
STOP 0xC00002CB "Security Accounts Manager Initialization Failed" error on a Windows Server-based Domain Controller

You have a mixed environment containing Windows Server 2003, Windows Server 2008 R2 and Windows Server 2012 domain controllers. After you transfer the PDC FSMO role to a Windows Server 2008 R2 domain controller and then restart that domain controller, you may receive the following error message:

STOP: C00002CB Security Accounts Manager initialization failed because of the following error: The system cannot find the file specified.
Error Status: 0xc000034.
Please shut down the system and reboot into Directory Services Restore Mode, check event log for more detailed information.

Additionally, at the time when the FSMO role was transferred to this Domain Controller, the system event log contains the following event:

Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          <date & time>
Event ID: 12305
Task Category: None
Level:         Warning
User:          SYSTEM
An error occured while creating new default accounts for this domain.  This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists.
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" />
    <TimeCreated SystemTime="2011-10-31T16:44:03.367198800Z" />
    <Correlation />
    <Execution ProcessID="480" ThreadID="5248" />
    <Security UserID="S-1-5-18" />

The error occurs because one or more of the following built-in groups are missing:
  • Denied RODC Password Replication Group
  • Allowed RODC Password Replication Group
To resolve this problem, rebuild or restore the broken domain controller and seize the PDC FSMO to another domain controller. 
Note: DO NOT REBOOT the new FSMO role owner. Follow the steps below to create the missing RODC groups:
  1. Log on to the PDC emulator and open ADSIEdit.
  2. Navigate to CN=Server,CN=System,DC=<DOMAINNAME>
  3. Right-click on CN=Server and choose Properties.
  4. Highlight the samDomainUpdates value and click View.
  5. Change the value from the current value of FE to FA.
  6. Click OK and Apply to save the changes.
  7. Open LDP.exe and click on Connection -> Bind and click OK to connect.
  8. Click on Browse -> Modify and enter the following information:
    • DN: - leave blank
    • Edit Entry Attribute: runSamUpgradeTasks
      Note: Make sure that there is no space after runSamUpgradeTasks
    • Values: 1
    • Operation: Add
  9. Click Enter on the Modify dialog and then click Run.
  10. Check if the groups now exist. The DC can now be rebooted and the blue screen will no longer appear.
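
One way to perform the check in step 10 before rebooting, as an added example that is not part of the original article: it looks up both groups on the PDC emulator by SID and lists recent Event ID 12305 warnings. It assumes the ActiveDirectory PowerShell module is available and that the groups use their well-known relative IDs (571 and 572); the function names are illustrative.

```powershell
# Added example (not from the original article): pre-reboot check on the PDC emulator.
# Assumption: the ActiveDirectory module (AD Web Services) is available.
Import-Module ActiveDirectory

function Test-RodcGroups {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    # Assumption: well-known RIDs. Lookup by SID still works if a group was renamed.
    $expected = @{
        'Allowed RODC Password Replication Group' = 571
        'Denied RODC Password Replication Group'  = 572
    }
    foreach ($name in $expected.Keys) {
        $sid = "$domainSid-$($expected[$name])"
        $dn  = $null
        try {
            $dn = (Get-ADGroup -Identity $sid -Server $Server -ErrorAction Stop).DistinguishedName
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Only "not found" counts as missing; connection or permission
            # errors propagate so they are not mistaken for a missing group.
        }
        New-Object PSObject -Property @{
            Group = $name; Sid = $sid; Present = [bool]$dn; DistinguishedName = $dn
        }
    }
}

function Get-SamAccountCreationWarnings {
    param([string]$Server, [int]$Days = 7)
    # Event ID 12305 from the SAM provider, as shown in the event above.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
        Id           = 12305
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$pdc    = (Get-ADDomain).PDCEmulator
$groups = @(Test-RodcGroups -Server $pdc)
$groups | Format-Table Group, Present, Sid -AutoSize
Get-SamAccountCreationWarnings -Server $pdc | Format-Table TimeCreated, Id, MachineName -AutoSize

if ($groups | Where-Object { -not $_.Present }) {
    Write-Warning "RODC group(s) missing on $pdc. Do not reboot this DC yet."
}
```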

More information
In a mixed environment where Windows Server 2003 and Windows Server 2008 R2 domain controllers exist, there are no read-only domain controllers, and RODC prep has not been run, the RODC groups do not exist while the FSMO roles are owned by a Windows Server 2003 DC. Once the PDC FSMO role is transferred to a Windows Server 2008 R2 DC, these groups are created automatically. If this operation fails, the above errors are reported in the System event log and the FSMO owner experiences a blue screen upon reboot.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2642837 - Last Review: 05/28/2014 16:42:00 - Revision: 5.0

Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Datacenter
