Microsoft KB Archive/308311

= Dcpromo May Generate &quot;Access Denied&quot; or &quot;Cannot Find the File Specified&quot; Error Message =

Article ID: 308311

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q308311



SYMPTOMS
When you run Dcpromo.exe to promote a Windows 2000-based server to a domain controller, Dcpromo may not finish successfully and may generate one of the following error messages:

Active Directory Installation Failed:

The operation failed with the following error:

The system cannot find the file specified.

New Credentials.

The operation failed with the following error: &quot;Access is denied&quot;.

These error messages can be caused by one or more of the following conditions:
 * The absence of the default Ntds.dit file.
 * Incorrect permission on the default Ntds.dit file.
 * Incorrect permissions on an existing NTDS folder structure.



MORE INFORMATION
An Ntds.dit file is installed by default on every Windows 2000-based server, no matter which type of server product is installed (Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server). If you promote any Windows 2000-based server to a domain controller, there will be two Ntds.dit files on the domain controller. The first file is stored in the %SystemRoot%\System32 folder. This is the default file that is used by Dcpromo to create the Ntds.dit file that is stored in the %SystemRoot%\Ntds folder. The second file is the Ntds.dit file that is used by the domain controller to store and manipulate Active Directory objects.

&quot;The System Cannot Find the File Specified&quot; Error Message
This error message occurs if the default Ntds.dit file is missing or not correctly located in the %SystemRoot%\System32 folder. The simplest resolution is to expand the default Ntds.di_ file in any version of Windows 2000 Server to the %SystemRoot%\System32 folder.

You can verify that this is the cause of the error message by reading the %SystemFolder%\Debug\Dcpromo.log file. The log will contain the following information:

09/21 11:06:04 [INFO] Copying initial Directory Service database file %systemroot%\system32\ntds.dit to %systemroot%\NTDS\ntds.dit

09/21 11:06:04 [ERROR] Failed to copy install file %systemroot%\system32\ntds.dit to %systemroot%\NTDS\ntds.dit: 2

09/21 11:06:04 [INFO] DsRolepInstallDs returned 2

09/21 11:06:04 [ERROR] Failed to install the directory service (2)

09/21 11:06:12 [INFO] The attempted domain controller operation has completed

09/21 11:06:12 [INFO] DsRolepSetOperationDone returned 0

&quot;Access Is Denied&quot; Error Message
There are several reasons whey this error message might occur, but all have to do with permissions on the files or file structures that are necessary for the installation and service of a domain controller.

File Permissions Are Incorrect
To resolve this issue, verify that the default Ntds.dit file permissions in the System32 folder are:

System32\Ntds.dit BUILTIN\Users:            Read [RX] BUILTIN\Power Users:      Read [RX] BUILTIN\Administrators:   Full Control [ALL] NT AUTHORITY\SYSTEM:      Full Control [ALL] Everyone:                 Read [RX]

Folder Structure Permissions Are Incorrect
If the server you are promoting was a domain controller in the past but was demoted, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If the permissions were changed between the demotion and the current promotion, the error message may be cause by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running Dcpromo.exe. Or, you can change the folder permissions to match these:

%SystemRoot%\Ntds BUILTIN\Users:            Special Access [RX] BUILTIN\Power Users:      Special Access [RWXD] BUILTIN\Administrators:   Special Access [A] NT AUTHORITY\SYSTEM:      Special Access [A] CREATOR OWNER:            Special Access [A]

%SystemRoot%\Ntds\Drop BUILTIN\Users:            Special Access [RX] BUILTIN\Power Users:      Special Access [RWXD] BUILTIN\Administrators:   Special Access [A] NT AUTHORITY\SYSTEM:      Special Access [A] CREATOR OWNER:            Special Access [A]

You can verify that this is the cause of the error message by reading the %SystemFolder%\Debug\Dcpromo.log file. The log will contain the following information:

09/21 11:42:55 [INFO] Copying initial Directory Service database file D:\WINNT\system32\ntds.dit to D:\WINNT\NTDS\ntds.dit

09/21 11:42:55 [ERROR] Failed to copy install file D:\WINNT\system32\ntds.dit to D:\WINNT\NTDS\ntds.dit: 5

09/21 11:42:55 [INFO] DsRolepInstallDs returned 5

09/21 11:42:55 [ERROR] Failed to install the directory service (5)

09/21 11:43:05 [INFO] The attempted domain controller operation has completed

09/21 11:43:05 [INFO] DsRolepSetOperationDone returned 0

Additional Information
You can identify error codes that are reported in the log file by typing net helpmsg at a command prompt. For example, typing net helpmsg 5 returns &quot;Access is denied.&quot;

A domain controller that has been successfully promoted has the following permissions assigned by default to the Ntds folder structure:

%SystemRoot%\Ntds NT AUTHORITY\SYSTEM:      Special Access [A] BUILTIN\Administrators:   Special Access [A]

%SystemRoot%\Ntds\Drop NT AUTHORITY\SYSTEM:      Special Access [A] BUILTIN\Administrators:   Special Access [A]

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

258703 'Access Is Denied' Error Message When Running Dcpromo

Keywords: kberrmsg kbprb KB308311

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.