Cannot enable computer and user accounts to be trusted for delegation

Brandon Fogliano 136 Reputation points
2022-02-02T15:42:52.563+00:00

I have been reading for days and followed every link that came up in the suggestions above and nothing is working. I am trying to add a domain controller to my environment. I have gotten to the point where I believe it is because I need the "enable computer and user accounts to be trusted for delegation" user right. The problem is nothing I do will enable it. Here is what I've tried:

Made sure the Default Domain Controller Policy is linked and enforced on the OU
Verified that the user right for delegation includes the Administrators group and the administrator account
Tried adding another user that is a domain admin and in admin group
Set the local security policy to have the admin, admin group and 3rd user
Logged in under 3rd user, ran whoami from elevated prompt

Ran gpupdate /force
Ran whoami /all

No matter what I do, the state stays disabled and I cannot add my DC to the domain. I did install the 5010215 update a while back; could this be causing an issue, as I saw other people saying 5008012 was causing issues?


Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2022-02-03T21:48:20.04+00:00

    Hi Brandon,

    Doesn't give us much. As the first error is the delegation error, I think we should check that one first.

    As per this article, the issue might be permissions on the computer object of the new DC. Can you do an effective permissions check using the ADUC security dialog to confirm that your account has rights to change the userAccountControl attribute? I would check a computer object in the Computers container and a DC computer object in the Domain Controllers OU.

    Also check the permissions on the Domain Controllers OU for any Deny permissions which might apply to your user.

    It might be worth moving the computer object of the new DC to the Domain Controllers OU first and trying the dcpromo again.

    Gary.
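The effective-permissions check described in the accepted answer can be scripted instead of clicked through in the ADUC security dialog. The following is an added example, not code from the thread or from Microsoft; it requires the RSAT ActiveDirectory module, and the computer name `NEWDC01` is a placeholder. It lists every ACE on the computer object that grants or denies WriteProperty on the userAccountControl attribute (the attribute dcpromo has to modify to set the trusted-for-delegation bit), and every Deny ACE on the Domain Controllers OU, which is where a blocking entry would hide.

```powershell
# Added example (not from the original thread). Lists the ACEs on a computer object
# that grant or deny WriteProperty on userAccountControl, and any Deny ACEs on the
# Domain Controllers OU. Requires the RSAT ActiveDirectory module and an account that
# can read the objects' security descriptors. 'NEWDC01' below is a placeholder.
Import-Module ActiveDirectory

function Get-UacWriteAces {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Resolve the schemaIDGUID of userAccountControl from the schema instead of hard-coding it;
    # object-specific ACEs reference the attribute by this GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
    $uacGuid  = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID)

    $computer = Get-ADComputer -Identity $ComputerName
    $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    # An ACE covers userAccountControl if it names that attribute explicitly, or if it is a
    # blanket property write (ObjectType = empty GUID, as with GenericAll / GenericWrite).
    $acl.Access | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $uacGuid)
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $uacGuid) { 'userAccountControl' } else { 'all properties' } } }
}

function Get-DcOuDenyAces {
    # Deny ACEs on the OU are inherited by the DC computer objects and win over any Allow.
    $dcOu = "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$dcOu").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
}

# Usage: run once against the new DC's object and once against an existing DC's object,
# then compare the IdentityReference column with 'whoami /groups' for the promoting account.
Get-UacWriteAces -ComputerName 'NEWDC01' | Format-Table -AutoSize
Get-DcOuDenyAces | Format-Table -AutoSize
```

The script does not expand nested group membership for you; match the listed identities against the group SIDs in the promoting account's `whoami /groups` output, and treat any Deny row that matches as the first thing to remove.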


9 additional answers

  1. Gary Reynolds 9,621 Reputation points
    2022-02-03T06:58:36.693+00:00

    Hi @Brandon Fogliano

    The "Enable computer and user accounts to be trusted for delegation" right is normally allocated to Administrators by default; however, this can be changed using GPOs or the Local Security Policy editor. You can use secpol.msc to confirm that the right has been assigned to Administrators.

    [screenshot: secpol.msc]

    When this right is assigned to a user, by default it is disabled; the right is typically enabled by the application as and when it is required. If you can see the privilege listed in the whoami /priv output, then the user has the required right. You will need to run the whoami command from a command prompt started with "Run as administrator".

    [screenshot: whoami /priv]

    If it's listed, then DCPromo should be able to request this right when it runs.

    You can confirm whether a process is able to request the right by using the NetTools User Rights option, which provides the ability to enable rights; you will need to start NetTools with "Run as administrator".

    [screenshot: NetTools User Rights]

    Gary.
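The two checks in the answer above (is the privilege in my token, and who is it assigned to in policy) can be done from PowerShell without eyeballing secpol.msc and whoami. This is an added example, not code from the thread or from NetTools; it uses only `whoami /priv` and `secedit /export`, and the privilege name is the constant `SeEnableDelegationPrivilege` behind "Enable computer and user accounts to be trusted for delegation". Because the trusted-for-delegation bit is written to the computer account in AD, the DC that receives the write is the one that evaluates this user right, so run the policy check on an existing DC (where the Default Domain Controllers Policy applies) as well as on the server being promoted.

```powershell
# Added example (not from the original thread). Checks SeEnableDelegationPrivilege
# ("Enable computer and user accounts to be trusted for delegation") two ways:
#   1. whether the current token holds it (same data as 'whoami /priv');
#   2. which principals the local security database assigns it to (via secedit).
# Run from an elevated prompt; a non-elevated token is filtered and will not show it.
$PrivilegeName = 'SeEnableDelegationPrivilege'

function Test-TokenPrivilege {
    param([string] $Name = $PrivilegeName)
    # A privilege that is present but "Disabled" is fine: the caller enables it when needed.
    # Absent entirely means the token does not have the right at all.
    $line = whoami /priv | Where-Object { $_ -match "^$Name\s" } | Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Privilege = $Name; Present = $false; State = $null }
    }
    [pscustomobject]@{ Privilege = $Name; Present = $true; State = ($line -split '\s+')[-1] }
}

function Get-PrivilegeAssignment {
    param([string] $Name = $PrivilegeName)
    # secedit writes a UTF-16 .inf whose User Rights section contains lines such as
    #   SeEnableDelegationPrivilege = *S-1-5-32-544
    # Entries prefixed with '*' are SIDs; anything else is an account name.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match "^$Name\s*=" } | Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $resolved = '(unresolved)' }
                [pscustomobject]@{ Principal = $resolved; Sid = $sid.Value }
            } else {
                [pscustomobject]@{ Principal = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: expect Present = $true (State may be Disabled) and Administrators (S-1-5-32-544)
# in the assignment list on a default build.
Test-TokenPrivilege
Get-PrivilegeAssignment | Format-Table -AutoSize
```

If `Test-TokenPrivilege` reports the right as absent even though `Get-PrivilegeAssignment` lists a group you belong to, the session was opened before the group membership or policy change took effect: log off and back on, since a token's group and privilege list is built at logon, not refreshed by gpupdate.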


  2. Limitless Technology 39,926 Reputation points
    2022-02-03T08:17:41.757+00:00

    Hello BrandonFogliano,

    In these situations, the recommendation is to decommission the server and reinstall. Then restart the promotion process. In most cases, one single step was missing or didn't apply correctly, and that causes the further process to fail. Reinstalling will save you countless hours of backtracking steps.

    I can recommend the next guide to add additional domain controllers to your domain: https://social.technet.microsoft.com/wiki/contents/articles/8630.active-directory-step-by-step-guide-to-install-an-additional-domain-controller-using-ifm.aspx




  3. Brandon Fogliano 136 Reputation points
    2022-02-03T18:23:40.553+00:00

    OK, I took the approach of doing both of your ideas. First, with NetTools I was able to see that the permission gets set to Enabled for the delegation. I completely removed the AD role and rebooted the VM. I did the IFM method, which is cool, but once I get to the part of installing the AD from the media it fails even faster. I get this message at the pre-failure screen:

    [screenshot: pre-failure screen]

    Then here is the error screen

    [screenshot: error screen]

    I really hope this helps; I've never had this hard a time adding a DC. The other thing that is interesting is that after trying to run the media, if I go back and look in the Active Directory folder in the media, the .dit file is now gone, like it's being deleted.


  4. Brandon Fogliano 136 Reputation points
    2022-02-03T18:27:28.283+00:00

    I have also noticed that after the failed installation of Active Directory the new server is removed from DNS and I have to re-register it. What the heck is going on?
