Domain Controller Access Denied

By wmr02 ·
When promoting a new server at a remote site to a domain controller we are getting access denied when attempting to access resources (like printers) across the network. (Sites and Services has been set up.) Attempting to connect to the remote DC using AD management tools rewards us with access denied. We are able to remote desktop to the server and authenticate with an account having domain admin rights. Usually demoting the box, removing it from the domain, adding it back in to the domain, and repromoting it resolves this. Usually, but not always.

This conversation is currently closed to new comments.


All Comments


by maxwell edison In reply to Domain Controller Access ...

This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the "Delegation Privilege" right.

To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:

1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.

2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.

3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.

4. Apply the policy using one of the following methods:
   - At a command prompt, type secedit /refreshpolicy machine_policy /enforce.
   - In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.

To apply the updated policy, restart the domain controller.

Source: Microsoft Knowledge Base Q232070

http://support.microsoft.com/?kbid=232070


by maxwell edison In reply to

Or, Microsoft knowledgebase article Q329860:

"Replication Access Was Denied" Error Messages Occur After You Promote a Server to Domain Controller

http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

CAUSE
These issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo).

RESOLUTION
To resolve this issue, follow these steps.

Step 1: Move the Computer Account to the Domain Controllers Container

1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in.

2. Expand the domain container, and then click the container in which the computer account with which you experience the issue appears.

3. Right-click the computer account, and then click Move.

4. In the Container to move object to list, click Domain Controllers, and then click OK.

5. Click the Domain Controllers container to verify that the computer object is displayed.

6. Quit the Active Directory Users and Computers snap-in.

Step 2: Verify the userAccountControl Property

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

continued......


by maxwell edison In reply to

1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

2. Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.

3. Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain).

4. Expand DC=example,DC=com.

5. Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties.

6. Click the Attributes tab (if it is not already selected).

7. In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.

8. If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.

9. Click Apply, click OK, and then quit the ADSI Edit snap-in.

Step 3: Reset the Secure Channel Password

1. On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed.

2. Click Start, click Run, type cmd, and then click OK.

3. Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools.

4. Run the following command, where example.com is the name of your domain:
nltest /sc_change_pwd:example.com

5. Quit the command prompt, and then restart the server.
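The two KB procedures quoted above (the "trusted for delegation" right from Q232070, and the Domain Controllers OU, userAccountControl and secure-channel steps from Q329860) can be checked in one pass from PowerShell instead of clicking through ADSI Edit. The script below is an added example, not code from the forum posts or from Microsoft; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), a session running as a Domain Admin, and nltest.exe on the PATH. The parameter names and the `-Fix` switch are this example's own. The value 532480 the KB asks for is simply the two flags ADS_UF_SERVER_TRUST_ACCOUNT (0x2000) and ADS_UF_TRUSTED_FOR_DELEGATION (0x80000) combined, which is why the script tests the bits rather than comparing the whole integer.

```powershell
<#
  Added example (not from the KB articles or the forum posts).
  Checks a freshly promoted DC for the conditions the quoted KB steps fix,
  and applies the fixes only when -Fix is given.
  Assumptions: RSAT ActiveDirectory module, Domain Admin credentials,
  nltest.exe available. Parameter/function names are hypothetical.
#>
param(
    [Parameter(Mandatory)] [string] $DcName,   # sAMAccountName of the new DC, without the trailing $
    [switch] $Fix                               # without -Fix the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# userAccountControl bits a DC computer object must carry (0x82000 = 532480, the KB value)
$UF_SERVER_TRUST_ACCOUNT   = 0x2000   # the account is a domain controller
$UF_TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation, normal for DCs
$ExpectedUac = $UF_SERVER_TRUST_ACCOUNT -bor $UF_TRUSTED_FOR_DELEGATION   # 532480

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer        # e.g. OU=Domain Controllers,DC=example,DC=com
$dc     = Get-ADComputer -Identity $DcName -Properties userAccountControl, distinguishedName

# 1. Is the computer object in the Domain Controllers OU? (Q329860, step 1)
$parentDn = ($dc.DistinguishedName -split ',(?=OU=|CN=|DC=)', 2)[1]
if ($parentDn -ne $dcOu) {
    Write-Warning "$DcName is in '$parentDn', not in '$dcOu'."
    if ($Fix) { Move-ADObject -Identity $dc.DistinguishedName -TargetPath $dcOu }
} else {
    Write-Host "OK: $DcName is in the Domain Controllers OU."
}

# 2. Does userAccountControl carry both DC flags? (Q329860, step 2)
$uac = [int]$dc.userAccountControl
if (($uac -band $ExpectedUac) -ne $ExpectedUac) {
    Write-Warning ("userAccountControl is 0x{0:X} ({0}); the KB expects 0x{1:X} ({1})." -f $uac, $ExpectedUac)
    if ($Fix) { Set-ADObject -Identity $dc.DistinguishedName -Replace @{ userAccountControl = $ExpectedUac } }
} else {
    Write-Host ("OK: userAccountControl 0x{0:X} has SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION." -f $uac)
}

# 3. Does the account doing the promotion hold the delegation right? (Q232070)
#    The right is SeEnableDelegationPrivilege, which whoami lists if the token has it.
$priv = whoami /priv | Select-String 'SeEnableDelegationPrivilege'
if (-not $priv) {
    Write-Warning "Current token lacks SeEnableDelegationPrivilege; use a member of Administrators, or grant the right in the Default Domain Controllers Policy and refresh policy."
} else {
    Write-Host "OK: $($priv.Line.Trim())"
}

# 4. Reset the secure channel password, which must run on the affected DC itself (Q329860, step 3)
if ($Fix -and $env:COMPUTERNAME -ieq $DcName) {
    nltest /sc_change_pwd:$($domain.DNSRoot)
    Write-Host "Secure channel password reset; restart the server to finish the KB procedure."
} elseif ($Fix) {
    Write-Warning "Run this script on $DcName with -Fix to reset its secure channel password."
}
```

Run it first without `-Fix` from a healthy DC to see which of the three conditions is actually wrong before touching anything; the original poster's symptom (demote/rejoin/repromote usually but not always helps) is what you would expect if it is sometimes the OU placement and sometimes the secure channel. Modern domain controllers may carry additional userAccountControl bits, so a bitwise test is safer than demanding the exact value 532480.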


by maxwell edison In reply to

Or, perhaps the following "Experts Exchange" dialogue will be helpful:

http://www.experts-exchange.com/Operating_Systems/Q_20628413.html


by wmr02 In reply to

We know what the symptoms are, but not why they are occurring without warning and how to prevent them.


by shmaltz In reply to Domain Controller Access ...

Are you sure that it is part of the domain? Is the user account that is used on the client machine a user that is valid on the domain?
Even if the server is part of the domain before promoting it, it could still be that the workstation is not, or that a local user account is used. Make sure that the user account used on the client exists in the domain.


by wmr02 In reply to Domain Controller Access ...

This question was closed by the author
