You receive an "Access is denied" error message if you try to add a new DFS root target from a host server that is running Windows Server 2003 (892783)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

If you try to add a new root target to an existing domain-based Distributed File System (DFS) implementation, you receive the following error message:
Access is denied

CAUSE

This issue occurs if the following conditions are true:
  • The existing domain-based DFS implementation is on a host server that is running Microsoft Windows 2000 Server.
  • The Windows 2000 domain is operating in Mixed Mode.
  • You try to add a new root target from a host server that is running Microsoft Windows Server 2003.
This issue occurs because DFS connects to the registry of the target Windows Server 2003-based host server by using the security context of the Local Service account, and the Local Service account does not have the correct registry permissions.

Note A root target is a host server that runs the DFS service. For additional information about DFS functions, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/distributed_file_system_dfs_functions.asp

RESOLUTION

To resolve this issue, transfer the Primary Domain Controller (PDC) emulator Floating Single Master Operation (FSMO) role in the forest root domain to a Windows Server 2003 domain controller. To do this, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

    Note You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

    Do either of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  3. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Masters.
  4. Click the PDC tab, and then click Change.
  5. Click OK to confirm that you want to transfer the role, and then click Close.

MORE INFORMATION

For additional information about how to view and transfer FSMO roles in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

324801 How to view and transfer FSMO roles in Windows Server 2003

For additional information about related topics, click the following article number to view the article in the Microsoft Knowledge Base:

827016 Local Service and other well-known security principals do not appear on your Windows Server 2003 domain controller

Modification Type:MajorLast Reviewed:1/27/2005
Keywords:kbtshoot kberrmsg KB892783 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.