Solved

Access Denied when demoting Windows 2003 domain controller

Posted on 2015-01-25
136 Views
Last Modified: 2015-02-23
I have moved my domain over to Windows 2012 servers and I am now trying to demote a Windows 2003 DC. When I attempt this I get the following:

The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account <hostname>$ to an Active Directory Domain Controller account. "Access is denied", and it prompts for an enterprise account.

What I have found is that the "Enable computer and user accounts to be trusted for delegation" policy is the likely cause of the failure; no matter which user I try to demote the server with, this policy shows disabled.

I have gone through and verified the correct permissions on the user; this is a top-level Enterprise Admin account with all needed rights.

I have verified that the Domain Controllers policy exists and that the Domain Controllers OU is linked accordingly. The Default Domain Policy is applying to the user when it logs in, and that policy is set to Administrators.

I have even tried adding a specific user to the trusted-for-delegation policy, but no matter what I do the user shows disabled for this policy.

Any suggestions?
Question by:zubar75
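The user right behind that wizard check is SeEnableDelegationPrivilege. Like every user-rights assignment it is a computer-side setting: it has to be granted on the DC being demoted (normally through the Default Domain Controllers Policy linked to the Domain Controllers OU), and the demoting account has to be a member of one of the principals it is granted to. The following is an added example, not code from the original thread, for confirming both points on that DC. It assumes an elevated prompt on the DC being demoted; Windows Server 2003 needs PowerShell installed separately, but the whoami and secedit commands it wraps are built in and can be run from cmd on their own.

```powershell
# Added example, not from the original thread. Run elevated on the DC being demoted.

# 1. Does the current token carry the right at all? A "State" of "Disabled" is
#    normal here: it means the privilege is held but not currently enabled in the
#    token. No line at all means the right is not held by this logon.
whoami /priv | findstr /i SeEnableDelegationPrivilege

# 2. Which principals does the effective local security policy grant it to?
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'No principal holds SeEnableDelegationPrivilege here; check the GPO linked to the Domain Controllers OU.'
} else {
    # Entries look like "*S-1-5-32-544,*S-1-5-21-...-512"; translate each SID to a name.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # unresolvable SID (deleted account, or a plain name): show it raw
        }
    }
}

# 3. Is the demoting account a member of one of those principals?
#    BUILTIN\Administrators (S-1-5-32-544) is the default holder on a DC.
whoami /groups | findstr /i "Admins Administrators"
```

If step 2 lists BUILTIN\Administrators and step 3 shows the account in it, the right is in place and the "Access is denied" has another cause; if step 2 is empty or lists only unexpected SIDs, the policy reaching this DC (not the user's policy) is what needs fixing, and a gpupdate /force followed by a re-run of step 2 confirms the change.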
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569747
Did you read the Microsoft support solution search about KB2002413?
 

Author Comment

by:zubar75
ID: 40569751
Yes, I went through KB2002413. All lines up OK.
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569767
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40569793
I have seen similar issues when the domain controller computer account is set to "protect from accidental deletion". I would check and make sure that this setting is not set.

Right click on the DC object and select properties, click the object tab and make sure this setting is not enabled.

If all else fails you can transfer the roles to another DC (if you haven't already) and then use adsiedit to remove the DC and ntdsutil to removed metadata.

Will.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40569964
Protecting from accidental deletion was introduced in 2008, so unless the user put in the 2012 servers and then hit that check box for that server, it isn't a factor. I just tried in a test environment with the object protected and dcpromo was fine, which makes sense since it only prevents object deletion, not moving across an OU or container.

I would remove it manually using the TechNet article cited above.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40569969
Thanks for pointing that out Seth. Now that you mention it, it was an issue while doing the metadata cleanup using ntdsutil, it was failing and saying access denied. This was due to the Protect from accidental deletion.

Will.
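Will's check for "Protect object from accidental deletion" and the FSMO check from the same answer, scripted, as an added example that is not code from the thread. It runs from a Windows Server 2012 DC with the ActiveDirectory module and inspects the three objects that demotion and the later metadata cleanup touch: the DC's computer account, its server object under Sites, and the NTDS Settings object beneath it. The DC name is an assumed placeholder. As Seth and Will settle above, the flag only blocks deletion, so what it breaks is the ntdsutil cleanup path rather than the account conversion the error message is about.

```powershell
# Added example, not from the original thread. Run on a Windows Server 2012 DC.
Import-Module ActiveDirectory

$dc = 'OLDDC01'   # assumed placeholder: NetBIOS name of the 2003 DC being demoted

$configNC = (Get-ADRootDSE).configurationNamingContext

# The three objects involved in demotion / metadata cleanup
$computer = Get-ADComputer -Identity $dc -Properties ProtectedFromAccidentalDeletion
$server   = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$dc'" `
                -SearchBase $configNC -Properties ProtectedFromAccidentalDeletion
$ntds     = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" `
                -SearchBase $server.DistinguishedName -SearchScope OneLevel `
                -Properties ProtectedFromAccidentalDeletion

foreach ($obj in @($computer, $server, $ntds)) {
    '{0} -> Protected={1}' -f $obj.DistinguishedName, $obj.ProtectedFromAccidentalDeletion
    if ($obj.ProtectedFromAccidentalDeletion) {
        # Clearing the flag removes the Deny Delete / Delete Subtree ACE for Everyone
        # that the checkbox adds; nothing else on the object changes.
        Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false
    }
}

# Make sure no operations-master role is still on the server about to disappear
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$dc.*") {
        $msg = '{0} is still held by {1}; move it first, e.g. Move-ADDirectoryServerOperationMasterRole -Identity NEWDC01 -OperationMasterRole {0}' -f $r.Key, $r.Value
        Write-Warning $msg
    }
}
```

NEWDC01 in the warning text is likewise a placeholder for one of the 2012 DCs. Run the script before any forced removal: once the old DC is gone, a role still pointing at it has to be seized rather than moved.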
 
LVL 37

Expert Comment

by:Mahesh
ID: 40571217
Log on to the affected server with a Domain Admins account.
Then run the DCPromo /forceremoval command; hopefully this should demote the server.
After that you may need to run metadata cleanup to remove the demoted DC's traces from AD completely.
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
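Mahesh's forced-removal path end to end, as an added example that is not code from the thread: dcpromo /forceremoval on the 2003 box, then ntdsutil metadata cleanup from a 2012 DC in its non-interactive form, then the checks that confirm nothing still references the old DC. Server, site and zone names are assumed placeholders, and the DNS step assumes the DnsServer module (2012 DNS role) on the DC it runs from. Forced removal skips the clean demotion the author is after, so it is the fallback once the permission problem is ruled out; it leaves the NTDS Settings, server object and DNS records behind, which is exactly what the cleanup removes. On Windows Server 2008 and later, deleting the DC's computer object in Active Directory Users and Computers performs the same metadata cleanup, which is why the accidental-deletion flag matters on that path.

```powershell
# Added example, not from the original thread.

# Step 1 (on the 2003 DC itself, from cmd; no PowerShell needed there):
#     dcpromo /forceremoval
# This tears the DC role down locally without contacting the rest of the forest,
# so everything the forest knows about the DC stays behind until step 2.

# Step 2 (from a Windows Server 2012 DC): remove what the old DC left in the directory.
Import-Module ActiveDirectory

$oldDc  = 'OLDDC01'                     # assumed placeholder: name of the removed DC
$site   = 'Default-First-Site-Name'     # assumed placeholder: site the old DC was in
$domain = Get-ADDomain

$serverDN = 'CN={0},CN=Servers,CN={1},CN=Sites,{2}' -f `
            $oldDc, $site, (Get-ADRootDSE).configurationNamingContext

# The same menus as the interactive walk-through, passed as arguments instead.
# "remove selected server" takes the DN of the server object under Sites.
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# Step 3: confirm the old DC is gone from the places that still advertise it
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
repadmin /replsummary

if (Get-ADComputer -Filter "name -eq '$oldDc'") {
    Write-Warning "Computer account $oldDc still exists; delete it once the cleanup is confirmed."
}

# Stale NS records for the old DC in the domain zone (repeat for the _msdcs zone)
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$oldDc.*" } |
    ForEach-Object {
        Remove-DnsServerResourceRecord -ZoneName $domain.DNSRoot -InputObject $_ -Force
    }
```

Run step 3 on more than one DC, or wait a replication cycle and re-run repadmin /replsummary, before trusting that the cleanup has replicated everywhere.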
 

Author Comment

by:zubar75
ID: 40571468
Was hoping to remove the controller clean from the active directory and not force remove.

Already looked at the protect from accidental deletion, same problem.

Any suggestions about the "Enable computer and user accounts to be trusted for delegation policy" showing as disabled?
 
LVL 37

Expert Comment

by:Mahesh
ID: 40572047
OK
Check the default "Computers" container permissions; it is possible that there are deny permissions set to create computer objects.

If you find one, just remove those permissions, force AD replication and check if it works
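Mahesh's ACL check as an added PowerShell example (not code from the thread), run from a 2012 DC. Demotion moves the DC's account out of the Domain Controllers OU into the Computers container and rewrites the account on the way, so the script lists Deny entries on all three objects involved (the Computers container, the Domain Controllers OU and the DC's own computer object) and flags the ones that would stop a computer object being created there. The computer class GUID is read from the schema rather than hard-coded. The DC name is an assumed placeholder.

```powershell
# Added example, not from the original thread. Run on a Windows Server 2012 DC.
Import-Module ActiveDirectory

$dc = 'OLDDC01'   # assumed placeholder: DC being demoted
$rootDse   = Get-ADRootDSE
$defaultNC = $rootDse.defaultNamingContext

# schemaIDGUID of the computer class: the ObjectType used by
# object-specific "Create computer objects" ACEs
$computerClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Get-DenyAces {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            # An all-zero ObjectType means the ACE covers every object class
            $coversComputer = ($_.ObjectType -eq [guid]::Empty) -or ($_.ObjectType -eq $computerGuid)
            [pscustomobject]@{
                Object               = $DistinguishedName
                Trustee              = $_.IdentityReference
                Rights               = $_.ActiveDirectoryRights
                Inherited            = $_.IsInherited
                BlocksComputerCreate = (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and $coversComputer
            }
        }
}

$targets = @(
    "CN=Computers,$defaultNC",
    "OU=Domain Controllers,$defaultNC",
    (Get-ADComputer -Identity $dc).DistinguishedName
)
$denies = @($targets | ForEach-Object { Get-DenyAces $_ })

if ($denies) { $denies | Format-Table -AutoSize } else { 'No Deny ACEs found on any of the three objects.' }
```

A Deny that the demoting account inherits through any group membership wins over the Allow entries Enterprise Admins normally has, which is why an account that looks fully privileged can still get "Access is denied" here; an empty result, as the author reports, rules this cause out.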
 

Author Comment

by:zubar75
ID: 40590204
No Deny permissions on the default computers container
