DCPROMO fails with error "Access is denied" if the user performing the promotion is not granted the "trusted for delegation" user right

DCPROMO promotion of a Windows Server 2008 or Windows Server 2008 R2 member computer to a replica DC fails with the following error:

Title:                Windows Security
Message Text:   Network Credentials

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied"

DCPROMO Demotion can fail with the same error: 

Title:                Windows Security
Message Text:  Network Credentials

The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. "Access is denied"

Back to the top | Give Feedback

The user account used to execute DCPROMO has not been granted the “Enable computer and user accounts to be trusted for delegation” user right

Back to the top | Give Feedback

1. Verify that the default domain controllers policy exists in Active Directory and is granting the “Enable computer and user accounts to be trusted for delegation” user right to the Administrators security group or alternate user accounts used to promote and demote domain controllers in the target domain.
   
   If the domain controller policy does not exist, evaluate whether that condition is due to simple replication latency, an AD replication failure or whether the policy has been deleted from Active Directory. If the policy has been deleted, contact Microsoft Support to recreate the missing policy with the default policy GUID. Do not manually recreate the policy with the same name and settings as the default.
   
   If the default domain controllers policy exists in Active Directory on some domain controllers but not others, evaluate whether that inconsistency is due simple replication latency or a replication failure. Resolve as required.
   
   
2. Verify that the user account performing the DCPROMO operation has been granted the “Enable computer and user accounts to be trusted for delegation” user right in the default domain controllers policy.
   
   By default, this right is granted to members of the Administrators security group in the target domain. The built-in Administrator account is a member of this security group but may have been removed.
   
   If a user other than the built-in administrators group is performing DCPROMO promotions, either add that user account to the Administrators security group OR add the user account the “Enable computer and user accounts to be trusted for delegation” user right in the default domain controllers policy.
   
   If the “Enable computer and user accounts to be trusted for delegation” was recently modified, or the policy granting the DCPROMO user account exists on some domain controllers in the domain but not others, check for simple replication latency or a replication failure in both Active Directory and FRS / DFSR.
   
   If the policy was recently modified, have the DCPROMO user account log off and log on. Run "whoami /all" to verify that the “Enable computer and user accounts to be trusted for delegation” user right exists in the users security token.
   
   
3. Verify that the default domain controllers policy is linked to the domain controllers OU and that all DC machine accounts reside in that OU. If DC machine accounts reside in an alternate OU container, either move all DC machine accounts to the domain controllers OU or link the default domain controllers policy to the alternate OU container (not a best practice).
   
   
4. Verify that the file system portion of default domain controllers policy exists in the SYSVOL share of the DC being used to apply policy on the computer being promoted or demoted. If not present, evaluate whether that condition is due to simple replication latency, a replication failure in FRS / DFSR, or whether the policy has been deleted from the SYSVOL. Resolve as required. 
   
   If the policy has been deleted, contact Microsoft Support to recreate the missing policy with the default policy GUID. Do not manually recreate the policy with the same name and settings as the default.
   
   
5. The default domain policy or policy in general is not applying to the logged on user
   
   Check for policy inheritance, WMI filtering or security descriptor problem that may be preventing policy from applying. 

Back to the top | Give Feedback

DCPROMO.LOG and DCPROMOUI.LOG from promotion

The DCPROMO.LOG contains the following

[INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC <helperDC>.contoso.com...
[INFO] Replicating the schema directory partition
…
[INFO] Replicated the schema container.
[INFO] Active Directory Domain Services updated the schema cache.
[INFO] Replicating the configuration directory partition
…
[INFO] Replicated the configuration container.
[INFO] Error - The Active Directory Domain Services Installation Wizard was unable to convert the computer account <DC being promoted>$ to an Active Directory Domain Controller account. (5)
[INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
 
 
Additional Data
 
Error value (decimal):
-1073741823
 
Error value (hex):
c0000001
 
Internal ID:
300162a
 
[INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.
 
[INFO] NtdsInstall for a.com returned 5
[INFO] DsRolepInstallDs returned 5
[ERROR] Failed to install to Directory Service (5)
[INFO] Starting service NETLOGON
[INFO] Configuring service NETLOGON to 2 returned 0
[INFO] The attempted domain controller operation has completed
[INFO] DsRolepSetOperationDone returned 0

The DCPROMOUI.LOG contains the following

Calling DsRoleGetDcOperationResults
Error 0x0 (!0 => error)
Operation results:
OperationStatus      : 0x5 !0 => error
DisplayString        : The Active Directory Domain Services Installation Wizard was unable to convert the computer account <DC being promoted>$ to an Active Directory Domain Controller account.
ServerInstalledSite  : (null)
OperationResultsFlags: 0x0
Enter ProgressDialog::UpdateText The Active Directory Domain Services Installation Wizard was unable to convert the computer account <dc being promoted>$ to an Active Directory Domain Controller account.
Enter State::SetOperationResultsMessage The Active Directory Domain Services Installation Wizard was unable to convert the computer account <dc being promoted>$ to an Active Directory Domain Controller account.
Enter State::SetOperationResultsFlags 0x0
Exception caught
catch completed
handling exception
Enter State::ClearHiddenWhileUnattended
Enter EnableConsoleLocking
Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
Enter State::SetOperationResults result FAILURE
Enter ProgressDialog::UpdateText
Enter State::IsOperationRetryAllowed
true
credentials were invalid, hr=0x80070005
Enter GetErrorMessage 80070005
Enter State::GetOperationResultsMessage The Active Directory Domain Services Installation Wizard was unable to convert the computer account <dc being promoted>$ to an Active Directory Domain Controller account.
Enter State::GetOperation REPLICA
Enter State::GetReplicaDomainDNSName <target dns domain name>

DCPROMO.LOG and DCPROMOUI.LOGS from Demotion

DCPROMO.LOG text is similar to:

[INFO] Uninstalling the Directory Service
[INFO] Invoking NtdsDemote
…
[INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller <DNS domain>...
[INFO] Error - Active Directory Domain Services could not configure the computer account <dc being demoted>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>. (5)
[INFO] NtdsDemote returned 5
[INFO] DsRolepDemoteDs returned 5
[ERROR] Failed to demote the directory service (5)
….

DCPROMOUI.LOG text is similar to:

 
….
OperationStatus      : 0x5 !0 => error
DisplayString        : Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<dns domain>.
ServerInstalledSite  : (null)
OperationResultsFlags: 0x0
Enter ProgressDialog::UpdateText Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller VM1-W7.a.com.
Enter State::SetOperationResultsMessage Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>.
Enter State::SetOperationResultsFlags 0x0
…
credentials were invalid, hr=0x80070005
Enter GetErrorMessage 80070005
Enter State::GetOperationResultsMessage Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>.
Enter State::GetOperation DEMOTE
Enter State::GetParentDomainDnsName

 

Back to the top | Give Feedback