Microsoft KB Archive/232070

= When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied." error message =

Article ID: 232070

Article Last Modified on 10/31/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q232070



SYMPTOMS
When you run Dcpromo.exe to create a replica domain controller, you may receive the following error message in Dcpromo.exe:

Failed to modify the necessary properties for the machine account. Access is denied.

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.



CAUSE
This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" right, or if the right has been assigned but the policy has not yet propagated, possibly because of replication latency. By default, only members of the Administrators group have the "Delegation Privilege" right.



RESOLUTION
To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:
 * 1) In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
 * 2) Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
 * 3) Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
 * 4) Apply the policy using one of the following methods:
 ** At a command prompt, type secedit /refreshpolicy machine_policy /enforce.
 ** In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.

To apply the updated policy, restart the domain controller.
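To check whether the right has actually reached a given domain controller (the propagation case described under CAUSE), the effective user rights can be exported and inspected there. The following is an added example, not part of the original article. It assumes that PowerShell is installed on the domain controller, that it is run from an elevated prompt, and that the right appears in the export under the name SeEnableDelegationPrivilege; the function name and scratch file path are hypothetical.

```powershell
# Added example (not from the original article): list the accounts that hold
# the delegation right in this computer's effective security policy.
function Get-DelegationRightHolders {
    $right = 'SeEnableDelegationPrivilege'                 # assumed internal name of the right
    $cfg   = Join-Path $env:TEMP 'user-rights-export.inf'  # scratch file (hypothetical path)

    # Export only the user rights area of the effective security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }

    try {
        # Export lines look like (constructed sample):
        #   SeEnableDelegationPrivilege = *S-1-5-32-544,EXAMPLE\promo-admins
        $line = Get-Content $cfg |
            Where-Object { $_ -match "^\s*$right\s*=" } |
            Select-Object -First 1

        if (-not $line) {
            Write-Warning "$right is not assigned to any account on this computer."
            return
        }

        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }

        foreach ($h in $holders) {
            if ($h.StartsWith('*')) {
                # Entries prefixed with * are SIDs; resolve them to names where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                New-Object PSObject -Property @{ Sid = $sid.Value; Account = $name }
            } else {
                # Entries without * are already account names.
                New-Object PSObject -Property @{ Sid = ''; Account = $h }
            }
        }
    }
    finally {
        # Do not leave the exported policy lying around in the temp directory.
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Get-DelegationRightHolders | Format-Table Account, Sid -AutoSize
```

If the account used for the promotion (or a group that contains it) is missing from the output on one domain controller but present on the one where the policy was edited, the policy has not yet applied there.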



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
The Dcpromoui.log file reports an error similar to the one shown below. In the following example, a replica/backup domain controller is attempting to be installed:

dcpromoui t:0x490 00685   Exit  doProgressLoop
dcpromoui t:0x490 00686   Exit  DS::CreateReplica
dcpromoui t:0x490 00687   Exception caught
dcpromoui t:0x490 00688   catch completed
dcpromoui t:0x490 00689   handling exception
dcpromoui t:0x490 00690   Active Directory Installation Failed
dcpromoui t:0x490 00691   Enter GetErrorMessage 80070005
dcpromoui t:0x490 00692   Exit  GetErrorMessage 80070005
dcpromoui t:0x490 00693   Access is denied.

Further down in the log, the following text appears:

Failed to modify the necessary properties for the machine account MYDC$
"Access is denied. "

The following is sample Dcpromoui.log output from a computer that is running Windows 2000 Service Pack 4 (SP4):

09/12 09:33:14 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account $ to a domain controller account. (5)
09/12 09:33:15 [INFO] NtdsInstall for returned 5
09/12 09:33:15 [INFO] DsRolepInstallDs returned 5
09/12 09:33:15 [ERROR] Failed to install to Directory Service (5)

Keywords: kbenv kbprb KB232070


© Microsoft Corporation. All rights reserved.