Troubleshooting Active Directory Installation Wizard Problems


Overview

Active Directory Installation Wizard relies on a number of systems in Windows 2000 Server, including DNS registration and resolution, LDAP query and response, Kerberos authentication, Active Directory replication, FRS replication, and the application of Group Policy objects. This section contains some general guidelines for troubleshooting problems related to the Active Directory Installation Wizard. If you detect an error in any of the event logs or commands used during troubleshooting, refer to the related topic in this chapter.

Table 2.9 shows the symptoms or errors that can occur with the Active Directory Installation Wizard, along with possible root causes and solutions.

Table 2.9 Active Directory Installation Wizard Errors

Symptom or error: Network location cannot be reached.
Root cause: Network connectivity problems.
Solution: Verify network connectivity.

Symptom or error: Active Directory Installation Failed: The operation failed with the following error: The system cannot find the file specified.
Root cause: This error message can be caused by one or more of the following conditions:
  • The default Ntds.dit file is missing or not correctly located in the %SystemRoot%\System32 folder.
  • Incorrect permissions on the default Ntds.dit file.
  • Incorrect permissions on an existing NTDS folder structure.
Solution: Troubleshoot "access denied" error messages in Active Directory Installation Wizard.

Symptom or error: The wizard cannot gain access to the list of domains in the forest. The error is: The specified domain either does not exist or could not be contacted.
Root cause: This problem can occur if a domain controller in the domain has not registered an "A" record for itself in DNS.
Solution: Add the A record for the domain controller with the ipconfig /registerdns command. Flush the DNS cache on the computer running the Active Directory Installation Wizard by using the ipconfig /flushdns command. See "Troubleshooting Active Directory-Related DNS Problems" in this guide.

Symptom or error: DCPromo fails with an "invalid parameter" error.
Root cause: In the Active Directory Installation Wizard, the administrator entered either a single- or multi-label NetBIOS name (such as CORP or CORP.COM) that is identical to the Active Directory domain name, or entered a name that is already in use on the network.
Solution: Use a NetBIOS name that does not conflict with other computers or domains on the network.

Symptom or error: The specified domain either does not exist or could not be contacted.
Root cause: One of the following:
  • DNS problems might be preventing name resolution for the source domain controller.
  • The SYSVOL directory is not shared out on the domain controller that will be used to source Active Directory.
Solution:
  • See "Troubleshooting Active Directory-Related DNS Problems" in this guide to resolve DNS issues.
  • Share out the SYSVOL directory. To verify that the SYSVOL directory is shared out, use the net share command to see if the SYSVOL share is showing. By default, the SYSVOL share is located in the following folder: %SystemRoot%\Sysvol\Sysvol.

Symptom or error: The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ Access Denied.
Root cause: Source domain controller is not trusted for delegation.
Solution: Troubleshoot "access denied" error messages in Active Directory Installation Wizard.

Symptom or error: The operation failed because: To perform the requested operation, the directory service needs to contact the Domain Naming Master (server <servername>). The attempt to contact it failed. The specified server cannot perform the requested operation.
Root cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion. This happens while creating the first domain controller in a new child domain or in a new tree in an existing forest.
Solution: Troubleshoot domain naming master errors in Active Directory Installation Wizard.

Symptom or error: Active Directory Installation Failed. The operation failed because: The Directory Service failed to create the object CN=<servername>,CN=Partitions,CN=Configuration,DC=<domain controller>.
Root cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion.
Solution: Troubleshoot domain naming master errors in Active Directory Installation Wizard.

Symptom or error: The replication system encountered an internal error.
Root cause and solution: See Microsoft Knowledge Base article 267887: "Internal Error Running Dcpromo.exe."

Symptom or error: Missing SYSVOL and NETLOGON shares.
Root cause: Missing NETLOGON and SYSVOL shares typically occur on additional domain controllers in an existing domain, but can also occur on the first domain controller in a new domain.
Solution: Verify that the Net Logon service is running. Also see "Troubleshooting FRS" in this guide.

Symptom or error: An LDAP read of operational attributes failed.
Root cause: The domain naming master for the forest is offline or cannot be contacted.
Solution: Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.
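The following script is an added example and is not part of the Resource Kit text. It checks, on the intended source domain controller, the three conditions that Table 2.9 ties to "The specified domain either does not exist or could not be contacted" and "Missing SYSVOL and NETLOGON shares": the DC's own A record in DNS, the presence of the SYSVOL and NETLOGON shares in net share output, and the state of the Net Logon service. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName; Windows Server 2012 or later) and that it is run locally on the source DC; the function names are mine.

```powershell
# Added example: prerequisite checks for the table entries above. Not from the
# Resource Kit; assumes Windows PowerShell run locally on the source domain controller.

function Test-OwnARecord {
    # Root cause from the table: the DC never registered an A record for itself.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $fqdn = [System.Net.Dns]::GetHostName() + '.' + $domain
    try {
        $records = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' })
        [pscustomobject]@{ Check  = "A record for $fqdn"
                           Pass   = ($records.Count -gt 0)
                           Detail = ($records.IPAddress -join ', ') }
    } catch {
        # The table's fix: ipconfig /registerdns on the DC, then ipconfig /flushdns
        # on the computer running the wizard.
        [pscustomobject]@{ Check  = "A record for $fqdn"
                           Pass   = $false
                           Detail = "$($_.Exception.Message); run ipconfig /registerdns here, then ipconfig /flushdns on the promoting server" }
    }
}

function Test-SysvolShares {
    # The table says to confirm with "net share"; SYSVOL and NETLOGON must both be listed.
    $listing = (net share 2>&1) -join "`n"
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $present = $listing -match "(?m)^$share\s+"
        [pscustomobject]@{ Check  = "$share share"
                           Pass   = $present
                           Detail = $(if ($present) { 'listed by net share' } else { 'not listed; check the Net Logon service and FRS' }) }
    }
}

function Test-NetLogonService {
    # Missing shares are usually a Net Logon problem, so report its state alongside them.
    $svc = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{ Check  = 'Net Logon service'
                       Pass   = $running
                       Detail = $(if ($svc) { "status: $($svc.Status)" } else { 'service not found' }) }
}

$results = @(Test-OwnARecord) + @(Test-SysvolShares) + @(Test-NetLogonService)
$results | Format-Table -AutoSize
# Non-zero exit so the script can gate an unattended promotion.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The script only reports; the registration and flush commands it names are the ones the table itself prescribes, and it leaves them to the administrator so that a DNS change is not made as a side effect of a read-only check.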

Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard

There are several reasons why you might receive an "Access Denied" error message while using the Active Directory Installation Wizard. All have to do with permissions on the files or file structures that are necessary for the installation and service of a domain controller.

Procedures for Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard

  1. Verify file permissions to make sure they are correct. Verify that the default Ntds.dit file permissions in the System32 folder are:

     System32\Ntds.dit
       BUILTIN\Users: Read [RX]
       BUILTIN\Power Users: Read [RX]
       BUILTIN\Administrators: Full Control [ALL]
       NT AUTHORITY\SYSTEM: Full Control [ALL]
       Everyone: Read [RX]

  2. Verify folder permissions. If Active Directory was previously removed and now you are installing it again, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If permissions were changed, the error message might be caused by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running the Active Directory Installation Wizard. Or, you can change the folder permissions to match the following:

     %SystemRoot%\Ntds
       BUILTIN\Users: Special Access [RX]
       BUILTIN\Power Users: Special Access [RWXD]
       BUILTIN\Administrators: Special Access [A]
       NT AUTHORITY\SYSTEM: Special Access [A]
       CREATOR OWNER: Special Access [A]

     %SystemRoot%\Ntds\Drop
       BUILTIN\Users: Special Access [RX]
       BUILTIN\Power Users: Special Access [RWXD]
       BUILTIN\Administrators: Special Access [A]
       NT AUTHORITY\SYSTEM: Special Access [A]
       CREATOR OWNER: Special Access [A]

  3. Verify that the current domain controllers in the domain have applied security policy and that the Enable computer and user accounts to be trusted for delegation user right is granted to the Administrators group.

    1. In the Group Policy snap-in, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.

    2. For computers that do not have this right, confirm that Group Policy objects in the directory service and file system have replicated by looking for event ID 1704 in the application event log, and then manually apply the policy by typing the following command:

       secedit /refreshpolicy machine_policy

  4. Use a Dcpromo answer file to source the promotion from a deterministic domain controller. Search the Microsoft Knowledge Base for article 223757: "Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Use the ReplicationSourceDC parameter in the answer file.

  5. Verify that the source domain controller is in the Domain Controllers OU. The name of the source domain controller can be found in the Dcpromo.log file in the %SystemRoot%\Debug folder on the Windows 2000 server that you are trying to promote.

  6. Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit tool to verify that the Default Domain Controllers policy is being applied to the source domain controller.
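As an added example (not Resource Kit code), the script below automates the checks in steps 1 through 3: it compares the Allow entries on the default Ntds.dit template and on an existing Ntds folder structure with the lists given above, then exports the local security policy and confirms that Administrators hold the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege). It assumes an elevated Windows PowerShell session; run the ACL part on the server being promoted and the delegation part on an existing domain controller. The mapping from the bracket tags in the text to FileSystemRights values is my assumption: [RX] = ReadAndExecute, [RWXD] = Modify, [ALL] and [A] = FullControl. Function names are mine.

```powershell
# Added example: verify the ACLs from steps 1 and 2 and the user right from step 3.
# Not from the Resource Kit; the tag-to-FileSystemRights mapping below is an assumption.

$ExpectedNtdsDit = @{
    'BUILTIN\Users'          = 'RX'
    'BUILTIN\Power Users'    = 'RX'
    'BUILTIN\Administrators' = 'ALL'
    'NT AUTHORITY\SYSTEM'    = 'ALL'
    'Everyone'               = 'RX'
}
$ExpectedNtdsFolder = @{
    'BUILTIN\Users'          = 'RX'
    'BUILTIN\Power Users'    = 'RWXD'
    'BUILTIN\Administrators' = 'A'
    'NT AUTHORITY\SYSTEM'    = 'A'
    'CREATOR OWNER'          = 'A'
}

function ConvertTo-RightsMask {
    param([string]$Tag)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    switch ($Tag) {
        'RX'    { return [int]$fsr::ReadAndExecute }   # Read + Execute
        'RWXD'  { return [int]$fsr::Modify }           # Read, Write, Execute, Delete
        'ALL'   { return [int]$fsr::FullControl }
        'A'     { return [int]$fsr::FullControl }
        default { throw "Unknown rights tag '$Tag'" }
    }
}

function Test-ExpectedAcl {
    param([string]$Path, [hashtable]$Expected)
    # Emits one finding per deviation; no output means the Allow entries match.
    if (-not (Test-Path -LiteralPath $Path)) {
        [pscustomobject]@{ Path = $Path; Identity = '-'; Issue = 'path does not exist' }
        return
    }
    $allow = @((Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($identity in $Expected.Keys) {
        $need = ConvertTo-RightsMask $Expected[$identity]
        $granted = 0
        # Union all Allow entries for the identity (explicit and inherited).
        foreach ($rule in ($allow | Where-Object { $_.IdentityReference.Value -eq $identity })) {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
        # GENERIC_ALL (0x10000000), common in inherit-only entries, is equivalent to Full Control.
        if ($granted -band 0x10000000) {
            $granted = $granted -bor [int][System.Security.AccessControl.FileSystemRights]::FullControl
        }
        if ($granted -eq 0) {
            [pscustomobject]@{ Path = $Path; Identity = $identity; Issue = 'no Allow entry' }
        } elseif (($granted -band $need) -ne $need) {
            [pscustomobject]@{ Path = $Path; Identity = $identity; Issue = "grants less than [$($Expected[$identity])]" }
        }
    }
    foreach ($rule in $allow) {
        if (-not $Expected.ContainsKey($rule.IdentityReference.Value)) {
            [pscustomobject]@{ Path = $Path; Identity = $rule.IdentityReference.Value; Issue = 'Allow entry not in the expected list' }
        }
    }
}

function Test-DelegationRight {
    # Step 3: export the effective user-rights policy and read SeEnableDelegationPrivilege.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -LiteralPath $cfg -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
    Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) { $holders = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } }
    # secedit writes SIDs with a leading asterisk; S-1-5-32-544 is BUILTIN\Administrators.
    $pass = ($holders -contains '*S-1-5-32-544') -or ($holders -contains 'Administrators')
    [pscustomobject]@{ Check = 'SeEnableDelegationPrivilege'; Pass = $pass; Detail = ($holders -join ', ') }
}

$findings = @(Test-ExpectedAcl (Join-Path $env:SystemRoot 'System32\ntds.dit') $ExpectedNtdsDit)
foreach ($folder in 'Ntds', 'Ntds\Drop') {
    $findings += @(Test-ExpectedAcl (Join-Path $env:SystemRoot $folder) $ExpectedNtdsFolder)
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'ACL entries match steps 1 and 2.' }
Test-DelegationRight | Format-Table -AutoSize
```

A "path does not exist" finding for the Ntds folders is expected on a server that has never been a domain controller, and is also the state step 2 recommends reaching by deleting the old folder structure; only the missing Ntds.dit template is a fault. On Windows versions later than Windows 2000 the default ACL carries additional entries (for example for TrustedInstaller), so treat "not in the expected list" findings as informational and compare against that version's defaults.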

Troubleshooting Domain Naming Master Errors in Active Directory Installation Wizard

Replication latency or replication errors can cause inconsistency in the domain naming master role owner as seen by different domain controllers in the forest.

Procedures for Troubleshooting Domain Naming Master Errors in the Active Directory Installation Wizard

  1. Verify replication is functioning for the domain naming master.

  2. Verify the existence of operations masters to ensure that domain controllers in the forest are consistent about the computer name that is designated as the current domain naming master.

  3. View the current operations master role holders and confirm that the domain naming master is a global catalog server.
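The script below is an added example, not part of the Resource Kit. It carries out the three steps above: it asks every domain controller in the forest which server it believes holds the domain naming master role, reports any disagreement (the replication-latency inconsistency this section describes), and then checks that the agreed holder is a global catalog server and has no recorded replication failures. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read the configuration partition on every DC. The role is read from the fSMORoleOwner attribute of the Partitions container, which is where Active Directory stores it; the function name is mine.

```powershell
# Added example: per-DC view of the domain naming master, consistency check, then
# global catalog and replication checks on the holder. Not Resource Kit code;
# assumes the ActiveDirectory module.

Import-Module ActiveDirectory

function Get-DomainNamingMasterViews {
    # One row per DC: the FQDN it reports as the role holder, or the error it returned.
    $forest   = Get-ADForest
    $configNc = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
    $dcs = foreach ($domain in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $domain).HostName
    }
    foreach ($dc in $dcs) {
        try {
            $partitions = Get-ADObject -Server $dc -Identity "CN=Partitions,$configNc" `
                -Properties fSMORoleOwner -ErrorAction Stop
            # fSMORoleOwner is the DN of the owner's NTDS Settings object; its parent is the server object.
            $serverDn = $partitions.fSMORoleOwner -replace '^CN=NTDS Settings,', ''
            $owner = (Get-ADObject -Server $dc -Identity $serverDn -Properties dNSHostName -ErrorAction Stop).dNSHostName
            [pscustomobject]@{ QueriedDc = $dc; DomainNamingMaster = $owner; Error = $null }
        } catch {
            # A DC that points at a stale or deleted NTDS Settings object, or is unreachable, lands here.
            [pscustomobject]@{ QueriedDc = $dc; DomainNamingMaster = $null; Error = $_.Exception.Message }
        }
    }
}

$views = @(Get-DomainNamingMasterViews)
$views | Format-Table -AutoSize

# Step 2: every DC should name the same holder.
$holders = @($views | Where-Object { $_.DomainNamingMaster } |
             Select-Object -ExpandProperty DomainNamingMaster -Unique)
if ($holders.Count -ne 1) {
    Write-Warning "Domain controllers disagree about the domain naming master: $($holders -join ', '). Resolve replication before promoting."
    return
}
$master = $holders[0]

# Step 3: the holder must be a global catalog server.
$masterDc = Get-ADDomainController -Identity $master
if (-not $masterDc.IsGlobalCatalog) {
    Write-Warning "$master is the domain naming master but is not a global catalog server."
}

# Step 1: replication state of the holder, as recorded in its replication failure cache.
$failures = @(Get-ADReplicationFailure -Target $master -ErrorAction SilentlyContinue)
if ($failures) {
    $failures | Format-Table Partner, FailureType, FailureCount, LastError -AutoSize
} else {
    "$master is the domain naming master; global catalog: $($masterDc.IsGlobalCatalog); no replication failures recorded."
}
```

The global catalog requirement stated in step 3 applies to Windows 2000 forests; from the Windows Server 2003 forest functional level onward the domain naming master no longer has to be a global catalog server, so on such forests treat that warning as informational. Get-ADReplicationFailure reports what the holder's own replication failure cache contains, so an empty result means no recorded failures, not necessarily that every partner has replicated recently; repadmin /showrepl against the holder gives the per-partner timestamps if you need them.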