"Access Denied" Error Message During Active Directory Promotion of Replica Domain Controller

To resolve this problem, use the appropriate method:

• Verify that the current domain controllers in the domain have applied security policy and the Enable computer and users accounts to be trusted for delegation user right is granted to the Administrators Group in the domain controllers policy (click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment).
  
  For additional information about editing Group Policy Objects in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
  322143 (http://support.microsoft.com/kb/322143/EN-US/ ) HOW TO: Administer GPOs in Windows 2000
  For computers that do not have this right, confirm that group policy objects in the directory service and file system have replicated, and then manually apply the policy by typing the following command:
  secedit /refreshpolicy machine_policy
  NOTE: Look for the following message in the application log to confirm the application of the policy:
  Event ID 1704: Security Policy in the Group policy objects are applied successfully.
• Stop the Netlogon service on the source domain controllers that do not have this right applied to discover another domain controller in the domain that applied this right.
• Verify that the source domain controller is in the organization unit. The name of the source domain controller can be found in the hidden file called Dcpromo.log in the %Systemroot%\debug folder on the Windows 2000 server that you are trying to promote.
• Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit utility to verify that the domain controllers policy is being applied to the source domain controller.