Domain Controller promotion fails with “Access is denied”

Most of us have been promoting domain controllers here and there and the majority of deployments are successful, especially if your DNS infrastructure is working smoothly. But as always, there are those deployments that are problematic and eat your time for something small, as I was able to reproduce in this article form a real life environment.

I was trying to promote a new domain controller in an existing domain, and everything went great, until the wizard threw a nice error that you can see in the bellow picture.

The operation failed because:

The Active Directory Domain Services Installation Wizard (Dcpromo.exe) was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account.

Verify that the user running Dcpromo.exe is granted the “Enable computer and user accounts to be trusted for delegation” user right in the Default Domain Controllers Policy.

For more information, see the resolution section of http://go.microsoft.com/fwlink/?LinkId=178406.

The error was:

“Access is denied.”

View of the Access is denied error message when trying to promote a new domain controller in an existing domain

It got my attention with the Access is denied message, so I immediately went and checked my group membership for the account I used to run the Active Directory Domain Services Configuration Wizard. If the account is not part of the Administrators group, it is normal to fail, but everything was all right since I was using the built-in domain Administrator account.

Checking if the account used by the AD DS Configuration Wizard is part of the domain Administrators group

One other thing that crossed my mind is to check the Default Domain Controllers Policy and look at the Enable computer and user accounts to be trusted for delegation setting, as it says in the error message. So I opened up the GPO and expanded Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Right Assignments. The domain Administrators security group or the account we are using for promoting the domain controller needs to be listed in the setting I just mention in order for the domain controller promotion to work, and it was.

Checking if the domain Administrators group is trusted for delegation

After a few good minutes and a few more tries I though to check the computer object in Active Directory. Who knows? And there you have it, the problem was that the person who provided me the server, after joining it to the domain, he went and checked the Protect object from accidental deletion box which created the whole problem.

Disabling the option that caused the failure of the new domain controller promotion

After disabling the option by un-checking the box, the domain controller promotion went great with no errors whatsoever.

View of a successful domain controller promotion after solving the Access is denied issue

 

Summary

As you can see, those small changes are the ones creating the big problems. Never thought that someone will enable the option to protect the computer object against deletion, but most of the time what you think it cannot be, it usually is. I hope this helps someone, and for sharing your experience on the subject please use the comments area.

Want content like this delivered right to your

email inbox?


3 thoughts on “Domain Controller promotion fails with “Access is denied”

  • 01/09/2023 at 17:04
    Permalink

    Thanks for the great article. This help me today!

    Reply
  • 01/02/2022 at 05:05
    Permalink

    THANK YOU! No one mentions that DCPROMO.exe can’t touch accounts that are protected from deletion, and this should really be in the Microsoft docs.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

css.php