Thread: "access denied" when trying to remove DC from domain

  1. #1
    Join Date
    Dec 2010
    Posts
    4

    "access denied" when trying to remove DC from domain

    Greetings.
    I am trying to remove a DC from our domain. There is a total of 3 domain controllers: 2 are Windows 2008, and the PDC is Windows 2008 R2.
    When I run dcpromo on the Server 2008 R1 domain controller, it errors out.

    The error is, "Error - Active Directory Domain Services could not configure the computer account zzzz$ on the remote Active Directory Domain Controller yyyy.xxxx.LOCAL"

    I have logged in using the domain admin account, as well as my own account (I am also a domain admin). I have confirmed that the group policy "Enable computer and user accounts to be trusted for delegation" has the administrators group, as well as the domain admin and myself in the list. I have run dcdiag and it seems to be OK. I will post the dcpromo log as well as the dcdiag log.

    Any thoughts?
    Last edited by Full_Throttle; 08-12-2010 at 01:48 AM.

  2. #2
    Join Date
    Dec 2010
    Posts
    4

    DCPROMO log

    Here is the DCPromo log:


    12/07/2010 12:13:16 [INFO] Request for demotion of domain controller
    12/07/2010 12:13:16 [INFO] DnsDomainName (NULL)
    12/07/2010 12:13:16 [INFO] ServerRole 1
    12/07/2010 12:13:16 [INFO] Account (NULL)
    12/07/2010 12:13:16 [INFO] Options 128
    12/07/2010 12:13:16 [INFO] LastDcInDomain FALSE
    12/07/2010 12:13:16 [INFO] Forced Demote FALSE
    12/07/2010 12:13:16 [INFO] Stage 2 only FALSE
    12/07/2010 12:13:16 [INFO] Start the worker task
    12/07/2010 12:13:16 [INFO] Request for demotion returning 0
    12/07/2010 12:13:16 [INFO] Reading domain policy from the local machine
    12/07/2010 12:13:16 [INFO] Searching for a domain controller for the domain xxxx.LOCAL
    12/07/2010 12:13:16 [INFO] Searching for a domain controller for the domain xxxx.LOCAL that contains the account zzzz$
    12/07/2010 12:13:16 [INFO] Located domain controller yyyy.xxxx.LOCAL for domain xxxx.LOCAL
    12/07/2010 12:13:16 [INFO] Support Dc in xxxx.LOCAL is yyyy.xxxx.LOCAL
    12/07/2010 12:13:16 [INFO] Located domain controller yyyy.xxxx.LOCAL for domain xxxx.LOCAL
    12/07/2010 12:13:16 [INFO] Preparing the directory service for demotion
    12/07/2010 12:13:16 [INFO] Searching for other replicas of directory partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL on the network...
    12/07/2010 12:13:16 [INFO] Transferring remaining data in directory partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferred Operation Master roles owned by this server in partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to server yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Completing DN reference scavenging...
    12/07/2010 12:13:16 [INFO] Replicating remaining updates in directory partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Replicated off remaining updates in partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Active Directory Domain Services successfully transferred the remaining data in directory partition CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Searching for other replicas of directory partition CN=Configuration,DC=xxxx,DC=LOCAL on the network...
    12/07/2010 12:13:16 [INFO] Transferring remaining data in directory partition CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferred Operation Master roles owned by this server in partition CN=Configuration,DC=xxxx,DC=LOCAL to server yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Completing DN reference scavenging...
    12/07/2010 12:13:16 [INFO] Replicating remaining updates in directory partition CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Replicated off remaining updates in partition CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Active Directory Domain Services successfully transferred the remaining data in directory partition CN=Configuration,DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Searching for other replicas of directory partition DC=xxxx,DC=LOCAL on the network...
    12/07/2010 12:13:16 [INFO] Transferring remaining data in directory partition DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferred Operation Master roles owned by this server in partition DC=xxxx,DC=LOCAL to server yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Completing DN reference scavenging...
    12/07/2010 12:13:16 [INFO] Replicating remaining updates in directory partition DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Replicated off remaining updates in partition DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Active Directory Domain Services successfully transferred the remaining data in directory partition DC=xxxx,DC=LOCAL to Active Directory Domain Controller yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Searching for other replicas of directory partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL on the network...
    12/07/2010 12:13:16 [INFO] Transferring remaining data in directory partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferred Operation Master roles owned by this server in partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to server \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Completing DN reference scavenging...
    12/07/2010 12:13:16 [INFO] Replicating remaining updates in directory partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Replicated off remaining updates in partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Active Directory Domain Services successfully transferred the remaining data in directory partition DC=DomainDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Searching for other replicas of directory partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL on the network...
    12/07/2010 12:13:16 [INFO] Transferring remaining data in directory partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Transferred Operation Master roles owned by this server in partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to server \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Completing DN reference scavenging...
    12/07/2010 12:13:16 [INFO] Replicating remaining updates in directory partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL...
    12/07/2010 12:13:16 [INFO] Replicated off remaining updates in partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:16 [INFO] Active Directory Domain Services successfully transferred the remaining data in directory partition DC=ForestDnsZones,DC=xxxx,DC=LOCAL to Active Directory Domain Controller \\yyyy.xxxx.LOCAL.
    12/07/2010 12:13:31 [INFO] Started system volume demotion on enterprise
    12/07/2010 12:13:31 [INFO] Read the LSA policy information from the local machine
    12/07/2010 12:13:31 [INFO] Informed NETLOGON to deregister records
    12/07/2010 12:13:31 [INFO] Stopping service NETLOGON
    12/07/2010 12:13:32 [INFO] Configuring service NETLOGON to 1 returned 0
    12/07/2010 12:13:32 [INFO] Stopped NETLOGON
    12/07/2010 12:13:32 [INFO] Configuring service NTDS
    12/07/2010 12:13:32 [INFO] Configuring service NTDS to 2112 returned 0
    12/07/2010 12:13:32 [INFO] Stopping service IsmServ
    12/07/2010 12:13:33 [INFO] Configuring service IsmServ to 577 returned 0
    12/07/2010 12:13:33 [INFO] Stopping service kdc
    12/07/2010 12:13:35 [INFO] Configuring service kdc to 65 returned 0
    12/07/2010 12:13:35 [INFO] Stopping service NETLOGON
    12/07/2010 12:13:36 [INFO] Configuring service NETLOGON to 273 returned 0
    12/07/2010 12:13:36 [INFO] Configuring service NtFrs
    12/07/2010 12:13:36 [INFO] Configuring service NtFrs to 2304 returned 0
    12/07/2010 12:13:36 [INFO] Configuring service DFSR
    12/07/2010 12:13:36 [INFO] Configuring service DFSR to 2304 returned 0
    12/07/2010 12:13:36 [INFO] Configured domain controller services
    12/07/2010 12:13:36 [INFO] Uninstalling the Directory Service
    12/07/2010 12:13:36 [INFO] Invoking NtdsDemote
    12/07/2010 12:13:36 [INFO] Preparing the security account manager (SAM) and Active Directory Domain Services for demotion...
    12/07/2010 12:13:36 [INFO] Validating the removal of this Active Directory Domain Controller...
    12/07/2010 12:13:36 [INFO] Authenticating supplied credentials
    12/07/2010 12:13:36 [INFO] Creating new local account information...
    12/07/2010 12:13:36 [INFO] Creating a new local security account manager (SAM) database...
    12/07/2010 12:13:36 [INFO] Setting the new Local Security Authority (LSA) account information...
    12/07/2010 12:13:36 [INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller yyyy.xxxx.LOCAL...
    12/07/2010 12:13:36 [INFO] Error - Active Directory Domain Services could not configure the computer account zzzz$ on the remote Active Directory Domain Controller yyyy.xxxx.LOCAL. (5)
    12/07/2010 12:13:36 [INFO] NtdsDemote returned 5
    12/07/2010 12:13:36 [INFO] DsRolepDemoteDs returned 5
    12/07/2010 12:13:36 [ERROR] Failed to demote the directory service (5)
    12/07/2010 12:13:46 [INFO] Starting service NETLOGON
    12/07/2010 12:13:46 [INFO] Configuring service NETLOGON to 2 returned 0
    12/07/2010 12:13:46 [INFO] Configuring service NTDS
    12/07/2010 12:13:46 [INFO] Configuring service NTDS to 16 returned 0
    12/07/2010 12:13:46 [INFO] Starting service IsmServ
    12/07/2010 12:13:46 [INFO] Configuring service IsmServ to 18 returned 0
    12/07/2010 12:13:46 [INFO] Starting service kdc
    12/07/2010 12:13:46 [INFO] Configuring service kdc to 18 returned 0
    12/07/2010 12:13:46 [INFO] Configuring service NETLOGON
    12/07/2010 12:13:46 [INFO] Configuring service NETLOGON to 144 returned 0
    12/07/2010 12:13:46 [INFO] Configuring service NtFrs
    12/07/2010 12:13:47 [INFO] Configuring service NtFrs to 144 returned 0
    12/07/2010 12:13:47 [INFO] Configuring service DFSR
    12/07/2010 12:13:47 [INFO] Configuring service DFSR to 144 returned 0
    12/07/2010 12:13:47 [INFO] The attempted domain controller operation has completed
    12/07/2010 12:13:47 [INFO] DsRolepSetOperationDone returned 0

  3. #3
    Join Date
    Dec 2010
    Posts
    4

    DCDIAG log

    Here is the DCDIAG /v log:

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>dcdiag /v

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    * Verifying that the local machine zzzz, is a Directory Server.
    Home Server = zzzz
    * Connecting to directory service on server zzzz.
    * Identified AD Forest.
    Collecting AD specific global data
    * Collecting site info.
    Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
    The previous call succeeded
    Iterating through the sites
    Looking at base site object: CN=NTDS Site Settings,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    Getting ISTG and options for the site
    * Identifying all servers.
    Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
    The previous call succeeded....
    The previous call succeeded
    Iterating through the list of servers
    Getting information for the server CN=NTDS Settings,CN=zzzz,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    objectGuid obtained
    InvocationID obtained
    dnsHostname obtained
    site info obtained
    All the info for the server collected
    Getting information for the server CN=NTDS Settings,CN=yyyy,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    objectGuid obtained
    InvocationID obtained
    dnsHostname obtained
    site info obtained
    All the info for the server collected
    Getting information for the server CN=NTDS Settings,CN=wwww,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    objectGuid obtained
    InvocationID obtained
    dnsHostname obtained
    site info obtained
    All the info for the server collected
    * Identifying all NC cross-refs.
    * Found 3 DC(s). Testing 1 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: xxxx\zzzz
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    Determining IP4 connectivity
    Determining IP6 connectivity
    * Active Directory RPC Services Check
    ......................... zzzz passed test Connectivity

    Doing primary tests

    Testing server: xxxx\zzzz
    Starting test: Advertising
    The DC zzzz is advertising itself as a DC and having a DS.
    The DC zzzz is advertising as an LDAP server
    The DC zzzz is advertising as having a writeable directory
    The DC zzzz is advertising as a Key Distribution Center
    The DC zzzz is advertising as a time server
    ......................... zzzz passed test Advertising
    Test omitted by user request: CheckSecurityError
    Test omitted by user request: CutoffServers
    Starting test: FrsEvent
    * The File Replication Service Event log test
    There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
    An Warning Event occurred. EventID: 0x800034FD
    Time Generated: 12/07/2010 11:19:53
    Event String:
    File Replication Service is initializing the system volume with data from another domain controller. Computer zzzz cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:
    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
    An Warning Event occurred. EventID: 0x800034FD
    Time Generated: 12/07/2010 11:20:08
    Event String:
    File Replication Service is initializing the system volume with data from another domain controller. Computer zzzz cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:
    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
    An Warning Event occurred. EventID: 0x800034FD
    Time Generated: 12/07/2010 12:13:30
    Event String:
    File Replication Service is initializing the system volume with data from another domain controller. Computer zzzz cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:
    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
    An Warning Event occurred. EventID: 0x800034FD
    Time Generated: 12/07/2010 12:13:45
    Event String:
    File Replication Service is initializing the system volume with data from another domain controller. Computer zzzz cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:
    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
    ......................... zzzz passed test FrsEvent
    Starting test: DFSREvent
    The DFS Replication Event Log.
    ......................... zzzz passed test DFSREvent
    Starting test: SysVolCheck
    * The File Replication Service SYSVOL ready test
    File Replication Service's SYSVOL is ready
    ......................... zzzz passed test SysVolCheck
    Starting test: KccEvent
    * The KCC Event log test
    Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
    ......................... zzzz passed test KccEvent
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS Settings,CN=yyyy,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    Role Domain Owner = CN=NTDS Settings,CN=wwww,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    Role PDC Owner = CN=NTDS Settings,CN=wwww,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    Role Rid Owner = CN=NTDS Settings,CN=wwww,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    Role Infrastructure Update Owner = CN=NTDS Settings,CN=wwww,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    ......................... zzzz passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    Checking machine account for DC zzzz on DC zzzz.
    * SPN found :LDAP/zzzz.xxxx.LOCAL/xxxx.LOCAL
    * SPN found :LDAP/zzzz.xxxx.LOCAL
    * SPN found :LDAP/zzzz
    * SPN found :LDAP/zzzz.xxxx.LOCAL/xxxx
    * SPN found :LDAP/cd441f59-1c97-4cfd-b228-24bc89cf84db._msdcs.xxxx.LOCAL
    * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/cd441f59-1c97-4cfd-b228-24bc89cf84db/xxxx.LOCAL
    * SPN found :HOST/zzzz.xxxx.LOCAL/xxxx.LOCAL
    * SPN found :HOST/zzzz.xxxx.LOCAL
    * SPN found :HOST/zzzz
    * SPN found :HOST/zzzz.xxxx.LOCAL/xxxx
    * SPN found :GC/zzzz.xxxx.LOCAL/xxxx.LOCAL
    ......................... zzzz passed test MachineAccount
    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC zzzz.
    * Security Permissions Check for
    DC=ForestDnsZones,DC=xxxx,DC=LOCAL
    (NDNC,Version 3)
    * Security Permissions Check for
    DC=DomainDnsZones,DC=xxxx,DC=LOCAL
    (NDNC,Version 3)
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL
    (Schema,Version 3)
    * Security Permissions Check for
    CN=Configuration,DC=xxxx,DC=LOCAL
    (Configuration,Version 3)
    * Security Permissions Check for
    DC=xxxx,DC=LOCAL
    (Domain,Version 3)
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=xxxx,DC=LOCAL
    ......................... zzzz failed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    Verified share \\zzzz\netlogon
    Verified share \\zzzz\sysvol
    ......................... zzzz passed test NetLogons
    Starting test: ObjectsReplicated
    zzzz is in domain DC=xxxx,DC=LOCAL
    Checking for CN=zzzz,OU=Domain Controllers,DC=xxxx,DC=LOCAL in domain DC=xxxx,DC=LOCAL on 1 servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS Settings,CN=zzzz,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL in domain CN=Configuration,DC=xxxx,DC=LOCAL on 1 servers
    Object is up-to-date on all servers.
    ......................... zzzz passed test ObjectsReplicated
    Test omitted by user request: OutboundSecureChannels
    Starting test: Replications
    * Replications Check
    * Replication Latency Check
    DC=ForestDnsZones,DC=xxxx,DC=LOCAL
    Latency information for 19 entries in the vector were ignored.
    19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
    DC=DomainDnsZones,DC=xxxx,DC=LOCAL
    Latency information for 19 entries in the vector were ignored.
    19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
    CN=Schema,CN=Configuration,DC=xxxx,DC=LOCAL
    Latency information for 32 entries in the vector were ignored.
    32 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
    CN=Configuration,DC=xxxx,DC=LOCAL
    Latency information for 32 entries in the vector were ignored.
    32 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
    DC=xxxx,DC=LOCAL
    Latency information for 32 entries in the vector were ignored.
    32 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
    ......................... zzzz passed test Replications
    Starting test: RidManager
    * Available RID Pool for the Domain is 16105 to 1073741823
    * wwww.xxxx.LOCAL is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 14605 to 15104
    * rIDPreviousAllocationPool is 14605 to 15104
    * rIDNextRID: 14806
    ......................... zzzz passed test RidManager
    Starting test: Services
    * Checking Service: EventSystem
    * Checking Service: RpcSs
    * Checking Service: NTDS
    * Checking Service: DnsCache
    * Checking Service: DFSR
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: w32time
    * Checking Service: NETLOGON
    ......................... zzzz passed test Services
    Starting test: SystemLog
    * The System Event log test
    Found no errors in "System" Event log in the last 60 minutes.
    ......................... zzzz passed test SystemLog
    Test omitted by user request: Topology
    Test omitted by user request: VerifyEnterpriseReferences
    Starting test: VerifyReferences
    The system object reference (serverReference) CN=zzzz,OU=Domain Controllers,DC=xxxx,DC=LOCAL and backlink on CN=zzzz,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL
    are correct.
    The system object reference (serverReferenceBL) CN=zzzz,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxx,DC=LOCAL and backlink on
    CN=NTDS Settings,CN=zzzz,CN=Servers,CN=xxxx,CN=Sites,CN=Configuration,DC=xxxx,DC=LOCAL are correct.
    ......................... zzzz passed test VerifyReferences
    Test omitted by user request: VerifyReplicas

    Test omitted by user request: DNS
    Test omitted by user request: DNS

    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : xxxx
    Starting test: CheckSDRefDom
    ......................... xxxx passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... xxxx passed test CrossRefValidation

    Running enterprise tests on : xxxx.LOCAL
    Test omitted by user request: DNS
    Test omitted by user request: DNS
    Starting test: LocatorCheck
    GC Name: \\wwww.xxxx.LOCAL
    Locator Flags: 0xe00033fd
    PDC Name: \\wwww.xxxx.LOCAL
    Locator Flags: 0xe00033fd
    Time Server Name: \\zzzz.xxxx.LOCAL
    Locator Flags: 0xe00013f8
    Preferred Time Server Name: \\zzzz.xxxx.LOCAL
    Locator Flags: 0xe00013f8
    KDC Name: \\zzzz.xxxx.LOCAL
    Locator Flags: 0xe00013f8
    ......................... xxxx.LOCAL passed test LocatorCheck
    Starting test: Intersite
    Skipping site xxxx, this site is outside the scope provided by the command line arguments provided.
    ......................... xxxx.LOCAL passed test Intersite

    C:\Windows\system32>

  4. #4
    Join Date
    Dec 2010
    Posts
    4

    Re: "access denied" when trying to remove DC from domain

    I have found and fixed the problem. I will post what I found in case others end up here in a search.

    I have 3 domain controllers: one 2008R2 PDC and two 2008R1 DCs. I want to remove one of the 2008R1 DCs.
    I checked all of the FSMO roles to make sure that the DC in question wasn't listed. Turns out that all but one were on the correct PDC, my single 2008R2 server. BUT the schema master was on my other 2008R1 DC. NOT the one I am trying to remove, but one I will keep for now.

    I moved the schema master to the PDC 2008R2 server.
    The day before, I had checked in Active Directory to see if the server I was trying to remove was marked "prevent accidental deletion", and it was not.

    I was SURE that I had checked to see if the "prevent accidental deletion" was checked on the computer in Active Directory. A coworker had also checked this this morning and confirmed that it was NOT checked. I believe that is the secret to this problem. Because the schema master was a 2008 R1, it wasn't reporting this setting correctly. If I remember correctly, this feature wasn't available until 2008R2. Once I moved the schema master to a 2008R2 machine, AD was correctly reporting this "feature" and that indeed my server was marked to prevent accidental deletion. Does this make sense?

    The bottom line is that once I moved the schema master to the 2008R2 PDC, the DC I have been trying to remove was marked "prevent accidental deletion", thus preventing me from removing it.

    Active Directory was "lying" to me by incorrectly reporting that it was NOT checked to prevent accidental deletion.


    Mike
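
One way to check the two things post #4 describes, FSMO role placement and accidental-deletion protection on the DC's objects, by reading the role holders and the Deny ACEs directly instead of relying on the checkbox in the GUI. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module and PowerShell 3.0 or later, and `zzzz` is the thread's redacted host name used as a placeholder.

```powershell
# Added example (not from the thread): pre-demotion audit of FSMO role holders
# and of delete-protection on the objects a DC demotion has to modify.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0+.
Import-Module ActiveDirectory

$DcName = 'zzzz'   # placeholder: the redacted DC name used in the thread

# 1. Which servers hold the five FSMO roles right now?
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. The directory objects that belong to the DC being demoted.
$dc = Get-ADDomainController -Identity $DcName
$targets = $dc.ComputerObjectDN, $dc.ServerObjectDN, $dc.NTDSSettingsObjectDN

# "Protect object from accidental deletion" is stored as Deny ACEs
# (Delete and DeleteTree, granted to Everyone) on the object itself,
# so the ACL is the authoritative place to look.
$deleteMask = [int][System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
              [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

$report = foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn `
        -Properties ProtectedFromAccidentalDeletion, nTSecurityDescriptor

    # Explicit and inherited rules, with SIDs translated to account names.
    $rules = $obj.nTSecurityDescriptor.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    $denies = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.ActiveDirectoryRights -band $deleteMask) -ne 0)
    })

    [pscustomobject]@{
        DistinguishedName = $dn
        ProtectedFlag     = $obj.ProtectedFromAccidentalDeletion
        DenyDeleteAces    = ($denies | ForEach-Object {
            '{0} ({1})' -f $_.IdentityReference, $_.ActiveDirectoryRights
        }) -join '; '
    }
}
$report | Format-List

# 3. Clear the protection only after reviewing the report above.
#    Left commented out on purpose.
# $report | Where-Object { $_.ProtectedFlag } | ForEach-Object {
#     Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
# }
```

Any row with a non-empty `DenyDeleteAces` column is an object whose ACL blocks deletion, whatever the management console shows.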
