SYMPTOMS
When you run Dcpromo.exe to promote a Windows 2000-based server to a domain controller, Dcpromo may not finish successfully and may generate one of the following error messages:
Active Directory Installation Failed:
The operation failed with the following error:
The system cannot find the file specified.
New Credentials.
The operation failed with the following error: "Access is denied".
These error messages can be caused by one or more of the following conditions:
- The absence of the default Ntds.dit file.
- Incorrect permission on the default Ntds.dit file.
- Incorrect permissions on an existing NTDS folder structure.
MORE INFORMATION
An Ntds.dit file is installed by default on every Windows 2000-based server, no matter which type of server product is installed (Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server). If you promote any Windows 2000-based server to a domain controller, there will be two Ntds.dit files on the domain controller. The first file is stored in the %SystemRoot%\System32 folder. This is the default file that is used by Dcpromo to create the Ntds.dit file that is stored in the %SystemRoot%\Ntds folder. The second file is the Ntds.dit file that is used by the domain controller to store and manipulate Active Directory objects.
"The System Cannot Find the File Specified" Error Message
This error message occurs if the default Ntds.dit file is missing or not correctly located in the %SystemRoot%\System32 folder. The simplest resolution is to expand the default Ntds.di_ file in any version of Windows 2000 Server to the %SystemRoot%\System32 folder.
You can verify that this is the cause of the error message by reading the %SystemFolder%\Debug\Dcpromo.log file. The log will contain the following information:
09/21 11:06:04 [INFO] Copying initial Directory Service database file %systemroot%\system32\ntds.dit to %systemroot%\NTDS\ntds.dit
09/21 11:06:04 [ERROR] Failed to copy install file %systemroot%\system32\ntds.dit to %systemroot%\NTDS\ntds.dit: 2
09/21 11:06:04 [INFO] DsRolepInstallDs returned 2
09/21 11:06:04 [ERROR] Failed to install the directory service (2)
09/21 11:06:12 [INFO] The attempted domain controller operation has completed
09/21 11:06:12 [INFO] DsRolepSetOperationDone returned 0
"Access Is Denied" Error Message
There are several reasons why this error message might occur, but all have to do with permissions on the files or folder structures that are necessary for the installation and service of a domain controller.
File Permissions Are Incorrect
To resolve this issue, verify that the default Ntds.dit file permissions in the System32 folder are:
System32\Ntds.dit
BUILTIN\Users: Read [RX]
BUILTIN\Power Users: Read [RX]
BUILTIN\Administrators: Full Control [ALL]
NT AUTHORITY\SYSTEM: Full Control [ALL]
Everyone: Read [RX]
Folder Structure Permissions Are Incorrect
If the server you are promoting was a domain controller in the past but was demoted, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If the permissions were changed between the demotion and the current promotion, the error message may be caused by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running Dcpromo.exe. Alternatively, you can change the folder permissions to match these:
%SystemRoot%\Ntds
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]
%SystemRoot%\Ntds\Drop
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]
You can verify that this is the cause of the error message by reading the %SystemFolder%\Debug\Dcpromo.log file. The log will contain the following information:
09/21 11:42:55 [INFO] Copying initial Directory Service database file D:\WINNT\system32\ntds.dit to D:\WINNT\NTDS\ntds.dit
09/21 11:42:55 [ERROR] Failed to copy install file D:\WINNT\system32\ntds.dit to D:\WINNT\NTDS\ntds.dit: 5
09/21 11:42:55 [INFO] DsRolepInstallDs returned 5
09/21 11:42:55 [ERROR] Failed to install the directory service (5)
09/21 11:43:05 [INFO] The attempted domain controller operation has completed
09/21 11:43:05 [INFO] DsRolepSetOperationDone returned 0
Additional Information
You can identify error codes that are reported in the log file by typing net helpmsg errorcode at a command prompt. For example, typing net helpmsg 5 returns "Access is denied."
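The two Dcpromo.log excerpts in this article differ only in the Win32 error code at the end of the failed copy entry. The following Python script is an added example, not part of the original article or any Microsoft tool: it re-joins wrapped log entries, extracts that code, and maps 2 and 5 to the causes listed above. The function names and the SAMPLE text (assembled from the excerpts in this article) are assumptions of the example.

```python
import re

# Win32 error codes discussed in this article, mapped to the causes it lists.
CAUSES = {
    2: "default Ntds.dit is missing from %SystemRoot%\\System32",
    5: "incorrect permissions on System32\\Ntds.dit or on an existing Ntds folder structure",
}

# A new log entry starts with "MM/DD HH:MM:SS [LEVEL] ".
ENTRY_START = re.compile(r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?:INFO|ERROR)\] ")
COPY_FAIL = re.compile(
    r"Failed to copy install file (?P<src>.+?) to (?P<dst>.+?): (?P<code>\d+)$"
)

def join_wrapped(lines):
    """Re-join entries whose text was wrapped onto a continuation line."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def triage(log_text):
    """Return one finding per failed Ntds.dit copy found in a Dcpromo.log."""
    findings = []
    for entry in join_wrapped(log_text.splitlines()):
        m = COPY_FAIL.search(entry)
        if m:
            code = int(m.group("code"))
            fallback = f"not covered by this article; run: net helpmsg {code}"
            findings.append({"time": entry[:14], "source": m.group("src"),
                             "target": m.group("dst"), "code": code,
                             "cause": CAUSES.get(code, fallback)})
    return findings

# Sample input assembled from the two log excerpts shown in this article.
SAMPLE = r"""
09/21 11:06:04 [ERROR] Failed to copy install file %systemroot%\system32\ntds.dit to %systemroot%\NTDS\ntds.dit: 2
09/21 11:42:55 [ERROR] Failed to copy install file
D:\WINNT\system32\ntds.dit to D:\WINNT\NTDS\ntds.dit: 5
09/21 11:42:55 [INFO] DsRolepInstallDs returned 5
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["code"], f["cause"])
```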
A domain controller that has been successfully promoted has the following permissions assigned by default to the Ntds folder structure:
%SystemRoot%\Ntds
NT AUTHORITY\SYSTEM: Special Access [A]
BUILTIN\Administrators: Special Access [A]
%SystemRoot%\Ntds\Drop
NT AUTHORITY\SYSTEM: Special Access [A]
BUILTIN\Administrators: Special Access [A]
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
258703 'Access Is Denied' Error Message When Running Dcpromo