May 31 2024 07:49 AM
Hello,
We had a pre-existing physical server, which was a domain controller (10.0.0.250). I was able to promote a different physical server (10.0.0.241) to a domain controller on my network. 10.0.0.241 is now my only domain controller. It is also our only DNS server. Both of these servers are/were Server 2016 standard. 10.0.0.250 is no longer on our network. It seems 10.0.0.241 is working great.
I have purchased a new server (Server 2022 standard) and gave it an IP address of 10.0.0.240. I installed Hyper-V on it and created a virtual machine.
My virtual machine is also running Server 2022 standard and has an IP address of 10.0.0.242. Whenever I try to promote this server to a domain controller, I receive an error. I will paste this error below. It seems like I only receive this error on my virtual machine. I have reviewed my DNS settings for all of my servers and have made sure they're set to point at 10.0.0.241. I will also attach the logs mentioned in the error message below. I can send the entire adprep log to anyone who needs it and I will provide any other information needed.
Old DC: 10.0.0.250 (Server 2016 standard - No longer on our network)
Current DC: 10.0.0.241 (Server 2016 standard)
Current hypervisor: 10.0.0.240 (Server 2022 standard)
Current VM I am trying to promote to a domain controller: 10.0.0.242 (Server 2022 standard)
* All server adapters' DNS settings are set to point at 10.0.0.241
* I can ping 10.0.0.241 from 10.0.0.242
* I was able to test the NPS role on 10.0.0.242. It worked without issue. It seems like all devices are talking on the network.
Failure to promote to domain controller error:
ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: No Such Object. Server extended error: 8333. Server extended message: 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=contoso,DC=com'
.
Adprep was unable to modify the security descriptor on object CN=Keys,DC=contoso,DC=com.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20240531093839 directory for more information..
Check the log files in the C:\Windows\debug\adprep\logs\20240531093839 directory for detailed information.
Here is a small sample of the adprep log: