Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/20/04
- Next message: Steven L Umbach: "Re: Access Denied with an external Trust"
- Previous message: Dan: "Access Denied with an external Trust"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 Apr 2004 00:51:12 GMT
If there are no GPO's in the "domain controller" container then you can create a new
one, configure that user right and try again. Did gpresult show any policies being
applied to the domain controller other that local?? If you can, paste your gpresult
for the domain controller while logged on as the administrator in a reply. Below is
a partial paste from mine to give you an idea of what info gpresult will display. ---
Steve
###############################################################
Last time Group Policy was applied: Monday, April 19, 2004 at 7:45:00 PM
Group Policy was applied from: server1-2000.umbach1.com
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Default Domain Policy
Default Domain Controllers Policy
===============================================================
The computer received "Scripts" settings from these GPOs:
Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Domain Main 1
Default Domain Policy
Default Domain Controllers Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Default Domain Policy
Default Domain Controllers Policy
<anonymous@discussions.microsoft.com> wrote in message
news:134501c4264b$b8343b50$a301280a@phx.gbl...
> Yes, the policy does not show as being effected, even
> after a restart.
>
> There are NO GPOS showing on the Active Directory Users
> and Computers MMC. I am starting to think the guy who set
> this up did not set it up completely or, perhaps, deleted
> some of the tools.
>
> One suggestion was to reinstall the adminpack which I
> will try tomorrow.
>
> I'm still working on this, if you have any other
> suggestions.
>
> Thanks,
> Steve
>
>
>
> >-----Original Message-----
> >So you added the administrators group to the Domain
> Controler Security
> >Policy for that user right and it still does not show as
> the effective
> >setting in Local Security policy even after a reboot??
> Are there any other
> >GPO's in the domain controller container?? To find them
> and access
> >group/security policy, use AD Users and Computers and
> then select the domain
> >controller container, right click, select properties,
> then Group Policy and
> >edit to view or configure the GPO's there.
> >
> >If there is more than one GPO, the one a the top of the
> list would take
> >precedence assuming default GPO settings. I would also
> run the gpresult tool
> >on the domain controller to see where machine policy is
> being applied from
> >and the last time the policy was applied. In a default
> setup it woul be
> >receiving computer configuration from the domain and
> domain controller
> >default GPO's. Gpresult and other important tools such
> as dcdiag and
> >netdiag or on the install cd in the support/tools folder
> where you would
> >need to run the setup there. --- Steve
> >
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;321709
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:1d0ec01c4230f$65901700$a301280a@phx.gbl...
> >> I am really trying to solve the problem addressed by KB
> >> 232070. It directs me to set the Default Domain
> Controler
> >> policy via the Active Directory Users and Computers
> MMC,
> >> but I cannot access it there. That led to this posting.
> >> Sorry to be so obtuse, but I do not understand
> where/how
> >> to grant Administators/Enterprise Administrators the
> right
> >> to add a second DC. To answer your questions directly:
> >>
> >> Running dcpol.msc via Start | Run shows me MMC titled
> >> Domain Controler Security Policy.
> >>
> >> I have set Security Settings | Local Policies | User
> >> Rights Assignment | Enable computer and user accounts
> to
> >> trusted for delegation to include the Administrator
> group
> >> and a specific user account(testing the change).
> >>
> >> Local Setting is correct. Effective setting is blank.
> >>
> >> I have restarted the computer. I have run
> >> secedit /refreshpolicy.
> >>
> >> Loged in as a user, member of Enterprise Administrators
> >> and Domain Administrators groups.
> >>
> >> What am I missing?
> >>
> >>
> >> >-----Original Message-----
> >> >What do you mean you can not access Domain Controller
> >> Security Policy? What
> >> >message do you get? Did you try dcpol.msc in the run
> box.
> >> To see what the
> >> >policy actually is, you can view Local Security
> Policy on
> >> the domain
> >> >controller for "effective settings" but it needs to be
> >> configured at the
> >> >Domain Controller Security policy level. --- Steve
> >> >
> >> >
> >> >"SHPainter3" <anonymous@discussions.microsoft.com>
> wrote
> >> in message
> >> >news:185ea01c422dd$2a828490$a001280a@phx.gbl...
> >> >> I am trying to promote a member server to be a DC
> and
> >> get
> >> >> the following error message:
> >> >>
> >> >> The operation failed because: Failed to modify the
> >> >> necessary properties for the machine account SC300$
> >> >> [member server]
> >> >> "Access is denied. "
> >> >>
> >> >> I have read and followed KB 232070 which addresses
> this
> >> >> error message. However, the Active Directory Users
> and
> >> >> Computer snap-in does not give me access to the
> Default
> >> >> Domain Controllers Policy.
> >> >>
> >> >> This notwithstanding, I have tried to set the Enable
> >> >> Computer and User Accounts to be trusted for
> Delegation
> >> >> via the Domain Policy management snap-in. I am not
> sure
> >> >> this worked.
> >> >>
> >> >> First question: Where can I set the Default Domain
> >> >> Controllers Policy to Enable Computer and User
> Accounts
> >> >> to be trusted for Delegation?
> >> >> How can I determine this setting definitively?
> >> >>
> >> >> Second question: If I did manage to enable the
> policy,
> >> >> can anyone suggest other reasons why I receive this
> >> error
> >> >> when I try to promote a server to DC?
> >> >> Are there any other causes?
> >> >>
> >> >> Some other notes
> >> >>
> >> >> Current solitary DC is Win 2K SP3 (we're afraid to
> patch
> >> >> it)
> >> >> Server to be promoted is Win 2K SP4
> >> >>
> >> >> I have been following KB 216498 to remove the
> >> >> failed/partially promoted DC from the current DC.
> >> >>
> >> >> Thanks and regards,
> >> >> Steve
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
- Next message: Steven L Umbach: "Re: Access Denied with an external Trust"
- Previous message: Dan: "Access Denied with an external Trust"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Cannot access Default Domain Conrollers Policy -- DCPROMO error"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
