General discussion

Locked

Access Denied when creating Child Domain

By redbeard ·
I am attempting to use dcpromo to create a child domain on a new machine in my root domain.

Dcpromo fails with the message 'Access Denied' and 'don't have sufficient rights'. However, I've used the ifmember tool and it shows that I am Enterprise admin.

I can't find other permissions that are off. I can re-add the machine to the domain just fine (dcpromo works enough to take the new server out of the root domain).

Is there a policy that I am missing? What could be denying me access?

(I've checked DNS through and through as well. The new machine has DNS for the new domain as standard primary, secondary for the old domain. It accepts forwards from the other DCs and they accept from it)

This conversation is currently closed to new comments.

4 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by Mikel~T In reply to Access Denied when creati ...

Make sure that your Schema Master is online.

If you go to Start/Run and type mmc

You can create a custom console...Go to File...add/remove snap in...and then hit Add. Select Active Directory Schema, and then hit close.

you should be able to right click on the Active Directory Schema Snap in and look for the operations master for the schema master.

If it's not online...then you need to start playing with NTDSUTIL to get the operation master role seized to another DC.

Hope this helps.

Mike C.

Collapse -

by redbeard In reply to Access Denied when creati ...

Thanks - but I do have a schema master online. I checked before and after running dcpromo and it was still online.

At times it is not found, but I can easily 'reload schema' and it connects and is online without using ntdsutil. But I did check it out.

Your answer certainly has helped me do some digging though. Here is the error that kills me in dcpromoui.log:
calling DsRoleGetDcOperationResults

dcpromoui t:0x870 00819 Calling DsRoleGetDcOperationResults
dcpromoui t:0x870 00820 Error 0x0 (!0 => error)
dcpromoui t:0x870 00821 Operation results:
dcpromoui t:0x870 00822 OperationStatus : 0x5 !0 => error
dcpromoui t:0x870 00823 DisplayString : (null)
dcpromoui t:0x870 00824 ServerInstalledSite : (null)
dcpromoui t:0x870 00825 OperationResultsFlags: 0x0
dcpromoui t:0x870 00826 Exit DoProgressLoop
dcpromoui t:0x870 00827 Exit DS::CreateNewDomain
dcpromoui t:0x870 00828 Exception caught
dcpromoui t:0x870 00829 catch completed
dcpromoui t:0x870 00830 handling exception
dcpromoui t:0x870 00831 Active Directory Installation Failed
dcpromoui t:0x870 00832 Enter GetErrorMessage 80070005
dcpromoui t:0x870 00833 Exit GetErrorMessage 80070005
dcpromoui t:0x870 00834 Access is denied.
dcpromoui t:0x870 00835 Enter State::SetOperationResults result FAILURE
dcpromoui t:0x870 00836 Exit State::SetOperationResults result FAILURE
dcpromoui t:0x870 00837 Enter State::GetOperationResultsMessage
dcpromoui t:0x870 00838 Exit State::GetOperationResultsMessage
dcpromoui t:0x870 00839 Enter Dialog::ModalExecute
dcpromoui t:0x870 00840 Enter GetCredentialsDialog:nInit
dcpromoui t:0x870 00841 Enter GetCredentialMessage
dcpromoui t:0x870 00842 Enter State::GetOperation CHILD
dcpromoui t:0x870 00843 Exit State::GetOperation CHILD
dcpromoui t:0x870 00844 Enter State::GetParentDomainD

Collapse -

by redbeard In reply to Access Denied when creati ...

Point value changed by question poster.

Collapse -

by redbeard In reply to Access Denied when creati ...

Here are the positive results of dcdiag.exe on my root domain controller:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\BARTER
Starting test: Connectivity
......................... BARTER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\BARTER
Starting test: Replications
......................... BARTER passed test Replications
Starting test: NCSecDesc
......................... BARTER passed test NCSecDesc
Starting test: NetLogons
......................... BARTER passed test NetLogons
Starting test: Advertising
......................... BARTER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... BARTER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... BARTER passed test RidManager
Starting test: MachineAccount
......................... BARTER passed test MachineAccount
Starting test: Services
......................... BARTER passed test Services
Starting test: ObjectsReplicated
......................... BARTER passed test ObjectsReplicated
Starting test: frssysvol
......................... BARTER passed test frssysvol
Starting test: kccevent
......................... BARTER passed test kccevent
Starting test: systemlog
......................... BARTER passed test systemlog

Running enterprise tests on : comcon.local
Starting test: Intersite
......................... comcon.local passed test Intersite
Starting test: FsmoCheck
......................... comcon.local passed test FsmoCheck

Back to Windows Forum
4 total posts (Page 1 of 1)  

Related Discussions

Related Forums