Problems promoting second server to a DC

Essendon · July 2009

Folks.

When I try to promote a second Windows 2008 server to a DC, it gives me the following error:

The operation failed because: The Active Directory Domain Services Installations Wizard was unable to convert the computer account server2$ to an AD DC account. "Access is denied".

-- The account I am logged on with a Domain/Enterprise/Schema/Local admin account.
-- Windows Firewall is off.
-- UAC is off.
-- server1 (my first/only DC) is in the DC container.
-- I have added the following accounts to "Enable computer and user acccounts to be trusted for delegation" : Administrators, my logon accountname.
-- both VM's can ping each other by hostname and IP.
-- the time's right on both VM's.
-- my current (and only DC) runs DNS. Zones are AD integrated. Updates are secure and non-secure. "A" record for server2 is registered on server1.
-- there are no other machines in the domain.
-- server2 is pointed to server1 for name resolution.
-- server1 is a GC and has all other FSMO's.

One thing I noticed is in server2's Network Connections window, underneath Local Area Connection it says "Network", while in server1 it says "domain.melb" (which is the name of the domain). Could this be a problem?

dcdiag on server1 gives me 3 warnings (no errors), eventID's : 0x80060005, 0x800001D, 0x825A000C . Running dcdiag with the /fix switch doesnt fix the warnings. It passes all other tests. Googled the warnings, didnt really get anywhere.

Could the KDC service have anything to do with this at all? It was disabled, I set it to automatic and started it (for no particular reason, really).

Now since I have tried promoting server2 a few times, is it possible the metadata is messed up?

Help's appreciated folks, I am tearing my hair out at this.

Essendon · July 2009

Something weird I noticed with DNS. The A record for server2 gets deleted from the zone on server1. An ipconfig'registerdns puts it back though but yeah, it falls off the zone for no particular reason. Anyone seen this before?

I am thinking that my problem is DNS-related. Just dont know why, yet.

dynamik · July 2009

Is server2 already joined to the domain?

Essendon · July 2009

dynamik wrote: »

Is server2 already joined to the domain?

Yes, it is already a member server.

astorrs · July 2009

Run a dcdiag on server1 and a netdiag on both server1 & 2. Any issues reported?

astorrs · July 2009

Also since it sounds like server2 is 2008, what's are the domain and forest functional levels set to?

GAngel · July 2009

Is Server1 an 03 box or 08?

rsutton · July 2009

Essendon wrote: »

One thing I noticed is in server2's Network Connections window, underneath Local Area Connection it says "Network", while in server1 it says "domain.melb" (which is the name of the domain). Could this be a problem?

If the connection is not picking up the DNS suffix you may have DHCP or DNS issues. Can you ping the other server by name? Have you tried clearing the DNS cache and re-registering?

Essendon · July 2009

astorrs wrote: »

Run a dcdiag on server1 and a netdiag on both server1 & 2. Any issues reported?

dcdiag reports no errors on server1, even the warnings have cleared themselves out. I said I tried dcdiag in my first post. netdiag is not available in server 2008. I read somewhere that if you did an inplace upgrade of server 2003 to server 2008, then netdiag is available. True?

astorrs wrote:

Also since it sounds like server2 is 2008, what's are the domain and forest functional levels set to?

Server 2008

GAngel wrote:

Is Server1 an 03 box or 08?

Both are 2008 boxes.

rsutton wrote:

Can you ping the other server by name? Have you tried clearing the DNS cache and re-registering?

That was the very first thing I tried.

RTmarc · July 2009

Have you tried dis- and re-joining server2 from/to the domain then promoting?

Ashenwelt · July 2009

Just some basic thoughts.

1. Always review your DNS setup. 99% of DC problems exist there.
2. Disjoin from the domain, as DCs normally are promoted bare of Domain membership (don't have to be... but... ).
3. Go through your logs of errors.
4. Try the FQDN in everything you do.
5. Go over your HyperV settings with a fine tooth comb.

Attempt to promote to DC.

undomiel · July 2009

Are the clocks in synch?

Poking around it looks like it would be a good idea to check the log files: %SystemRoot%\Debug\Dcpromo.log and %SystemRoot%\Debug\Dcpromoui.log.

Essendon · July 2009

Ok just disjoined and rejoined to domain, this time a different error when doing a dcpromo on server2.

"The Following error occurred during the attempt to synchronize naming content "domain.melb" from domain Controller "server1" to "server2":

While accessing the hard disk, a disk operation failed even after retries

This Operation will not continue"

This seems like a VMware issue now.

Essendon · July 2009

Ok, now I have been able to dcpromo to a DC.

On a hunch that server1 did not like the "server2" computer name and the channel was messed up, I renamed server2 to server3. Ran dcpromo again and it worked like a charm. Checked replication/DNS, no problems so far. Maybe the name "server2" was just jinxed.

Weird, aint it? I made no change at all to DNS or anything else. Ah well.

Thank you for the input folks.

dynamik · July 2009

So there was some sort of problem with the server2 computer account in AD?

You renamed it after you removed it from the domain, right?

Hyper-Me · July 2009

Go into each vms hyperv settings and turn off time synch and try it again

Essendon · July 2009

dynamik wrote:

So there was some sort of problem with the server2 computer account in AD?

You renamed it after you removed it from the domain, right?

Yeah, I remembered I reset the computer account some days ago. Perhaps that mucked up the server2 account in AD. And yes, I renamed it after removing it from the domain.

Problems promoting second server to a DC

Comments