The DC Promo Program Does Not Work When Using Network Address Translation (270152)
The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q270152

SYMPTOMS

When you attempt to promote or to demote Microsoft Windows 2000 Server with the DC Promo program, you may receive the following error message:

Active Directory Installation Failed.

The operation failed because:

Failed to modify the necessary properties for the machine account Servername$

The specified server cannot perform the requested operation.

CAUSE

This behavior can occur when one or more domain controllers are on a Windows 2000 server that is using network address translation (NAT). It can be caused by the H.323/Lightweight Directory Access Protocol (LDAP) proxy service.

RESOLUTION

To resolve this problem, install Microsoft Windows 2000 Service Pack 1 (SP1), or disable the H.323/LDAP proxy service. To disable the service, type the following command at a command prompt:

netsh routing ip nat delete h323

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Read the following excerpts from the Windows 2000 Server Deployment Planning Guide for more information regarding the recommended configuration for Windows 2000 domain controllers:

Page 217: The translated method, or NAT, gives you a more secure network because the addresses of your private network are completely hidden from the Internet. The connection-sharing computer, which uses NAT, does all of the translation of Internet addresses to your private network, and vice versa. However, be aware that the NAT computer does not have the ability to translate all payloads. This is because some applications use IP addresses in other fields besides the standard TCP/IP header fields.

The following protocols do not work with NAT:

  • Kerberos
  • IPSec

Page 815:

Do not use NAT on a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP because of possible conflict with other services.

Do not connect NAT directly to a corporate network because Kerberos authentication, IPSec, and Internet Key Encryption (IKE) will not work.
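The excerpts above state the limitation in one sentence: NAT rewrites the IP header but not addresses that an application carries in its payload, and it cannot keep an integrity check that covers the header valid. The following added Python model (not Microsoft code, and not the real Kerberos or IPsec wire formats; the packet layout, the addresses, the shared key and the function names are all constructed for illustration) shows the two failure modes side by side: a receiver that expects the address inside the payload to match the header source, and a receiver that verifies an AH-style MAC computed over the header. A plain packet passes through the same translation unaffected, which is why ordinary web traffic works where Kerberos and IPSec do not.

```python
"""Toy model of why header-only NAT breaks protocols that carry IP addresses
in the payload or protect the header with an integrity check.

Constructed illustration for the KB excerpt; the packet format, the
nat_translate function and both receiver checks are simplifications, not the
real Kerberos or IPsec formats.
"""
import hashlib
import hmac

# Constructed sample addresses: a private host behind NAT and a public peer.
PRIVATE_HOST = "10.0.0.5"
NAT_PUBLIC = "203.0.113.1"
PEER = "198.51.100.7"
SHARED_KEY = b"constructed-shared-key"  # constructed, shared by both endpoints


def compute_mac(pkt):
    """AH-style integrity value over header fields plus payload."""
    msg = f"{pkt['src']}|{pkt['dst']}|{sorted(pkt['payload'].items())}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_packet(src, dst, payload_addr=None, integrity=False):
    """Build a packet dict.

    payload_addr models an application that copies its own IP address into
    the payload (the case the guide describes as addresses in other fields).
    integrity models an IPsec-AH-style MAC that covers the header.
    """
    pkt = {"src": src, "dst": dst, "payload": {"data": "hello"}}
    if payload_addr is not None:
        pkt["payload"]["client_addr"] = payload_addr
    if integrity:
        pkt["mac"] = compute_mac(pkt)
    return pkt


def nat_translate(pkt, inside_addr, public_addr):
    """Source NAT as the KB describes it: only the header field is rewritten.
    The payload and any MAC are forwarded untouched."""
    out = dict(pkt)
    out["payload"] = dict(pkt["payload"])
    if out["src"] == inside_addr:
        out["src"] = public_addr
    return out


def peer_accepts_payload_addr(pkt):
    """Receiver check: address embedded in the payload must equal the header source."""
    return pkt["payload"].get("client_addr") == pkt["src"]


def peer_accepts_integrity(pkt):
    """Receiver check: recompute the MAC over the header as received."""
    return hmac.compare_digest(pkt["mac"], compute_mac(pkt))


def demo():
    """Run the three cases and report which ones the peer accepts."""
    results = {}
    # Case 1: no address in the payload and no header integrity -> NAT is transparent.
    p = nat_translate(build_packet(PRIVATE_HOST, PEER), PRIVATE_HOST, NAT_PUBLIC)
    results["plain_header_rewritten"] = p["src"] == NAT_PUBLIC
    # Case 2: address carried in the payload -> header and payload disagree after NAT.
    p = build_packet(PRIVATE_HOST, PEER, payload_addr=PRIVATE_HOST)
    results["embedded_addr_before_nat"] = peer_accepts_payload_addr(p)
    results["embedded_addr_after_nat"] = peer_accepts_payload_addr(
        nat_translate(p, PRIVATE_HOST, NAT_PUBLIC))
    # Case 3: MAC covers the header -> the rewritten source no longer verifies.
    p = build_packet(PRIVATE_HOST, PEER, integrity=True)
    results["integrity_before_nat"] = peer_accepts_integrity(p)
    results["integrity_after_nat"] = peer_accepts_integrity(
        nat_translate(p, PRIVATE_HOST, NAT_PUBLIC))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

Running the script shows the plain packet accepted and both protected packets accepted before translation but rejected after it; the NAT box never touches the payload or the MAC, so nothing it does can repair the mismatch. That is the property behind the guide's advice to keep domain controllers, and the Kerberos and IPSec traffic they depend on, off a NAT boundary.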


Modification Type: Minor
Last Reviewed: 1/26/2006
Keywords:kbDCPromo kbprb KB270152