Could not create the NTDS settings object in Windows Server 2008 R2

    Question

  • I have an AD running Windows Server 2008 R2. When I use Windows Server 2003 to promote an additional DC it's OK,

    but when I use Windows Server 2008 R2 to promote an additional DC an error message appears: "could not create the NTDS settings object".

    How can I solve this problem?

    Friday, December 24, 2010 4:15 AM

Answers

  • Hi,

     

    What extended error message can you read? We need to know the detailed information so that accurate suggestions can be provided to you. For example:

     

    Error string | Decimal Error | Hex Error
    “A device attached to the system is not functioning.” | 31 | 0x1f
    “A security package specific error occurred” | 1825 | 0x721
    “Access is denied” | 5 | 5
    “An attempt was made to add an object to the directory with a name that is already in use.” | 8305 | 0x2071
    “An internal error occurred” | 1359 | 0x54f
    “Could not find the domain controller for this domain” | 1908 | 0x774
    “Directory object not found.” | 8333 | 0x2d
    “Ensure the provided network credentials have sufficient permissions. (1908)” | 1908 | 0x774
    “Ensure the provided network credentials have sufficient permissions. (1753)” | 1753 | 0x6d9
    “Logon Failure: The target account name is incorrect.” | 1396 | 0x574
    “The Directory Service cannot perform the requested operation because a domain rename operation is in progress.” | |
    “The directory service is busy” | |
    “The DSA operation is unable to proceed because of a DNS lookup failure” | 8524 | 0x214c
    “The remote procedure call failed and did not execute.” | 1727 | 0x6bf
    “The remote procedure call failed” | 1726 | 0x6be
    “The RPC Server is unavailable” | 1722 | 0x6ba
    “There are no more endpoints available from the endpoint mapper.” | 1753 | 0x6d9

     

    Here are the solutions for some of the above errors:

     

    “Access is denied”

     

    Check the system time for accuracy, including YY, MM, DD, AM | PM and time zone, between the new replica, the KDC and the helper DC. Correct the time as required, reboot the DC being promoted and retry the operation.

     

    “Could not find the domain controller for this domain”

     

    Verify that the KDC service is running and that its startup value is Automatic. Reboot with the correct configuration. For more troubleshooting suggestions, please read the following Microsoft KB article:

     

    How to force Kerberos to use TCP instead of UDP in Windows

    http://support.microsoft.com/kb/244474

     

    “The Directory Service cannot perform the requested operation because a domain rename operation is in progress.”

     

    Check the following Microsoft KB article for the detailed troubleshooting suggestions:

     

    Error message when you use the Active Directory Installation Wizard to add a member server in a Windows Server 2003 SP1 domain: "The Directory Service cannot perform the requested operation because a domain rename operation is in progress"

    http://support.microsoft.com/kb/936918

     

    “The RPC Server is unavailable”

    Delete the host record of the IP address that was not configured correctly and run the command: ipconfig /flushdns.

     

    If the above suggestions cannot address the issue for you, please provide us the detailed error message for our further research.

     

    In addition to the information “Meinolf Weber” required, please also upload the Dcpromo.log from the %SystemFolder%\Debug folder.

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 27, 2010 6:30 AM
    Moderator
  • Check the permissions (member of Domain Admins, Enterprise Admins) of the account you are using for promoting the server as an ADC; secondly, check that your account has permission on the Domain Controllers OU to create the AD computer object.

     

    Make sure you have specified the DNS IP of the working DC on the NIC of the server being promoted as ADC.


    Awinish Vishwakarma | TA - DS/Exchange
    Monday, December 27, 2010 2:16 PM
    Moderator

All replies

  • If your Active Directory Functional level is Windows Server 2003, you can promote the Windows Server 2003 server as an additional domain controller.

    Please make sure that:

    1- Your Windows Server 2003 points to your Windows Server 2008 R2

    2- There are no missing DNS records for your DC

    3- There is no firewall/router blocking traffic between the two servers

     

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

     

    Friday, December 24, 2010 10:40 AM
  • What happens if I have a firewall between them? I opened all ports on the firewall.

    Friday, December 24, 2010 2:53 PM
  • Hello,

    Is the server within the Kerberos time frame of 5 minutes that the domain requires?

    Please post an unedited ipconfig /all from the existing DC/DNS servers and the new machine. Make sure to use only an existing DC/DNS on the NIC and NONE else during promotion.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, December 24, 2010 9:23 PM
  • Hi Arthur_li,

    Could you help me please?

    We would like to have 3 DCs on Windows Server 2008 R2: 2 DCs on site A and 1 on site B.

    The DC on site A is connected directly through a VPN (we use OpenVPN, installed directly on the server) to site B.

    We opened the firewall on both sides.

    The issue is that when we run dcpromo on DC B to join DC A, we get this kind of error in the dcpromo log file:

     

    12/29/2010 19:12:13 [INFO] Promotion request for replica domain controller
    12/29/2010 19:12:13 [INFO] DnsDomainName  adtest.local
    12/29/2010 19:12:13 [INFO]     ReplicaPartner  DCA.adtest.local
    12/29/2010 19:12:13 [INFO]     SiteName  SITE-B
    12/29/2010 19:12:13 [INFO]     DsDatabasePath  C:\Windows\NTDS, DsLogPath  C:\Windows\NTDS
    12/29/2010 19:12:13 [INFO]     SystemVolumeRootPath  C:\Windows\SYSVOL
    12/29/2010 19:12:13 [INFO]     Account adtest.local\administrator
    12/29/2010 19:12:13 [INFO]     Options  1179840
    12/29/2010 19:12:13 [INFO] Validate supplied paths
    12/29/2010 19:12:13 [INFO] Validating path C:\Windows\NTDS.
    12/29/2010 19:12:13 [INFO]     Path is a directory
    12/29/2010 19:12:13 [INFO]     Path is on a fixed disk drive.
    12/29/2010 19:12:13 [INFO] Validating path C:\Windows\NTDS.
    12/29/2010 19:12:13 [INFO]     Path is a directory
    12/29/2010 19:12:13 [INFO]     Path is on a fixed disk drive.
    12/29/2010 19:12:13 [INFO] Validating path C:\Windows\SYSVOL.
    12/29/2010 19:12:13 [INFO]     Path is on a fixed disk drive.
    12/29/2010 19:12:13 [INFO]     Path is on an NTFS volume
    12/29/2010 19:12:13 [INFO] Start the worker task
    12/29/2010 19:12:13 [INFO] Request for promotion returning 0
    12/29/2010 19:12:13 [INFO] Forcing time sync
    12/29/2010 19:12:13 [INFO] Forcing a time sync with DCA.adtest.local
    12/29/2010 19:12:26 [INFO] Searching for a domain controller for the domain adtest.local that contains the account DCB$
    12/29/2010 19:12:52 [INFO] Located domain controller DCA.adtest.local for domain adtest.local
    12/29/2010 19:12:52 [INFO] Directing kerberos authentication to DCA.adtest.local returns 0
    12/29/2010 19:12:52 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
    12/29/2010 19:12:59 [INFO] Using site SITE-B for server DCA.adtest.local
    12/29/2010 19:12:59 [INFO] Stopping service NETLOGON
    12/29/2010 19:12:59 [INFO] Stopping service NETLOGON
    12/29/2010 19:13:20 [INFO] Configuring service NETLOGON to 1 returned 0
    12/29/2010 19:13:20 [INFO] Stopped NETLOGON
    12/29/2010 19:13:20 [INFO] Deleting current sysvol path C:\Windows\SYSVOL 
    12/29/2010 19:13:45 [INFO] Created system volume path
    12/29/2010 19:13:45 [INFO] Copying initial Directory Service database file C:\Windows\system32\ntds.dit to C:\Windows\NTDS\ntds.dit
    12/29/2010 19:13:45 [INFO] Installing the Directory Service
    12/29/2010 19:13:45 [INFO] Calling NtdsInstall for adtest.local
    12/29/2010 19:13:46 [INFO] Starting Active Directory Domain Services installation
    12/29/2010 19:13:46 [INFO] Validating user supplied options
    12/29/2010 19:13:46 [INFO] Determining a site in which to install
    12/29/2010 19:13:46 [INFO] Examining an existing forest...
    12/29/2010 19:13:47 [INFO] Configuring the local computer to host Active Directory Domain Services
    12/29/2010 19:13:56 [INFO] EVENTLOG (Warning): NTDS General / Internal Configuration : 1463
    Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization.

    12/29/2010 19:13:58 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2120
    This Active Directory Domain Services server does not support the Recycle Bin. Deleted objects may be undeleted, however, when an object is undeleted, some attributes of that object may be lost.  Additionally, attributes of other objects that refer to the object being undeleted may also be lost.
     
    12/29/2010 19:13:58 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DCA.adtest.local...
    12/29/2010 19:14:19 [INFO] EVENTLOG (Error): NTDS Replication / Setup : 1125
    The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller.
     
     
     
    Domain controller:
    DCA.adtest.local
     
     
     
    Additional Data
     
    Error value:
    1722 The RPC server is unavailable.
     
    12/29/2010 19:14:19 [INFO] Error - Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=DCB,CN=Servers,CN=SITE-B,CN=Sites,CN=Configuration,DC=adtest,DC=local on the remote AD DC DCA.adtest.local. Ensure the provided network credentials have sufficient permissions. (1722)
    12/29/2010 19:14:19 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
    Internal error: An Active Directory Domain Services error has occurred.
     
     
     
    Additional Data
     
    Error value (decimal):
    -1073741823
     
    Error value (hex):
    c0000001
     
    Internal ID:
    300162a
     
    12/29/2010 19:14:20 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
    Active Directory Domain Services was shut down successfully.
     
    12/29/2010 19:14:20 [INFO] NtdsInstall for adtest.local returned 1722
    12/29/2010 19:14:20 [INFO] DsRolepInstallDs returned 1722
    12/29/2010 19:14:20 [ERROR] Failed to install to Directory Service (1722)
    12/29/2010 19:14:20 [ERROR] DsRolepFinishSysVolPropagation (Abort Promote) failed with 8001
    12/29/2010 19:14:20 [WARNING] Failed to abort system volume installation (8001

     

     

    Thanks

    Thursday, December 30, 2010 7:50 AM
  • Hello ebifilou,

    Please create your own thread, as this one is already marked as answered.

    Include the following information in the thread: ipconfig /all from the existing DC/DNS servers and from the one that should be promoted. Additionally, the security group membership of the user account running the dcpromo command. The log file states it doesn't have the correct permissions.

    Disable the firewall during promotion or follow this article to open the correct ports:

    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    RPC errors are often due to firewall problems; the firewall is enabled by default on Windows Server 2008 and higher.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, December 30, 2010 12:20 PM
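As an added illustration (not code from this thread or from Microsoft), the following Python script triages a Dcpromo.log the way the answers above do by hand: it pulls out the NTDS event log entries, the NtdsInstall return code, and the replica partner named in the "could not create the NTDS Settings object" line, then maps the code to the error string and check given in Arthur_li's table and Meinolf Weber's firewall note. The sample log is a constructed excerpt modelled on the one ebifilou posted; the remedy table covers only the codes this thread discusses.

```python
import re

# Win32 codes with the error strings and checks given in this thread
# (Arthur_li's table, Meinolf Weber's firewall note); not an exhaustive list.
KNOWN_ERRORS = {
    5: ("Access is denied",
        "Compare date, time and time zone on the new replica, the KDC and the helper DC; fix, reboot, retry."),
    1722: ("The RPC Server is unavailable",
           "Check the firewall between the two servers; delete the wrong DNS host record and run ipconfig /flushdns."),
    1753: ("There are no more endpoints available from the endpoint mapper",
           "RPC endpoint mapper unreachable: check the firewall between the two servers."),
    1908: ("Could not find the domain controller for this domain",
           "Verify the KDC service is running with Automatic startup (see KB 244474)."),
}

EVENTLOG_RE = re.compile(r"\[INFO\] EVENTLOG \((\w+)\): (.+?) : (\d+)\s*$")
RETURN_RE = re.compile(r"NtdsInstall for (\S+) returned (\d+)\s*$")
PARTNER_RE = re.compile(r"on the remote AD DC (\S+)\.")

def triage_dcpromo_log(text):
    """Summarise a Dcpromo.log: NTDS events, NtdsInstall return code, the
    replica partner named in the failure, and the matching check from the thread."""
    events, return_code, partner = [], None, None
    for line in text.splitlines():
        m = EVENTLOG_RE.search(line)
        if m:  # (severity, source/category, event id)
            events.append((m.group(1), m.group(2), int(m.group(3))))
        m = RETURN_RE.search(line)
        if m:
            return_code = int(m.group(2))
        m = PARTNER_RE.search(line)
        if m and "could not create the NTDS Settings object" in line:
            partner = m.group(1)
    message, remedy = KNOWN_ERRORS.get(
        return_code, ("unknown", "Post the extended error message and the full Dcpromo.log."))
    return {"events": events, "return_code": return_code,
            "hex": None if return_code is None else hex(return_code),
            "partner": partner, "message": message, "remedy": remedy}

# Constructed excerpt modelled on the Dcpromo.log posted in this thread.
SAMPLE_LOG = """\
12/29/2010 19:13:58 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DCA.adtest.local...
12/29/2010 19:14:19 [INFO] EVENTLOG (Error): NTDS Replication / Setup : 1125
Error value:
1722 The RPC server is unavailable.
12/29/2010 19:14:19 [INFO] Error - Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=DCB,CN=Servers,CN=SITE-B,CN=Sites,CN=Configuration,DC=adtest,DC=local on the remote AD DC DCA.adtest.local. Ensure the provided network credentials have sufficient permissions. (1722)
12/29/2010 19:14:19 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
12/29/2010 19:14:20 [INFO] NtdsInstall for adtest.local returned 1722
"""

if __name__ == "__main__":
    print(triage_dcpromo_log(SAMPLE_LOG))
```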