Title:
"Access Denied" Error Message During Active Directory Promotion of Replica Domain Controller
Body:
During Active Directory promotion of a replica domain controller, you may receive the following error message:
The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ "Access Denied".

The %SystemRoot%\Debug\Dcpromo.log file contains entries similar to the following example:
MM/DD HH:MM:SS [INFO] Configuring the server account
MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)
A network trace shows that the ModifyResponse frame returned for the LDAP ModifyRequest on the UserAccountControl attribute is unsuccessful, with an "insufficient access" error message.
 
RESOLUTION

To resolve this problem, use the appropriate method: 
 
Verify that the current domain controllers in the domain have applied the security policy, and that the "Enable computer and user accounts to be trusted for delegation" user right is granted to the Administrators group in the domain controllers policy (click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment).
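One way to script this check, as an added example that is not part of the KB article: the PowerShell function below reads the [Privilege Rights] section of a security template (for example the output of secedit /export /areas USER_RIGHTS, or a policy's GptTmpl.inf) and reports whether the Administrators group (well-known SID S-1-5-32-544) holds SeEnableDelegationPrivilege, the internal name of this user right. The function name and the sample template text are constructed for illustration, and holders are assumed to be listed as SIDs.

```powershell
# Added example: check a security template for the delegation user right.
function Test-DelegationRight {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string]$RequiredSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Track whether we are inside [Privilege Rights]
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^SeEnableDelegationPrivilege\s*=\s*(.*)$') {
            # Value is a comma-separated list; SIDs are prefixed with '*'
            $holders = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
            return [pscustomobject]@{
                Defined               = $true
                Holders               = $holders
                AdministratorsGranted = ($holders -contains $RequiredSid)
            }
        }
    }
    # The right is not defined in this template at all
    [pscustomobject]@{ Defined = $false; Holders = @(); AdministratorsGranted = $false }
}

# Constructed sample template: the right is defined but granted to no one,
# which is the condition behind the "Access Denied" failure described above.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege =
'@ -split '\r?\n'

Test-DelegationRight -InfLines $sample
```

To check a real export, pass the file's lines instead of the sample, for example with Get-Content on the exported template.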
The full
KB Article by ID Number:
250874
Directory Services Keywords:
Dcpromo W2000DCPROMO
General Services Keywords:
AD GENERAL
Technologies Keywords:
LDAP
Networking Keywords:
Accessibility W2000ACCESS
Created at 12/7/2004 8:01 PM by Jean-François APREA
Last modified at 12/7/2004 8:01 PM by Jean-François APREA