dcpromo fails to add server to AD


Jeroen Jordens

Hi,

After demoting an AD controller due to a failure (using
dcpromo /forceremove) and removing all other AD related
content for this server I can no longer add this back into
AD.
I tested the procedure in my lab environment with perfect
success. I followed the exact procedure for the production
environment. The server is a domain member, everything
looks fine, but when I attempt to add this into AD I get an
error:
"The operation failed because: Failed to modify the
necessary properties for the machine account SKC1$ "Access
is denied""

Anyone know why? I suspect there must be something left in
AD. I have checked the required properties through
ADSIedit, and have run the metadata cleanup.

I can remove the server from the domain into a workgroup
and re-add it to the domain with no problems.

Cheers
Jeroen
 
Cary,

You were right and this fixed the problem.
Now however, when I attempt to transfer FSMO roles I
cannot bind to the added server.

Using ntdsutil, I get the following error:

DsBindW error 0x80090332(The security context could not be
established due to a failure in the requested quality of
service (e.g. mutual authentication or delegation).)

But like I said setting that security setting did allow me
to join AD.

Cheers,

Jeroen
 
Try the following article. It seems to fit the situation that you
described.
250874 "Access Denied" Error Message During Active Directory Promotion of
http://support.microsoft.com/?id=250874

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
 