Could this be some help?
PSS ID Number: Q250874
Article last modified on 11-24-2000
:2000
======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
-------------------------------------------------------------------------------

SYMPTOMS
========

During Active Directory promotion of a replica domain controller, you may
receive the following error message:

   The operation failed because:
   Failed to modify the necessary properties for the machine account
   %computername%$ "Access Denied".

The %SystemRoot%\Debug\Dcpromo.log folder contains entries similar to the
following example:

   MM/DD HH:MM:SS [INFO] Configuring the server account
   MM/DD HH:MM:SS [INFO] NtdsSetReplicaMachineAccount returned 5
   MM/DD HH:MM:SS [INFO] DsRolepSetMachineAccountType returned 5
   MM/DD HH:MM:SS [INFO] Error - Failed to modify the necessary properties for the machine account %computername%$(5)

A network trace shows that the ModifyResponse frame to the LDAP ModifyRequest
frame for the UserAccountControl attribute is unsuccessful with an
"insufficient access" error message.

CAUSE
=====

One of the operations that takes place during the promotion of a replica
domain controller is the modification of the UserAccountControl attribute for
the computer you are promoting. The UserAccountControl attribute is important
for defining the role of the computer as a member server or domain controller.
Specifically, the computer you are promoting performs the following tasks:

1. Performs a Lightweight Directory Access Protocol (LDAP) search against an
   existing domain controller in the domain for its computer account
   (ObjectClass=user,ObjectClass=computer,SamAccountName=%ComputerName%$).
2. Attempts to update the UserAccountControl attribute, indicating a change
   from a member server to a domain controller.
3. Attempts to move the computer account object from the current container or
   organizational unit to the domain controller's organizational unit of the
   domain.
4. Sources the schema, configuration, and domain naming contexts for
   replication from domain controllers that already exist.

For steps 2 and 3 to succeed, the source domain controller used by the new
replica must have successfully replicated and applied the security policy.
Application of policy is identified by Event ID 1704 in the application log
after Active Directory promotion (Dcpromo) has run (look for Event 1704 being
logged after the last entry in Dcpromo.log). The specific right required to
update the UserAccountControl attribute is the "Enable computer and user
accounts to be trusted for delegation" user right, granted to the
Administrators group in the default domain controllers policy.

RESOLUTION
==========

To resolve this problem, use the appropriate method:

- Verify that the current domain controllers in the domain have applied
  security policy and the "Enable computer and user accounts to be trusted for
  delegation" user right granted to the Administrators group (click Computer
  Configuration, click Windows Settings, click Security Settings, click Local
  Policies, and then click User Rights Assignment). For computers that do not
  have this right, confirm that group policy objects in the directory service
  and file system have replicated, and then manually apply the policy by
  typing the following command:

     secedit /refreshpolicy machine_policy

  NOTE: Look for the following message in the application log to confirm the
  application of the policy:

     Event ID 1704: Security policy in the Group policy objects are applied
     successfully.

- Stop the Netlogon service on the source domain controllers that do not have
  this right applied, so that another domain controller in the domain that
  has applied this right is discovered.

- Verify that the source domain controller is in the organizational unit. The
  name of the source domain controller can be found in the hidden file called
  Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that
  you are trying to promote.

- Open a command prompt on the source domain controller, and run the
  Gpresult.exe Resource Kit utility to verify that the domain controllers
  policy is being applied to the source domain controller.

STATUS
======

Microsoft has confirmed this to be a problem in Microsoft Windows 2000.

Additional query words: fail fails failing
======================================================================
Keywords : kberrmsg kbnetwork
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbWinAdvServSearch kbWinDataServSearch
Version : :2000
Issue type : kbprb
=============================================================================
Copyright Microsoft Corporation 2000.

Regards
Jan Gustavsson

-----Original Message-----
From: Elmer Stöwer [mailto:[EMAIL PROTECTED]]
Sent: den 5 juni 2002 20:08
To: NT 2000 Discussions
Subject: RE: replication issue in 2k network

Ok, checking dcpromo.log. I deleted all entries which looked OK or were
doubled.

---
06/05 19:56:45 [INFO] Für die Domäne cyberconsult.lan mit dem Konto SOKRATES$ wird ein Domänencontroller gesucht.
06/05 19:56:46 [INFO] Der Domänencontroller platon.cyberconsult.lan für die Domäne cyberconsult.lan wurde gefunden.
06/05 19:56:46 [INFO] Der Standort Alt-Moabit wird für den Server \\platon.cyberconsult.lan verwendet.
06/05 19:56:46 [INFO] Forcing time sync
06/05 19:56:46 [INFO] Zeitsynchronisierung mit \\platon.cyberconsult.lan wird erzwungen.
06/05 19:56:46 [ERROR] Failed to get the current time on \\platon.cyberconsult.lan: 5
06/05 19:56:46 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
06/05 19:56:46 [INFO] Setting machine account to be DC
06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
06/05 19:56:46 [INFO] Searching for the machine account for SOKRATES$ on \\platon.cyberconsult.lan...
06/05 19:56:46 [INFO] Das Serverkonto wird konfiguriert.
06/05 19:56:46 [INFO] NtdsSetReplicaMachineAccount returned 5
06/05 19:56:46 [INFO] DsRolepSetMachineAccountType returned 5
06/05 19:56:46 [INFO] Error - Die erforderlichen Eigenschaften für das Computerkonto SOKRATES$ wurden nicht geändert. (5)
06/05 19:56:46 [INFO] Der Domänencontrollervorgang wurde abgeschlossen.
06/05 19:56:46 [INFO] DsRolepSetOperationDone returned 0
---

At this time I have no entries in the event log.

So, what do I learn?

Regards

> -----Original Message-----
> From: Jan Gustavsson (GIS) [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 05, 2002 7:40 AM
> To: NT 2000 Discussions
> Subject: RE: replication issue in 2k network
>
> Hi!
> Have you looked in the %SystemRoot%\Debug\Dcpromo.log file for errors?
> Do you have any errors in the event log on the old DC?
>
> Regards,
> Jan Gustavsson
>
> -----Original Message-----
> From: Elmer Stöwer [mailto:[EMAIL PROTECTED]]
> Sent: den 4 juni 2002 17:31
> To: NT 2000 Discussions
> Subject: replication issue in 2k network
>
> Hi List!
>
> I have an AD replication issue here. I cannot upgrade a new DC to the
> domain with dcpromo. I get an error message "access denied" for upgrading
> the machine ... to a DC.
>
> Single local domain, single site, two servers. Using replmon.exe to
> determine the status of replication I get the following:
>
> Directory Partition: DC=cyberconsult,DC=lan
>
> Partner Name: Alt-Moabit\PLATON
> Partner GUID: FFF5003A-7832-48CD-A5E0-9D8227C95EC0
> Last Attempted Replication: 6/4/2002 4:31:46 PM (local)
> Last Successful Replication: 5/23/2002 5:02:11 PM (local)
> Number of Failures: 3077
> Failure Reason Error Code: 8453
> Failure Description: Der Replikationszugriff wurde verweigert.
> Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
> USN of Last Property Updated: 337656
> USN of Last Object Updated: 337656
> Transport: Intra-Site RPC
>
> Change Notifications for this Directory Partition
> -------------------------------------------------
> Server Name: Alt-Moabit\PLATON
> Object GUID: DBE24D70-EE08-479C-9129-D048C1A6CD91
> Time Added: 12.02.2002 15:20:29
> Flags: DRS_WRIT_REP
> Transport: RPC
>
> "Der Replikationszugriff wurde verweigert" means "replication access was
> denied". There are no errors for other partitions or in the other
> direction.
>
> What also confuses me: under .\sysvol I have the shared .\sysvol\sysvol
> directory including the .\sysvol\sysvol\'domain_name' directory in it
> (last change 5/23/2002).
>
> But I also have an .\sysvol\domain directory with the same content as
> .\sysvol\sysvol\'domain_name'. I found a registry key from FRS which is
> pointing there.
>
> I have no idea what is going wrong... Any hints?
>
> Thank you
>
> Elmer
>
> P. S.
> Sorry for my bad English...
>
> --
> Elmer Stöwer
> System and network administration
> CyberConsult GmbH
> mailto:[EMAIL PROTECTED]
> www.cyberconsult.de
>
> ------
> You are subscribed as [EMAIL PROTECTED]
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe send a blank email to %%email.unsub%%
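As an added example that is not part of this thread or of the Microsoft article: a small Python triage of a Dcpromo.log excerpt that flags the signature Q250874 describes (both UserAccountControl-update calls returning 5, ERROR_ACCESS_DENIED) and names the source DC whose policy should be checked. The error-code mapping is standard Win32 (5 and 8453 are the two codes quoted above); the sample log lines are constructed from the excerpt quoted in the thread, and real Dcpromo.log lines are assumed to keep that layout.

```python
import re

# Win32 codes quoted in the thread: 5 comes from Dcpromo.log, 8453 from Replmon.exe.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}

# The two calls that write UserAccountControl during replica promotion. Both
# returning 5 is the signature KB Q250874 describes: the source DC has not applied
# the "Enable computer and user accounts to be trusted for delegation" right.
UAC_UPDATE_CALLS = ("NtdsSetReplicaMachineAccount", "DsRolepSetMachineAccountType")

RETURN_RE = re.compile(r"\[INFO\]\s+(\w+) returned (\d+)")
# "Searching for the machine account for X$ on \\dc..." names the source DC.
SOURCE_DC_RE = re.compile(r" on \\\\([\w.\-]+)\.\.\.")


def triage_dcpromo_log(text):
    """Return (source_dc, [(call, code), ...]) for failed account-update calls."""
    source_dc, failed = None, []
    for line in text.splitlines():
        m = SOURCE_DC_RE.search(line)
        if m:
            source_dc = m.group(1)
        m = RETURN_RE.search(line)
        if m and m.group(1) in UAC_UPDATE_CALLS and m.group(2) != "0":
            failed.append((m.group(1), int(m.group(2))))
    return source_dc, failed


def diagnosis(source_dc, failed):
    """Map the triage result onto the Q250874 cause, or report a different failure."""
    if not failed:
        return "no UserAccountControl update failure in log"
    if all(code == 5 for _, code in failed):
        dc = source_dc or "<source DC not logged>"
        return (f"{dc} refused the UserAccountControl update with ERROR_ACCESS_DENIED (5): "
                f"check the delegation user right on {dc}, run secedit /refreshpolicy "
                "machine_policy there and wait for Event ID 1704")
    codes = ", ".join(f"{c} ({WIN32_ERRORS.get(c, 'unknown')})" for _, c in failed)
    return f"account update failed with other error(s): {codes}"


# Constructed sample in the shape of the Dcpromo.log excerpt quoted in the thread.
SAMPLE_LOG = """\
06/05 19:56:46 [INFO] Searching for the machine account for SOKRATES$ on \\\\platon.cyberconsult.lan...
06/05 19:56:46 [INFO] NtdsSetReplicaMachineAccount returned 5
06/05 19:56:46 [INFO] DsRolepSetMachineAccountType returned 5
06/05 19:56:46 [INFO] DsRolepSetOperationDone returned 0
"""

if __name__ == "__main__":
    print(diagnosis(*triage_dcpromo_log(SAMPLE_LOG)))
```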
