DCPROMO demote failed (Access Denied)


jvaldry

Hello,

I have a problem with demoting a Windows 2000 server in a Windows 2003
Active Directory domain. The error message I receive when running
dcpromo.exe is:
"The Operation Failed: Failed to modify the necessary properties for
the machine account MICHELANGELO$ (my server name). Access Denied."


While searching for an answer I searched through Google Groups and
found references to this problem and two solutions in the MS KB.


http://support.microsoft.com/?kbid=232070
http://support.microsoft.com/?kbid=250874


I have tried both of these solutions and neither works.

The dcpromo.log file contains the following error messages:

--snip--
10/16 13:08:27 [INFO] Removing Directory Service objects referring to
the local server from the remote server vasari.arts.uci.edu
10/16 13:08:27 [INFO] Error - The attempt to configure the machine
account MICHELANGELO$ on server vasari.arts.uci.edu failed. (5)
10/16 13:08:28 [INFO] NtdsDemote returned 5
10/16 13:08:28 [INFO] DsRolepDemoteDs returned 5
10/16 13:08:28 [ERROR] Failed to demote the directory service (5)
--snip--



Other messages on Google Groups suggest using "dcpromo /forceremoval"
to solve the problem. However, I hesitate to do this because when I
promoted a development W2K3 server and attempted to demote it, that
server also now exhibits the EXACT same error. Does anyone have any
suggestions on how to resolve this problem?
Thank you for reading and giving my problem your time.

-Jason Valdry
 

S.J.Haribabu

Hi Jvaldry,

Since you have already gone through a few articles, please go through the general
document on Active Directory "Access Denied" errors.

Troubleshooting "Access Denied" Error Messages in Active Directory
Installation Wizard
There are several reasons why you might receive an "Access Denied" error
message while using the Active Directory Installation Wizard. All have to
do with permissions on the files or file structures that are necessary for
the installation and service of a domain controller.

Procedures for Troubleshooting "Access Denied" Error Messages in Active
Directory Installation Wizard
1. Verify file permissions to make sure they are correct. Verify that the
default Ntds.dit file permissions in the System32 folder are:

System32\Ntds.dit
BUILTIN\Users: Read [RX]
BUILTIN\Power Users: Read [RX]
BUILTIN\Administrators: Full Control [ALL]
NT AUTHORITY\SYSTEM: Full Control [ALL]
Everyone: Read [RX]


2. Verify folder permissions. If Active Directory was previously removed
and now you are installing it again, the %SystemRoot%\Ntds and
%SystemRoot%\Ntds\Drop folders will still exist. If permissions were
changed, the error message might be caused by the folder permissions. The
simplest resolution is to delete the original Ntds folder structure before
running the Active Directory Installation Wizard. Or, you can change the
folder permissions to match the following:

%SystemRoot%\Ntds
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]
%SystemRoot%\Ntds\Drop
BUILTIN\Users: Special Access [RX]
BUILTIN\Power Users: Special Access [RWXD]
BUILTIN\Administrators: Special Access [A]
NT AUTHORITY\SYSTEM: Special Access [A]
CREATOR OWNER: Special Access [A]


3. Verify that the current domain controllers in the domain have applied
security policy and the Enable computer and users accounts to be trusted
for delegation user right is granted to the Administrators Group.

1. In the Group Policy snap-in, click Computer Configuration, click Windows
Settings, click Security Settings, click Local Policies, and then click
User Rights Assignment.

2. For computers that do not have this right, confirm that Group Policy
objects in the directory service and file system have replicated by looking
for event ID 1704 in the application event log, and then manually apply the
policy by typing the following command:

secedit /refreshpolicy machine_policy


4. Use a Dcpromo answer file to source the promotion from a deterministic
domain controller. Search the Microsoft Knowledge Base for article 223757:
"Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Use
the ReplicationSourceDC parameter in the answer file.

5. Verify that the source domain controller is in the domain controllers
OU. The name of the source domain controller can be found in the
Dcpromo.log file in the %Systemroot%\debug folder on the Windows 2000
server that you are trying to promote.

6. Open a command prompt on the source domain controller, and run the
Gpresult.exe Resource Kit tool to verify that the Default Domain
Controllers policy is being applied to the source domain controller.

Thanks,

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
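The checks in steps 1 to 3 of the reply above (Ntds.dit and Ntds folder ACLs, and whether BUILTIN\Administrators holds the "Enable computer and user accounts to be trusted for delegation" right) can be scripted so they are repeatable on each domain controller that shows the error. The following PowerShell is an added example written for this thread, not code from either poster or from Microsoft. It assumes it runs elevated on the server being demoted, that the expected identities are exactly those listed in the reply, and that the user right in question is the one stored by the local security policy as SeEnableDelegationPrivilege (S-1-5-32-544 is the well-known SID of BUILTIN\Administrators).

```powershell
# Added example for the thread above: audit the file/folder ACLs and the
# delegation user right that the reply says to verify. Run elevated on the DC.

# Identities the reply lists for each path (constructed from the post).
$ExpectedIdentities = @{
    "$env:SystemRoot\System32\Ntds.dit" = @('BUILTIN\Users', 'BUILTIN\Power Users',
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'Everyone')
    "$env:SystemRoot\Ntds"              = @('BUILTIN\Users', 'BUILTIN\Power Users',
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    "$env:SystemRoot\Ntds\Drop"         = @('BUILTIN\Users', 'BUILTIN\Power Users',
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
}

# Steps 1 and 2: compare the identities present in the ACL with the expected set
# and flag any explicit Deny entry, which is the usual cause of an Access Denied.
function Test-NtdsAcl {
    param([string]$Path, [string[]]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "MISSING   $Path (fine if AD was never installed here)"
        return
    }
    $acl     = Get-Acl -LiteralPath $Path
    $present = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    foreach ($id in $Expected) {
        if ($present -notcontains $id) { Write-Output "NO ACE    $Path : $id" }
    }
    foreach ($id in $present) {
        if ($Expected -notcontains $id) { Write-Output "EXTRA ACE $Path : $id" }
    }
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        Write-Output "DENY ACE  $Path : $($_.IdentityReference) $($_.FileSystemRights)"
    }
    Write-Output "OWNER     $Path : $($acl.Owner)"
}

# Step 3: export the effective user-rights assignments with secedit and check
# that BUILTIN\Administrators (S-1-5-32-544) holds SeEnableDelegationPrivilege.
function Test-DelegationRight {
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -LiteralPath $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege' }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    if (-not $line) {
        Write-Output 'RIGHT     SeEnableDelegationPrivilege is not assigned to anyone'
    } elseif ($line -match '\*S-1-5-32-544') {
        Write-Output "RIGHT OK  $line"
    } else {
        Write-Output "RIGHT     Administrators missing: $line"
    }
}

foreach ($path in $ExpectedIdentities.Keys) {
    Test-NtdsAcl -Path $path -Expected $ExpectedIdentities[$path]
}
Test-DelegationRight
```

If the right is missing, the reply's `secedit /refreshpolicy machine_policy` (Windows 2000) or `gpupdate /target:computer` on later versions re-applies the Default Domain Controllers policy; re-run the script afterwards to confirm the change took effect before attempting dcpromo again.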
 
