Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.
- In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
- Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
- Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
- Apply the policy using one of the following methods:
- If it is a Windows 2000 domain controller, open a command prompt, and then type: secedit /refreshpolicy machine_policy /enforce
- If it is a Windows Server 2003 or a Windows Server 2008 domain controller, open a command prompt, and type: gpupdate /force
- If it is a Windows 2000 domain controller, open a command prompt, and then type:
- Force replication from the domain controller on which the policy was changed to the other domain controllers in the domain by using repadmin, replmon, or Active Directory Sites and Services.
Further down in the log, the following text appears
dcpromoui t:0x490 00685 Exit doProgressLoop
dcpromoui t:0x490 00686 Exit DS::CreateReplica
dcpromoui t:0x490 00687 Exception caught
dcpromoui t:0x490 00688 catch completed
dcpromoui t:0x490 00689 handling exception
dcpromoui t:0x490 00690 Active Directory Installation Failed
dcpromoui t:0x490 00691 Enter GetErrorMessage 80070005
dcpromoui t:0x490 00692 Exit GetErrorMessage 80070005
dcpromoui t:0x490 00693 Access is denied.
The following is sample Dcpromoui.log output from a computer that is running Windows 2000 Service Pack 4 (SP4):
Failed to modify the necessary properties for the machine account MYDC$
"Access is denied. "
09/12 09:33:14 [INFO] Error - The Active Directory Installation Wizard was unable
to convert the computer account <machinename>$ to a domain controller account. (5)
09/12 09:33:15 [INFO] NtdsInstall for <domainname> returned 5
09/12 09:33:15 [INFO] DsRolepInstallDs returned 5
09/12 09:33:15 [ERROR] Failed to install to Directory Service (5)
Article ID: 232070 - Last Review: Jan 7, 2010 - Revision: 1