Unable to promote new DC: encryption type not supported by KDC

**slt** · 17-12-2011

I have a domain with a single Windows 2008 DC. Functional level is Windows Server 2003.

I need to add a second DC, also Windows 2008, but am unable to complete dcpromo. It always fails with the error:

Active Directory Domain Services could not create the NTDS settings object....Ensure the provided credentials have sufficient network permissions... The encryption type requested is not supported by the KDC.

I also noticed that the new server was NOT automatically registered in DNS when joined to the domain, and am not sure if this is related.

I tried removing the new server from the domain, changing the computer name, then joining the domain again to see if this resolved the DNS issue but that did not help.

I also ran gpupdate on the new server and it returned this:

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results.

Any help with troubleshooting would be great....

**EINSTEIN_007** · 17-12-2011

Have you checked the permission (member of domain admin, enterprise admin) of account you are using for promoting the server as an ADC, secondly, your account have permission on domain controller OU to create AD computer object.

**ArunBalodi** · 18-12-2011

as the error message suggests, this is surely related to the user account which has been used while running dcpromo. make sure the account used have the administrative previleges

**slt** · 18-12-2011

I am using the default administrator account created when the domain was created (Domain Admin, Enterprise Admin etc.). This account should have all necessary privileges.

What setting(s) might affect this part of the error message:

The encryption type requested is not supported by the KDC.

**ArunBalodi** · 19-12-2011

try to restart the Kerberos Key Distribution Center service on your first dc and then try to add.. also make sure the your new server is able to resolve dns properly.#

**slt** · 19-12-2011

Thanks for the responses. I had tried these things earlier: restarting kdc, double check all permissions etc. but still could not get it to work.

So I decided to wipe the machine and reinstall the OS. I was then able to run dcpromo first time with no trouble.

I still don't know what the problem was. I did not build this server originally, and one possibility I am wondering about is that the OS was installed from a trial version, then activated later with a full version product key. I know this is not a supported configuration (although I'm not sure what the consequences would be).