Join New Domain Controller problem

Osama Kamal

Dear All,

Could you please help me with this issue? When I join a new
domain controller to my Active Directory domain I received
this message:

( The operation failed because failed to modify the
necessary properties for the machine account "Access is
denied")

After that, a screen appears which asks me for a UserName & Password.

I'm sure the following:

1. The primary and alternate DNS of the first Active
Directory machine are configured on the new machine.

2. I log in using the Admin account, which is a member of the
Enterprise Admins group.

Thanks in advance for your quick reply.

Regards,
Osama Kamal
 
S.J.Haribabu

Hi,

Thanks for the posting. I did some research and found the following
resolution for this error message. Go through the step-by-step resolution
method.

When you try to promote a replica domain controller, you receive:

The operation failed because: Failed to modify the necessary properties for
the machine account %computername%$ "Access Denied"

The %SystemRoot%\Debug\Dcpromolog folder contains entries similar to:

MM/DD HH:MM:SS [INFO] Configuring the server account
MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for
the machine account %COMPUTERNAME%$(5)

During the promotion of a replica domain controller, the UserAccountControl
attribute for the computer you are promoting is modified to define its
role as a domain controller. The computer you are promoting tries to:

1. Perform an LDAP search against an existing domain controller for its
computer account
(ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).

2. Update the UserAccountControl attribute, indicating a change from a
member server to a domain controller.

3. Move the computer account object (CAO) from the current container or
organizational unit (OU), to the domain controller's OU of the domain.

4. Source the schema, configuration, and domain naming contexts for
replication, from domain controllers that already exist.

For steps 2 and 3 to succeed, the source domain controller used by the new
replica must have successfully replicated and applied the security policy,
as identified by Event ID 1704 in the application log, after Dcpromo has
run.

The operation failed because the "Enable computer and user accounts to be
trusted for delegation" user right, which is required to update
UserAccountControl, has not been granted. This right is granted to the
Administrators group in the Default Domain Controllers Policy.

To fix the problem:

Make sure that existing domain controllers have applied the security policy and
that the "Enable computer and user accounts to be trusted for delegation"
user right has been granted to the Administrators group (Default Domain
Controllers Policy / Computer Configuration / Windows Settings / Security
Settings / Local Policies).

If a domain controller does not have this right, confirm that GPOs have
replicated, and then manually apply the policy by typing the following
command:

secedit /refreshpolicy machine_policy

NOTE: If the Application event log contains:

Event ID 1704: Security Policy in the Group policy objects are applied
successfully.

then the GPOs have been applied.

If you're in a hurry, stop the Netlogon service on the source domain
controller that doesn't have this right, to discover another DC that does.

Also look at http://support.microsoft.com/?kbid=250874 for more
information. Hope it solves your problem.

Thanks,

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
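The answer above boils down to two checks on the source domain controller: does the Administrators group actually hold the "Enable computer and user accounts to be trusted for delegation" right (its internal constant is SeEnableDelegationPrivilege), and has the security policy been applied (Event ID 1704 from SceCli in the Application log). The PowerShell script below automates both checks; it is an added example, not code from either poster or from the KB article, and assumes an elevated PowerShell on a domain controller running Windows Server 2008 or later (Get-WinEvent is not available on the Windows 2000/2003 systems the original thread was about). The temporary export path is arbitrary.

```powershell
# Added example (not from the thread): verify the two preconditions the answer
# names before retrying the replica promotion. Run elevated on the existing DC
# that the new replica is sourcing from.

# --- 1. Who holds SeEnableDelegationPrivilege on this DC? -------------------
# "secedit /export" writes the effective user-rights assignment to an .inf
# file. SeEnableDelegationPrivilege is the constant behind the right named
# "Enable computer and user accounts to be trusted for delegation".
$cfg = Join-Path $env:TEMP 'userrights-export.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Values are written as "*S-1-5-32-544,*S-1-5-..." ; resolve each SID to a name
    # so the output is readable, keeping the raw value if translation fails.
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $id
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminsHaveRight = [bool]$line -and (
    ($line -match '\*S-1-5-32-544(,|\s|$)') -or ($holders -contains 'BUILTIN\Administrators')
)

"SeEnableDelegationPrivilege holders on $env:COMPUTERNAME:"
if ($holders.Count -gt 0) { $holders | ForEach-Object { "  $_" } } else { "  (none)" }

if ($adminsHaveRight) {
    "OK: Administrators hold the delegation right; DCPROMO can update UserAccountControl."
} else {
    Write-Warning 'Administrators do NOT hold SeEnableDelegationPrivilege on this DC.'
    # The answer's command (secedit /refreshpolicy machine_policy) is the Windows 2000
    # form; on Windows Server 2003 and later the equivalent refresh is gpupdate.
    Write-Warning 'After confirming GPO replication, run: gpupdate /target:computer /force'
}

# --- 2. Has the security policy been applied? (Event ID 1704) ---------------
# The answer uses Event 1704 in the Application log as proof that the GPO
# security settings were applied; read the most recent occurrence.
$applied = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1704 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue

if ($applied) {
    "Security policy last applied (Event ID 1704) at $($applied.TimeCreated)"
} else {
    Write-Warning 'No Event ID 1704 found; the GPO security settings may not have been applied yet.'
}
```

If the right is present on one DC but the promotion still fails, repeat the check on every DC in the site, because the new replica may be sourcing from a different DC than the one you inspected; the answer's suggestion to stop Netlogon on the offending DC is a way of forcing the replica to pick another source.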