f4cc53aa
    Last attempt @ 2008-11-13 15:37:47 was successful.
    Default-First-Site-Name\BLRDC via RPC
    DC object GUID: e38eda98-dd26-45e2-b1ef-0b4804d77af9
    Last attempt @ 2008-11-13 15:38:17 was successful.

    Source: Default-First-Site-Name\SIP-DC
    ******* 87 CONSECUTIVE FAILURES since 2008-11-12 18:07:17
    Last error: 1753 (0x6d9):
    There are no more endpoints available from the endpoint mapper.

    Naming Context: CN=Configuration,DC=sigma,DC=com
    Source: Default-First-Site-Name\SIP-DC
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: CN=Schema,CN=Configuration,DC=sigma,DC=com
    Source: Default-First-Site-Name\SIP-DC
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=sigma,DC=com
    Source: Default-First-Site-Name\SIP-DC
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    C:\Documents and Settings\Administrator.SIGMA>

  12. #12
    Meinolf Weber Guest

    Re: "Access Denied" message when adding member server in existing

    On the NIC's only use the real ip address and not the loopback. Either loopback
    or fixed on this one you use both. Please run netdiag /fix and then check
    netdiag /v again.

    Also check out this one:
    http://support.microsoft.com/default...b;en-us;297384

    for:

    [WARNING] The default SPN registration for 'HOST/silicon.sigma.com' is
    missing on DC 'congo.sigma.com'.
    [WARNING] The default SPN registration for 'HOST/SILICON' is missing on
    DC 'congo.sigma.com'.

    Do you have also Event ID 5788 and event ID 5789?
    http://support.microsoft.com/default...;en-us;q258503

  13. #13
    Meinolf Weber Guest
    The article with Exchange was for 2000/2003 schema changes so not for 5.5/2003
    exchange.

    The server seems not having connectivity to the RID master. "Warning :There
    is less than 6% available RIDs in the current pool"

    Dcdiag states that you have 7 DC's is that correct? I assume they are not
    all in one site. Please describe your network layout.

    Can you ping between all of them with ip address, computername and FQDN?

    Are all of them registered correctly in all DNS zones, forward and reverse?

    Was the server restored from a backup/image?

    "For 1753 There are no more endpoints available from the endpoint mapper"
    see here:
    http://support.microsoft.com/kb/839880

    You talk about upgrading from NT4

  14. #14
    Meinolf Weber Guest
    Sorry, the previous one was again sent too quickly.

    Was the domain upgraded from NT4?
    http://support.microsoft.com/kb/840691/en-us

    Did you configure replication links in AD sites and services manually or do
    you use the automatically generated ones?

    http://support.microsoft.com/kb/232070

    Will this help me?

  15. #15
    Meinolf Weber Guest

    Re: "Access Denied" message when adding member server in existing

    As stated in my answers, you have a replication problem according to all
    your outputs. I would solve that first before going on.

    As said before, please post the dcpromo log, so that we can have a look into it.
    If you see the same messages in it like described in the article, it should
    be possible to use this as a solution for adding the new DC. But again, this
    will not solve your existing problem.
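
The replication failure discussed above can be pulled out of a long `repadmin /showrepl` dump mechanically. The following is an added example, not code from any poster in this thread: it parses a trimmed excerpt of the output posted in #11 and reports which partners replicate cleanly and which source DC is failing, with the error code and the naming contexts the KCC could not link. The function name `summarize` and the record layout are assumptions made for this illustration.

```python
import re

# Trimmed excerpt of the `repadmin /showrepl` output posted in #11.
SAMPLE = r"""
DC=sigma,DC=com
    Default-First-Site-Name\ARAVALI via RPC
        DC object GUID: a8ca30fc-fe27-4957-b4b6-bb1afeb4cb0c
        Last attempt @ 2008-11-13 15:27:03 was successful.
    Default-First-Site-Name\CONGO via RPC
        DC object GUID: ac9eb1d9-5d13-4681-8c66-c4d9198bd1e2
        Last attempt @ 2008-11-13 15:34:56 was successful.

Source: Default-First-Site-Name\SIP-DC
******* 87 CONSECUTIVE FAILURES since 2008-11-12 18:07:17
Last error: 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.

Naming Context: CN=Configuration,DC=sigma,DC=com
Source: Default-First-Site-Name\SIP-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.
"""

SOURCE_RE = re.compile(r"^Source:\s*[^\\]+\\(?P<dc>\S+)")
NEIGHBOR_RE = re.compile(r"^[^\\:=]+\\(?P<dc>\S+) via RPC")
FAIL_RE = re.compile(r"(\d+) CONSECUTIVE FAILURES since (\S+ \S+)")
ERR_RE = re.compile(r"Last error: (\d+) \(0x[0-9a-fA-F]+\)")
NC_RE = re.compile(r"^Naming Context:\s*(.+)")
OK_RE = re.compile(r"Last attempt @ .* was successful")

def summarize(text):
    """Return (healthy partner names, {failing DC: details}) from showrepl text."""
    healthy, problems = set(), {}
    dc = nc = neighbor = None
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if m := NC_RE.match(line):
            nc = m.group(1)                      # context for a later KCC warning
        elif m := SOURCE_RE.match(line):
            dc = m.group("dc")                   # start of a failure block
            problems.setdefault(dc, {"failures": 0, "since": None, "error": None,
                                     "message": None, "kcc_link_errors": []})
        elif m := NEIGHBOR_RE.match(line):
            neighbor = m.group("dc")             # inbound neighbor entry
        elif neighbor and OK_RE.search(line):
            healthy.add(neighbor)
        elif dc and (m := FAIL_RE.search(line)):
            problems[dc]["failures"] = int(m.group(1))
            problems[dc]["since"] = m.group(2)
        elif dc and (m := ERR_RE.search(line)):
            problems[dc]["error"] = int(m.group(1))
            if i + 1 < len(lines):               # error text is on the next line
                problems[dc]["message"] = lines[i + 1]
        elif dc and "KCC could not add this REPLICA LINK" in line:
            problems[dc]["kcc_link_errors"].append(nc)
    return healthy, problems

if __name__ == "__main__":
    ok, bad = summarize(SAMPLE)
    print("healthy partners:", sorted(ok))
    for name, info in bad.items():
        print(name, info)
```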
