JSI Tip 3034. 'Access Denied' during Active Directory promotion of a replica domain controller?


When you try to promote a replica domain controller, you receive:

The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ "Access Denied"
The %SystemRoot%\Debug\Dcpromolog folder contains entries similar to:
MM/DD HH:MM:SS \[INFO\] Configuring the server account 
MM/DD HH:MM:SS \[INFO\] NtdsSetReplicaMachineAccount returned 5
MM/DD HH:MM:SS \[INFO\] DsRolepSetMachineAccountType returned 5
MM/DD HH:MM:SS \[INFO\] Error - Failed to modify the necessary properties for the machine account %COMPUTERNAME%$(5)
During the promotion of a replica domain controller, the UserAccountControl attribute for the computer you are promoting is modified to define its' role as a domain controller. The computer you are promoting tries to:

1. Perform a LDAP search against an existing domain controller for its computer account (ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).

2. Update the UserAccountControl attribute, indicating a change from a member server to a domain controller.

3. Move the computer account object (CAO) from the current container or organizational unit (OU), to the domain controller's OU of the domain.

4. Source the schema, configuration, and domain naming contexts for replication, from domain controllers that already exist.

For steps 2 and 3 to succeed, the source domain controller used by the new replica must have successfully replicated and applied the security policy, as identified by Event ID 1704 in the application log, after Dcpromo has run.

The operation failed because the Enable computer and users accounts to be trusted for delegation user right, required to update the UserAccountControl, has not been granted. This right is granted to the Administrators group, in the defaut domain controllers policy.

To fix the problem:

Make sure that existing domain controllers have applied security policy and that the Enable computer and users accounts to be trusted for delegation user right has been granted to the Administrators group (Default Domain Controller Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies).

If a domain controller does not have this right, confirm that GPOs have replicated, and then manually apply the policy by typing the following command:

secedit /refreshpolicy machine_policy

NOTE: If the Application event log contains:

Event ID 1704: Security Policy in the Group policy objects are applied successfully. the GPOs have been appliced.

If you're in a hurry, stop the Netlogon service on the source domain controller that doesn't have this right, to discover another DC that does.


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish