Peter Lillington
I cannot demote domain controllers in our domain. The dcpromo.log shows this:

11/19 16:44:32 [INFO] Removing Directory Service objects referring to the local server from the remote server xxx.xxx.xxx
11/19 16:44:33 [INFO] Error - The attempt to configure the machine account GHOST$ on server xxx.xxx.xxx failed. (5)
11/19 16:44:35 [INFO] NtdsDemote returned 5
11/19 16:44:35 [INFO] DsRolepDemoteDs returned 5
11/19 16:44:35 [ERROR] Failed to demote the directory service (5)

The message onscreen also tells you 'access is denied', and asks for an account with ent admin rights - which the account used for demotion has.

This looks to be a problem with access permissions on the computer object in AD. I checked the permissions on the computer object, and changed them temporarily to give FC for ent admins (it appeared to be set too restrictively - the same permissions as found on the AdminSDHolder object). However, this permission change did not help and access to the object is still denied. Any ideas anybody?

Thanks,
Peter