Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

STOP 0xC00002CB "Security Accounts Manager Initialization Failed" error on a Windows Server-based Domain Controller



Symptoms

You have a mixed environment containing Windows Server 2003, Windows Server 2008 R2, and Windows Server 2012 domain controllers. After you transfer the PDC FSMO role to a Windows Server 2008 R2 domain controller and then restart that domain controller, you may receive the following error message:

STOP: C00002CB Security Accounts Manager initialization failed because of the following error: The system cannot find the file specified.
Error Status: 0xc000034.
Please shut down the system and reboot into Directory Services Restore Mode, check event log for more detailed information.

Additionally, at the time when the FSMO role was transferred to this Domain Controller, the system event log contains the following event:



Cause

The error occurs because one or more of the following built-in groups are missing:
  • Denied RODC Password Replication Group
  • Allowed RODC Password Replication Group



Resolution

To resolve this problem, rebuild or restore the broken domain controller and seize the PDC FSMO role to another domain controller.
Note: DO NOT REBOOT the new FSMO role owner. Follow the steps below to create the missing RODC groups:
  1. Log on to the PDC emulator and open ADSIEdit.
  2. Navigate to CN=Server,CN=System,DC=<DOMAINNAME>
  3. Right-click on CN=Server and choose Properties.
  4. Highlight the samDomainUpdates value and click View.
  5. Change the value from its current value of FE to FA.
  6. Click OK and Apply to save the changes.
  7. Open LDP.exe and click on Connection -> Bind and click OK to connect.
  8. Click on Browse -> Modify and enter the following information:
    • DN: leave blank
    • Edit Entry Attribute: runSamUpgradeTasks
      Note: Make sure that there is no space after runSamUpgradeTasks.
    • Values: 1
    • Operation: Add
  9. Click Enter on the Modify dialog and then click Run.
  10. Check whether the groups now exist. The DC can now be rebooted and the blue screen will no longer appear.
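
A read-only way to perform the check in step 10 from PowerShell, added here as an example (it is not part of the original Microsoft article). It assumes the ActiveDirectory module is available, looks the two groups up by their well-known RIDs (571 and 572) rather than by name, and prints the samDomainUpdates bytes from CN=Server,CN=System for reference; the function name Test-RodcGroups is hypothetical.

```powershell
# Added example: read-only check, makes no changes to the directory.
# Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

function Test-RodcGroups {   # hypothetical helper name
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator        # ask the PDC emulator itself, not a replica
    $domSid = $domain.DomainSID.Value

    # Well-known RIDs: 571 = Allowed, 572 = Denied RODC Password Replication Group.
    $expected = [ordered]@{
        'Allowed RODC Password Replication Group' = "$domSid-571"
        'Denied RODC Password Replication Group'  = "$domSid-572"
    }

    $missing = @()
    foreach ($name in $expected.Keys) {
        $sid   = $expected[$name]
        $group = Get-ADGroup -Server $pdc -Filter "SID -eq '$sid'"
        if ($group) {
            Write-Host "OK       $name -> $($group.DistinguishedName)"
        } else {
            Write-Host "MISSING  $name (expected SID $sid)"
            $missing += $name
        }
    }

    # Show the samDomainUpdates value edited in steps 2-6, as hex bytes.
    $serverDn = "CN=Server,CN=System,$($domain.DistinguishedName)"
    $obj   = Get-ADObject -Server $pdc -Identity $serverDn -Properties samDomainUpdates
    $bytes = @($obj.samDomainUpdates | ForEach-Object { $_ })
    $hex   = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    Write-Host "samDomainUpdates on ${serverDn}: $hex"

    return ($missing.Count -eq 0)
}

if (Test-RodcGroups) {
    Write-Host 'Both RODC groups exist on the PDC emulator.'
} else {
    Write-Warning 'At least one RODC group is missing; do not reboot the PDC emulator yet.'
}
```

Running the same check before transferring or seizing the PDC FSMO role shows in advance whether the groups will need to be created.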



More Information

In a mixed environment where Windows Server 2003 and Windows Server 2008 R2 domain controllers exist, there are no read-only domain controllers, and RODC prep has not been run, the RODC groups do not exist if the FSMO roles are owned by a Windows Server 2003 DC. Once the PDC FSMO role is transferred to a Windows Server 2008 R2 DC, these groups are created automatically. If this operation fails, the above errors are reported in the System event log and the FSMO owner experiences a blue screen upon reboot.



Keywords: kbfsmo, kbbluescreen, kb


Article Info
Article ID : 2642837
Revision : 1
Created on : 1/7/2017
Published on : 5/28/2014
Exists online : False
Views : 1385