Got a question from a friend about a weird problem when trying to promote a 2012R2 Domain Controller.
The error is in the prereq test before promoting:
Verification of outbound replication failed. Error reading the NTDS settings on replication source domain controller 2k3dc.secid.local. Domain Controller data not found for the specified Active Directory domain controller.
I was also told that 2k3DC was only a member of the Domain Users group. That is not easy to change in the ADUC tool (the Member Of tab of the computer object), so something weird was going on.
From DCDIAG.EXE I got the following info:
Starting test: MachineAccount
The account 2K3DC is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of 2K3DC is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... 2K3DC failed test MachineAccount
Indeed, as the message says, it could affect replication, and it did 🙂
In ADSI Edit we can connect to the Default Naming Context, open the properties of the computer object, and see that the userAccountControl attribute has the hex value 0x81000 = (WORKSTATION_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION). The SERVER_TRUST_ACCOUNT bit (0x2000) that marks a DC account is missing, which is exactly what DCDIAG complained about.
A common problem when a computer account is prestaged is that the DC ends up with this value instead: 0x82020 = (UF_PASSWD_NOTREQD|UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION).
So how do we solve it? If you read KB305144:
These are the default UserAccountControl values for certain objects:
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)
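To make the DCDIAG reasoning concrete, here is an added Python example (my own code, not from the post or from any Microsoft tool) that decodes a userAccountControl value into its UF_* bits and reports why a value such as 0x81000 fails the MachineAccount test. The flag constants are the documented KB305144 values; fix_dc_uac is a hypothetical helper that only computes what the corrected value would be.

```python
# Added example (not from the original post): decode userAccountControl the
# way dcdiag's MachineAccount test reasons about it, and explain why a given
# computer object is or is not a usable DC account. UF_* bits per KB305144.
UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0040: "UF_PASSWD_CANT_CHANGE",
    0x0080: "UF_ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWORD",
    0x40000: "UF_SMARTCARD_REQUIRED",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED",
    0x400000: "UF_DONT_REQ_PREAUTH",
    0x1000000: "UF_TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "UF_PARTIAL_SECRETS_ACCOUNT",
}

def decode_uac(value):
    """Return the UF_* names set in value, lowest bit first."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]

def check_dc_account(value):
    """Mimic the dcdiag MachineAccount reasoning: list problems for a DC."""
    problems = []
    if not value & 0x2000:
        problems.append("missing UF_SERVER_TRUST_ACCOUNT: not a DC account, cannot replicate")
    if value & 0x1000:
        problems.append("UF_WORKSTATION_TRUST_ACCOUNT set: object is typed as a workstation")
    if value & 0x0020:
        problems.append("UF_PASSWD_NOTREQD set: leftover from prestaging, clear it")
    if value & 0x0002:
        problems.append("UF_ACCOUNTDISABLE set")
    return problems

def fix_dc_uac(value):
    """Hypothetical helper: clear the workstation/passwd-notreqd bits, set the DC bits."""
    return (value & ~(0x1000 | 0x0020)) | 0x2000 | 0x80000

if __name__ == "__main__":
    # The three values discussed in the post: broken, prestaged, and default DC.
    for uac in (0x81000, 0x82020, 0x82000):
        print(hex(uac), decode_uac(uac), check_dc_account(uac))
```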