You get one of the two error messages decribed beneath.
The promotion operation has not been assigned the "Delegation Privilege" right or the policy has not been propagated yet.
You get one of the following error messages during the creation of a Replica Domain Controller:
Message 1: Failed to modify the necessary properties for the machine account. Access is denied.
Message 2: Error - The Active Directory Installation Wizard was unable to convert the computer account <Computer Name>$ to a domain controller account. (5)
The cause of the error messages is that the promotion operation has not been assigned the "Delegation Privilege" right (only members of the Administrators group have the "Delegation Privilege" rights) or the policy has not been propagated yet.
To solve the problem you can:
If the correct rights are missing: Use an account in the Adminsitrators group or add the used account to the Administrators grou.
If the policy has not been propagated correctly: At a command prompt type "secedit /refreshpoliciy machine_policy /enforce" or open the Sites and Services snap-in and use "Replcicate now".
About the Author
Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux in different European countries and different European languages. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform where he is one of the most important contributors and the main developer.