error when demoting dc

[Martin]

Hi folks

Using dcpromo to demote a dc the following appears;

The operation failed because: The attempt to configure the machine account
DC2$ on server 'dc2.domain.com failed'. "Access is denied. "
Please specify an account with Enterprise Administrator privileges to the
forest 'domain.com'

As far as I can see my administrator account has every possible privilege
available and has full control on the 'DC2$' machine account
Is there somewhere else I should be checking ?

This same account has successfully promoted and demoted dc's in the past.

Thanks in advance
Martin

 

[Martin]

To anyone interested I've resolved this myself thanks


To resolve this problem, use an account in the Administrators group, or add
the appropriate account to the Administrators group. To grant this right to
another user or group, set the delegation privilege on the Group Policy
object: 1. In the Active Directory Users and Computers snap-in, edit the
Default Domain Controllers Policy on the Domain Controllers Organizational
Unit.
2. Double-click Computer Configuration, click Windows Settings, click
Security Settings, click Local Policies, and then click User Rights
Assignment.
3. Under Enable Computer and User Accounts to be trusted for
Delegation, add the appropriate account or group.
4. Apply the policy using one of the following methods: . At a command
prompt, type secedit /refreshpolicy machine_policy /enforce.
. In the Sites and Services snap-in (Dssite.msc), use the
Replicate Now feature to force replication from the domain controller on
which the policy was changed to the other domain controllers in the domain.

 

[Guest]

This was my exact problem. Thanks for posting the fix.