General discussion

  • Creator
    Topic
  • #2291192

    Domain Controller Access Denied

    Locked

    by wmr029 ·

    When promoting a new server at a remote site to a domain controller we are getting access denied when attempting to access resources (like printers) across the network. (Sites and services has been set up). Attempting to connect to the remote DC using AD management tools rewards us with access denied. We are able to remote desktop to the server and authenticate with an account having domain admin rights. Usually demoting the box, removing it from the domain, adding it back in to the domain, and repromoting it resolves this. Usually, but not always.

All Comments

  • Author
    Replies
    • #3293326

      Reply To: Domain Controller Access Denied

      by maxwell edison ·

      In reply to Domain Controller Access Denied

      This problem can occur if the account that is used for the promotion operation has not been assigned the “Delegation Privilege” right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the “Delegation Privilege” right.

      To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:

      1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.

      2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.

      3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.

      4. Apply the policy using one of the following methods:
         - At a command prompt, type secedit /refreshpolicy machine_policy /enforce.
         - In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.

      To apply the updated policy, restart the domain controller.

      Source: Microsoft Knowledgebase Q232070

      http://support.microsoft.com/?kbid=232070

      • #3293323

        Reply To: Domain Controller Access Denied

        by maxwell edison ·

        In reply to Reply To: Domain Controller Access Denied

        Or, Microsoft knowledgebase article Q329860:

        “Replication Access Was Denied” Error Messages Occur After You Promote a Server to Domain Controller

        http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

        CAUSE
        These issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo).

        RESOLUTION
        To resolve this issue, follow these steps.

        Step 1: Move the Computer Account to the Domain Controllers Container

        1. On a domain controller that is in the “healthy” part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in.

        2. Expand the domain container, and then click the container in which the computer account with which you experience the issue appears.

        3. Right-click the computer account, and then click Move.

        4. In the Container to move object to list, click Domain Controllers, and then click OK.

        5. Click the Domain Controllers container to verify that the computer object is displayed.

        6. Quit the Active Directory Computers and Users snap-in.

        Step 2: Verify the userAccountControl Property

        WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

        continued……

      • #3293320

        Reply To: Domain Controller Access Denied

        by maxwell edison ·

        In reply to Reply To: Domain Controller Access Denied

        1. On a domain controller that is in the “healthy” part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
        301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

        2. Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.

        3. Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain).

        4. Expand DC=example,DC=com.

        5. Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the “Symptoms” section of this article), and then click Properties.

        6. Click the Attributes tab (if it is not already selected).

        7. In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.

        8. If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.

        9. Click Apply, click OK, and then quit the ADSI Edit snap-in.

        Step 3: Reset the Secure Channel Password

        1. On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed.

        2. Click Start, click Run, type cmd, and then click OK.

        3. Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools.

        4. Run the following command, where example.com is the name of your domain:
        nltest /sc_change_pwd:example.com

        5. Quit the command prompt, and then restart the server.
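
Added example, not part of the original posts or the Microsoft article: the value 532480 from Step 2 is the sum of two userAccountControl bits, SERVER_TRUST_ACCOUNT (8192) and TRUSTED_FOR_DELEGATION (524288). The sketch below decodes a value and checks an account against Steps 1 and 2; the function names and sample records are constructed for illustration, and the DN and value would come from whatever LDAP export you already have.

```python
# Added illustration: decode userAccountControl and audit a DC computer account.
# Bit values are from Microsoft's ADS_USER_FLAG_ENUM; sample records are constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
EXPECTED_DC_UAC = 0x2000 | 0x80000  # 532480, the value set in Step 2


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def audit_dc_account(dn, uac):
    """Return findings for a computer account that should be a domain controller."""
    findings = []
    # Step 1: the object must sit directly under OU=Domain Controllers.
    # Naive split: assumes the DN contains no escaped commas.
    rdns = [part.strip().lower() for part in dn.split(",")]
    if len(rdns) < 2 or rdns[1] != "ou=domain controllers":
        findings.append("not in OU=Domain Controllers")
    # Step 2: compare the flags with those that make up 532480.
    flags, expected = decode_uac(uac), decode_uac(EXPECTED_DC_UAC)
    findings += [f"missing {name}" for name in expected if name not in flags]
    findings += [f"unexpected {name}" for name in flags if name not in expected]
    return findings


SAMPLES = [  # constructed records, not taken from the thread
    ("CN=DC1,OU=Domain Controllers,DC=example,DC=com", 532480),
    ("CN=DC2,CN=Computers,DC=example,DC=com", 4096),
    ("CN=DC3,OU=Domain Controllers,DC=example,DC=com", 8192),
]

if __name__ == "__main__":
    for dn, uac in SAMPLES:
        print(dn, uac, decode_uac(uac), audit_dc_account(dn, uac) or "OK")
```

A value of 4096 (WORKSTATION_TRUST_ACCOUNT) on a promoted server means the computer account still looks like a member server, which matches the cause the article gives.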

      • #3293317

        Reply To: Domain Controller Access Denied

        by maxwell edison ·

        In reply to Reply To: Domain Controller Access Denied

        .
        Or, perhaps the following “Experts Exchange” dialogue will be helpful:

        http://www.experts-exchange.com/Operating_Systems/Q_20628413.html

      • #3183841

        Reply To: Domain Controller Access Denied

        by wmr029 ·

        In reply to Reply To: Domain Controller Access Denied

        We know what the symptoms are, but not why they are occurring without warning and how to prevent them.

    • #3293907

      Reply To: Domain Controller Access Denied

      by shmaltz ·

      In reply to Domain Controller Access Denied

      Are you sure that it is part of the domain? Is the user account that is used on the client machine a user that is valid on the domain?
      Even if the server is part of the domain before promoting it, it could still be that the workstation is not, or that a local user account is used. Make sure that the user account used on the client exists in the domain.

    • #3183840

      Reply To: Domain Controller Access Denied

      by wmr029 ·

      In reply to Domain Controller Access Denied

      This question was closed by the author
