Moniker 0 Posted March 23, 2001 Greets- I was wondering I'm having an issue with active directory and DNS. I have it working with third party DNS to the point of the DC announcing that it is the DC. The problem I seem to be running into now is when it begins to sync, a credentials dialog box appears and says [The operation failed because:Failed to modify the nessasary properties for the machine account MACHINE$] "Access is denied". It also asks to enter an account that has sufficent priviliges to create an additional DC. Well I am the admin and Ive tried all my other admin accounts. I cant seem to get it to show anything in the logs (and I ve created a test server to try this with logging everything I can think of). does anyone here have any suggestions, if I havent provided enough detail please just let me know and I'll provide what I can ------------------ Share this post Link to post
clutch 1 Posted March 23, 2001 This may not be helpful, and I am still learning this as well, but I had a ton of problems with AD/DDNS until I setup a secondary DDNS box on my test LAN. Now they update each just fine, and they don't generate a ton of errors in the event logs. I am in the process of reading a couple of books on AD, but at the moment this is all I can offer. Sorry. ------------------ Regards, clutch Share this post Link to post
Moniker 0 Posted March 23, 2001 have you run into any issues with your admin account not being able to promote members to DC's or any problem at promoting machines at all? It just keeps complaining about the machine account and I've tried a number of things but to no avail. If you have had any issues along the way could you let me know, as they could point me where I need to go. I can also provide info on problems I've encountered and the solutions I've found so far. Thanks for your help in advance. -Moniker Share this post Link to post
clutch 1 Posted March 23, 2001 I haven't had any issues with dcpromo. Now, the member server is an active member of AD prior to running dcpromo, correct? Sounds like a dumb question, but I am just making sure that your server is in the domain. I have not tried to join a workgroup level server into a foreign domain, as I have always had the domain ready for the new server during installation. As far as credentials go, you might want to try entering the admin user account name as either: DOMAIN_NAME\Administrator, or administrator@DOMAIN_NAME It could be an issue of not having the proper domain reference when making the request of network resources (such as joining a domain). The pop-ups *usually* have a DOMAIN entry to fill out, but try this method anyway in the username field even if you do see a DOMAIN option. ------------------ Regards, clutch Share this post Link to post
Moniker 0 Posted March 23, 2001 Yes, the server is already in the domain and has a valid machine account. Ive tried resetting the machine account thinking that maybe the SID just didnt match(for some reason fell out of sync)but I tried that and had no luck with it. I have tried dcpromo while it was included in the domain and while it was just logged on to the local machine. I havent tried it from no domain account(workgroup)to directly coming in as a DC. My first inclination was to try the account@domain.com and the good old DOMAIN\account neither of them worked. My eyes are constantly drawn back to the "MACHINE$ account" error. I've been reading as much as I can on AD as well but havent't found anything as of yet that could explain it. The worst of it is it won't even spawn any type of error in the logs that could at least give me something to look at. Share this post Link to post
clutch 1 Posted March 23, 2001 I had a situation once where I could not get a member server to join a domain due to "conflicting credentials". I wound up renaming the server (server name wasn't important as it was just going to be a file server) and sure enough, it was able to join. Just a thought. ------------------ Regards, clutch Share this post Link to post
Moniker 0 Posted March 24, 2001 Ive tried it with multiple machines. So I guess I've already done that as well what I'm doing at the moment is enabling advanced logging for specific things hoping it will record some events to enable advanced logging for those who dont know regedt32>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics hopefully I get something from this... I appreciate all the suggestions youve given so far it seems we are both thinking on about the same track. So if you come up with any other suggestions please post them. Thanks in advance.... ****EDIT**** for values on setting up logging in the regisrty 0=none 1=minimum 3=medium 5=maximum [This message has been edited by Moniker (edited 24 March 2001).] Share this post Link to post
clutch 1 Posted March 24, 2001 You don't by chance have any mapped drives to the AD controllers from the joining servers do you? A good friend of mine just told me that's why he couldn't get his member server to join his newly created AD. ------------------ Regards, clutch Share this post Link to post
Moniker 0 Posted March 24, 2001 No, I dont this is a fresh machine I'm trying it with. I have other things running on other servers so I cant chance screwing them up with some obscure registry setting. I finally got an error to come up in the log and I think I may be on to something. I just have to do the research and try the fixes Ill post when I have more info (may be tommorrow or monday). Thanks for your help so far... -Moniker Share this post Link to post
