DCPROMO demote failed (Access Denied)

jvaldry

Hello,

I have a problem with Demoting a Windows 2000 server in a Windows 2003
Active Directory Domain. The error message I receive when running
dcpromo.exe is:
"The Operation Failed: Failed to modify the necessary properties for
the machine account MICHELANGELO$(my server name) Access Denied."


While searching for an answer I searched through Google Groups and
found references to this problem and two solutions in the MS KB.


http://support.microsoft.com/?kbid=232070
http://support.microsoft.com/?kbid=250874


I have tried both of these solutions and neither works.

The dcpromo.log file contains the following error messages:

--snip--
10/16 13:08:27 [INFO] Removing Directory Service objects referring to
the local server from the remote server vasari.arts.uci.edu
10/16 13:08:27 [INFO] Error - The attempt to configure the machine
account MICHELANGELO$ on server vasari.arts.uci.edu failed. (5)
10/16 13:08:28 [INFO] NtdsDemote returned 5
10/16 13:08:28 [INFO] DsRolepDemoteDs returned 5
10/16 13:08:28 [ERROR] Failed to demote the directory service (5)
--snip--



Other messages on Google Groups suggest using "dcpromo /forceremoval"
to solve the problem. However, I hesitate to do this because when I
promoted a development W2K3 server and attempted to demote it, that
server also now exhibits the EXACT same error. Does anyone have any
suggestions on how to resolve this problem?
Thank you for reading and giving my problem your time.

-Jason Valdry
 
Matt Anderson

Hello,

I have a problem with Demoting a Windows 2000 server in a Windows 2003
Active Directory Domain.

What happens if you log on as enterprise admin?

Matt
 
Guest

Well, you could spend the time to troubleshoot this.
Or you could just use the /forceremoval switch to force remove it. Then do
the metadata cleanup. If the box holds FSMOs then you could seize them to
another DC.

If you're really interested in which attribute it is failing on (probably
useraccountcontrol), then you need to do a network trace. The LDAP modify
calls will show you what attribute it is failing on.
Once you know the attribute, then fix the security on it.
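
Added example (not part of the original thread or any poster's code): a small Python parser for the dcpromo.log excerpt in the first post. It rejoins the hard-wrapped lines and extracts the status code from each entry, which shows that the earliest entry carrying code 5 (Win32 ERROR_ACCESS_DENIED) is the machine-account update on the remote DC and that the later entries return the same code. The function names and the line-format regexes are assumptions based only on the lines quoted in that post.

```python
import re

# Win32 status code seen in this log (value from winerror.h).
WIN32 = {5: "ERROR_ACCESS_DENIED"}

# Assumed entry layout, inferred from the quoted lines: "MM/DD HH:MM:SS [LEVEL] text"
ENTRY_START = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] ")
CODE = re.compile(r"(?:\((\d+)\)|returned (\d+))\s*$")
SERVER = re.compile(r"on server (\S+) failed")

# Excerpt copied from the first post, including its hard line wraps.
SAMPLE = """\
10/16 13:08:27 [INFO] Removing Directory Service objects referring to
the local server from the remote server vasari.arts.uci.edu
10/16 13:08:27 [INFO] Error - The attempt to configure the machine
account MICHELANGELO$ on server vasari.arts.uci.edu failed. (5)
10/16 13:08:28 [INFO] NtdsDemote returned 5
10/16 13:08:28 [INFO] DsRolepDemoteDs returned 5
10/16 13:08:28 [ERROR] Failed to demote the directory service (5)
"""

def parse_entries(text):
    """Rejoin wrapped lines into one dict per log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2),
                            "msg": line[m.end():].strip()})
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()  # continuation line
    return entries

def failures(entries):
    """Entries that carry a non-zero status code, in log order."""
    out = []
    for e in entries:
        m = CODE.search(e["msg"])
        code = int(m.group(1) or m.group(2)) if m else 0
        if code:
            srv = SERVER.search(e["msg"])
            out.append({**e, "code": code, "name": WIN32.get(code, "unknown"),
                        "server": srv.group(1) if srv else None})
    return out

if __name__ == "__main__":
    for f in failures(parse_entries(SAMPLE)):
        print(f["time"], f["level"], f["code"], f["name"], f["server"] or "-")
```

The first element returned by `failures()` names the server on which the modify was refused, which is where a network trace of the LDAP modify calls would be taken.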
 
