Cannot DCPROMO server to DC -- KB232070 insufficient

[SHPainter3]

I am trying to promote a member server to be a DC and get
the following error message:

The operation failed because: Failed to modify the
necessary properties for the machine account SC300$
[member server]
"Access is denied. "

I have read and followed KB 232070 which addresses this
error message. However, the Active Directory Users and
Computer snap-in does not give me access to the Default
Domain Controllers Policy.

This notwithstanding, I have tried to set the Enable
Computer and User Accounts to be trusted for Delegation
via the Domain Policy management snap-in. I am not sure
this worked.

First question: Where can I set the Default Domain
Controllers Policy to Enable Computer and User Accounts
to be trusted for Delegation?
How can I determine this setting definitively?

Second question: If I did manage to enable the policy,
can anyone suggest other reasons why I receive this error
when I try to promote a server to DC?
Are there any other causes?

Some other notes

Current solitary DC is Win 2K SP3 (we're afraid to patch
it)
Server to be promoted is Win 2K SP4

I have been following KB 216498 to remove the
failed/partially promoted DC from the current DC.

Thanks and regards,
Steve

 

[Guest]

I'm having exactly same problem at the monent.
The only difference is that I can access my default domain
Policy snap ins and add user /group account in Enable this
computer account to be trsuted for delegation..
BUT in Short it makes no diffence still a problem. I
cannot promote any DC.
Any help from MS

 

[Paul McGuire]

If you will install the adminpak on the DC then it should give you a default
domain controller policy Icon is admin tools. Then you can access it.
After you make the change you have to force the sync of the policy. Either
reboot both servers or you can run secedit /refreshpolicy

HTH

Paul

 

[Guest]

Thank you very much for the solution. You were dead on.

Steve

-----Original Message-----
If you will install the adminpak on the DC then it should give you a default
domain controller policy Icon is admin tools. Then you can access it.
After you make the change you have to force the sync of the policy. Either
reboot both servers or you can run secedit /refreshpolicy

HTH

Paul

I am trying to promote a member server to be a DC and get
the following error message:

The operation failed because: Failed to modify the
necessary properties for the machine account SC300$
[member server]
"Access is denied. "

I have read and followed KB 232070 which addresses this
error message. However, the Active Directory Users and
Computer snap-in does not give me access to the Default
Domain Controllers Policy.

This notwithstanding, I have tried to set the Enable
Computer and User Accounts to be trusted for Delegation
via the Domain Policy management snap-in. I am not sure
this worked.

First question: Where can I set the Default Domain
Controllers Policy to Enable Computer and User Accounts
to be trusted for Delegation?
How can I determine this setting definitively?

Second question: If I did manage to enable the policy,
can anyone suggest other reasons why I receive this error
when I try to promote a server to DC?
Are there any other causes?

Some other notes

Current solitary DC is Win 2K SP3 (we're afraid to patch
it)
Server to be promoted is Win 2K SP4

I have been following KB 216498 to remove the
failed/partially promoted DC from the current DC.

Thanks and regards,
Steve

.