MPECS Inc. Blog: DCPromo Error - Unable to convert computer account NewDC$

Tuesday, 21 October 2008

DCPromo Error - Unable to convert computer account NewDC$

We are facilitating a Swing Migration in the Eastern US for a new client by providing phone support and feedback to the local I.T. professional who is doing the actual Swing.

When promoting a domain controller into the existing SBS domain they received the following error:

Operation Failed
Active Directory Wizard was unable to convert the computer account NewDC$ to a domain controller account. Access denied.

We have not encountered this error on any of the Swings we have done to date.

A quick search turned up the problem:

Microsoft KB 232070: When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied." error message.

Working with the I.T. professional we discovered that the policy setting for Enable computer and user accounts to be trusted for delegation was blank.

This is what the policy setting in the Default Domain Controllers GPO should be out of the box on one of our SBS domains:

Enable computer and user accounts to be trusted for delegation

Now, something to keep in mind when making any changes to these types of policy settings: Do not click the Add User or Group button and type the name of a user or group then click the OK button.

Take an extra step or two to make sure that the proper Active Directory object is selected:

Click the Add User or Group button.
Click the Browse button.
Type the name of the user or group. In this case we will use administrators.
Click the Check Names button.
A successful query will underline your user or group thus confirming the correct object is selected. Any other possibilities and you will get a "Which one do you want" type prompt.
Click OK.
Click OK.
Click Apply and OK.
Click Start --> Run --> GPUpdate /Force [Enter]
Check the SBS App Log for the SceCli information Event ID 1704 indicating a successful replication.

You can then rerun DCPromo on the problematic server. Make sure that Windows Firewall service is disabled on the soon to be DC!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

5 comments:

Anonymous said...: life saver, thank you!!; 21 January, 2009 13:25
Anonymous said...: Thanks! I was very helpful!!!; 16 February, 2009 12:38
Unknown said...: Followed these instructions and worked! Just remember to allow replication across entire network which can take an hour or two if you have remote sites in other countries!; 16 March, 2010 08:15
Unknown said...: Worked! Remember to allow for replication though. If you have remote servers in foreign countries like I do that can take over an hour!; 16 March, 2010 08:15
Anonymous said...: No help for me but I solved my issue by unchecking "Protect object from accidental deletion" in the properties of computer account; 04 June, 2016 02:11