Demote 2003 DC with DC PROMO fails Access is denied.

I just replaced 2 of my DC's with 2 New DC's.  all the roles are transferred to the new servers and everything seems to be working fine with the old DCs turned off.  So now I want to DCPROMO and remove the old.  In the process I am getting the following error:

The operation failed because: Active Directory could not configure the computer account SERVER$ on the remote domain controller firstolddc.domain.com. "Access is denied."

Specify an account with Enterprise Adminstrator privileges to the forest, home.domain.com.

I have done this and I keep getting the same error message over and over.  Where do I need to add permissions?  The user name I am using is a member of Enterprise Admin group.
LVL 1
ohmErnieAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
Jay_Jay70Commented:
Hi ohmErnie,

try using this  DCPROMO /FORCEREMOVAL

you shouldnt have to use that but the dcpromo tool can be vaery buggy especially in regards to demotion

make sure you follow this afterwards
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Cheers!
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
ohmErnieAuthor Commented:
I managed to demote the Domain controllers sucessfully, but I still see the name servers in DNS, WINs, ect.  I am wondering if I need to do something else after this demotion? perhaps the link specified by Jay Jay70?
0
 
Jay_Jay70Commented:
have you followed the link?

you will need to use the ntdsutil to clean the machines out of AD

also take note that you need to clear the machine manaully from AD sites and services
0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

 
ohmErnieAuthor Commented:
I went through step 1, but really did not have to since the demotion was actually sucessful.  When I went through step 1, the old dc's were already removed.  I then proceeded to step 2 and 3 which needed to be completed.  Looks good...thanks for the help.
0
 
Jay_Jay70Commented:
not a problem mate

cheers :)
0
 
kenternCommented:
Forceremoval should be used with great care... Is there really no other solution to this problem?
0
 
kenternCommented:
As a side note - setting the right permissions on the computer object to be demoted in AD enabled me to finish this task without using the /forceremoval option. First remove "protect this object from accidental deletion (windows 2008 servers in domain)" if it exists, then give domain admins and administrators all rights to the object from the security tab. My DC then demoted gracefully.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.