Article ID: 232070 - Last Review: September 11, 2009 - Revision: 7.0

When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied" error message

View products that this article applies to.
This article was previously published under Q232070
Expand all | Collapse all

SYMPTOMS

When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe:
Error message 1
Failed to modify the necessary properties for the machine account. Access is denied.
Error message 2
Error - The Active Directory Installation Wizard was unable to convert the computer account <Computer Name>$ to a domain controller account. (5)

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.
Back to the top

CAUSE

This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the "Delegation Privilege" right.
Back to the top

RESOLUTION

To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:
  1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
  2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
  3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
  4. Apply the policy using one of the following methods:
    • If it is a Windows 2000 domain controller, open a command prompt, and then type:
      secedit /refreshpolicy machine_policy /enforce
    • If it is a Windows Server 2003 or a Windows Server 2008 domain controller, open a command prompt, and type:
      gupdate /force
  5. Force replication from the domain controller on which the policy was changed to the other domain controllers in the domain by using repadmin, replmon, or Active Directory Sites and Services.
To apply the updated policy, restart the problematic server which you wanted to promote as a domain controller.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

The Dcpromoui.log file reports an error similar to the one shown below. In the following example, a replica/backup domain controller is attempting to be installed: 
dcpromoui t:0x490 00685    Exit  doProgressLoop 
dcpromoui t:0x490 00686    Exit  DS::CreateReplica 
dcpromoui t:0x490 00687    Exception caught 
dcpromoui t:0x490 00688    catch completed 
dcpromoui t:0x490 00689    handling exception 
dcpromoui t:0x490 00690    Active Directory Installation Failed 
dcpromoui t:0x490 00691    Enter GetErrorMessage 80070005 
dcpromoui t:0x490 00692    Exit  GetErrorMessage 80070005 
dcpromoui t:0x490 00693    Access is denied.
Further down in the log, the following text appears 
Failed to modify the necessary properties for the machine account MYDC$

"Access is denied. "
The following is sample Dcpromoui.log output from a computer that is running Windows 2000 Service Pack 4 (SP4):
09/12 09:33:14 [INFO] Error - The Active Directory Installation Wizard was unable 
to convert the computer account <machinename>$ to a domain controller account. (5) 
09/12 09:33:15 [INFO] NtdsInstall for <domainname> returned 5 
09/12 09:33:15 [INFO] DsRolepInstallDs returned 5 
09/12 09:33:15 [ERROR] Failed to install to Directory Service (5)
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
Back to the top
Keywords: 
kbenv kbprb KB232070
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations