Can I avoid a forced dcpromo?

I am removing a DC from a 2003 domain, intending to shut it down forever. There are 2 other DC's, each running DNS, both are Global Catalogs, replicating with no errors, all roles are on the PDC. Dcpromo failed with access denied, saying the user doesn't have permission to perform the operation. The user is a Schema admins and Enterprise admins member. I have changed the DNS setting for the server I want to remove to another DNS server. I would like to avoid a forced removal if possible. I see that in order to possibly get around this problem, I can remove the permission to delete all Child objects from Everyone by unchecking the deny box on OU's.

My first question is do I have to do that on all the OU's (all do not have the Everyone group), or can I just do it at the domain level?  Or do I have to do both?

Second question is if I do a dcpromo /forceremoval, with no intention of reinstalling the server as a DC or anything else, do I still need to do the metadata fix? I have never had this problem before, will I get prompted through the metadata fix, or is it manual? Trying to determine how late I might be here.
quaybj Asked:

Seth Simmons, Sr. Systems Administrator, Commented:
My first question is do I have to do that on all the OU's...

no need to be messing with OU ACL for a dcpromo issue

do I still need to do the metadata fix?

yes, manually need to use ntdsutil to clean up else remnants are still on the other servers since a force removal doesn't contact the other domain controllers to inform that it's no longer a domain controller

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
quaybj, Author, Commented:
Thanks Seth for that clear, no nonsense answer to question 1.  I did not want to do that, felt just wrong.

I also found and now the article you mentioned for question 2, and am clear now on what I need to do and why.
Mahesh, Architect, Commented:
Is your ID also a member of the domain admins group in AD?
You said it is a member of schema admins and enterprise admins, which is not sufficient to demote a DC.
Please add your ID to domain admins, log off and log back on and try.
quaybj, Author, Commented:
Mahesh, yes the id is administrator of the domain and is a member of domain admins. Thanks.
quaybj, Author, Commented:
Sorry this took so long, thought I already closed the question.
Windows Server 2003