DCPROMO Windows Server 2008, R2 error “Access is Denied”

DCPROMO promotion of a Windows Server 2008 or Windows Server 2008 R2 member server to a replica domain controller may fail with the following error:

Title: Windows Security

Message Text: Network Credentials

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. “Access is denied”

DCPROMO Demotion can fail with the same error:

Title: Windows Security

Message Text: Network Credentials

The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. “Access is denied”

Resolution

  1. Type in the name and password of a user account that has been granted the “Enable computer and user accounts to be trusted for delegation” user right (SeEnableDelegationPrivilege) in the Default Domain Controllers Policy.

By default, this right is granted to the Administrators security group in the target domain. The built-in Administrator account is a member of that group.

Type in the name and password of the built-in Administrator account, or of another account that is a member of a group that has been granted this right.

  2. Verify that the Default Domain Controllers Policy grants the “Enable computer and user accounts to be trusted for delegation” user right to the Administrators security group.
  3. Verify that the Default Domain Controllers Policy is linked to the Domain Controllers OU and that all DC computer accounts reside in that OU. If DC computer accounts reside in other OUs, move them back to the Domain Controllers OU; linking the policy to the OU that holds them instead is not a supported configuration.
  4. Verify that the Default Domain Controllers Policy object exists in the copy of Active Directory on the DC that the computer uses to apply policy. If it does not, determine whether this is simple replication latency, an AD replication failure, or deletion of the policy from Active Directory.
  5. Verify that the file system portion of the Default Domain Controllers Policy exists in the SYSVOL share of the DC that the computer being promoted or demoted uses to apply policy. If it does not, determine whether this is simple replication latency, an FRS or DFSR replication failure, or deletion of the policy from SYSVOL, and resolve accordingly.
  6. Check whether the Default Domain Controllers Policy was recently updated to grant Administrators or another account the required user right, but that change has not yet inbound-replicated to the Active Directory or SYSVOL of the DC used to source policy.
  7. Check whether the settings in the Default Domain Controllers Policy are not being applied on the DC that the wizard contacts to modify the computer account (the helper DC named in the error). Specific causes include higher-precedence policies with conflicting settings, WMI filtering, or a failure on the client's part to apply policy.
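The checks in the resolution steps above, as an added PowerShell example (this is not code from the original article). It assumes an elevated session on a domain-joined machine, that the DC which sources policy is $env:LOGONSERVER unless -SourceDc is passed, and it relies on the well-known GUID of the Default Domain Controllers Policy. The user right is evaluated by the DC that writes the computer account (the helper DC named in the error), so the secedit export is only meaningful when the script runs on that DC; the SYSVOL, GPO object, link and OU checks can run from any domain member. Run after step 4 of the repro below, it reports SysvolGrantsAdmins = False.

```powershell
# Added example, not code from the original article. Assumptions: elevated,
# domain-joined session; $SourceDc defaults to the logon DC; the GUID below is
# the well-known GUID of the Default Domain Controllers Policy (DDCP).

$DdcpGuid  = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'  # Default Domain Controllers Policy
$AdminsSid = 'S-1-5-32-544'                             # BUILTIN\Administrators
$RightName = 'SeEnableDelegationPrivilege'              # "Enable computer and user accounts to be trusted for delegation"

# Return the holders (SIDs without the leading '*', or group names) of one user
# right from the [Privilege Rights] section of a secedit template, i.e. a
# GptTmpl.inf or the output of 'secedit /export'. Empty if the right is not set.
function Get-RightHolders {
    param([string]$TemplatePath, [string]$Right)
    $inSection = $false
    foreach ($line in (Get-Content -Path $TemplatePath)) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match ('^\s*' + $Right + '\s*=\s*(.*)$')) {
            return @($matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()
}

function Test-GrantsAdmins([string[]]$Holders) {
    return [bool](($Holders -contains $AdminsSid) -or ($Holders -contains 'Administrators'))
}

function Test-DcpromoDelegationRight {
    param([string]$SourceDc = $env:LOGONSERVER.TrimStart('\'))

    $domainDn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domainFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $dcOuDn     = "OU=Domain Controllers,$domainDn"

    # Step 7: effective user rights on this machine. Run on the helper DC to see
    # what it will enforce. secedit needs an elevated shell.
    $export = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $local = @(Get-RightHolders -TemplatePath $export -Right $RightName)

    # Steps 2, 5, 6: the right as written in the SYSVOL copy of DDCP on the DC
    # that sources policy (missing or stale if replication lags or failed).
    $gptTmpl = "\\$SourceDc\SYSVOL\$domainFqdn\Policies\$DdcpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $sysvolFound = Test-Path -Path $gptTmpl
    $sysvol = if ($sysvolFound) { @(Get-RightHolders -TemplatePath $gptTmpl -Right $RightName) } else { @() }

    # Step 4: the GPO object in the AD replica on that DC. Step 3: its link on the DC OU.
    $gpoDn   = "CN=$DdcpGuid,CN=Policies,CN=System,$domainDn"
    $gpoInAd = [ADSI]::Exists("LDAP://$SourceDc/$gpoDn")
    $gpLink  = [string]([ADSI]"LDAP://$SourceDc/$dcOuDn").gPLink
    $linked  = [bool]($gpLink -match [regex]::Escape($DdcpGuid))

    # Step 3 also: DC computer accounts (SERVER_TRUST_ACCOUNT = 0x2000) that sit
    # outside the Domain Controllers OU and therefore never receive DDCP.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SourceDc/$domainDn"
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $strayDcs = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] } |
                 Where-Object { $_ -notlike "*,$dcOuDn" })

    New-Object PSObject -Property @{
        SourceDc                = $SourceDc
        LocalPolicyGrantsAdmins = Test-GrantsAdmins $local
        LocalPolicyHolders      = $local
        SysvolTemplateFound     = $sysvolFound
        SysvolGrantsAdmins      = Test-GrantsAdmins $sysvol
        GpoObjectInAd           = $gpoInAd
        GpoLinkedToDcOu         = $linked
        DcAccountsOutsideDcOu   = $strayDcs
    }
}

Test-DcpromoDelegationRight | Format-List
```

Reading the output against the steps: SysvolGrantsAdmins = True but LocalPolicyGrantsAdmins = False on the helper DC points at step 7 (the policy is defined but not applied there); SysvolTemplateFound = False or GpoObjectInAd = False point at steps 4 to 6 (replication latency, failure or deletion); GpoLinkedToDcOu = False or a non-empty DcAccountsOutsideDcOu points at step 3.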

More Information

Repro Steps

  1. Promote a Windows Server 2008 R2 computer (DC1) as the first DC in a new forest.
  2. Join another Windows Server 2008 R2 computer (DC2) to the domain as a member server.
  3. On DC1, remove the Administrators security group from the “Enable computer and user accounts to be trusted for delegation” user right in the Default Domain Controllers Policy.
  4. Run GPUPDATE /FORCE on DC1 so that the modified policy is applied there; the right is checked on the DC that converts the computer account, not on the member being promoted.
  5. Promote the member server as a replica DC in the existing domain.
  6. Note the failure: the schema and configuration partitions replicate, then the wizard fails to convert the computer account to a DC account with error 5 (access denied).

A graceful DCPROMO demotion fails the same way when the user right is removed.

DCPROMO.LOG and DCPROMOUI.LOG from promotion

The DCPROMO.LOG contains the following:

[INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote Dc2.remotex.com…

[INFO] Replicating the schema directory partition

[INFO] Replicated the schema container.

[INFO] Active Directory Domain Services updated the schema cache.

[INFO] Replicating the configuration directory partition

[INFO] Replicated the configuration container.

[INFO] Error – The Active Directory Domain Services Installation Wizard was unable to convert the computer account DC2$ to an Active Directory Domain Controller account. (5)

[INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168

Internal error: An Active Directory Domain Services error has occurred.

Additional Data

Error value (decimal):-1073741823

Error value (hex):c0000001

Internal ID:300162a

[INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004

Active Directory Domain Services was shut down successfully.

[INFO] NtdsInstall for a.com returned 5

[INFO] DsRolepInstallDs returned 5

[ERROR] Failed to install to Directory Service (5)

[INFO] Starting service NETLOGON

[INFO] Configuring service NETLOGON to 2 returned 0

[INFO] The attempted domain controller operation has completed

[INFO] DsRolepSetOperationDone returned 0

The DCPROMOUI.LOG contains the following:

Calling DsRoleGetDcOperationResults

Error 0x0 (!0 => error)

Operation results:

OperationStatus      : 0x5 !0 => error

DisplayString: The Active Directory Domain Services Installation Wizard was unable to convert the computer account DC2$ to an Active Directory Domain Controller account.

ServerInstalledSite  : (null)

OperationResultsFlags: 0x0

Enter ProgressDialog:: UpdateText The Active Directory Domain Services Installation Wizard was unable to convert the computer account DC2$ to an Active Directory Domain Controller account.

Enter State:: SetOperationResultsMessage The Active Directory Domain Services Installation Wizard was unable to convert the computer account DC2$ to an Active Directory Domain Controller account.

Enter State::SetOperationResultsFlags 0x0

Exception caught

catch completed

handling exception

Enter State::ClearHiddenWhileUnattended

Enter EnableConsoleLocking

Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Enter RegistryKey::SetValue-DWORD DisableLockWorkstation

Enter State::SetOperationResults result FAILURE

Enter ProgressDialog::UpdateText

Enter State::IsOperationRetryAllowed

true

credentials were invalid, hr=0x80070005

Enter GetErrorMessage 80070005

Enter State::GetOperationResultsMessage The Active Directory Domain Services Installation Wizard was unable to convert the computer account VM2-W7$ to an Active Directory Domain Controller account.

Enter State::GetOperation REPLICA

Enter State::GetReplicaDomainDNSName remotex.com

DCPROMO.LOG and DCPROMOUI.LOG from demotion

DCPROMO.LOG text is similar to:

[INFO] Uninstalling the Directory Service

[INFO] Invoking NtdsDemote

[INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller <DNS domain>…

[INFO] Error – Active Directory Domain Services could not configure the computer account <dc being demoted>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>. (5)

[INFO] NtdsDemote returned 5

[INFO] DsRolepDemoteDs returned 5

[ERROR] Failed to demote the directory service (5)

….

DCPROMOUI.LOG text is similar to:

….

OperationStatus      : 0x5 !0 => error

DisplayString        : Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<dns domain>.

ServerInstalledSite  : (null)

OperationResultsFlags: 0x0

Enter ProgressDialog::UpdateText Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller DC1.remotex.com.

Enter State::SetOperationResultsMessage Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>.

Enter State::SetOperationResultsFlags 0x0

credentials were invalid, hr=0x80070005

Enter GetErrorMessage 80070005

Enter State::GetOperationResultsMessage Active Directory Domain Services could not configure the computer account <dc name>$ on the remote Active Directory Domain Controller <helper DC>.<DNS domain>.

Enter State::GetOperation DEMOTE

Enter State::GetParentDomainDnsName
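Both the promotion and the demotion logs end in the same numbers, and the point of reading them is to find the first call that failed and turn its code into a message. The following is an added PowerShell example, not part of the original article, that scans dcpromo.log and dcpromoui.log for the patterns shown above (a trailing "(5)" or "returned 5" in dcpromo.log; "hr=0x80070005" and "OperationStatus : 0x5" in dcpromoui.log; the "Error value (hex)" line from the NTDS 1168 event) and decodes them through .NET. It assumes the logs are in their default location under %windir%\debug, and the small NTSTATUS table is hand-written (assumption: only the two values listed are needed for this failure class).

```powershell
# Added example, not code from the original article: extracts the failing
# calls from dcpromo.log and dcpromoui.log and decodes the numbers they carry
# (Win32 error in decimal, HRESULT in hex, NTSTATUS from the NTDS 1168 event).
# Assumes the default log locations; pass other paths to run against copies.

# NTSTATUS values cannot be decoded through .NET; the two relevant to this
# failure class are listed by hand (assumption).
$NtStatusNames = @{ 'c0000001' = 'STATUS_UNSUCCESSFUL'; 'c0000022' = 'STATUS_ACCESS_DENIED' }

function New-Finding([string]$Log, [int]$Line, [string]$Step, [string]$Code, [string]$Meaning) {
    New-Object PSObject -Property @{ Log = $Log; Line = $Line; Step = $Step; Code = $Code; Meaning = $Meaning }
}

# Win32 error code -> system message text, e.g. 5 -> "Access is denied".
function Get-Win32Message([int]$Code) {
    (New-Object System.ComponentModel.Win32Exception -ArgumentList $Code).Message
}

function ConvertFrom-DcpromoLogs {
    param(
        [string]$DcpromoLog   = "$env:windir\debug\dcpromo.log",
        [string]$DcpromoUiLog = "$env:windir\debug\dcpromoui.log"
    )
    $findings = @()

    if (Test-Path $DcpromoLog) {
        # "[ERROR] Failed to install to Directory Service (5)" and
        # "[INFO] NtdsInstall for a.com returned 5" both end in a Win32 code.
        $rx = '\[(?:ERROR|INFO)\]\s+(.*?)\s*(?:\((\d+)\)|returned (\d+))\s*$'
        foreach ($m in (Select-String -Path $DcpromoLog -Pattern $rx)) {
            $g = $m.Matches[0].Groups
            $code = [int]$(if ($g[2].Success) { $g[2].Value } else { $g[3].Value })
            if ($code -eq 0) { continue }     # successful calls are noise
            $findings += New-Finding 'dcpromo.log' $m.LineNumber $g[1].Value "Win32 $code" (Get-Win32Message $code)
        }
        # "Error value (hex):c0000001" inside the NTDS 1168 event text.
        foreach ($m in (Select-String -Path $DcpromoLog -Pattern 'Error value \(hex\):\s*([0-9A-Fa-f]{8})')) {
            $hex  = $m.Matches[0].Groups[1].Value.ToLower()
            $name = if ($NtStatusNames.ContainsKey($hex)) { $NtStatusNames[$hex] } else { 'unknown NTSTATUS' }
            $findings += New-Finding 'dcpromo.log' $m.LineNumber 'NTDS event 1168' "NTSTATUS 0x$hex" $name
        }
    }

    if (Test-Path $DcpromoUiLog) {
        # "credentials were invalid, hr=0x80070005" carries an HRESULT;
        # "OperationStatus : 0x5 !0 => error" carries the Win32 code in hex.
        $rx = 'hr=0x([0-9A-Fa-f]{8})|OperationStatus\s*:\s*0x([0-9A-Fa-f]+)'
        foreach ($m in (Select-String -Path $DcpromoUiLog -Pattern $rx)) {
            $g = $m.Matches[0].Groups
            if ($g[1].Success) {
                $hr = [Convert]::ToInt32($g[1].Value, 16)   # signed parse, so 0x8007xxxx fits an Int32
                $meaning = [Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
                $findings += New-Finding 'dcpromoui.log' $m.LineNumber $m.Line.Trim() ('HRESULT 0x{0:X8}' -f $hr) $meaning
            } else {
                $code = [Convert]::ToInt32($g[2].Value, 16)
                if ($code -eq 0) { continue }
                $findings += New-Finding 'dcpromoui.log' $m.LineNumber $m.Line.Trim() "Win32 $code" (Get-Win32Message $code)
            }
        }
    }
    $findings
}

ConvertFrom-DcpromoLogs | Format-Table -AutoSize Log, Line, Code, Meaning, Step
```

Against the promotion log above this reports Win32 5 ("Access is denied") first at the account-conversion line and again at NtdsInstall, DsRolepInstallDs and the [ERROR] line, NTSTATUS 0xc0000001 (STATUS_UNSUCCESSFUL) from the 1168 event, and HRESULT 0x80070005 (E_ACCESSDENIED) from dcpromoui.log; the first finding is the step to investigate, and the rest are the same failure propagating up the call chain.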