DCpromo error; Policy problem ??

  • Thread starter: Nwtest

I'm trying to run dcpromo on one of my member servers
but getting this error: Failed to modify the properties of
the machine account Mydc$ "access denied"

I have done almost everything; I also tried the following
workarounds but had no luck after performing these KBIDs from
MS: http://support.microsoft.com/?kbid=232070 and
http://support.microsoft.com/?kbid=250874

I'm fairly sure that the problem is the account
credentials but don't know how to fix it using GPO.
I double-checked DNS, replication, GPO application, all fine
and lovely. But still not workingggggggggggggg.

WHERE IS THE PROBLEM.. THREE WEEKS NOW...!!

Please advise.
 
I know you have tried several things, so here are a few far-fetched
ones that I have seen:

Make sure all of your existing domain controllers are actually in the
Domain Controllers OU in Active Directory and not in the Computers OU.

Make sure that the Default Domain Controllers policy is actually
linked to the Domain Controllers OU. If not, link it and use secedit
to push the policy to all DCs in the domain.

Make sure that the computer account for the machine you are trying to
promote is actually in the Computers OU.

Add the Everyone Group to the "Enable Computer and User Accounts to
be trusted for Delegation" Default Domain Controllers group policy.
You might also make sure that Administrators, Domain Admins and the
Enterprise Domain Controllers group are added as well.


Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.
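
An added example, not part of the thread: a PowerShell script that reads a secedit user-rights export and lists which accounts hold the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege), marking broad groups such as Everyone. The sample export, the function names and the file path are constructed for illustration.

```powershell
# Constructed sample of a user-rights export. On a real DC, produce one with
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\Temp\rights.inf) instead. The path is a placeholder.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

# Well-known SIDs that cover far more than domain administrators.
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }

function Get-PrivilegeHolder {
    param([string[]]$InfLines, [string]$Privilege)
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Privilege) {
            # Entries are comma separated; SIDs carry a leading '*', names do not.
            return $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
    }
}

function Test-DelegationRight {
    param([string[]]$InfLines)
    foreach ($h in @(Get-PrivilegeHolder $InfLines 'SeEnableDelegationPrivilege')) {
        # Start from the built-in label for broad SIDs, else the raw entry.
        $name = if ($broadSids.ContainsKey($h)) { $broadSids[$h] } else { $h }
        if ($h -like 'S-1-*') {
            # Resolve the SID to an account name where the platform allows it.
            try { $name = ([Security.Principal.SecurityIdentifier]$h).Translate([Security.Principal.NTAccount]).Value } catch { }
        }
        [pscustomobject]@{ Holder = $h; Name = $name; Broad = $broadSids.ContainsKey($h) }
    }
}

Test-DelegationRight $sampleInf | Format-Table -AutoSize
```

With the constructed sample, the output has two rows: S-1-1-0 (Everyone) with Broad set to True and S-1-5-32-544 (the built-in Administrators group) with Broad set to False.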
 
Hi Tom,
Thanks for being there. I tried the things you mentioned,
especially adding the Enterprise DC and Everyone groups in
my default domain controllers policy. Restarted all the DCs
to make sure that netlogon and secedit applied successfully;
no errors on any of them in Event Viewer. I then tried to
run dcpromo on my member server and I HAVE THE SAME Problem!

I called our enterprise admins to try the EA account on my
test DC and it works in my child domain.

I don't want to call him every time I want to add a DC. Is
there any other workaround you know?

Thanks.
NWtest
 