Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error
anonymous_at_discussions.microsoft.com
Date: 04/19/04
- Next message: Laura E. Hunter \(MVP\): "Re: loss password administrator"
- Previous message: Mike: "FORCE LOGOFF"
- Next in thread: Steven L Umbach: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Reply: Steven L Umbach: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 19 Apr 2004 13:20:12 -0700
Yes, the policy does not show as being effected, even
after a restart.
There are NO GPOS showing on the Active Directory Users
and Computers MMC. I am starting to think the guy who set
this up did not set it up completely or, perhaps, deleted
some of the tools.
One suggestion was to reinstall the adminpack which I
will try tomorrow.
I'm still working on this, if you have any other
suggestions.
Thanks,
Steve
>-----Original Message-----
>So you added the administrators group to the Domain
Controler Security
>Policy for that user right and it still does not show as
the effective
>setting in Local Security policy even after a reboot??
Are there any other
>GPO's in the domain controller container?? To find them
and access
>group/security policy, use AD Users and Computers and
then select the domain
>controller container, right click, select properties,
then Group Policy and
>edit to view or configure the GPO's there.
>
>If there is more than one GPO, the one a the top of the
list would take
>precedence assuming default GPO settings. I would also
run the gpresult tool
>on the domain controller to see where machine policy is
being applied from
>and the last time the policy was applied. In a default
setup it woul be
>receiving computer configuration from the domain and
domain controller
>default GPO's. Gpresult and other important tools such
as dcdiag and
>netdiag or on the install cd in the support/tools folder
where you would
>need to run the setup there. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;en-
us;321709
>
><anonymous@discussions.microsoft.com> wrote in message
>news:1d0ec01c4230f$65901700$a301280a@phx.gbl...
>> I am really trying to solve the problem addressed by KB
>> 232070. It directs me to set the Default Domain
Controler
>> policy via the Active Directory Users and Computers
MMC,
>> but I cannot access it there. That led to this posting.
>> Sorry to be so obtuse, but I do not understand
where/how
>> to grant Administators/Enterprise Administrators the
right
>> to add a second DC. To answer your questions directly:
>>
>> Running dcpol.msc via Start | Run shows me MMC titled
>> Domain Controler Security Policy.
>>
>> I have set Security Settings | Local Policies | User
>> Rights Assignment | Enable computer and user accounts
to
>> trusted for delegation to include the Administrator
group
>> and a specific user account(testing the change).
>>
>> Local Setting is correct. Effective setting is blank.
>>
>> I have restarted the computer. I have run
>> secedit /refreshpolicy.
>>
>> Loged in as a user, member of Enterprise Administrators
>> and Domain Administrators groups.
>>
>> What am I missing?
>>
>>
>> >-----Original Message-----
>> >What do you mean you can not access Domain Controller
>> Security Policy? What
>> >message do you get? Did you try dcpol.msc in the run
box.
>> To see what the
>> >policy actually is, you can view Local Security
Policy on
>> the domain
>> >controller for "effective settings" but it needs to be
>> configured at the
>> >Domain Controller Security policy level. --- Steve
>> >
>> >
>> >"SHPainter3" <anonymous@discussions.microsoft.com>
wrote
>> in message
>> >news:185ea01c422dd$2a828490$a001280a@phx.gbl...
>> >> I am trying to promote a member server to be a DC
and
>> get
>> >> the following error message:
>> >>
>> >> The operation failed because: Failed to modify the
>> >> necessary properties for the machine account SC300$
>> >> [member server]
>> >> "Access is denied. "
>> >>
>> >> I have read and followed KB 232070 which addresses
this
>> >> error message. However, the Active Directory Users
and
>> >> Computer snap-in does not give me access to the
Default
>> >> Domain Controllers Policy.
>> >>
>> >> This notwithstanding, I have tried to set the Enable
>> >> Computer and User Accounts to be trusted for
Delegation
>> >> via the Domain Policy management snap-in. I am not
sure
>> >> this worked.
>> >>
>> >> First question: Where can I set the Default Domain
>> >> Controllers Policy to Enable Computer and User
Accounts
>> >> to be trusted for Delegation?
>> >> How can I determine this setting definitively?
>> >>
>> >> Second question: If I did manage to enable the
policy,
>> >> can anyone suggest other reasons why I receive this
>> error
>> >> when I try to promote a server to DC?
>> >> Are there any other causes?
>> >>
>> >> Some other notes
>> >>
>> >> Current solitary DC is Win 2K SP3 (we're afraid to
patch
>> >> it)
>> >> Server to be promoted is Win 2K SP4
>> >>
>> >> I have been following KB 216498 to remove the
>> >> failed/partially promoted DC from the current DC.
>> >>
>> >> Thanks and regards,
>> >> Steve
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>
- Next message: Laura E. Hunter \(MVP\): "Re: loss password administrator"
- Previous message: Mike: "FORCE LOGOFF"
- Next in thread: Steven L Umbach: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Reply: Steven L Umbach: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
