"access denied" when trying to remove DC from domain
Greetings.
I am trying to remove a DC from our domain. There are a total of 3 domain controllers: 2 are Windows 2008, and the PDC is Windows 2008 R2.
When I run dcpromo on the Server 2008 R1 domain controller, it errors out.
The error is: "Error - Active Directory Domain Services could not configure the computer account zzzz$ on the remote Active Directory Domain Controller yyyy.xxxx.LOCAL"
I have logged in using the domain admin account, as well as my own account (I am also a domain admin). I have confirmed that the group policy "Enable computer and user accounts to be trusted for delegation" has the administrators group, as well as the domain admin and myself in the list. I have run dcdiag and it seems to be OK. I will post the dcpromo log as well as the dcdiag log.
Any thoughts?
Re: "access denied" when trying to remove DC from domain
I have found and fixed the problem. I will post what I found in case others end up here in a search.
I have 3 domain controllers: one 2008R2 PDC and two 2008R1 DCs. I want to remove one of the 2008R1 DCs.
I checked all of the FSMO roles to make sure that the DC in question wasn't listed. Turns out that all but one were on the correct PDC, my single 2008R2 server. BUT the schema master was on my other 2008R1 DC. NOT the one I am trying to remove, but one I will keep for now.
I moved the schema master to the PDC 2008R2 server.
The day before, I had checked in Active Directory to see if the server I was trying to remove was marked "prevent accidental deletion", and it was not.
I was SURE that I had checked to see if the "prevent accidental deletion" was checked on the computer in Active Directory. A coworker had also checked this this morning and confirmed that it was NOT checked. I believe that is the secret to this problem. Because the schema master was a 2008 R1, it wasn't reporting this setting correctly. If I remember correctly, this feature wasn't available until 2008R2. Once I moved the schema master to a 2008R2 machine, AD was correctly reporting this "feature" and that indeed my server was marked to prevent accidental deletion. Does this make sense?
The bottom line is that once I moved the schema master to the 2008R2 PDC, the DC I have been trying to remove was marked "prevent accidental deletion", thus preventing me from removing it.
Active Directory was "lying" to me by incorrectly reporting that it was NOT checked to prevent accidental deletion.
Mike
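
The two checks described in the post above (which server holds each FSMO role, and whether the DC's computer object is protected from accidental deletion) can also be run from PowerShell, where the protection is read both as the module's flag and as the Deny ACE for Everyone that implements it. This is an added example, not part of the original post; it assumes the ActiveDirectory module is installed and a DC running AD Web Services is reachable, and `zzzz` is the placeholder computer name from the error message.

```powershell
# Added example. Assumptions: ActiveDirectory module (RSAT) is installed and a
# DC running AD Web Services is reachable. 'zzzz' is the placeholder computer
# name taken from the error message in the post.
Import-Module ActiveDirectory
$DcName = 'zzzz'

# 1. List the five FSMO role holders (two forest-wide, three per domain).
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Warn if the DC being demoted still holds any role.
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$DcName.*" })
if ($held.Count -gt 0) {
    $names = ($held | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "$DcName still holds: $names"
}

# 2. Read the protection flag as the AD module reports it.
$dc = Get-ADComputer -Identity $DcName -Properties ProtectedFromAccidentalDeletion
"Flag reported by module : $($dc.ProtectedFromAccidentalDeletion)"

# 3. Read the ACL directly. The protection is stored as an explicit Deny ACE
#    for Everyone (S-1-1-0) covering Delete and Delete subtree on the object.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$mask    = [int]($rights::Delete -bor $rights::DeleteTree)

$acl  = Get-Acl -Path "AD:\$($dc.DistinguishedName)"
$deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    (([int]$_.ActiveDirectoryRights) -band $mask)
})
"Deny-delete ACEs found  : $($deny.Count)"
$deny | Format-List ActiveDirectoryRights, IsInherited, InheritanceType

# To clear the protection before demotion (uncomment to apply):
# Set-ADObject -Identity $dc.DistinguishedName -ProtectedFromAccidentalDeletion $false
```

Adding `-Server <dc-name>` to the `Get-ADComputer` call and running it once per domain controller shows whether each one returns the same value for the flag.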