When you run Dcpromo.exe on Windows 2008 to create a replica domain controller, you receive a message "The operation failed because: A domain controller could not be contacted ... "Access is denied."

In my attempts to create a replicadc on Windows 2008 server, I keep getting
the same error message - "Access is denied". The member server has no
problem joining the domain. And I've removed and re-joined several times.
Dynamic Updates are working and a host record is created on AD Integrated
DNS.

I also ran the DCDIAG test with dcpromo, and everything comes back clean.

==============

C:\Windows\system32>hostname
vrwcprddc4

C:\Windows\system32>
C:\Windows\system32>dcdiag /dnsdomain:mylabcheck.com /test:dcpromo
/replicadc
Starting test: DcPromo
The DNS configuration is sufficient to allow this computer to be
promoted
as a replica domain controller in the mylabcheck.com domain.

Messages logged below this line indicate whether this domain
controller
will be able to dynamically register DNS records required for the
location of this DC by other devices on the network. If any
misconfiguration is detected, it might prevent dynamic DNS
registration
of some records, but does not prevent successful completion of the
Active
Directory Domain Services Installation Wizard. However, we recommend
fixing the reported problems now, unless you plan to manually update
the
DNS database.

DNS configuration is sufficient to allow this domain controller to
dynamically register the domain controller Locator records in DNS.

The DNS configuration is sufficient to allow this computer to
dynamically
register the A record corresponding to its DNS name.

......................... vrwcprddc4 passed test DcPromo

C:\Windows\system32>


====================


I found a KB article that makes reference to this issue, but I couldn't
follow it, since the steps were not clear with the group policy mmc.
http://support.microsoft.com/kb/232070

Any other ideas?

thanks,
John

Hello John,

before running dcpromo please check the time offset between the new server
an the other existing dcs. Is it greater than five minutes?

--
Viele Grüße

Frank Röder
MVP - Directory Services

Hello John,

Please post an unedited ipconfig /all from the existing and the new DC, so
we can exclude DNS as a problem. What account are you suing to promote the
new server?

Best regards

thanks for your reply.

I found a work-around. I was attempting to do this on my LAN and the other
DC was in the DMZ. I moved the machine to the DMZ and it worked.

Some FW port rules not letting all the traffic through. I have to figure out
what that port is, because I could join the domain, but why DCPromo not
working? is a mystery.

Hello John,

A DC should not be located in a DMZ. A DMZ is used for servers that are accessed
from the outside world with public ip addresses. Please describe more detailed
your network setup.

If you still will do it that way you have to open ports according to this
articles for AD replication:
http://support.microsoft.com/kb/179442/

http://support.microsoft.com/kb/555381

http://technet.microsoft.com/en-us/l.../bb727063.aspx

http://technet.microsoft.com/en-us/l.../bb125069.aspx

At least check this article about using RODC's in a DMZ:
http://technet.microsoft.com/en-us/l.../dd728034.aspx

Best regards