dcpromo fails to demote domain controller

Dan Varozza

We have a single forest, single domain, Windows 2000 SP4
Active Directory domain with two domain controllers. Both
are Global Catalog servers. SERVER1 has all the FSMO
roles. I am trying to demote SERVER2 into a member server.

I run dcpromo.exe and the wizard runs for a bit, stopping
services, etc. Then it comes up with a prompt to
authenticate with different credentials that have
Enterprise Administrator privileges to the forest:

"The operation failed because: The attempt to configure
the machine account SERVER2$ on SERVER1.domainname.com
failed. Access is Denied"

I have tried several accounts that I have confirmed to be
Enterprise Admins.

Any ideas?
 
Guest

Possibly a secure channel issue, but you should be seeing more errors in
Event Viewer or a replication monitor tool.

Netdom is the tool you will want to use to reset the secure channel.
 
Brian

We're getting the exact same problem when trying to
install Active Directory on a new server. The Microsoft
KB article 232070 does not fix the problem. I've
reinstalled the entire OS on the server. DNS is working
fine and passes netdiag /test:dns.

I am also using an account that has the permissions to
change the computer account type from a member server to
a domain controller as I am using the Enterprise Admins
account.

I do not have anything in the event log that seems to be
applicable so I am at a loss of what to try next.

Brian.
-----Original Message-----
Possibly a secure channel issue, but you should be seeing more errors in
Event Viewer or a replication monitor tool.

Netdom is the tool you will want to use to reset the secure channel.

--
James Brandt [MSFT]


 
Guest

I ran "netdom verify SERVERNAME /d:domainname" from both
domain controllers and netdom reported "the secure channel
from SERVERNAME to the DOMAINNAME has been verified."

So it appears that the secure channel is not the problem?
 
Resonate

Not sure if it's related, but I had the same problem when trying to add a DC.

http://support.microsoft.com/?kbid=250874 fixed it for me.

This bit:

Verify that the current domain controllers in the domain have applied
security policy and the Enable computer and user accounts to be trusted for
delegation user right is granted to the Administrators Group in the domain
controllers policy (click Computer Configuration, click Windows Settings,
click Security Settings, click Local Policies, and then click User Rights
Assignment).


Hope this helps
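
The check quoted from the KB article can also be run against an exported copy of the policy. The following is an added example, not part of the original post or the KB article: it assumes the domain controllers policy has been exported as security-template (INF) text and read into a string, and looks for `SeEnableDelegationPrivilege` (the constant name of the "Enable computer and user accounts to be trusted for delegation" right) in the `[Privilege Rights]` section. The function names and sample templates are constructed for illustration.

```python
"""Check a security-template INF for the delegation user right (added example)."""

# Constant name of "Enable computer and user accounts to be trusted for delegation".
RIGHT = "SeEnableDelegationPrivilege"
# Well-known SID of BUILTIN\Administrators; templates may store the name instead.
ADMIN_IDS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}


def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [
                p.strip().strip('"') for p in value.split(",") if p.strip()
            ]
    return rights


def delegation_right_status(inf_text):
    """'ok' if Administrators holds the right, else 'missing' or 'not_defined'."""
    holders = privilege_rights(inf_text).get(RIGHT.lower())
    if holders is None:
        return "not_defined"  # the policy does not define the right at all
    if any(h.lower() in ADMIN_IDS for h in holders):
        return "ok"
    return "missing"  # defined, but Administrators is not listed


# Constructed sample templates (not taken from the thread).
GOOD = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
"""
EMPTY = "[Privilege Rights]\nSeEnableDelegationPrivilege =\n"
ABSENT = "[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("empty", EMPTY), ("absent", ABSENT)):
        print(label, delegation_right_status(text))
```

A result of `missing` or `not_defined` corresponds to the condition the KB excerpt says to verify.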
 
