"Access Denied" During Domain Controller Promotion

ID: Q232070


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server


SYMPTOMS

When you attempt to create a replica domain controller, you may receive an "Access denied" error message in Dcpromo.exe. Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe was unable to modify the machine account.


CAUSE

This behavior can occur if the account used for the promotion operation has not been assigned the "Delegation Privilege" right. It can also occur if the right has been assigned but the policy has not yet propagated, possibly because of replication latency. By default, only members of the Administrators group have the "Delegation Privilege" right.


RESOLUTION

To resolve this issue, either use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group:

Set the Delegation Privilege on the Group Policy Object

  1. In the Active Directory Users and Groups snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.


  2. Double-click Computer Configuration, then Windows Settings, then Security Settings, then Local Policies, and then User Rights Assignment.


  3. Under Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.


  4. Apply the policy using one of the following methods:

    • At a command prompt, type secedit /refreshpolicy machine_policy.


    • In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.
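
After the policy change, it is worth confirming exactly which principals now hold the right. The following is an added example, not part of the original article: it parses the [Privilege Rights] section of a security-template INF file and lists holders other than the default Administrators group. It assumes the right is stored under the constant SeEnableDelegationPrivilege; the sample INF text, SIDs and the CONTOSO\dcbuilders group are constructed for illustration.

```python
import re

# Constructed sample in security-template INF form (assumed input format).
# The SIDs and the CONTOSO\dcbuilders group are illustrative, not real.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,CONTOSO\\dcbuilders
[Version]
signature="$CHICAGO$"
"""

ADMINISTRATORS_SID = "S-1-5-32-544"    # well-known SID of the built-in Administrators group
RIGHT = "SeEnableDelegationPrivilege"  # assumed constant behind the delegation right


def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma separated; SIDs carry a leading '*'.
            entries = [p.strip().lstrip("*") for p in value.split(",")]
            rights[name.strip()] = [p for p in entries if p]
    return rights


def delegation_audit(inf_text):
    """Split holders of the delegation right into default and added entries."""
    holders = privilege_rights(inf_text).get(RIGHT, [])
    added = [h for h in holders if h.upper() != ADMINISTRATORS_SID]
    return {"holders": holders, "added": added, "admins_present": len(added) != len(holders)}


if __name__ == "__main__":
    report = delegation_audit(SAMPLE_INF)
    print("Holders of", RIGHT, ":", report["holders"])
    print("Beyond default Administrators:", report["added"])
```

Real template files are usually UTF-16 encoded, so decode them accordingly before passing the text to delegation_audit.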





STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

The Dcpromoui.log file reports an error similar to the one shown below. In the following example, an attempt is being made to install a replica/backup domain controller:


dcpromoui t:0x490 00685    Exit  doProgressLoop 
dcpromoui t:0x490 00686    Exit  DS::CreateReplica 
dcpromoui t:0x490 00687    Exception caught 
dcpromoui t:0x490 00688    catch completed 
dcpromoui t:0x490 00689    handling exception 
dcpromoui t:0x490 00690    Active Directory Installation Failed 
dcpromoui t:0x490 00691    Enter GetErrorMessage 80070005 
dcpromoui t:0x490 00692    Exit  GetErrorMessage 80070005 
dcpromoui t:0x490 00693    Access is denied. 

Further down in the log, the following text appears:

Failed to modify the necessary properties for the machine account MYDC$

"Access is denied. " 

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: December 30, 1999
© 2000 Microsoft Corporation. All rights reserved.