"Access is denied" error when you try to create NTDS Settings object

Symptoms

When you try to promote new Windows Server 2012 R2 domain controllers in an existing domain, the operation fails with an "Access is denied" error. This issue occurs even when the user is a member of the Domain Admins or Enterprise Admins group.

In this situation, the administrator sees the following error message:

Title:  Windows Security
Message Text:  Network Credentials

The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. "Access is denied"

The failure occurs when adding the NTDS Settings object for the new Domain Controller, returning the following error message:

The operation failed because:

Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=TEST-DC,CN=Servers,CN=mysite,CN=Sites,CN=Configuration,DC=domain,DC=com on the remote AD DC DCName.ChildDomain.domain.com. Ensure the provided network credentials have sufficient permissions.

"Access is denied."

Additionally, the DCPromo.log file shows the following errors:

2705 09/08/2016 15:07:42 [INFO]
Error - Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=TEST-DC,CN=Servers,CN=mysite,CN=Sites,CN=Configuration,DC=domain,DC=com on the remote AD DC DCName.ChildDomain.domain.com. Ensure the provided network credentials have sufficient permissions. (5)
09/08/2016 15:07:42 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.

Additional Data

Error value (decimal):
-1073741823

Error value (hex):
c0000001

Internal ID:
30017c6


09/08/2016 15:07:43 [INFO] NtdsInstall for ChildDomain.domain.com returned 5
09/08/2016 15:07:43 [INFO] DsRolepInstallDs returned 5
09/08/2016 15:07:43 [ERROR] Failed to install to Directory Service (5)
09/08/2016 15:07:43 [ERROR] DsRolepFinishSysVolPropagation (Abort Promote) failed with 8001
09/08/2016 15:07:43 [WARNING] Failed to abort system volume installation (8001)
09/08/2016 15:07:43 [INFO] Starting service NETLOGON
09/08/2016 15:07:43 [INFO] Configuring service NETLOGON to 2 returned 0
09/08/2016 15:07:43 [INFO] The attempted domain controller operation has completed

Where the errors map to the following:

Error mapping

Cause

This issue occurs because the Add/Remove Replica In Domain permission is missing for the Domain Admins and Enterprise Admins groups on the domain partition of the domain.

Resolution

To resolve this issue, follow these steps:
  1. Verify that all the steps and conditions in the "Resolution" section of Knowledge Base article 2002413 are true for your environment. 
  2. If domain controller promotion still fails even after you make sure that the user also has the SeEnableDelegationPrivilege permission, check ADSIEdit.msc to verify the user's effective permissions for the domain partition:
    1. Click Start, click Run, and then type adsiedit.msc.
    2. Expand Default naming context, right-click DC=domain,DC=com, and then click Properties.
    3. On the Security tab, click the Advanced button.
    4. On the Effective Access tab, enter the user or group name of the user who is performing the operation that's failing in DCPromo.
    5. Confirm whether the Add/remove replica in domain control access permission has been granted.
  3. If the Add/Remove Replica In Domain permission is missing for the user or group, add it by using ADSIEdit.msc:
    1. Click Start, click Run, and then type adsiedit.msc.
    2. Expand Default naming context, right-click DC=domain,DC=com, and then click Properties.
    3. On the Security tab, click the Advanced button.
    4. On the Permissions tab, add the Add/remove replica in domain control access permission for the desired user or group as follows:

      Type: Allow
      Applies to: This object only
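The same effective-permission check and grant, scripted in PowerShell as an added example (not part of this article). It assumes the RSAT ActiveDirectory module is installed and that the caller may modify the ACL of the domain head; run it without -Grant to audit only.

```powershell
# Added example, not part of the KB article: audit the "Add/Remove Replica In Domain"
# control access right on the domain partition for Domain Admins and Enterprise Admins,
# and optionally grant it the way the ADSIEdit steps do (Allow, this object only).
param([switch]$Grant)   # omit -Grant to audit only

Import-Module ActiveDirectory
$domain   = Get-ADDomain
$rootDom  = Get-ADDomain -Identity (Get-ADForest).RootDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$adPath   = "AD:\$($domain.DistinguishedName)"

# Resolve the right's GUID from the schema rather than hard-coding it
$rightObj  = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(displayName=Add/Remove Replica In Domain)" -Properties rightsGuid
$rightGuid = [guid]$rightObj.rightsGuid
$allRights = [guid]::Empty   # ObjectType of an ACE that covers every extended right

# Well-known RIDs: Domain Admins = 512 (this domain), Enterprise Admins = 519 (forest root)
$principals = @{
    'Domain Admins'     = [System.Security.Principal.SecurityIdentifier]"$($domain.DomainSID)-512"
    'Enterprise Admins' = [System.Security.Principal.SecurityIdentifier]"$($rootDom.DomainSID)-519"
}

$acl   = Get-Acl -Path $adPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($name in $principals.Keys) {
    $sid = $principals[$name]
    # An explicit ACE for this right, or one granting all extended rights, both satisfy it.
    # Group nesting and GenericAll are not evaluated here; use the Effective Access tab for that.
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq $allRights)
    }
    if ($hit) { Write-Host "$name : Add/Remove Replica In Domain present"; continue }
    Write-Warning "$name : Add/Remove Replica In Domain MISSING on $($domain.DistinguishedName)"
    if ($Grant) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $rightGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # "This object only"
        $acl.AddAccessRule($ace)
        Set-Acl -Path $adPath -AclObject $acl
        Write-Host "$name : granted Allow / This object only"
    }
}
```

The audit only inspects ACEs written directly for the two groups; the Effective Access tab in ADSIEdit remains the authoritative check for rights inherited through group membership.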

More Information

Note that there can be additional reasons why a domain controller promotion or demotion fails with an "Access is denied" error. For more information, see KB 2002413.
Properties

Article ID: 3207962 - Last modified: January 5, 2017 - Revision: 1