There are several reasons why you might receive an "Access Denied" error message while using the Active Directory Installation Wizard. All have to do with permissions on the files or file structures that are necessary for the installation and service of a domain controller.

Procedure DRX.4: To troubleshoot "Access Denied" error messages

  1. Verify file permissions to make sure they are correct. Verify that the default Ntds.dit file permissions in the System32 folder are as follows:

    System32\Ntds.dit 
    BUILTIN\Users: Read [RX] 
    BUILTIN\Power Users: Read [RX] 
    BUILTIN\Administrators: Full Control [ALL] 
    NT AUTHORITY\SYSTEM: Full Control [ALL] 
    Everyone: Read [RX]
    
  2. Verify folder permissions. If Active Directory was previously removed and now you are installing it again, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If permissions were changed, the error message might be caused by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running the Active Directory Installation Wizard. Or, you can change the folder permissions to match the following:

    %SystemRoot%\Ntds 
    BUILTIN\Users: Special Access [RX] 
    BUILTIN\Power Users: Special Access [RWXD] 
    BUILTIN\Administrators: Special Access [A] 
    NT AUTHORITY\SYSTEM: Special Access [A] 
    CREATOR OWNER: Special Access [A] 
    %SystemRoot%\Ntds\Drop 
    BUILTIN\Users: Special Access [RX] 
    BUILTIN\Power Users: Special Access [RWXD] 
    BUILTIN\Administrators: Special Access [A] 
    NT AUTHORITY\SYSTEM: Special Access [A] 
    CREATOR OWNER: Special Access [A]
    
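The following PowerShell script is an added example and is not part of the original article. It reads the ACL of the three locations named in steps 1 and 2 with Get-Acl and reports any identity that is missing, carries more rights than the tables above list, or is not in the table at all. The mapping of the article's shorthand (RX, RWXD, A, ALL) to FileSystemRights values is an assumption made here; the paths and identity names are the ones the article gives.

```powershell
# Added example (not from the original article): compare the ACLs of the
# Active Directory database locations against the documented defaults.
# The shorthand-to-rights mapping below is an assumption; "Synchronize" is
# ignored because it is set on almost every Allow entry.
$Shorthand = @{
    'RX'   = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
    'RWXD' = [int][System.Security.AccessControl.FileSystemRights]'Modify'
    'A'    = [int][System.Security.AccessControl.FileSystemRights]'FullControl'
    'ALL'  = [int][System.Security.AccessControl.FileSystemRights]'FullControl'
}
$Sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-NtdsAcl {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected   # identity -> shorthand
    )
    $findings = @()
    $actual   = @{}   # identity -> accumulated Allow rights (int), explicit and inherited
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') {
            $findings += "DENY entry present for $($ace.IdentityReference): $($ace.FileSystemRights)"
            continue
        }
        $id = $ace.IdentityReference.Value
        if ($actual.ContainsKey($id)) { $actual[$id] = $actual[$id] -bor [int]$ace.FileSystemRights }
        else                          { $actual[$id] = [int]$ace.FileSystemRights }
    }
    foreach ($id in $Expected.Keys) {
        $want = $Shorthand[$Expected[$id]]
        if (-not $actual.ContainsKey($id)) { $findings += "MISSING: $id should have $($Expected[$id])"; continue }
        $have = $actual[$id]
        $haveName = [System.Security.AccessControl.FileSystemRights]$have
        if (($have -band $want) -ne $want) { $findings += "TOO FEW: $id has $haveName, expected $($Expected[$id])" }
        # Any Allow bit beyond the expected set (other than Synchronize) is over-permissive.
        $extra = ($have -band (-bnot $want)) -band (-bnot $Sync)
        if ($extra -ne 0) { $findings += "EXTRA: $id has $haveName, expected $($Expected[$id])" }
    }
    foreach ($id in $actual.Keys) {
        if (-not $Expected.ContainsKey($id)) {
            $findings += "UNEXPECTED: $id has $([System.Security.AccessControl.FileSystemRights]$actual[$id])"
        }
    }
    return $findings
}

# Expected entries, transcribed from the tables in steps 1 and 2.
$expectedDit = @{
    'BUILTIN\Users' = 'RX'; 'BUILTIN\Power Users' = 'RX'
    'BUILTIN\Administrators' = 'ALL'; 'NT AUTHORITY\SYSTEM' = 'ALL'; 'Everyone' = 'RX'
}
$expectedNtds = @{
    'BUILTIN\Users' = 'RX'; 'BUILTIN\Power Users' = 'RWXD'
    'BUILTIN\Administrators' = 'A'; 'NT AUTHORITY\SYSTEM' = 'A'; 'CREATOR OWNER' = 'A'
}
$checks = @(
    @{ Path = "$env:SystemRoot\System32\Ntds.dit"; Expected = $expectedDit  },
    @{ Path = "$env:SystemRoot\Ntds";              Expected = $expectedNtds },
    @{ Path = "$env:SystemRoot\Ntds\Drop";         Expected = $expectedNtds }
)
foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { Write-Output "$($c.Path): not present (nothing to check)"; continue }
    $result = @(Test-NtdsAcl -Path $c.Path -Expected $c.Expected)
    if ($result.Count -eq 0) { Write-Output "$($c.Path): permissions match the documented defaults" }
    else { $result | ForEach-Object { Write-Output "$($c.Path): $_" } }
}
```

Run it from an elevated prompt on the server you are about to promote. A "not present" line for the Ntds folders is normal on a server that has never hosted Active Directory; on a server being re-promoted, any EXTRA, MISSING or DENY line points at the permissions step 2 tells you to delete or correct.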
  3. Verify that the current domain controllers in the domain have applied security policy and that the Enable computer and user accounts to be trusted for delegation user right is granted to the Administrators group.

    • In the Group Policy snap-in, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
    • For computers that do not have this right, confirm that Group Policy objects in the directory service and file system have replicated by looking for event ID 1704 in the application event log, and then manually apply the policy by typing the following command:
      secedit /refreshpolicy machine_policy
      
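The PowerShell below is an added example, not part of the original article, for the two checks in step 3: whether security policy has been applied on a domain controller (the most recent event ID 1704 in the Application log) and whether the delegation right is held by Administrators. It assumes the right appears in the exported security template as SeEnableDelegationPrivilege under [Privilege Rights], which is how secedit names it; the event ID is the one the article gives.

```powershell
# Added example (not from the original article). Assumptions: the user right
# is exported by secedit as SeEnableDelegationPrivilege, and secedit's
# /areas USER_RIGHTS switch limits the export to the [Privilege Rights] section.

function Get-LastSecurityPolicyApplied {
    # Most recent event 1704 in the Application log; $null if policy was never applied.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1704 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
}

function Get-PrivilegeHolders {
    param([Parameter(Mandatory)][string] $Privilege)
    # Export the effective local security policy to a temporary INF and read the
    # requested right. Values are comma-separated, SIDs are prefixed with '*'.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" }
        if (-not $line) { return @() }
        $ids = (($line | Select-Object -First 1) -split '=', 2)[1].Trim() -split ','
        foreach ($raw in $ids) {
            $id = $raw.Trim()
            if ($id.StartsWith('*')) {
                # Translate the SID to an account name; fall back to the SID string.
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $id.Substring(1) }
            } else { $id }
        }
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

$lastApplied = Get-LastSecurityPolicyApplied
if ($lastApplied) { Write-Output "Security policy last applied (event 1704): $($lastApplied.TimeCreated)" }
else              { Write-Output "No event 1704 found: security policy has not been applied on this computer" }

$holders = @(Get-PrivilegeHolders -Privilege 'SeEnableDelegationPrivilege')
if ($holders -contains 'BUILTIN\Administrators') {
    Write-Output "Administrators hold 'Enable computer and user accounts to be trusted for delegation'"
} else {
    Write-Output "Administrators do NOT hold the delegation right (current holders: $($holders -join ', '))"
}
```

Run it on each existing domain controller. A missing 1704 event or a holders list without BUILTIN\Administrators is the condition under which step 3 tells you to refresh machine policy manually; the secedit /refreshpolicy syntax in the article is the Windows 2000 form, and on Windows Server 2003 and later the equivalent refresh is gpupdate /target:computer.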
  4. Use a Dcpromo answer file to source the promotion from a specific domain controller. Search the Microsoft Knowledge Base for article 223757: Unattended promotion and demotion of Windows 2000 and Windows Server 2003 domain controllers. Use the ReplicationSourceDC parameter in the answer file. (For more information, see the TechNet article Create an answer file for domain controller installation.)
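As an added example (not from the original article or the Knowledge Base article it cites), the PowerShell below writes a minimal replica-promotion answer file that pins the replication source with ReplicationSourceDC. Only ReplicationSourceDC is named on this page; the other [DCINSTALL] keys are from the dcpromo answer-file format, and the domain, host names and credential values are placeholders you must replace.

```powershell
# Added example (not from the original article). Placeholder values are marked
# with angle brackets; the [DCINSTALL] keys other than ReplicationSourceDC are
# from the dcpromo unattended-installation format rather than from this page.
$answerFile = Join-Path $env:SystemRoot 'Temp\dcpromo-replica.txt'

$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=<corp.example.com>
ReplicationSourceDC=<dc01.corp.example.com>
SiteName=<Default-First-Site-Name>
DatabasePath=%SystemRoot%\Ntds
LogPath=%SystemRoot%\Ntds
SYSVOLPath=%SystemRoot%\Sysvol
UserDomain=<corp.example.com>
UserName=<account with permission to add a domain controller>
Password=<password>
SafeModeAdminPassword=<DSRM password>
RebootOnSuccess=Yes
"@

# Write the file, then lock it to Administrators and SYSTEM because it holds credentials.
Set-Content -LiteralPath $answerFile -Value $answer -Encoding ASCII
& icacls.exe $answerFile /inheritance:r /grant 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

Write-Output "Answer file written to $answerFile"
Write-Output "Promote with:  dcpromo /answer:$answerFile"
Write-Output "Delete the file once the promotion has completed."
```

Pinning ReplicationSourceDC makes the promotion reproducible: if the "Access Denied" error follows a particular source, the Dcpromo.log named in step 5 will show that server, and steps 5 and 6 can then be applied to it directly.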

  5. Verify that the source domain controller is in the Domain Controllers organizational unit. The name of the source domain controller can be found in the Dcpromo.log file in the %SystemRoot%\debug folder on the server running Windows Server 2003 that you are trying to promote.

  6. Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit tool to verify that the Default Domain Controllers policy is being applied to the source domain controller.