Can I avoid a forced dcpromo?

Posted on 2014-08-22
Last Modified: 2015-03-04
I am removing a DC from a 2003 domain, intending to shut it down forever. There are 2 other DCs, each running DNS, both are Global Catalogs, replicating with no errors, all roles are on the PDC. Dcpromo failed with access denied, saying the user doesn't have permission to perform the operation. The user is a Schema Admins and Enterprise Admins member. I have changed the DNS setting for the server I want to remove to another DNS server. I would like to avoid a forced removal if possible. I see that in order to possibly get around this problem, I can remove the permission to delete all Child objects from Everyone by unchecking the deny box on OUs.

My first question is do I have to do that on all the OUs (all do not have the Everyone group), or can I just do it at the domain level? Or do I have to do both?

Second question is if I do a dcpromo /forceremoval, with no intention of reinstalling the server as a DC or anything else, do I still need to do the metadata fix? I have never had this problem before, will I get prompted through the metadata fix, or is it manual? Trying to determine how late I might be here.
Question by:quaybj

    Accepted Solution

    My first question is do I have to do that on all the OU's...

    No need to be messing with OU ACLs for a dcpromo issue.

    do I still need to do the metadata fix?

    Yes, you need to manually use ntdsutil to clean up, or else remnants are still on the other servers, since a forced removal doesn't contact the other domain controllers to inform them that it's no longer a domain controller.

    How to remove data in Active Directory after an unsuccessful domain controller demotion
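
An added example, not part of the thread or the linked article: a batch file to run on a surviving DC that lists what a forced removal can leave behind, so you can compare the output before and after the ntdsutil cleanup. DC03, DC01 and example.local are placeholder names; nltest and repadmin are assumed to be installed from the Windows Server 2003 Support Tools.

```bat
@echo off
rem Added example: look for remnants of a force-removed DC.
rem All three values are placeholders, replace them with your own names.
setlocal
set OLD_DC=DC03
set GOOD_DC=DC01
set DOMAIN=example.local

echo == Server objects under CN=Sites still named %OLD_DC% ==
rem The NTDS Settings object lives below this server object.
dsquery server -forest -name %OLD_DC%

echo == Computer account for %OLD_DC% left in the domain ==
dsquery computer -name %OLD_DC%

echo == Domain controllers the domain still lists ==
nltest /dclist:%DOMAIN%

echo == DC locator SRV records on %GOOD_DC% that still name %OLD_DC% ==
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %GOOD_DC% | findstr /i "%OLD_DC%"

echo == Replication links on %GOOD_DC% that still reference %OLD_DC% ==
repadmin /showrepl %GOOD_DC% | findstr /i "%OLD_DC%"

endlocal
```

Once the cleanup is complete and DNS has been tidied up, the dsquery and findstr sections should print nothing for the removed server.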

    Author Comment

    Thanks Seth for that clear, no nonsense answer to question 1.  I did not want to do that, felt just wrong.

    I also found and now the article you mentioned for question 2, and am clear now on what I need to do and why.

    Expert Comment

    Is your ID also a member of the Domain Admins group in AD?
    You said it is a member of Schema Admins and Enterprise Admins, which is not sufficient to demote a DC.
    Please add your ID to Domain Admins, log off and log back on, and try.

    Author Comment

    Mahesh, yes the ID is administrator of the domain and is a member of Domain Admins.  Thanks.

    Author Closing Comment

    Sorry this took so long, thought I already closed the question.