• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 148
  • Last Modified:

Access Denied when demoting windows 2003 dc controller

I have moved my domain over to windows 2012 servers and I am now trying to demote a windows 2003 dc.  When I attempt this I get the following

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied"  and it prompts for an enterprise account.

What I have found is that the Enable computer and user accounts to be trusted for delegation policy is the likely cause of the failure,   no matter which users I try to demote the server with this policy shows disabled.

I have gone through and verified the correct permissions on the user, this is a top level ent admin account with all need rights.

I have verified the domain controller policy exists and that the OU for domain controllers is linked accordingly.  The default domain policy is applying to the user when it logs in.  And that policy is set to administrators

I have even tried adding a specific user to the trusted delegation policy, but no matter what I do the user show disabled for this policy

Any suggestions?
0
zubar75
Asked:
zubar75
  • 3
  • 2
  • 2
  • +2
1 Solution
 
nader alkahtaniCommented:
Did you read Microsoft support solution search about KB2002413
0
 
zubar75Author Commented:
yes,  I went through KB2002413.  All lines up ok
0
 
nader alkahtaniCommented:
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Will SzymkowskiSenior Solution ArchitectCommented:
I have seen similar issues when the domain controller computer account is set to "protect from accidental deletion". I would check and make sure that this setting is not set.

Right click on the DC object and select properties, click the object tab and make sure this setting is not enabled.

If all else fails you can transfer the roles to another DC (if you haven't already) and then use adsiedit to remove the DC and ntdsutil to removed metadata.

Will.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
protecting from accidental deletion was introduced in 2008 so unless the user put in the 2012 servers then hit that check box for that server then it isn't a factor; just tried in a test environment with the object protected and dcpromo was fine - which makes sense since it only prevents object deletion, not moving across an OU or container

i would remove manually using the technet article cited above
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Thanks for pointing that out Seth. Now that you mention it, it was an issue while doing the metadata cleanup using ntdsutil, it was failing and saying access denied. This was due to the Protect from accidental deletion.

Will.
0
 
MaheshArchitectCommented:
logon to affected server with domain admins
Then run DCPromo /forceremoval command, hopefully this should demote server
After that you may need to run metadata cleanup to remove demoted DC trace from AD completely
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
0
 
zubar75Author Commented:
Was hoping to remove the controller clean from the active directory and not force remove.

Already looked at the protect from accidental detetion,  same problem.

Any suggestions about the "Enable computer and user accounts to be trusted for delegation policy" showing as disabled?
0
 
MaheshArchitectCommented:
OK
Check Default "Computers" container permissions, it might be possible that there is deny permissions set to create computer objects

If you find one, just remove those permissions, force AD replication and check if it works
0
 
zubar75Author Commented:
No Deny permissions on the default computers container
0

Featured Post

Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

  • 3
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now