Event ID 12305 — Well-Known Account Upgrade
Applies To: Windows Server 2008
When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.
Event Details
Field | Value |
---|---|
Product: | Windows Operating System |
ID: | 12305 |
Source: | SAM |
Version: | 6.0 |
Symbolic Name: | SAMMSG_PDC_TASK_FAILURE |
Message: | An error occured while creating new default accounts for this domain. This may be due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists. |
Resolve
Check event logs in an hour to see if the problem persists
The Security Accounts Manager (SAM) was not able to create a well-known account as a result of a computer resource error. The account name and resource error are in the Event Viewer event text. The SAM will attempt to create the account again in about an hour. If this error is reported a second time, review other entries in Event Viewer that may explain the resource issue, and then resolve the issue appropriately.
Verify
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.
To verify that the well-known accounts exist:
1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Type `dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt`, and press ENTER. The first 44 accounts in the directory are copied to a text file.
3. Type `notepad wellknownaccounts.txt` and press ENTER. The file opens in Notepad.
4. Check the entries in the list against the following table.
In the following table, dSID represents the unique group of digits that forms the domain's security identifier (SID), and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named adatum.com, the LDAP path is DC=adatum,DC=com.
Well-known security identifiers and accounts
objectsid | distinguishedname |
---|---|
S-1-5-4 | CN=S-1-5-4,CN=ForeignSecurityPrincipals,dpath |
S-1-5-9 | CN=S-1-5-9,CN=ForeignSecurityPrincipals,dpath |
S-1-5-11 | CN=S-1-5-11,CN=ForeignSecurityPrincipals,dpath |
S-1-5-17 | CN=S-1-5-17,CN=ForeignSecurityPrincipals,dpath |
S-1-5-32 | CN=Builtin,dpath |
S-1-5-32-544 | CN=Administrators,CN=Builtin,dpath |
S-1-5-32-545 | CN=Users,CN=Builtin,dpath |
S-1-5-32-546 | CN=Guests,CN=Builtin,dpath |
S-1-5-32-548 | CN=Account Operators,CN=Builtin,dpath |
S-1-5-32-549 | CN=Server Operators,CN=Builtin,dpath |
S-1-5-32-550 | CN=Print Operators,CN=Builtin,dpath |
S-1-5-32-551 | CN=Backup Operators,CN=Builtin,dpath |
S-1-5-32-552 | CN=Replicator,CN=Builtin,dpath |
S-1-5-32-554 | CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath |
S-1-5-32-555 | CN=Remote Desktop Users,CN=Builtin,dpath |
S-1-5-32-556 | CN=Network Configuration Operators,CN=Builtin,dpath |
S-1-5-32-557 | CN=Incoming Forest Trust Builders,CN=Builtin,dpath |
S-1-5-32-558 | CN=Performance Monitor Users,CN=Builtin,dpath |
S-1-5-32-559 | CN=Performance Log Users,CN=Builtin,dpath |
S-1-5-32-560 | CN=Windows Authorization Access Group,CN=Builtin,dpath |
S-1-5-32-561 | CN=Terminal Server License Servers,CN=Builtin,dpath |
S-1-5-32-562 | CN=Distributed COM Users,CN=Builtin,dpath |
S-1-5-32-568 | CN=IIS_IUSRS,CN=Builtin,dpath |
S-1-5-32-569 | CN=Cryptographic Operators,CN=Builtin,dpath |
S-1-5-32-573 | CN=Event Log Readers,CN=Builtin,dpath |
S-1-5-32-574 | CN=Certificate Service DCOM Access,CN=Builtin,dpath |
S-1-5-21-dSID | dpath |
S-1-5-21-dSID-498 | CN=Enterprise Read-only Domain Controllers,CN=Users,dpath |
S-1-5-21-dSID-500 | CN=Administrator,CN=Users,dpath |
S-1-5-21-dSID-501 | CN=Guest,CN=Users,dpath |
S-1-5-21-dSID-502 | CN=krbtgt,CN=Users,dpath |
S-1-5-21-dSID-512 | CN=Domain Admins,CN=Users,dpath |
S-1-5-21-dSID-513 | CN=Domain Users,CN=Users,dpath |
S-1-5-21-dSID-514 | CN=Domain Guests,CN=Users,dpath |
S-1-5-21-dSID-515 | CN=Domain Computers,CN=Users,dpath |
S-1-5-21-dSID-516 | CN=Domain Controllers,CN=Users,dpath |
S-1-5-21-dSID-517 | CN=Cert Publishers,CN=Users,dpath |
S-1-5-21-dSID-518 | CN=Schema Admins,CN=Users,dpath |
S-1-5-21-dSID-519 | CN=Enterprise Admins,CN=Users,dpath |
S-1-5-21-dSID-520 | CN=Group Policy Creator Owners,CN=Users,dpath |
S-1-5-21-dSID-521 | CN=Read-only Domain Controllers,CN=Users,dpath |
S-1-5-21-dSID-553 | CN=RAS and IAS Servers,CN=Users,dpath |
S-1-5-21-dSID-571 | CN=Allowed RODC Password Replication Group,CN=Users,dpath |
S-1-5-21-dSID-572 | CN=Denied RODC Password Replication Group,CN=Users,dpath |
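Comparing the 44 rows of wellknownaccounts.txt against this table by eye is error-prone, so the following script does the check mechanically. It is an added example, not part of the original article or of any Microsoft tool: it parses the `objectsid distinguishedname` rows that the `dsquery` command above writes, takes the domain SID and LDAP path from the row whose SID is exactly `S-1-5-21-x-y-z`, expands the dSID/dpath placeholders from the table, and reports which well-known SIDs are absent and which are present under a different distinguished name. The sample dump embedded in the script is constructed for illustration (domain SID `S-1-5-21-1111-2222-3333`, domain adatum.com); run it against a real file with `python check_wellknown.py wellknownaccounts.txt`.

```python
"""Check a dsquery dump of the first 44 objects against the well-known
account table for Event ID 12305 (added example, not from the article).
Assumes the dump came from:
  dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname
"""
import re
import sys

# Expected entries, grouped by container; dSID and dpath are filled in later.
FOREIGN = ("S-1-5-4", "S-1-5-9", "S-1-5-11", "S-1-5-17")
BUILTIN = {  # RID -> CN under CN=Builtin,dpath
    544: "Administrators", 545: "Users", 546: "Guests",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicator",
    554: "Pre-Windows 2000 Compatible Access", 555: "Remote Desktop Users",
    556: "Network Configuration Operators", 557: "Incoming Forest Trust Builders",
    558: "Performance Monitor Users", 559: "Performance Log Users",
    560: "Windows Authorization Access Group", 561: "Terminal Server License Servers",
    562: "Distributed COM Users", 568: "IIS_IUSRS", 569: "Cryptographic Operators",
    573: "Event Log Readers", 574: "Certificate Service DCOM Access",
}
DOMAIN = {  # RID -> CN under CN=Users,dpath
    498: "Enterprise Read-only Domain Controllers", 500: "Administrator",
    501: "Guest", 502: "krbtgt", 512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers", 516: "Domain Controllers",
    517: "Cert Publishers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 521: "Read-only Domain Controllers",
    553: "RAS and IAS Servers", 571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}
# A domain SID has exactly three sub-authorities after S-1-5-21; RID rows have four.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_dsquery(text):
    """Return {sid: dn} from dsquery output. A DN can contain spaces
    ("CN=Account Operators,..."), so split each row only once; the header
    line ("objectsid distinguishedname") and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("S-1-"):
            rows[parts[0]] = parts[1]
    return rows


def expected_accounts(domain_sid, dpath):
    """Expand the article's table for a concrete domain SID and LDAP path."""
    exp = {sid: f"CN={sid},CN=ForeignSecurityPrincipals,{dpath}" for sid in FOREIGN}
    exp["S-1-5-32"] = f"CN=Builtin,{dpath}"
    for rid, name in BUILTIN.items():
        exp[f"S-1-5-32-{rid}"] = f"CN={name},CN=Builtin,{dpath}"
    exp[domain_sid] = dpath
    for rid, name in DOMAIN.items():
        exp[f"{domain_sid}-{rid}"] = f"CN={name},CN=Users,{dpath}"
    return exp


def check_well_known(text):
    """Return (missing, mismatched): SIDs absent from the dump, and SIDs present
    under a DN other than the one the table expects (for example a renamed
    built-in Administrator account, which is not a missing account)."""
    found = parse_dsquery(text)
    domain = [(s, dn) for s, dn in found.items() if DOMAIN_SID_RE.match(s)]
    if len(domain) != 1:
        raise ValueError("could not identify the domain object in the dump")
    domain_sid, dpath = domain[0]
    exp = expected_accounts(domain_sid, dpath)
    missing = sorted(s for s in exp if s not in found)
    mismatched = sorted(s for s in exp if s in found and found[s].lower() != exp[s].lower())
    return missing, mismatched


# Constructed sample dump (not real output): six rows, one with a renamed
# Administrator account, so 38 SIDs are reported missing and one mismatched.
SAMPLE_DUMP = """  objectsid                     distinguishedname
  S-1-5-32-544                  CN=Administrators,CN=Builtin,DC=adatum,DC=com
  S-1-5-32-548                  CN=Account Operators,CN=Builtin,DC=adatum,DC=com
  S-1-5-21-1111-2222-3333       DC=adatum,DC=com
  S-1-5-21-1111-2222-3333-500   CN=Admin,CN=Users,DC=adatum,DC=com
  S-1-5-21-1111-2222-3333-502   CN=krbtgt,CN=Users,DC=adatum,DC=com
  S-1-5-21-1111-2222-3333-512   CN=Domain Admins,CN=Users,DC=adatum,DC=com
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    missing, mismatched = check_well_known(text)
    print(f"{len(missing)} well-known SID(s) missing:", *missing, sep="\n  ")
    print(f"{len(mismatched)} present under a different DN:", *mismatched, sep="\n  ")
```

A SID listed as mismatched rather than missing deserves a second look before you act on it: the built-in Administrator and Guest accounts are commonly renamed on purpose, whereas a well-known group that has been moved out of CN=Users or CN=Builtin is unusual and worth reconciling with change records. Only the SIDs in the missing list correspond to the accounts that the SAM retry described under Resolve is trying to recreate.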