"Access Denied" Error Message During Active Directory Promotion of Replica Domain Controller (250874)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q250874

SYMPTOMS

During Active Directory promotion of a replica domain controller, you may receive the following error message:
The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ "Access Denied".
The %SystemRoot%\Debug\Dcpromo.log folder contains entries similar to the following example:

MM/DD HH:MM:SS [INFO] Configuring the server account
MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)

A network trace shows that the ModifyReponse frame to the LDAP ModifyRequest frame to the UserAccountControl attribute is unsuccessful with an "insufficient access" error message.

CAUSE

One of the operations that takes place during the promotion of a replica domain controller is the modification of the UserAccountControl attribute for the computer you are promoting. The UserAccountControl attribute is important for defining the role of the computer as a member server or domain controller. Specifically, the computer you are promoting performs the following tasks:
  1. Performs a Lightweight Directory Access Protocol (LDAP) search against an existing domain controller in the domain for its computer account (ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).
  2. Attempts to update the UserAccountControl attribute, indicating a change from a member server to a domain controller.
  3. Attempts to move the computer account object from the current container or organizational unit, to the domain controller's organizational unit of the domain.
  4. Sources the schema, configuration, and domain naming contexts for replication from domain controllers that already exist.
For steps 2 and 3 to succeed, the source domain controller used by the new replica must have successfully replicated and applied the security policy. Application of policy is identified by Event ID 1704 in the application log after Active Directory promotion (Dcpromo) has run (look for Event 1704 being logged after the last entry in Dcpromo.log).

The specific right required to update the UserAccountControl attribute is the "Enable computer and users accounts to be trusted for delegation" user right, granted to the Administrators group in default domain controllers policy.

RESOLUTION

To resolve this problem, use the appropriate method:
  • Verify that the current domain controllers in the domain have applied security policy and the Enable computer and users accounts to be trusted for delegation user right is granted to the Administrators Group in the domain controllers policy (click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment).

    For additional information about editing Group Policy Objects in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

    322143 HOW TO: Administer GPOs in Windows 2000

    For computers that do not have this right, confirm that group policy objects in the directory service and file system have replicated, and then manually apply the policy by typing the following command:

    secedit /refreshpolicy machine_policy

    NOTE: Look for the following message in the application log to confirm the application of the policy:
    Event ID 1704: Security Policy in the Group policy objects are applied successfully.
  • Stop the Netlogon service on the source domain controllers that do not have this right applied to discover another domain controller in the domain that applied this right.
  • Verify that the source domain controller is in the organization unit. The name of the source domain controller can be found in the hidden file called Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that you are trying to promote.
  • Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit utility to verify that the domain controllers policy is being applied to the source domain controller.

STATUS

Microsoft has confirmed this to be a problem in Microsoft Windows 2000.
Modification Type:MajorLast Reviewed:9/22/2003
Keywords:kberrmsg kbnetwork kbprb KB250874
©2003 Microsoft Corporation. All rights reserved.