"Access Is Denied" Error Message When Running Dcpromo (258703)

SYMPTOMS

When you are upgrading a Microsoft Windows NT 4.0-based domain controller to a Windows 2000-based domain controller, during the Active Directory promotion, you may receive an "Access is denied" error message.

When this occurs, the following event is logged in the System log:

Event ID:5721
The session setup to the Windows NT or Windows 2000 Domain Controller for the domain domainname failed because the Domain Controller does not have an account for the computer computername.

The %SystemRoot%\Debug\Dcpromolog folder contains entries similar to the following example:

MM/DD HH:MM:SS [INFO] Stopping service NETLOGON
MM/DD HH:MM:SS [INFO] Stopping service NETLOGON
MM/DD HH:MM:SS [INFO] Configuring service NETLOGON to 1 returned 0
MM/DD HH:MM:SS [INFO] Creating the System Volume C:\WINNT\SYSVOL
MM/DD HH:MM:SS [INFO] Deleting current sysvol path C:\WINNT\SYSVOL
MM/DD HH:MM:SS [INFO] Preparing for system volume replication using root C:\WINNT\SYSVOL
MM/DD HH:MM:SS [INFO] DsRolepInstallDs returned 5
MM/DD HH:MM:SS [ERROR] Failed to install the directory service (5)
MM/DD HH:MM:SS [INFO] Starting service NETLOGON
MM/DD HH:MM:SS [INFO] Configuring service NETLOGON to 2 returned 0
MM/DD HH:MM:SS [INFO] The attempted domain controller operation has completed
MM/DD HH:MM:SS [INFO] DsRolepSetOperationDone returned 0

CAUSE

This problem occurs during promotion if the Active directory database is moved to a folder on which the Administrator account does not have sufficient permissions.

For example, during promotion, the database location may be moved from the default location of C:\Winnt\Ntds to C:\Ntds. The administrator has only Read permission on the Ntds folder. Administrators need to have Full Control NTFS permissions on the new location to perform this operation.

"Access Is Denied" Error Message When Running Dcpromo (258703)

SYMPTOMS

CAUSE

RESOLUTION