Demote 2003 DC with DC PROMO fails Access is denied.

I just replaced 2 of my DCs with 2 new DCs. All the roles are transferred to the new servers and everything seems to be working fine with the old DCs turned off. So now I want to DCPROMO and remove the old ones. In the process I am getting the following error:

The operation failed because: Active Directory could not configure the computer account SERVER$ on the remote domain controller "Access is denied."

Specify an account with Enterprise Administrator privileges to the forest,

I have done this and I keep getting the same error message over and over. Where do I need to add permissions? The user name I am using is a member of the Enterprise Admins group.

Hi ohmErnie,


you shouldn't have to use that but the dcpromo tool can be very buggy, especially in regards to demotion

make sure you follow this afterwards


ohmErnie (Author) commented:
I managed to demote the domain controllers successfully, but I still see the name servers in DNS, WINS, etc. I am wondering if I need to do something else after this demotion? Perhaps the link specified by Jay Jay70?
have you followed the link?

you will need to use the ntdsutil to clean the machines out of AD

also take note that you need to clear the machine manually from AD Sites and Services
ohmErnie (Author) commented:
I went through step 1, but really did not have to since the demotion was actually successful. When I went through step 1, the old DCs were already removed. I then proceeded to steps 2 and 3, which needed to be completed. Looks good... thanks for the help.
not a problem mate

cheers :)
Forceremoval should be used with great care... Is there really no other solution to this problem?
As a side note - setting the right permissions on the computer object to be demoted in AD enabled me to finish this task without using the /forceremoval option. First remove "protect this object from accidental deletion" (Windows 2008 servers in domain) if it exists, then give Domain Admins and Administrators all rights to the object from the Security tab. My DC then demoted gracefully.
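
The thread mentions leftovers in DNS and in AD Sites and Services after a demotion. The following read-only check is an added example, not part of the original thread: it lists references to a demoted DC that still exist. It assumes a management host with the ActiveDirectory and DnsClient PowerShell modules; `OLDDC01` is a constructed placeholder name, and WINS is not covered.

```powershell
# Read-only check for leftovers of a demoted domain controller.
# Assumption: run from a host with the ActiveDirectory and DnsClient modules.
# 'OLDDC01' is a constructed placeholder; pass the demoted server's name instead.
param(
    [string]$OldDcName = 'OLDDC01'
)

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. Computer account still sitting in the Domain Controllers OU?
$inDcOu = Get-ADComputer -Filter "Name -eq '$OldDcName'" `
    -SearchBase $domain.DomainControllersContainer
if ($inDcOu) {
    $findings += "Computer account in Domain Controllers OU: $($inDcOu.DistinguishedName)"
}

# 2. Server object (and NTDS Settings child) left in AD Sites and Services?
$servers = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))"
foreach ($s in $servers) {
    $findings += "Server object in Sites: $($s.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) { $findings += "NTDS Settings still present: $($ntds.DistinguishedName)" }
}

# 3. DC locator SRV records still pointing at the old server?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$OldDcName.*" }
foreach ($r in $srv) { $findings += "SRV record targets $($r.NameTarget)" }

# 4. Old server still listed as a name server for the domain zone?
$ns = Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'NS' -and $_.NameHost -like "$OldDcName.*" }
foreach ($r in $ns) { $findings += "NS record lists $($r.NameHost)" }

if ($findings) {
    $findings | ForEach-Object { Write-Output "LEFTOVER: $_" }
} else {
    Write-Output "No references to $OldDcName found in AD or DNS."
}
```

The script changes nothing; anything it reports is a candidate for the manual cleanup described above.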