I need to transfer FSMO roles from Windows Server 2012 R2 to Windows Server 2019. It works well with clean Datacenter editions of both systems but not with existing Windows Server 2012 R2 Essentials.

There is an existing Windows Server 2012 R2 Essentials server holding an FSMO role. I have added a new Windows Server 2019 Essentials server to the domain, to which I need to transfer FSMO, and installed AD-Domain-Services. When I execute:

    Install-ADDSDomainController `
        -CreateDnsDelegation:$false `
        -NoGlobalCatalog:$true `
        -InstallDns:$true `
        -DomainName "mydomain.com" `
        -SiteName "Default-First-Site-Name" `
        -ReplicationSourceDC "server2012.mydomain.com" `
        -DatabasePath "C:\Windows\NTDS" `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$true `
        -SysvolPath "C:\Windows\SYSVOL" `
        -Force:$true

it fails with the error: DCPROMO fails with the error "Access is denied" if the user who does the promotion isn't granted the "trusted for delegation" user right

I have checked the Microsoft article (my actions are noted after each step): https://learn.microsoft.com/cs-CZ/troubleshoot/windows-server/identity/access-denied-error-occurs-dcpromo

The recommendations in the article are:

  1. Verify that the default domain controllers policy exists in Active Directory (AD). => Yes, it exists.
  2. Verify that the user account that does the DCPROMO operation has been granted the "Enable computer and user accounts to be trusted for delegation" user right in the default domain controllers policy. => The user is in the Enterprise Admins, Administrators, Domain Admins, and Schema Admins groups. I have tried to grant the user right to the Administrators and Domain Admins groups, but it did not help. When I run whoami /all, it shows SeEnableDelegationPrivilege Disabled.
  3. Verify that the default domain controllers policy is linked to the domain controllers OU and that all DC machine accounts stay in that OU. => There is just one OU, Domain Controllers, and the only Windows Server 2012 R2 server is there.
  4. Verify that the file system portion of the default domain controllers policy exists in the SYSVOL share of the DC being used to apply policy on the computer being promoted or demoted. => There is just one DC there.
  5. The default domain policy, or policy in general, isn't applying to the logged-on user. => It is applied to the user; gpupdate /force applies the changes in domain policy.

Both servers have unchecked "Protect object from accidental deletion".

I have not found any other reasonable root cause of the error.

What could be done further or what could be the potential root cause of the issues, please?

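The five points from the Microsoft article can be checked in one pass. The script below is an added example, not part of the original question, and assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; $SourceDc is a placeholder for the replication source DC. It is meant to run as the promoting user on the existing 2012 R2 DC, because the user right comes from the Default Domain Controllers Policy, which applies only on domain controllers, so the privilege only shows up in a token obtained there. A privilege that whoami lists as "Disabled" is still granted to the token; "Disabled" only means it is not currently enabled, so only its absence from the list is a problem.

```powershell
# Added example (not from the original question): checks for the five points of the
# Microsoft article, run as the promoting user on the existing 2012 R2 DC.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules; $SourceDc is a placeholder.
param([string]$SourceDc = 'server2012.mydomain.com')

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain -Server $SourceDc
$ddcpGuid = '6AC1786C-016F-11D2-945F-00C04FB984F9'   # well-known GUID of the Default Domain Controllers Policy
$dcOu     = $domain.DomainControllersContainer
# Security template inside the policy that carries its user-right assignments
$gptTmpl  = "\\$SourceDc\SYSVOL\$($domain.DNSRoot)\Policies\{$ddcpGuid}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# 1. The policy object exists in AD
$gpo = Get-GPO -Guid $ddcpGuid -Domain $domain.DNSRoot -Server $SourceDc -ErrorAction SilentlyContinue
'[1] Default Domain Controllers Policy exists: {0}' -f [bool]$gpo

# 2. Who the policy grants the right to (SIDs are prefixed with '*'; S-1-5-32-544 is
#    BUILTIN\Administrators), and whether the current token carries it at all. whoami reports
#    'Disabled' for a privilege that is granted but not enabled; only absence matters here.
$rightLine = Select-String -Path $gptTmpl -Pattern '^SeEnableDelegationPrivilege' -ErrorAction SilentlyContinue
'[2] Policy assigns SeEnableDelegationPrivilege to: {0}' -f ($rightLine.Line -replace '^SeEnableDelegationPrivilege\s*=\s*', '')
$inToken = [bool]((whoami /priv) | Select-String 'SeEnableDelegationPrivilege')
'[2] Current token holds SeEnableDelegationPrivilege: {0}' -f $inToken

# 3. The policy is linked to the Domain Controllers OU and every DC account lives there
$link = (Get-GPInheritance -Target $dcOu -Domain $domain.DNSRoot -Server $SourceDc).GpoLinks |
        Where-Object { $_.GpoId -eq [guid]$ddcpGuid }
'[3] Policy linked to {0}: {1}' -f $dcOu, [bool]$link
Get-ADDomainController -Filter * -Server $SourceDc | ForEach-Object {
    '    DC {0} in Domain Controllers OU: {1}' -f $_.HostName, ($_.ComputerObjectDN -like "*,$dcOu")
}

# 4. The file-system part of the policy is present in SYSVOL on the source DC
'[4] {0} present: {1}' -f $gptTmpl, (Test-Path -LiteralPath $gptTmpl)

# 5. The policy is actually applied to this computer (user rights are computer settings,
#    so the computer scope is what counts; gpresult needs an elevated prompt for it)
$rsop = gpresult /r /scope:computer 2>$null
'[5] Policy in computer RSoP: {0}' -f [bool]($rsop -match 'Default Domain Controllers Policy')
```

Check 2 reads the assignment straight from GptTmpl.inf rather than from the GPO report, because that file is what the DC's security subsystem applies; if the line is missing there, editing the policy in GPMC and waiting for SYSVOL replication is the fix, not adding the account to more groups.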
There is 1 best solution below

When KB5008102 (November 2021) is applied, this error will also occur if a user who is not in the "Domain Admins" global group tries to promote a domain controller. The update blocks the UAC settings update with a message (on the DC you are replicating from / trying to update the computer object against):

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

Details:

Account name: NEWDCNAME$
Account objectClass: domainDNS
userAccountControl: 8448
Caller address: xx.xx.xx.xx:yyyy
Caller SID: S-1-5-21-YourAccountSID

Microsoft seems to have forgotten that Enterprise Admins should be considered admins in all the domains in a forest.

For instance, if you are trying to promote a new DC in a child domain with an Enterprise Admin account in the parent domain, this will now fail with this update. You have to create an account in the child domain, add it to the domain admins global group, and then do the promotion.
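Three checks for the KB5008102 condition described in this answer, as an added example that is not part of the answer: decoding the userAccountControl value from the event, finding the block message on the source DC, and verifying Domain Admins membership in the target domain by SID. It assumes the RSAT ActiveDirectory module; $SourceDc, $TargetDomain and $PromotingUser are placeholders, and 8448 is the value from the event text above. The value is decoded with the MS-SAMR USER_ACCOUNT_CONTROL bit table rather than the LDAP userAccountControl layout, since the event is raised by SAM and 8448 reads cleanly as DC flags in that layout (in the LDAP layout it would contain the nonsensical TEMP_DUPLICATE_ACCOUNT bit).

```powershell
# Added example (not part of the answer above): checks for the KB5008102 condition.
# Assumes the RSAT ActiveDirectory module; $SourceDc, $TargetDomain and $PromotingUser
# are placeholders.
param(
    [string]$SourceDc      = 'server2012.mydomain.com',
    [string]$TargetDomain  = 'mydomain.com',
    [string]$PromotingUser = 'MYDOMAIN\promoadmin'   # constructed placeholder account
)
Import-Module ActiveDirectory

# (a) Decode the event's userAccountControl with the MS-SAMR USER_ACCOUNT_CONTROL bits
#     (SAM's internal layout, which differs from the LDAP userAccountControl attribute).
$samUacFlags = @{
    0x00001 = 'USER_ACCOUNT_DISABLED';          0x00002 = 'USER_HOME_DIRECTORY_REQUIRED'
    0x00004 = 'USER_PASSWORD_NOT_REQUIRED';     0x00008 = 'USER_TEMP_DUPLICATE_ACCOUNT'
    0x00010 = 'USER_NORMAL_ACCOUNT';            0x00020 = 'USER_MNS_LOGON_ACCOUNT'
    0x00040 = 'USER_INTERDOMAIN_TRUST_ACCOUNT'; 0x00080 = 'USER_WORKSTATION_TRUST_ACCOUNT'
    0x00100 = 'USER_SERVER_TRUST_ACCOUNT';      0x00200 = 'USER_DONT_EXPIRE_PASSWORD'
    0x00400 = 'USER_ACCOUNT_AUTO_LOCKED';       0x00800 = 'USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED'
    0x01000 = 'USER_SMARTCARD_REQUIRED';        0x02000 = 'USER_TRUSTED_FOR_DELEGATION'
    0x04000 = 'USER_NOT_DELEGATED';             0x08000 = 'USER_USE_DES_KEY_ONLY'
    0x10000 = 'USER_DONT_REQUIRE_PREAUTH';      0x20000 = 'USER_PASSWORD_EXPIRED'
}
function ConvertFrom-SamUserAccountControl([int]$Value) {
    $samUacFlags.Keys | Sort-Object |
        Where-Object { ($Value -band $_) -ne 0 } |
        ForEach-Object { $samUacFlags[$_] }
}
'userAccountControl 8448 = ' + ((ConvertFrom-SamUserAccountControl 8448) -join ' | ')
# 8448 = 0x2100 = USER_SERVER_TRUST_ACCOUNT | USER_TRUSTED_FOR_DELEGATION: the flags of a
# DC account, i.e. the write that turns the new server's computer object into a DC.

# (b) Find the SAM block message on the replication source DC (matched on message text,
#     so it does not depend on a particular event ID)
Get-WinEvent -ComputerName $SourceDc -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*mismatched objectClass and userAccountControl*' } |
    Select-Object TimeCreated, Id, ProviderName, Message

# (c) Membership in Domain Admins of the target domain, resolved by SID (domain SID + RID 512).
#     Enterprise Admins is nested into BUILTIN\Administrators of every domain, not into
#     Domain Admins, so an EA account from the parent domain fails this check in a child domain.
$domainSid = (Get-ADDomain -Identity $TargetDomain).DomainSID.Value
$daSid     = "$domainSid-512"
$userSid   = ([Security.Principal.NTAccount]$PromotingUser).Translate([Security.Principal.SecurityIdentifier]).Value
$daMembers = Get-ADGroupMember -Identity $daSid -Server $TargetDomain -Recursive
'{0} is in Domain Admins of {1}: {2}' -f $PromotingUser, $TargetDomain, ($daMembers.SID.Value -contains $userSid)
```

Check (c) is the one that matters for the scenario in this answer: a "true" from the BUILTIN\Administrators check or an Enterprise Admins check is not enough after KB5008102, only membership (direct or nested) in the target domain's own Domain Admins group is.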