Event ID 16403 — Well-Known Account Upgrade
Applies To: Windows Server 2008 R2
When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.
|Product:||Windows Operating System|
|Message:||The error "%2" occurred when trying to create the well known account %1.|
Ensure that the account exists and that it has the correct data
The Security Accounts Manager (SAM) was not able to properly upgrade the account that is identified in the Event Viewer event text. The problem may be related to a resource issue during a database read or write operation, or it may be due to a duplicate account name. Determine if the account was created, and configure the account properties as necessary. If the account was not created or if an account name is duplicated, create an account with a unique name for the account that could not be upgraded. Perform the following procedure using the computer that is logging the event to be resolved.
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Search for the account and verify account properties
To search for the account and verify account properties:
- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click the object that represents your domain, and then click Find. The Find Users, Contacts, and Groups dialog box opens.
- In Name, type the account name that is specified in the event text, and then click Find Now:
- If the account appears in Search results, right-click the account, and then click Properties. Review the account properties to be sure that the account you found represents the account that is named in the event text. Specifically, try to determine that there was not an attempt to create two accounts with the same name.
- If the account is different from the account that was named in the event text, create an account with a unique name for the account that was named in the event text. Set the properties of the new account to match the properties of the account that is named in the event text.
- If the account does not appear in Search results, create the account with a unique name and the same user account properties as it had previously.
Create an account using Active Directory Users and Computers
To create an account using Active Directory Users and Computers:
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search type dsa.msc, and then press ENTER.
In the console tree, expand the hierarchy of objects.
Right-click the container in which you want to create the new account, click New, and then click the account type that you want to create (such as Computer, Contact, Group, and User). Fill out all the required fields (and any of the appropriate optional fields) in the dialog box that appears for the specific type of account that you selected.
If you select an account type of User or InetOrgPerson, an additional dialog box appears. Click Next to go to the next dialog box, and then fill out the appropriate information.
When you have filled out all the appropriate information and you are ready to create the account, click OK.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.
To verify that the well-known accounts exist:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt, and press ENTER. The first 44 accounts in the directory are copied to a text file.
- Type notepad wellknownaccounts.txt and press ENTER. The file opens in Notepad.
- Check the entries in the list against the following table.
In the following table dSID represents the unique groups of digits that are the domain's security identifier (SID) and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named adatum.com, the LDAP path is DC=adatum,DC=com.
Well-known security identifiers and accounts
|S-1-5-32-554||CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath|
|S-1-5-32-555||CN=Remote Desktop Users,CN=Builtin,dpath|
|S-1-5-32-556||CN=Network Configuration Operators,CN=Builtin,dpath|
|S-1-5-32-557||CN=Incoming Forest Trust Builders,CN=Builtin,dpath|
|S-1-5-32-558||CN=Performance Monitor Users,CN=Builtin,dpath|
|S-1-5-32-559||CN=Performance Log Users,CN=Builtin,dpath|
|S-1-5-32-560||CN=Windows Authorization Access Group,CN=Builtin,dpath|
|S-1-5-32-561||CN=Terminal Server License Servers,CN=Builtin,dpath|
|S-1-5-32-562||CN=Distributed COM Users,CN=Builtin,dpath|
|S-1-5-32-573||CN=Event Log Readers,CN=Builtin,dpath|
|S-1-5-32-574||CN=Certificate Service DCOM Access,CN=Builtin,dpath|
|S-1-5-21-dSID-498||CN=Enterprise Read-only Domain Controllers,CN=Users,dpath|
|S-1-5-21-dSID-520||CN=Group Policy Creator Owners,CN=Users,dpath|
|S-1-5-21-dSID-521||CN=Read-only Domain Controllers,CN=Users,dpath|
|S-1-5-21-dSID-553||CN=RAS and IAS Servers,CN=Users,dpath|
|S-1-5-21-dSID-571||CN=Allowed RODC Password Replication Group,CN=Users,dpath|
|S-1-5-21-dSID-572||CN=Denied RODC Password Replication Group,CN=Users,dpath|