Microsoft KB Archive/270152

= The DC Promo Program Does Not Work When Using Network Address Translation =

Article ID: 270152

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q270152



SYMPTOMS
When you attempt to promote or to demote Microsoft Windows 2000 Server with the DC Promo program, you may receive the following error message:

Active Directory Installation Failed.

The operation failed because:

Failed to modify the necessary properties for the machine account $

The specified server cannot perform the requested operation.



CAUSE
This behavior can occur when one or more domain controllers are on a Windows 2000 server that is using network address translation (NAT), and it can be caused by the H.323/Lightweight Directory Access Protocol (LDAP) proxy service.



RESOLUTION
To resolve this problem, install Microsoft Windows 2000 Service Pack 1 (SP1), or disable the H.323/LDAP proxy service. To disable the service, type the following command at a command prompt:

netsh routing ip nat delete h323



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
Read the following excerpts from the Windows 2000 Server Deployment Planning Guide for more information regarding the recommended configuration for Windows 2000 domain controllers:

Page 217: The translated method, or NAT, gives you a more secure network because the addresses of your private network are completely hidden from the Internet. The connection shared computer, which uses NAT, does all of the translation of Internet addresses to your private network, and vice versa. However, be aware that the NAT computer does not have the ability to translate all payloads. This is because some applications use IP addresses in other fields besides the standard TCP/IP header fields.

The following protocols do not work with NAT:
 * Kerberos
 * IPSec
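The point in the excerpt above, that a NAT rewrites the IP header but not addresses an application carries inside its own payload, can be shown with a small simulation. This is an added example, not code from the article or from Windows; the packet layout, the text payloads, the addresses and the function names are all constructed for illustration (real Kerberos and LDAP messages encode addresses in ASN.1, which a header-only NAT cannot see either).

```python
import ipaddress
import re
from dataclasses import dataclass

# Dotted-quad addresses inside an application payload (constructed text form).
ADDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Packet:
    """Hypothetical stand-in for an IP datagram: header addresses plus an
    opaque application payload."""
    src: str
    dst: str
    payload: bytes


def nat_outbound(pkt: Packet, private_net: str, public_ip: str) -> Packet:
    """Header-only NAT: rewrite a private source address to the public one.
    Like a NAT with no application-layer gateway, it never reads the payload,
    so any address the application placed there is left untouched."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(private_net):
        return Packet(public_ip, pkt.dst, pkt.payload)
    return pkt


def embedded_addresses(payload: bytes) -> list[str]:
    """Addresses the application protocol carried in its own fields."""
    return ADDR_RE.findall(payload.decode("ascii", errors="ignore"))


def payload_header_mismatch(pkt: Packet) -> list[str]:
    """Payload addresses that no longer agree with the translated header.
    A peer that compares the two (Kerberos address checks, or a client
    following an LDAP referral) rejects or misroutes the request."""
    return [a for a in embedded_addresses(pkt.payload) if a != pkt.src]


# Constructed sample traffic: a host behind NAT talking to a domain controller.
KRB_LIKE = Packet("192.168.0.10", "10.1.1.5",
                  b"AP-REQ addr=192.168.0.10 cname=host/client1")
LDAP_LIKE = Packet("192.168.0.10", "10.1.1.5",
                   b"referral ldap://192.168.0.10:389/DC=corp,DC=example")
PLAIN = Packet("192.168.0.10", "10.1.1.5", b"GET / HTTP/1.0")


def translate_and_check(pkt: Packet) -> list[str]:
    """Run one packet through the NAT and report stale embedded addresses."""
    return payload_header_mismatch(nat_outbound(pkt, "192.168.0.0/24", "203.0.113.7"))
```

Protocols whose payloads carry no addresses (the `PLAIN` packet) pass the check, which is why ordinary web traffic survives NAT while the Kerberos-like and LDAP-like messages do not.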

Page 815:

Do not use NAT on a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP because of possible conflict with other services.

Do not connect NAT directly to a corporate network because Kerberos authentication, IPSec, and Internet Key Encryption (IKE) will not work.

Additional query words: dcpromo

Keywords: kbdcpromo kbprb KB270152

-


© Microsoft Corporation. All rights reserved.