Solved

Access Denied when demoting windows 2003 dc controller

Posted on 2015-01-25
Last Modified: 2015-02-23
I have moved my domain over to Windows 2012 servers and I am now trying to demote a Windows 2003 DC. When I attempt this I get the following:

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied", and it prompts for an enterprise account.

What I have found is that the "Enable computer and user accounts to be trusted for delegation" policy is the likely cause of the failure; no matter which user I try to demote the server with, this policy shows disabled.

I have gone through and verified the correct permissions on the user; this is a top-level Enterprise Admin account with all needed rights.

I have verified that the Domain Controllers policy exists and that the Domain Controllers OU is linked accordingly. The Default Domain Policy is applying to the user when it logs in, and that policy is set to Administrators.

I have even tried adding a specific user to the trusted-for-delegation policy, but no matter what I do the user shows disabled for this policy.

Any suggestions?
Question by:zubar75
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569747
Did you read the Microsoft support solution search about KB2002413?
0
 

Author Comment

by:zubar75
ID: 40569751
Yes, I went through KB2002413. All lines up OK.
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569767
0
 
LVL 53

Accepted Solution

by:Will Szymkowski (earned 500 total points)
ID: 40569793
I have seen similar issues when the domain controller's computer account is set to "Protect from accidental deletion". I would check and make sure that this setting is not set.

Right-click on the DC object and select Properties, click the Object tab and make sure this setting is not enabled.

If all else fails you can transfer the roles to another DC (if you haven't already) and then use ADSI Edit to remove the DC and ntdsutil to remove the metadata.

Will.
0
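The check Will describes through the GUI, as an added PowerShell example that is not part of the original thread: it reads the "Protect from accidental deletion" flag on both the DC's computer object and its NTDS Settings object (each can be protected independently) and clears it only when asked. It assumes the ActiveDirectory module (RSAT or a 2012 DC); `$DcName` is a placeholder for the 2003 DC being demoted.

```powershell
# Added example, not from the original thread. Reports (and optionally clears) the
# ProtectedFromAccidentalDeletion flag on a DC's computer object and NTDS Settings object.
# Run from a Windows 2012 DC or a machine with RSAT; $DcName is an assumed placeholder.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [switch]$Clear   # pass -Clear to remove the flag after reviewing the report
)
Import-Module ActiveDirectory -ErrorAction Stop

$dc = Get-ADDomainController -Identity $DcName -ErrorAction Stop

# The computer object and the NTDS Settings object can each carry the flag.
$targets = @(
    Get-ADObject -Identity $dc.ComputerObjectDN     -Properties ProtectedFromAccidentalDeletion
    Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties ProtectedFromAccidentalDeletion
)

foreach ($obj in $targets) {
    $state = if ($obj.ProtectedFromAccidentalDeletion) { 'PROTECTED' } else { 'not protected' }
    Write-Output ("{0}`n    {1}" -f $obj.DistinguishedName, $state)

    if ($Clear -and $obj.ProtectedFromAccidentalDeletion) {
        # Set-ADObject exposes the flag directly; it removes the Deny Delete/DeleteTree
        # ACEs for Everyone that the checkbox adds.
        Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $false
        Write-Output '    -> flag cleared'
    }
}
```

Run it once without `-Clear` to see the state, then with `-Clear` if you want the flag removed. The flag is implemented as explicit Deny ACEs on the object, which is why a later metadata cleanup can report "access denied" when it is still set.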
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40569964
Protecting from accidental deletion was introduced in 2008, so unless the user put in the 2012 servers and then hit that check box for that server, it isn't a factor; I just tried in a test environment with the object protected and dcpromo was fine, which makes sense since it only prevents object deletion, not moving across an OU or container.

I would remove manually using the TechNet article cited above.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40569969
Thanks for pointing that out, Seth. Now that you mention it, it was an issue while doing the metadata cleanup using ntdsutil: it was failing and saying access denied. This was due to the Protect from accidental deletion setting.

Will.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40571217
Log on to the affected server with a Domain Admins account.
Then run the DCPromo /forceremoval command; hopefully this should demote the server.
After that you may need to run metadata cleanup to remove the demoted DC's trace from AD completely:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
0
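Both Will's and Mahesh's comments end at metadata cleanup after the roles have been moved off the old DC. As an added PowerShell example, not from the original thread or the linked TechNet article, the script below confirms the DC holds none of the five FSMO roles and then builds the ntdsutil command line for the "remove selected server" step from the server object DN. It prints the command rather than executing it; `$DcName` is an assumed placeholder.

```powershell
# Added example, not from the original thread. Pre-flight for metadata cleanup:
# refuse to continue while the DC still holds a FSMO role, then emit the ntdsutil
# command that removes its server object. $DcName is an assumed placeholder.
param([Parameter(Mandatory = $true)][string]$DcName)
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest

# Current role holders (forest-wide roles from the forest, domain roles from the domain)
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$stillHeld = $roles.GetEnumerator() | Where-Object { $_.Value -like "$DcName*" }
if ($stillHeld) {
    Write-Output 'Transfer these roles first (Move-ADDirectoryServerOperationMasterRole):'
    $stillHeld | ForEach-Object { Write-Output ('  {0,-22} {1}' -f $_.Key, $_.Value) }
    return
}

# After a forced demotion the server/NTDS objects still exist in AD, so this lookup works.
$dc = Get-ADDomainController -Identity $DcName -ErrorAction Stop
$serverDn = $dc.ServerObjectDN   # CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...

# Same steps as the interactive "metadata cleanup" / "remove selected server" procedure,
# collapsed onto one command line. Printed only; review before running on a surviving DC.
$cmd = 'ntdsutil "metadata cleanup" "remove selected server {0}" quit quit' -f $serverDn
Write-Output 'Review, then run on a surviving DC:'
Write-Output "  $cmd"
```

The role check matches on the hostname prefix because `Get-ADDomain` and `Get-ADForest` report role holders as FQDNs. If any role is still on the old DC, nothing else is printed.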
 

Author Comment

by:zubar75
ID: 40571468
Was hoping to remove the controller cleanly from Active Directory and not force-remove.

Already looked at the Protect from accidental deletion setting; same problem.

Any suggestions about the "Enable computer and user accounts to be trusted for delegation" policy showing as disabled?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40572047
OK.
Check the default "Computers" container permissions; it might be possible that there are Deny permissions set for creating computer objects.

If you find any, just remove those permissions, force AD replication and check if it works.
0
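Mahesh's suggestion (look for Deny ACEs on the Computers container) and the asker's repeated question about the "Enable computer and user accounts to be trusted for delegation" right can both be checked from a console. The script below is an added example, not from the original thread: it lists explicit Deny entries on the Computers container and on the DC's own computer object, then reports whether the current logon token actually holds `SeEnableDelegationPrivilege` and which principals the local policy on the DC grants it to. It assumes the ActiveDirectory module and an elevated session on a DC; `$DcName` is a placeholder.

```powershell
# Added example, not from the original thread. Enumerates Deny ACEs that could block
# creating/converting the DC account, and checks the delegation user right two ways.
# Run elevated on a DC with the ActiveDirectory module; $DcName is an assumed placeholder.
param([Parameter(Mandatory = $true)][string]$DcName)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DenyAces {
    param([string]$DistinguishedName)
    # The AD: PSDrive is created when the ActiveDirectory module loads.
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType
}

$domain = Get-ADDomain
$dc     = Get-ADDomainController -Identity $DcName -ErrorAction Stop

# Array subexpression: a function that emits nothing contributes no element.
$denies = @(
    Get-DenyAces -DistinguishedName $domain.ComputersContainer
    Get-DenyAces -DistinguishedName $dc.ComputerObjectDN
)

if ($denies.Count -eq 0) {
    Write-Output 'No explicit Deny ACEs on the Computers container or the DC computer object.'
} else {
    # A "Protect from accidental deletion" flag appears here as Deny Delete/DeleteTree for
    # Everyone; any other Deny entry deserves a closer look.
    $denies | Format-Table -AutoSize
}

# 1) Effective token: whoami /priv lists only privileges present in the current token,
#    so run this elevated, as the account used for dcpromo.
$tokenHasRight = [bool]((whoami /priv) -match 'SeEnableDelegationPrivilege')
Write-Output ("SeEnableDelegationPrivilege in current token: {0}" -f $tokenHasRight)

# 2) Policy as applied on this DC: export User Rights Assignment and read the line.
#    Principals are listed as SIDs (e.g. *S-1-5-32-544 = BUILTIN\Administrators).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeEnableDelegationPrivilege' |
        ForEach-Object { $_.Line }
Write-Output ('Local policy assignment: {0}' -f $(if ($line) { $line } else { '(not assigned on this machine)' }))
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the token check is false while the policy line lists Administrators, the account is not picking up the Default Domain Controllers Policy on that machine (a `gpresult /r` on the 2003 DC shows which GPOs actually applied); if the policy line is missing, the right is not being assigned there at all.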
 

Author Comment

by:zubar75
ID: 40590204
No Deny permissions on the default Computers container.
0

Question has a verified solution.
