STOP:c00002cb Security Accounts Manager initialization failed

Article ID: 2642837

Symptoms

Mixed environment containing WS2003 and WS2008 R2 DCs (Domain Controllers). After transferring the PDC FSMO role to a Windows 2008 R2 DC and restarting the domain controller, a blue screen appears with the following message:

    STOP:c00002cb Security Accounts Manager initialization failed because of the following error:
    The system cannot find the file specified.
    Error Status: 0xc000034
    Please shut down the system and reboot into Directory Services Restore Mode, check event log for more detailed information.

Around the time when the FSMO role was transferred to this domain controller, the System event log contains the following event:

    Log Name: System
    Source: Microsoft-Windows-Directory-Services-SAM
    Date: <date & time>
    Event ID: 12305
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: dc1.contoso.com
    Description:
    An error occured while creating new default accounts for this domain. This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
        <EventID>12305</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2011-10-31T16:44:03.367198800Z" />
        <EventRecordID>18173</EventRecordID>
        <Correlation />
        <Execution ProcessID="480" ThreadID="5248" />
        <Channel>System</Channel>
        <Computer>dc1.contoso.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="SAMMSG_PDC_TASK_FAILURE">
        <Binary>340000C0</Binary>
      </EventData>
    </Event>

Cause

The error occurs because one or more of the following built-in groups are missing:

    Denied RODC Password Replication Group
    Allowed RODC Password Replication Group

Resolution

To resolve this problem, rebuild or restore the broken DC and seize the PDC FSMO to another DC. DO NOT REBOOT the new FSMO role owner, but follow the steps below to create the missing RODC groups:

1. Log on to the PDC emulator and open ADSIEdit.
2. Navigate to CN=Server,CN=System,DC=<DOMAINNAME>
3. Right-click on CN=Server and choose Properties.
4. Highlight the samDomainUpdates value and click View.
5. Change the value from the current value of FE to FA.
6. Click OK and Apply to save the changes.
7. Open LDP.exe and click on Connection -> Bind and click OK to connect.
8. Click on Browse -> Modify and enter the following information:
   a. DN: - leave blank
   b. Edit Entry Attribute: runSamUpgradeTasks
   c. Values: 1
   d. Operation: Add
   Important: Make sure that there is no space after runSamUpgradeTasks
9. Click Enter on the Modify dialog and then click Run.

Check if the groups now exist. The DC can now be rebooted and the blue screen will no longer appear.

More information

In a mixed environment where WS03 and WS08 R2 domain controllers exist, there are no Read Only Domain Controllers, and RODC prep has not been run, the RODC groups do not exist if the FSMO roles are owned by a 2003 DC.
Once the PDC FSMO is transferred to a WS2008 R2 DC, these groups are automatically created. If this operation fails, the above errors will be reported in the System event log and the FSMO owner will experience a blue screen upon reboot.

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
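
Added example (not part of the original article or Microsoft's tooling): a small triage routine that recognizes the event 12305 record shown under Symptoms in an exported event XML, so the new PDC role owner can be held from rebooting until the groups are checked. The function name and the embedded sample are constructed for illustration; reading the Binary payload as a little-endian NTSTATUS is an assumption, consistent with the "cannot find the file specified" text.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAM_PROVIDER = "Microsoft-Windows-Directory-Services-SAM"
# NTSTATUS 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND.
KNOWN_STATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Constructed sample, trimmed from the event quoted in the article.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" />
    <EventID>12305</EventID>
    <TimeCreated SystemTime="2011-10-31T16:44:03.367198800Z" />
    <Computer>dc1.contoso.com</Computer>
  </System>
  <EventData Name="SAMMSG_PDC_TASK_FAILURE">
    <Binary>340000C0</Binary>
  </EventData>
</Event>"""


def triage_sam_event(event_xml):
    """Return a finding for a SAM PDC-task failure (event 12305), else None."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    data = root.find("e:EventData", NS)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if provider is None or data is None:
        return None
    if provider.get("Name") != SAM_PROVIDER or event_id.strip() != "12305":
        return None
    if data.get("Name") != "SAMMSG_PDC_TASK_FAILURE":
        return None
    # The payload is stored byte-reversed: 34 00 00 C0 -> 0xC0000034.
    try:
        raw = bytes.fromhex(data.findtext("e:Binary", default="", namespaces=NS).strip())
    except ValueError:
        raw = b""
    status = int.from_bytes(raw[:4], "little") if len(raw) >= 4 else None
    stamp = root.find("e:System/e:TimeCreated", NS)
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "time": stamp.get("SystemTime") if stamp is not None else None,
        "status": status,
        "status_name": KNOWN_STATUS.get(status, "unknown"),
        "hold_reboot": True,  # the article: do not reboot the new role owner
    }


if __name__ == "__main__":
    print(triage_sam_event(SAMPLE_EVENT))
```

A non-None result on the DC that just received the PDC role means the default-account task failed there and the RODC groups should be verified before that DC is restarted.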










