Wondering how to resolve DCPROMO fails with error “Access is denied”? We can help you.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team resolve DCPROMO fails with error “Access is denied”.

How to resolve DCPROMO fails with error “Access is denied”?

Usually, DCPROMO promotion of a Windows Server 2008 or later version member computer to a replica domain controller (DC) fails with the following error:

Title: Windows Security
Message Text: Network Credentials
The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. “Access is denied”

Also, DCPROMO Demotion can fail with the same error:

Title: Windows Security
Message Text: Network Credentials
The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. “Access is denied”

Issue occurs if the user account use to execute DCPROMO hasn’t grant the “Enable computer and user accounts to trust for delegation” user right.

Today, let us see the steps followed by our Support Techs to resolve it:

1. Firstly, verify that the default domain controllers policy exists in Active Directory.

Then, if the domain controller policy doesn’t exist, evaluate whether that condition is because of simple replication latency, an Active Directory replication failure or whether the policy has delete from Active Directory.

If the policy has been deleted, contact Microsoft Support to recreate the missing policy with the default policy GUID.

2. Next, verify that the server account is not protected from accidental deletion.

3. Then, verify that the user account does the DCPROMO operation has grant the “Enable computer and user accounts to trust for delegation” user right in the default domain controllers policy.

4. Then, verify that the default domain controllers policy is link to the domain controllers OU and that all DC machine accounts stay in that OU.

5. Next, verify that the file system portion of default domain controllers policy exists in the SYSVOL share of the DC  used to apply policy on the computer promote or demote.

6. Finally, the default domain policy or policy in general isn’t applying to the log on user

To check for policy inheritance, WMI filtering or security descriptor problem that may prevent policy from applying.

Run the following command:

gpresult /h result.html

[Looking for a solution to another query? We are just a click away.]

Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated how to resolve DCPROMO fails with error “Access is denied”.