Article ID: 250874
This article was previously published under Q250874
During Active Directory promotion of a replica domain controller, you may receive the following error message:
The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ "Access Denied".
The %SystemRoot%\Debug\Dcpromo.log file contains entries similar to the following example:
MM/DD HH:MM:SS [INFO] Configuring the server account
MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)
A network trace shows that the ModifyResponse frame returned for the LDAP ModifyRequest frame that targets the UserAccountControl attribute is unsuccessful with an "insufficient access" error message.
One of the operations that takes place during the promotion of a replica domain controller is the modification of the UserAccountControl attribute for the computer you are promoting. The UserAccountControl attribute is important for defining the role of the computer as a member server or domain controller. Specifically, the computer you are promoting performs the following tasks:
The specific right required to update the UserAccountControl attribute is the "Enable computer and user accounts to be trusted for delegation" user right, which is granted to the Administrators group in the Default Domain Controllers Policy.
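The following check is an added example, not part of the original article or any Microsoft tool: it matches the Dcpromo.log signature quoted above and then looks for the Administrators group under SeEnableDelegationPrivilege (the constant name of the user right) in a GPO security template. The function names, the sample template, the sample log lines and the domain SID in them are constructed for illustration; the template is assumed to be the GptTmpl.inf of the Default Domain Controllers Policy.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"    # well-known SID of BUILTIN\Administrators
RIGHT = "SeEnableDelegationPrivilege"  # "Enable computer and user accounts to be trusted for delegation"

# Constructed security template: the right is defined, but Administrators
# has been dropped from it (the SID below is a made-up domain account).
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

# Constructed Dcpromo.log lines in the format quoted in the article.
SAMPLE_LOG = """\
01/15 10:02:11 [INFO] Configuring the server account
01/15 10:02:12 [INFO] NtdsSetReplicaMachineAccount returned 5
01/15 10:02:12 [INFO] DsRolepSetMachineAccountType returned 5
"""

def right_holders(inf_text, right=RIGHT):
    """Holders of `right` in [Privilege Rights]; None if the template does not define it."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # SIDs are written with a leading '*'; an empty value means nobody holds the right.
                return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return None

def access_denied_calls(log_text):
    """Names of promotion calls that logged Win32 error 5 (ERROR_ACCESS_DENIED)."""
    return re.findall(r"\[INFO\]\s+(\w+) returned 5\s*$", log_text, re.MULTILINE)

def diagnose(log_text, inf_text):
    """Tie the log signature to the state of the delegation right in the template."""
    if "NtdsSetReplicaMachineAccount" not in access_denied_calls(log_text):
        return "log does not show this failure"
    holders = right_holders(inf_text)
    if holders is None:
        return "right not defined in this template"
    if ADMINISTRATORS_SID not in holders and "Administrators" not in holders:
        return "Administrators missing from " + RIGHT
    return "Administrators holds the right in this template"
```

Because this right controls who can mark accounts as trusted for delegation, the same `right_holders` output is worth reviewing for unexpected entries, not only for a missing Administrators group. Real GptTmpl.inf files are normally stored as UTF-16, so decode them accordingly before passing the text in.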
To resolve this problem, use the appropriate method:
Microsoft has confirmed this to be a problem in Microsoft Windows 2000.