Domain Controller promotion fails with “Access is denied”
Most of us have promoted domain controllers here and there, and the majority of deployments are successful, especially if your DNS infrastructure is working smoothly. But as always, there are those deployments that are problematic and eat your time over something small, as I was able to reproduce for this article from a real-life environment.
I was trying to promote a new domain controller in an existing domain, and everything went great until the wizard threw the error that you can see in the picture below.
The operation failed because:
The Active Directory Domain Services Installation Wizard (Dcpromo.exe) was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account.
Verify that the user running Dcpromo.exe is granted the “Enable computer and user accounts to be trusted for delegation” user right in the Default Domain Controllers Policy.
For more information, see the resolution section of http://go.microsoft.com/fwlink/?LinkId=178406.
The error was:
“Access is denied.”
The "Access is denied" message got my attention, so I immediately checked the group membership of the account I used to run the Active Directory Domain Services Configuration Wizard. If the account is not a member of the Administrators group it is normal for the promotion to fail, but everything was all right, since I was using the built-in domain Administrator account.
Another thing that crossed my mind was to check the Default Domain Controllers Policy and look at the Enable computer and user accounts to be trusted for delegation setting, as the error message suggests. So I opened the GPO and expanded Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. The domain Administrators security group, or the account used to promote the domain controller, needs to be listed in that setting for the promotion to work, and it was.
After a few good minutes and a few more tries, I thought to check the computer object in Active Directory. Who knows? And there you have it: the person who provided me with the server had, after joining it to the domain, checked the Protect object from accidental deletion box, and that created the whole problem. With that flag set, Dcpromo.exe cannot modify the computer account to turn it into a domain controller account, which surfaces as "Access is denied".
After disabling the option by un-checking the box, the domain controller promotion went through with no errors whatsoever.
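As an added example (not part of the original article), the two checks walked through above can be scripted before running the wizard. It assumes an elevated PowerShell session on a domain-joined machine with the ActiveDirectory RSAT module installed; "DC02" is a placeholder for the server being promoted, and the GUID is the well-known one of the Default Domain Controllers Policy.

```powershell
# Pre-promotion checks for the two causes discussed in the article.
# Added example, not the article's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ComputerName = 'DC02'   # placeholder: the server you are about to promote

# 1. Is the computer object protected from accidental deletion?
#    If so, Dcpromo.exe cannot convert it into a DC account ("Access is denied").
$computer = Get-ADComputer -Identity $ComputerName -Properties ProtectedFromAccidentalDeletion
if ($computer.ProtectedFromAccidentalDeletion) {
    Write-Warning "$ComputerName is protected from accidental deletion; clearing the flag."
    # Equivalent to un-checking the box in Active Directory Users and Computers.
    Set-ADObject -Identity $computer.DistinguishedName -ProtectedFromAccidentalDeletion $false
} else {
    "$ComputerName is not protected from accidental deletion."
}

# 2. Who holds SeEnableDelegationPrivilege ("Enable computer and user accounts to be
#    trusted for delegation") in the Default Domain Controllers Policy?
#    The setting lives in the GPO's security template in SYSVOL.
$domain  = Get-ADDomain
$gpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # Default Domain Controllers Policy
$tmpl    = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Get-Content honours the file's BOM (GptTmpl.inf is usually UTF-16).
$line = Get-Content -Path $tmpl | Where-Object { $_ -match '^SeEnableDelegationPrivilege' } | Select-Object -First 1
if ($line) {
    # Format: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
    $sids  = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    $names = $sids | ForEach-Object {
        try { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_ }   # unresolvable SID: show it raw
    }
    "Enable computer and user accounts to be trusted for delegation is granted to: $($names -join ', ')"
    if ($names -notcontains 'BUILTIN\Administrators') {
        Write-Warning 'BUILTIN\Administrators is missing from the user right; the promoting account must be listed.'
    }
} else {
    Write-Warning 'SeEnableDelegationPrivilege is not defined in the Default Domain Controllers Policy.'
}
```

Run the script as the account that will run the wizard; if both checks come back clean and the promotion still fails, the cause lies elsewhere (DNS, replication, or the account's group membership).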
Summary
As you can see, it is the small changes that create the big problems. I never thought someone would enable the option to protect the computer object against deletion, but most of the time what you think cannot be the cause usually is. I hope this helps someone; to share your experience on the subject, please use the comments area.
Thanks for the great article. This helped me today!
Glad I could help out.
THANK YOU! No one mentions that DCPROMO.exe can’t touch accounts that are protected from deletion, and this should really be in the Microsoft docs.