Solved

Access Denied when demoting windows 2003 dc controller

Posted on 2015-01-25
135 Views
Last Modified: 2015-02-23
I have moved my domain over to windows 2012 servers and I am now trying to demote a windows 2003 dc. When I attempt this I get the following

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied"  and it prompts for an enterprise account.

What I have found is that the "Enable computer and user accounts to be trusted for delegation" policy is the likely cause of the failure; no matter which users I try to demote the server with, this policy shows disabled.

I have gone through and verified the correct permissions on the user; this is a top level ent admin account with all needed rights.

I have verified the domain controller policy exists and that the OU for domain controllers is linked accordingly. The default domain policy is applying to the user when it logs in. And that policy is set to Administrators.

I have even tried adding a specific user to the trusted delegation policy, but no matter what I do the user shows disabled for this policy.

Any suggestions?
Question by:zubar75
10 Comments
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569747
Did you read Microsoft support solution search about KB2002413?

Author Comment

by:zubar75
ID: 40569751
Yes, I went through KB2002413. All lines up OK.
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569767
LVL 53

Accepted Solution

by:Will Szymkowski (earned 500 total points)
ID: 40569793
I have seen similar issues when the domain controller computer account is set to "protect from accidental deletion". I would check and make sure that this setting is not set.

Right click on the DC object and select properties, click the object tab and make sure this setting is not enabled.

If all else fails you can transfer the roles to another DC (if you haven't already) and then use adsiedit to remove the DC and ntdsutil to removed metadata.

Will.
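The checks in the accepted answer (protection-from-deletion flag on the DC object, roles transferred off the DC) can be scripted before attempting the demotion. The following is an added example and not code from the thread; it assumes a Windows Server 2012 DC (or a host with the RSAT ActiveDirectory module) where a Domain Admin runs it, and the DC name `OLD2003DC` is a placeholder. It also checks the NTDS Settings object, which carries the same flag, and whether another global catalog exists.

```powershell
# Added example (not from the thread): pre-demotion readiness checks for a DC.
# Assumes the ActiveDirectory module is available and the caller is a Domain Admin.
Import-Module ActiveDirectory

function Get-DcDemotionReadiness {
    param([Parameter(Mandatory = $true)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName

    # 1. The DC's computer object and its NTDS Settings object can each carry
    #    the "Protect object from accidental deletion" flag.
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties ProtectedFromAccidentalDeletion
    $ntds     = Get-ADObject   -Identity $dc.NTDSSettingsObjectDN -Properties ProtectedFromAccidentalDeletion

    # 2. Any FSMO roles still held by this DC must be transferred before demotion.
    $rolesHeld = @($dc.OperationMasterRoles)

    # 3. Demoting the last global catalog would leave the forest without one.
    $otherGcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                  Where-Object { $_.HostName -ne $dc.HostName })

    [pscustomobject]@{
        DomainController        = $dc.HostName
        Site                    = $dc.Site
        ComputerObjectProtected = [bool]$computer.ProtectedFromAccidentalDeletion
        NtdsSettingsProtected   = [bool]$ntds.ProtectedFromAccidentalDeletion
        FsmoRolesStillHeld      = $rolesHeld
        OtherGlobalCatalogs     = $otherGcs.HostName
        ReadyForCleanDemotion   = (-not $computer.ProtectedFromAccidentalDeletion) -and
                                  (-not $ntds.ProtectedFromAccidentalDeletion) -and
                                  ($rolesHeld.Count -eq 0) -and
                                  ($otherGcs.Count -gt 0 -or -not $dc.IsGlobalCatalog)
    }
}

# Clears the protection flag on one object (the "make sure this setting is not
# enabled" step from the answer) so the readiness check can be re-run.
function Clear-AccidentalDeletionProtection {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
}

# Usage with a placeholder DC name:
$report = Get-DcDemotionReadiness -DcName 'OLD2003DC'
$report | Format-List
if ($report.ComputerObjectProtected) {
    $dn = (Get-ADDomainController -Identity 'OLD2003DC').ComputerObjectDN
    Clear-AccidentalDeletionProtection -DistinguishedName $dn
}
```

If `FsmoRolesStillHeld` is not empty, transfer those roles first; the metadata cleanup with ntdsutil that the answer mentions is only the fallback once a clean demotion has failed, because it removes the DC's objects from AD without the server itself being demoted.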
LVL 34

Expert Comment

by:Seth Simmons
ID: 40569964
Protecting from accidental deletion was introduced in 2008, so unless the user put in the 2012 servers then hit that check box for that server, it isn't a factor; just tried in a test environment with the object protected and dcpromo was fine, which makes sense since it only prevents object deletion, not moving across an OU or container.

I would remove manually using the technet article cited above.
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40569969
Thanks for pointing that out Seth. Now that you mention it, it was an issue while doing the metadata cleanup using ntdsutil, it was failing and saying access denied. This was due to the Protect from accidental deletion.

Will.
LVL 36

Expert Comment

by:Mahesh
ID: 40571217
Log on to the affected server with domain admins.
Then run the DCPromo /forceremoval command; hopefully this should demote the server.
After that you may need to run metadata cleanup to remove the demoted DC trace from AD completely:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Author Comment

by:zubar75
ID: 40571468
Was hoping to remove the controller clean from the active directory and not force remove.

Already looked at the protect from accidental deletion, same problem.

Any suggestions about the "Enable computer and user accounts to be trusted for delegation policy" showing as disabled?
LVL 36

Expert Comment

by:Mahesh
ID: 40572047
OK
Check Default "Computers" container permissions, it might be possible that there is deny permissions set to create computer objects

If you find one, just remove those permissions, force AD replication and check if it works
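Both the "Deny on creating computer objects" check suggested here and the asker's earlier question about the delegation user right can be verified directly rather than by eye in the GUI. The following is an added example, not code from the thread; it assumes a Windows Server 2012 DC with the ActiveDirectory module, run as a Domain Admin. The function and variable names are the example's own. The `computer` class GUID used to match object-specific ACEs is the well-known schemaIDGUID of that class. One caveat for the delegation check: `whoami /priv` lists most privileges as "Disabled" even when they are granted, because a process enables them only when it needs them; the question is whether the `SeEnableDelegationPrivilege` line appears at all.

```powershell
# Added example (not from the thread). Part 1: find Deny ACEs that would block
# creating computer objects in the default Computers container and the
# Domain Controllers OU. Part 2: confirm the delegation user right is present
# in the token of the account used for dcpromo.
Import-Module ActiveDirectory

# schemaIDGUID of the 'computer' object class. An ACE whose ObjectType is this
# GUID, or the empty GUID (meaning every class), governs "Create computer objects".
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Find-DenyCreateComputer {
    param([Parameter(Mandatory = $true)][string]$ContainerDN)

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClassGuid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Container = $ContainerDN
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
                AppliesTo = if ($_.ObjectType -eq [guid]::Empty) { 'all object classes' } else { 'computer objects' }
            }
        }
}

$domain = Get-ADDomain
$denies = @(
    Find-DenyCreateComputer -ContainerDN $domain.ComputersContainer
    Find-DenyCreateComputer -ContainerDN $domain.DomainControllersContainer
)
if ($denies.Count -eq 0) {
    'No Deny ACEs on creating computer objects were found.'
} else {
    # An inherited Deny points at a parent container or the domain root.
    $denies | Format-Table -AutoSize
}

# Part 2: run on the DC being demoted, logged on as the account used for dcpromo.
# The whoami line can also be typed at a cmd prompt on the 2003 server itself.
function Test-DelegationPrivilege {
    $line = whoami /priv | Select-String -SimpleMatch 'SeEnableDelegationPrivilege'
    if ($null -eq $line) {
        'SeEnableDelegationPrivilege is NOT granted to this account on this machine.'
    } else {
        # "Disabled" in this line is normal; presence is what shows the right was granted.
        "Granted: $($line.Line.Trim())"
    }
}
Test-DelegationPrivilege
```

If the privilege line is missing on the 2003 DC even though the Default Domain Controllers Policy grants it to Administrators, the policy is not reaching that machine; `gpresult /r` on the DC shows which GPOs actually applied. After removing a Deny ACE, replication must complete (the thread's "force AD replication" step) before the DC being demoted sees the change.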

Author Comment

by:zubar75
ID: 40590204
No Deny permissions on the default computers container