Thursday, September 16, 2010

Access is Denied When Demoting a Domain Controller

Issue #1: You get the following error message when demoting a domain controller:

The operation failed because: The attempt at remote domain controller dc.domain.com to remove domain controller CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com from the forest was unsuccessful.  "Access is denied."

Resolution: Make sure the "Protect object from accidental deletion" check box is NOT selected in the NTDS Settings properties.

NTDS Settings -> Properties -> Object Tab


Issue #2:

The operation failed because: Active Directory could not configure the computer account HOULAB01$ on the remote domain controller tdc01.santhosh.lab. "Access is denied."

Resolution: Make sure the "Protect object from accidental deletion" check box is NOT selected in the domain controller object properties.
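The same two checks can be scripted. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, uses `DC-DEMOTE` as a placeholder for the domain controller being demoted, and also lists Deny ACEs on the parent containers, since the check box works by writing Deny entries for Everyone.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. 'DC-DEMOTE' is a placeholder name.
param(
    [string]$DcName = 'DC-DEMOTE',   # domain controller about to be demoted
    [switch]$Clear                   # without -Clear the script only reports
)

# Rights that block deletion when they appear in a Deny ACE.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

function Get-DeletionBlock {
    param([string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName `
        -Properties ProtectedFromAccidentalDeletion, nTSecurityDescriptor
    $deny = $obj.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.ActiveDirectoryRights -band $deleteRights)
    }
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        Protected         = $obj.ProtectedFromAccidentalDeletion
        DenyAces          = ($deny | ForEach-Object {
            "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }) -join '; '
    }
}

$dc = Get-ADDomainController -Identity $DcName
# The two objects from the post (computer account, NTDS Settings) plus the server object.
$targets = @($dc.ComputerObjectDN, $dc.ServerObjectDN, $dc.NTDSSettingsObjectDN)
# Parent containers too: a Deny "Delete all child objects" ACE there blocks removal as well.
$parents = $targets | ForEach-Object { ($_ -split '(?<!\\),', 2)[1] } | Select-Object -Unique

($targets + $parents) | ForEach-Object { Get-DeletionBlock $_ } | Format-List

if ($Clear) {
    foreach ($dn in $targets) {
        # Same effect as clearing the check box on the Object tab.
        Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false -Confirm
    }
}
```

Run it without `-Clear` first to see which objects are protected; with `-Clear` it prompts before changing each of the demoted server's own objects and leaves the parent containers untouched.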


27 comments:

Keep rocking.. This scenario is really very helpful to me..:):):) Hats off, Sivarajan.

Thanks a lot Santosh! I've been to a lot of sites with lengthy explanations, but none of them helped me.

So glad I came across your blog. You're the man!

Spent an hour trying to figure this out. THANK YOU!!!!

This was very helpful. I was able to demote domain controller. It is easy to forget small check marks. Santosh, it is good that you created this blog. Thank you very much. Your information was very useful - Srini

Thanks for this, very helpful; buried in Tech-net somewhere, very easy to overlook this.

Thanks, after reading 20 other sites this solved it.

Thanks for the feedback JCA!


I had a similar situation but that box was already unchecked. I went to ADSIEDIT cn=default-first-site-name cn=sites cn=configuration dc=domain dc=local. My DC servers had security set to deny for everyone for "Delete all Child Objects". No idea why? Unchecked and demotion went fine.

Thanks for the post. It came in handy after a while of looking for answers. Much appreciated.


Thanks! I had overlooked this issue.

Thanks for the quick and concise help! I turned this on a while back after running a BPA scan and completely forgot about it. Great work!


Absolutely! Thanks for the feedback. Happy to hear that you were able to resolve the issues.

If this wasn't so serious an issue this wouldn't have been so funny... thanks, you helped me get rid of our last 2008 DC!

This did the trick! Thanks so much!

Remove the deletion protection from the computer object domain.local/Domain Controllers/DC-DEMOTE
dcpromo.log [INFO] Error - Доменным службам Active Directory не удается настроить учетную запись компьютера DC-DEMOTE$ на удаленном контроллере домена Active Directory pdc.domain.local. (5)
dcpromoui.log OperationStatus : 0x5 !0 => error
DisplayString : Доменным службам Active Directory не удается настроить учетную запись компьютера DC-DEMOTE$ на удаленном контроллере домена Active Directory pdc.domain.local.

Remove the deletion protection from the NTDS object domain.local/Configuration/Sites/domain-local-site/Servers/DC-DEMOTE/NTDS Settings
dcpromo.log [INFO] Error - Ошибка на удаленном сервере службы каталогов pdc.domain.local при попытке ликвидации сервера службы каталогов CN=DC-DEMOTE,CN=Servers,CN=domain-local-site,CN=Sites,CN=Configuration,DC=domain,DC=local. (5)
dcpromoui.log Enter ProgressDialog::UpdateText Ошибка на удаленном сервере службы каталогов pdc.domain.local при попытке ликвидации сервера службы каталогов CN=DC-DEMOTE,CN=Servers,CN=domain-local-site,CN=Sites,CN=Configuration,DC=domain,DC=local.

Thanks, you fixed my issue (2008 RODC)

Thank you for information. It helped me.
Talgat A

It's been 10 years and you're still correct. You are my hero.
