
When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied" error message



This article was previously published under Q232070



Symptoms

When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe:
Error message 1
Failed to modify the necessary properties for the machine account. Access is denied.
Error message 2
Error - The Active Directory Installation Wizard was unable to convert the computer account <Computer Name>$ to a domain controller account. (5)

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this can also be verified by the fact that the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.



Cause

This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" user right (shown in Group Policy as "Enable computer and user accounts to be trusted for delegation"), or if the right has been assigned but the policy has not yet propagated, possibly because of replication latency. By default, only members of the Administrators group have the "Delegation Privilege" right.



Resolution

To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:
  1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
  2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
  3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
  4. Apply the policy using one of the following methods:
    • If it is a Windows 2000 domain controller, open a command prompt, and then type:
      secedit /refreshpolicy machine_policy /enforce
    • If it is a Windows Server 2003 or a Windows Server 2008 domain controller, open a command prompt, and type:
      gpupdate /force
  5. Force replication from the domain controller on which the policy was changed to the other domain controllers in the domain by using repadmin, replmon, or Active Directory Sites and Services.
To apply the updated policy, restart the problematic server that you want to promote to a domain controller.
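The following PowerShell is an added illustration, not part of this KB article: it checks whether an account's SIDs are covered by the SeEnableDelegationPrivilege entry (the "Enable computer and user accounts to be trusted for delegation" right) in the security policy that secedit exports from the domain controller. The function names, the embedded INF sample and the domain SIDs are constructed for the example; only BUILTIN\Administrators (S-1-5-32-544) is a well-known value.

```powershell
# Added example (not from the KB article). Parses the [Privilege Rights] section
# of a "secedit /export" INF and reports whether the SIDs of an account (its own
# SID plus its group SIDs, as "whoami" lists them) hold SeEnableDelegationPrivilege.

function Get-DelegationPrivilegeHolders {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights'); continue
        }
        # Entries look like: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...
        if ($inSection -and $line -match '^\s*SeEnableDelegationPrivilege\s*=\s*(.*)$') {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # the right is not assigned to anyone in this policy
}

function Test-DelegationPrivilege {
    param([string[]]$InfLines, [string[]]$AccountSids)
    $holders = @(Get-DelegationPrivilegeHolders $InfLines)
    $granted = @($AccountSids | Where-Object { $holders -contains $_ })
    [pscustomobject]@{ Granted = ($granted.Count -gt 0); Via = $granted; Holders = $holders }
}

# Constructed sample INF: only BUILTIN\Administrators holds the right, the default the article describes.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Hypothetical SIDs: a domain user (RID 1105) who is a member of Domain Users (RID 513) only.
$userSids = 'S-1-5-21-1111111111-2222222222-3333333333-1105',
            'S-1-5-21-1111111111-2222222222-3333333333-513'
Test-DelegationPrivilege -InfLines $sampleInf -AccountSids $userSids                      # not in Administrators
Test-DelegationPrivilege -InfLines $sampleInf -AccountSids ($userSids + 'S-1-5-32-544')   # same user, now in Administrators

# Live check on the domain controller for the logged-on account:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $mySids = @((whoami /user /fo csv | ConvertFrom-Csv).SID) + @((whoami /groups /fo csv | ConvertFrom-Csv).SID)
#   Test-DelegationPrivilege -InfLines (Get-Content "$env:TEMP\rights.inf") -AccountSids $mySids
```

If the live check reports Granted = False on the domain controller the promotion targets but True on the one where the policy was edited, the policy has not replicated yet (step 5 above).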



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

The Dcpromoui.log file reports an error similar to the one shown below. In the following example, a replica (backup) domain controller is being installed:
dcpromoui t:0x490 00685    Exit  doProgressLoop 
dcpromoui t:0x490 00686    Exit  DS::CreateReplica 
dcpromoui t:0x490 00687    Exception caught 
dcpromoui t:0x490 00688    catch completed 
dcpromoui t:0x490 00689    handling exception 
dcpromoui t:0x490 00690    Active Directory Installation Failed 
dcpromoui t:0x490 00691    Enter GetErrorMessage 80070005 
dcpromoui t:0x490 00692    Exit  GetErrorMessage 80070005 
dcpromoui t:0x490 00693    Access is denied. 
Further down in the log, the following text appears:
Failed to modify the necessary properties for the machine account MYDC$
"Access is denied. "
The following is sample Dcpromoui.log output from a computer that is running Windows 2000 Service Pack 4 (SP4):
09/12 09:33:14 [INFO] Error - The Active Directory Installation Wizard was unable to convert the computer account <machinename>$ to a domain controller account. (5)
09/12 09:33:15 [INFO] NtdsInstall for <domainname> returned 5 
09/12 09:33:15 [INFO] DsRolepInstallDs returned 5 
09/12 09:33:15 [ERROR] Failed to install to Directory Service (5)



Keywords: kbenv, kbprb, KB232070


Article Info
Article ID : 232070
Revision : 8
Created on : 9/11/2009
Published on : 9/11/2009
Exists online : False
Views : 655