Issue #1: You will get the following error message when demoting a domain controller:
The operation failed because: The attempt at remote domain controller dc.domain.com to remove domain controller CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com from the forest was unsuccessful. "Access is denied."
Resolution: Make sure the Protect object from accidental deletion is NOT selected in NTDS Settings properties.
NTDS Settings -> Properties -> Object Tab
Issue #2:
The operation failed because: Active Directory could not configure the computer account HOULAB01$ on the remote domain controller tdc01.santhosh.lab. "Access is denied."
Resolution: Make sure the Protect object from accidental deletion is NOT selected in domain controller object properties.
27 comments:
keep rocking.. This scenario really very helpful to me..:):):) hats off sivarajan.
Thanks a lot Santosh! I've been to a lot of sites with lengthy explanations, but none of them helped me.
So glad I came across your blog. You're the man!
Spent an hour trying to figure this out. THANK YOU!!!!
This was very helpful. I was able to demote domain controller. It is easy to forget small check marks. Santosh, it is good that you created this blog. Thank you very much. Your information was very useful - Srini
Thanks for this very helpful, buried in Tech-net somewhere very easy to over look this.
Thanks for the feedback!
Thanks, after reading 20 other sites this solved it.
Thanks for the feedback JCA!
I had a similar situation but that box was already unchecked. I went to ADSIEDIT cn=default-first-site-name cn=sites cn=configuration dc=domain dc=local. My DC servers had security set to deny for everyone for "Delete all Child Objects" . No idea why? Unchecked and demotion went fine.
Thanks for the post. It came in handy after a while of looking for answers much appreciated.
Thanks por help!
Thanks
Excellent... Thanks.
Thanks! I had overlooked this issue.
Thanks for the quick and concise help! I turned this on a while back after running a BPA scan and completely forgot about it. Great work!
Thanks for this solution
Absolutely! Thanks for the feedback. Happy to hear that you were able to resolve the issues.
if this wasn't so serious an issue this wouldn't have been so funny... thanks, you helped me get rid of our last 2008 DC!
This did the trick! Thanks so much!
Убрать защиту от удаления объекта ПК domain.local/Domain Controllers/DC-DEMOTEз
dcpromo.log [INFO] Error - Доменным службам Active Directory не удается настроить учетную запись компьютера DC-DEMOTE$ на удаленном контроллере домена Active Directory pdc.domain.local. (5)
dcpromoui.log OperationStatus : 0x5 !0 => error
DisplayString : Доменным службам Active Directory не удается настроить учетную запись компьютера DC-DEMOTE$ на удаленном контроллере домена Active Directory pdc.domain.local.
Убрать защита от удаления NTDS объекта domain.local/Configuration/Sites/domain-local-site/Servers/DC-DEMOTE/NTDS Settings
dcpromo.log [INFO] Error - Ошибка на удаленном сервере службы каталогов pdc.domain.local при попытке ликвидации сервера службы каталогов CN=DC-DEMOTE,CN=Servers,CN=domain-local-site,CN=Sites,CN=Configuration,DC=domain,DC=local. (5)
dcpromoui.log Enter ProgressDialog::UpdateText Ошибка на удаленном сервере службы каталогов pdc.domain.local при попытке ликвидации сервера службы каталогов CN=DC-DEMOTE,CN=Servers,CN=domain-local-site,CN=Sites,CN=Configuration,DC=domain,DC=local.
Thanks, you fixed my issue (2008 RODC)
Ray J
Thank you for information. It helped me.
Talgat A
Its been 10 years and your still correct. Your are my hero
Post a Comment