Solved

Access Denied when demoting windows 2003 dc controller

Posted on 2015-01-25
145 Views
Last Modified: 2015-02-23
I have moved my domain over to Windows 2012 servers and I am now trying to demote a Windows 2003 DC. When I attempt this I get the following:

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied", and it prompts for an enterprise account.

What I have found is that the "Enable computer and user accounts to be trusted for delegation" policy is the likely cause of the failure; no matter which user I try to demote the server with, this policy shows as disabled.

I have gone through and verified the correct permissions on the user; this is a top-level Enterprise Admin account with all needed rights.

I have verified that the Domain Controllers policy exists and that the Domain Controllers OU is linked accordingly. The Default Domain Policy is applying to the user when they log in, and that policy is set to Administrators.

I have even tried adding a specific user to the trusted-for-delegation policy, but no matter what I do the user shows as disabled for this policy.

Any suggestions?
Question by:zubar75
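The question turns on whether the account running dcpromo actually holds the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege) on the DC being demoted. Demotion has to clear the TRUSTED_FOR_DELEGATION bit in userAccountControl on the DC's own computer account, and writing that bit requires SeEnableDelegationPrivilege, which the Default Domain Controllers Policy grants to Administrators. The script below is an added example, not something posted in the thread; it assumes it is run in an elevated PowerShell (2.0 is enough) on the 2003 DC itself, logged on as the account used for dcpromo. The underlying commands (whoami, secedit, gpresult) also work from a plain cmd prompt.

```powershell
# Added example, not part of the thread. Run elevated on the DC being demoted,
# logged on as the account that dcpromo will use. User rights are evaluated at
# logon, so a right granted after you logged on will not show up until you log
# on again.

# 1. Is SeEnableDelegationPrivilege in the current logon token at all?
$tokenPriv = whoami /priv | Select-String 'SeEnableDelegationPrivilege'
if ($tokenPriv) {
    "Token:  $($tokenPriv.Line.Trim())"
} else {
    'Token:  SeEnableDelegationPrivilege is NOT present; dcpromo will get Access Denied'
}

# 2. Which principals does the effective local policy on this DC grant it to?
#    secedit exports the [Privilege Rights] section as
#    SeEnableDelegationPrivilege = *S-1-5-32-544,...
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$grant = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
$holders = @()
if ($grant) {
    $holders = ($grant -split '=', 2)[1] -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }    # unresolvable SID: print it raw
    }
}
'Policy: granted to ' + $(if ($holders) { $holders -join ', ' } else { '<nobody>' })
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. Is the logged-on account a member of any of those grantees?
$myGroups = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }
$match = $holders | Where-Object { $myGroups -contains $_ }
'Groups: ' + $(if ($match) { "member of $($match -join ', ')" } else { 'not a member of any grantee' })

# 4. If step 2 prints <nobody>, the Default Domain Controllers Policy is not
#    reaching this DC; list the GPOs that actually applied to the computer.
gpresult /scope computer
```

If step 1 shows the privilege missing while step 3 says the account is in a granted group, the token is stale: log off and on (or reboot the DC) before retrying dcpromo. If step 2 shows nobody, fix GPO application to the Domain Controllers OU first; editing the user's own rights will not help, because the right is enforced by the DC's local security policy.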
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569747
Did you read the Microsoft Support solution for KB2002413?
 

Author Comment

by:zubar75
ID: 40569751
Yes, I went through KB2002413. It all lines up OK.
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569767
 
LVL 53

Accepted Solution

by: Will Szymkowski (earned 1500 total points)
ID: 40569793
I have seen similar issues when the domain controller computer account is set to "Protect from accidental deletion". I would check and make sure that this setting is not set.

Right-click the DC object and select Properties, click the Object tab and make sure this setting is not enabled.

If all else fails you can transfer the roles to another DC (if you haven't already) and then use ADSI Edit to remove the DC and ntdsutil to remove the metadata.

Will.
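The accepted answer checks the flag by hand in ADUC (the Object tab only appears with View > Advanced Features turned on). The script below is an added example, not the answer's own code: it reads and clears ProtectedFromAccidentalDeletion on the three directory objects that demotion and a later metadata cleanup have to modify or delete, and then dumps the raw Deny ACEs, because the checkbox is nothing more than a pair of Deny ACEs (Delete and Delete Subtree for Everyone) and a manually added Deny with the same effect does not light up the checkbox. It assumes a Windows Server 2012 DC or an RSAT box with the ActiveDirectory module, a Domain Admin session, and a DC named OLDDC, which is a placeholder.

```powershell
# Added example, not from the thread. Run on a 2012 DC (the 2003 DC has no
# ActiveDirectory module). 'OLDDC' is a placeholder for the DC being demoted.
Import-Module ActiveDirectory
$dcName = 'OLDDC'

$dc = Get-ADDomainController -Identity $dcName
# The computer account, the server object under CN=Sites, and the NTDS Settings
# object beneath it: demotion rewrites the first and deletes the third, and
# ntdsutil metadata cleanup deletes the last two.
$targets = @($dc.ComputerObjectDN, $dc.ServerObjectDN, $dc.NTDSSettingsObjectDN)

foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
    '{0,-6} {1}' -f $obj.ProtectedFromAccidentalDeletion, $dn
    if ($obj.ProtectedFromAccidentalDeletion) {
        # Clearing the property removes the Deny Delete / Delete Subtree ACEs
        Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false -Confirm:$false
    }
}

# Belt and braces: list every remaining Deny ACE that touches a delete right,
# whoever it was granted to. The AD: drive is created by Import-Module above.
foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ActiveDirectoryRights -match 'Delete' } |
        ForEach-Object {
            'DENY {0,-28} {1} (inherited={2}) on {3}' -f $_.IdentityReference,
                $_.ActiveDirectoryRights, $_.IsInherited, $dn
        }
}
```

Run it before dcpromo and again before any ntdsutil metadata cleanup; the same Deny ACEs that block one block the other, which is the failure Will describes two comments down.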
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40569964
Protecting from accidental deletion was introduced in 2008, so unless the user put in the 2012 servers and then hit that check box for that server, it isn't a factor. I just tried in a test environment with the object protected and dcpromo was fine, which makes sense since it only prevents object deletion, not moving across an OU or container.

I would remove it manually using the TechNet article cited above.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40569969
Thanks for pointing that out Seth. Now that you mention it, it was an issue while doing the metadata cleanup using ntdsutil, it was failing and saying access denied. This was due to the Protect from accidental deletion.

Will.
 
LVL 38

Expert Comment

by:Mahesh
ID: 40571217
Log on to the affected server as a Domain Admin.
Then run the dcpromo /forceremoval command; hopefully this should demote the server.
After that you may need to run metadata cleanup to remove the demoted DC's trace from AD completely:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
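Mahesh's two steps, forced demotion followed by metadata cleanup, leave the "cleanup" half to the linked TechNet article. The script below is an added example and not code from the thread or the article: it runs the ntdsutil metadata cleanup non-interactively from a surviving DC, refuses to proceed while the old DC still owns an FSMO role, and then lists what is left behind for manual deletion. It assumes dcpromo /forceremoval has already been run on the old box, a Windows Server 2012 DC with the ActiveDirectory and DnsServer modules, a Domain Admin session, and a DC name OLDDC, which is a placeholder.

```powershell
# Added example, not from the thread. Run on a surviving 2012 DC as a Domain
# Admin after 'dcpromo /forceremoval' has been run on the old DC. 'OLDDC' is
# a placeholder.
Import-Module ActiveDirectory
$dcName = 'OLDDC'
$dc = Get-ADDomainController -Identity $dcName    # fails if the DC is already gone

# Never clean up a DC that still holds an FSMO role: seize or transfer first.
$domain = Get-ADDomain
$forest = Get-ADForest
$roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($roleHolders -contains $dc.HostName) {
    throw "$($dc.HostName) still holds an FSMO role; move the roles before cleaning up"
}

# One ntdsutil invocation, each argument being one ntdsutil command.
# 'remove selected server' takes the server object's DN under CN=Sites; wrap the
# DN in embedded quotes if your site name contains spaces. It deletes the NTDS
# Settings object and, with a current ntdsutil, the related FRS member and
# computer account objects. Expect a confirmation dialog.
$serverDn = $dc.ServerObjectDN
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit

# Inventory what survived so it can be deleted by hand: typically the now-empty
# server object under CN=Sites and the DC's DNS records (A, plus the SRV records
# under _msdcs and the domain zone).
$configNc = (Get-ADRootDSE).ConfigurationNamingContext
$left = @(Get-ADObject -SearchBase $configNc `
              -LDAPFilter "(|(name=$dcName)(dNSHostName=$($dc.HostName)))") +
        @(Get-ADObject -LDAPFilter "(sAMAccountName=$dcName`$)")
'--- directory objects still present ---'
$left | Select-Object DistinguishedName, ObjectClass

'--- DNS records still pointing at the old DC ---'
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -Name $dcName -ErrorAction SilentlyContinue
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$($dc.HostName)*" } |
    Select-Object HostName, @{n='Target'; e={ $_.RecordData.DomainName }}
```

Forced removal is the last resort the original poster wants to avoid, and rightly so: it leaves the directory believing the DC still exists until this cleanup runs, and stale SRV records will keep sending clients and replication partners to a host that no longer answers.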
 

Author Comment

by:zubar75
ID: 40571468
Was hoping to remove the controller cleanly from Active Directory and not force-remove it.

Already looked at Protect from accidental deletion; same problem.

Any suggestions about the "Enable computer and user accounts to be trusted for delegation" policy showing as disabled?
 
LVL 38

Expert Comment

by:Mahesh
ID: 40572047
OK.
Check the default "Computers" container permissions; it might be possible that there are Deny permissions set for creating computer objects.

If you find one, just remove those permissions, force AD replication and check if it works.
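Mahesh's suggestion is worth automating, and worth widening a little: demotion moves the DC's computer account out of OU=Domain Controllers into CN=Computers and rewrites its attributes, so a Deny ACE on the source OU or on the computer object itself can produce the same "unable to convert the computer account" error as a Deny on the destination container. The script below is an added example, not the thread's own code. It lists every Deny ACE on those three objects, tells you whether an object-specific ACE is scoped to the computer class (by reading the class's schemaIDGUID from the schema rather than hard-coding it), and notes whether each Deny is inherited, since an inherited Deny has to be removed higher up. It assumes a Windows Server 2012 DC with the ActiveDirectory module, a Domain Admin session, and a placeholder DC name OLDDC.

```powershell
# Added example, not from the thread. Run on a 2012 DC as a Domain Admin.
# 'OLDDC' is a placeholder for the DC being demoted.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$dc = Get-ADDomainController -Identity 'OLDDC'

# schemaIDGUID of the computer class, so object-specific ACEs can be labelled.
$schemaNc = (Get-ADRootDSE).SchemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(ldapDisplayName=computer)' `
                              -Properties schemaIDGUID
$computerGuid = [guid]$computerClass.schemaIDGUID

# The three objects a demotion touches.
$paths = @{
    'destination container' = "CN=Computers,$domainDn"
    'source OU'             = "OU=Domain Controllers,$domainDn"
    'computer account'      = $dc.ComputerObjectDN
}

$found = $false
foreach ($label in $paths.Keys) {
    $dn = $paths[$label]
    $denies = (Get-Acl -Path "AD:\$dn").Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($ace in $denies) {
        # An empty ObjectType means the ACE applies to every child class and attribute.
        $scope = switch ($ace.ObjectType) {
            ([guid]::Empty) { 'all object types' }
            $computerGuid   { 'computer objects' }
            default         { "object type $($ace.ObjectType)" }
        }
        $found = $true
        '{0}: DENY {1} -> {2} [{3}] inherited={4} on {5}' -f $label, $ace.IdentityReference,
            $ace.ActiveDirectoryRights, $scope, $ace.IsInherited, $dn
    }
}
if (-not $found) { 'No Deny ACEs on the three objects demotion touches' }
```

Read the output against the operation: a Deny of CreateChild scoped to computer objects on the destination container, a Deny of DeleteChild on the source OU, or a Deny of WriteProperty or Delete on the computer account are the ones that matter. Deny ACEs win over Allow in AD, so an Enterprise Admin is not exempt from any of them. After removing one, force replication (repadmin /syncall) before retrying, as the comment says, because the DC being demoted evaluates the ACL from its own replica.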
 

Author Comment

by:zubar75
ID: 40590204
No Deny permissions on the default computers container