
Tuesday, December 06, 2011

Active Directory Installation Wizard was Unable to Convert the Computer Account to A Domain Controller Account, Access is denied


Today I tried to create a new domain controller at my office, and I got an "Access is denied" error when the wizard reached the step of replicating the configuration container. I was so confused and searched for how to solve this problem.



Here is the error that always appears when I try to enter the credentials password of the domain admin.

There are several reasons why you may receive an "Access Denied" error message while using the Active Directory Installation Wizard. All have to do with permissions on the files or file structures that are necessary for the installation and service of a domain controller.

How to troubleshoot "Access Denied" error messages in the Active Directory Installation Wizard:
  • Make sure the permissions on Ntds.dit, which is located in the Windows\NTDS folder, are correct.
Windows\NTDS\Ntds.dit
BUILTIN\Users:          Read [RX]
BUILTIN\Power Users:    Read [RX]
BUILTIN\Administrators: Full Control [ALL]
NT AUTHORITY\SYSTEM:    Full Control [ALL]
Everyone:               Read [RX]
  • Verify the folder permissions on the Windows\System32\Ntds and Windows\System32\Ntds\Drop folders if they still exist. If permissions were changed, the error message might be caused by the folder permissions. Delete the original Ntds folder structure before running the Active Directory Installation Wizard. Change the folder permissions to match the following:
%SystemRoot%\Ntds
BUILTIN\Users:          Special Access [RX]
BUILTIN\Power Users:    Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM:    Special Access [A]
CREATOR OWNER:          Special Access [A]

%SystemRoot%\Ntds\Drop
BUILTIN\Users:          Special Access [RX]
BUILTIN\Power Users:    Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM:    Special Access [A]
CREATOR OWNER:          Special Access [A]
  • Check the security policy on the current domain controller and make sure the "Enable computer and user accounts to be trusted for delegation" user right is granted to administrator groups such as Administrators and Domain Admins.
  • Make sure that the source domain controller is in the Domain Controllers OU. The name of the source domain controller can be found in the Dcpromo.log file in the %Systemroot%\debug folder.
  • Verify that the Default Domain Controllers policy is being applied to the source domain controller by running the Gpresult.exe Resource Kit tool from a command prompt on the source domain controller.
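
The first check in the list above can be scripted. This PowerShell sketch is an added example, not part of the original post; it compares the ACL on Ntds.dit with the listed entries, and the function name and the mapping of [RX] to ReadAndExecute and [ALL] to FullControl are assumptions.

```powershell
# Expected entries copied from the Ntds.dit list above.
# Assumption: [RX] maps to ReadAndExecute and [ALL] to FullControl.
$expected = [ordered]@{
    'BUILTIN\Users'          = 'ReadAndExecute'
    'BUILTIN\Power Users'    = 'ReadAndExecute'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'Everyone'               = 'ReadAndExecute'
}

# Hypothetical helper: one result row per expected identity, plus any Deny ACE.
function Compare-ExpectedAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    $rightsType = [System.Security.AccessControl.FileSystemRights]
    # Synchronize is implied on most file ACEs, so it is ignored when looking for extras.
    $sync = [int] [System.Security.AccessControl.FileSystemRights]::Synchronize
    $aces = @((Get-Acl -LiteralPath $Path -ErrorAction Stop).Access)

    foreach ($name in $Expected.Keys) {
        $want  = [int] ($Expected[$name] -as $rightsType)
        $allow = @($aces | Where-Object {
            $_.IdentityReference.Value -eq $name -and $_.AccessControlType -eq 'Allow'
        })
        # Combine every Allow ACE for this identity. Work on integers because
        # generic-right ACEs do not always cast cleanly back to the enum.
        $have = 0
        foreach ($ace in $allow) { $have = $have -bor [int] $ace.FileSystemRights }

        $status = if ($allow.Count -eq 0) { 'No allow ACE' }
                  elseif ($want -band (-bnot $have)) { 'Narrower than listed' }
                  elseif (($have -band (-bnot $sync)) -band (-bnot $want)) { 'Broader than listed' }
                  else { 'OK' }
        [pscustomobject]@{
            Identity = $name; Expected = $Expected[$name]
            Actual   = ('0x{0:X}' -f $have); Status = $status
        }
    }
    # The list above contains no Deny entries, so report any that are present.
    foreach ($ace in $aces | Where-Object { $_.AccessControlType -eq 'Deny' }) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value; Expected = '(none)'
            Actual   = ('0x{0:X}' -f [int] $ace.FileSystemRights); Status = 'Deny ACE present'
        }
    }
}

Compare-ExpectedAcl -Path (Join-Path $env:SystemRoot 'NTDS\Ntds.dit') -Expected $expected |
    Format-Table -AutoSize
```

Run it from an elevated prompt. The identity names match only on an English-language installation.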

Copyright © 2017 Xiu's Blog | All Rights Reserved.