From: KHGiese on
I am trying to remove a DC in a child domain. I am a member of the Enterprise
Admins group for the forest.
When I run dcpromo to demote the DC, I get the following in my dcpromo.log:

01/08 14:51:41 [INFO] Request for demotion of domain controller
01/08 14:51:41 [INFO] DnsDomainName (NULL)
01/08 14:51:41 [INFO] ServerRole 1
01/08 14:51:41 [INFO] Account (NULL) Options 128
01/08 14:51:41 [INFO] LastDcInDomain FALSE
01/08 14:51:41 [INFO] Forced Demote FALSE
01/08 14:51:41 [INFO] Start the worker task
01/08 14:51:41 [INFO] Request for demotion returning 0
01/08 14:51:41 [INFO] Reading domain policy from the local machine

01/08 14:51:41 [INFO] Searching for a domain controller for the domain
es.hickorytech.local

01/08 14:51:41 [INFO] Searching for a domain controller for the domain
es.hickorytech.local that contains the account ESDC1$

01/08 14:51:41 [INFO] Located domain controller esdc2.es.hickorytech.local
for domain es.hickorytech.local

01/08 14:51:41 [INFO] Support Dc in es.hickorytech.local is
esdc2.es.hickorytech.local
01/08 14:51:41 [INFO] Located domain controller esdc2.es.hickorytech.local
for domain es.hickorytech.local

01/08 14:51:41 [INFO] Preparing the directory service for demotion

01/08 14:51:41 [INFO] Searching for other replicas of directory partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local on the network…
01/08 14:51:41 [INFO] Transferring remaining data in directory partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:41 [INFO] Transferring operations master roles owned by this
domain controller in directory partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:41 [INFO] Transferred FSMO roles owned by this server in
partition CN=Schema,CN=Configuration,DC=hickorytech,DC=local to server
esdc2.es.hickorytech.local.
01/08 14:51:41 [INFO] Completing DN reference scavenging...
01/08 14:51:41 [INFO] Replicating remaining updates in directory partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:41 [INFO] Replicated off remaining updates in partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local to server
esdc2.es.hickorytech.local.
01/08 14:51:41 [INFO] Active Directory successfully transferred the
remaining data in directory partition
CN=Schema,CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local.
01/08 14:51:41 [INFO] Searching for other replicas of directory partition
CN=Configuration,DC=hickorytech,DC=local on the network…
01/08 14:51:41 [INFO] Transferring remaining data in directory partition
CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:41 [INFO] Transferring operations master roles owned by this
domain controller in directory partition
CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:41 [INFO] Transferred FSMO roles owned by this server in
partition CN=Configuration,DC=hickorytech,DC=local to server
esdc2.es.hickorytech.local.
01/08 14:51:41 [INFO] Completing DN reference scavenging...
01/08 14:51:41 [INFO] Replicating remaining updates in directory partition
CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local…
01/08 14:51:42 [INFO] Replicated off remaining updates in partition
CN=Configuration,DC=hickorytech,DC=local to server esdc2.es.hickorytech.local.
01/08 14:51:42 [INFO] Active Directory successfully transferred the
remaining data in directory partition
CN=Configuration,DC=hickorytech,DC=local to domain controller
esdc2.es.hickorytech.local.
01/08 14:51:42 [INFO] Searching for other replicas of directory partition
DC=es,DC=hickorytech,DC=local on the network…
01/08 14:51:42 [INFO] Transferring remaining data in directory partition
DC=es,DC=hickorytech,DC=local to domain controller esdc2.es.hickorytech.local…
01/08 14:51:42 [INFO] Transferring operations master roles owned by this
domain controller in directory partition DC=es,DC=hickorytech,DC=local to
domain controller esdc2.es.hickorytech.local…
01/08 14:51:42 [INFO] Transferred FSMO roles owned by this server in
partition DC=es,DC=hickorytech,DC=local to server esdc2.es.hickorytech.local.
01/08 14:51:42 [INFO] Completing DN reference scavenging...
01/08 14:51:42 [INFO] Replicating remaining updates in directory partition
DC=es,DC=hickorytech,DC=local to domain controller esdc2.es.hickorytech.local…
01/08 14:51:42 [INFO] Replicated off remaining updates in partition
DC=es,DC=hickorytech,DC=local to server esdc2.es.hickorytech.local.
01/08 14:51:42 [INFO] Active Directory successfully transferred the
remaining data in directory partition DC=es,DC=hickorytech,DC=local to domain
controller esdc2.es.hickorytech.local.
01/08 14:52:01 [INFO] Started system volume demotion on enterprise
01/08 14:52:01 [INFO] Read the LSA policy information from the local machine
01/08 14:52:01 [INFO] Informed NETLOGON to deregister records
01/08 14:52:01 [INFO] Stopping service NETLOGON

01/08 14:53:01 [INFO] Configuring service NETLOGON to 1 returned 0
01/08 14:53:01 [INFO] Stopped NETLOGON
01/08 14:53:01 [INFO] Stopping service RPCLOCATOR

01/08 14:53:01 [INFO] Configuring service RPCLOCATOR to 33 returned 0
01/08 14:53:01 [INFO] Stopping service IsmServ

01/08 14:53:16 [INFO] Configuring service IsmServ to 577 returned 0
01/08 14:53:16 [INFO] Stopping service kdc

01/08 14:53:26 [INFO] Configuring service kdc to 65 returned 0
01/08 14:53:26 [INFO] Stopping service TrkSvr

01/08 14:53:26 [INFO] Configuring service TrkSvr to 33 returned 0
01/08 14:53:26 [INFO] Stopping service NETLOGON

01/08 14:53:26 [INFO] Configuring service NETLOGON to 273 returned 0
01/08 14:53:26 [INFO] Configured domain controller services
01/08 14:53:26 [INFO] Uninstalling the Directory Service

01/08 14:53:26 [INFO] Invoking NtdsDemote
01/08 14:53:26 [INFO] Preparing the security account manager (SAM) and
Active Directory for demotion…
01/08 14:53:26 [INFO] Validating the demotion of this domain controller in
the forest…
01/08 14:53:26 [INFO] Authenticating supplied credentials
01/08 14:53:26 [INFO] Creating new local account information...
01/08 14:53:26 [INFO] Creating a new local security account manager (SAM)
database…
01/08 14:53:27 [INFO] Setting the new Local Security Authority (LSA) account
information…
01/08 14:53:27 [INFO] Removing Active Directory objects that refer to the
local domain controller from the remote domain controller
esdc2.es.hickorytech.local…
01/08 14:53:27 [INFO] Error - Active Directory could not configure the
computer account ESDC1$ on the remote domain controller
esdc2.es.hickorytech.local. (5)
01/08 14:53:28 [INFO] NtdsDemote returned 5
01/08 14:53:28 [INFO] DsRolepDemoteDs returned 5
01/08 14:53:28 [ERROR] Failed to demote the directory service (5)
01/08 14:53:36 [INFO] Starting service NETLOGON

01/08 14:53:36 [INFO] Configuring service NETLOGON to 2 returned 0
01/08 14:53:36 [INFO] Configuring service RPCLOCATOR

01/08 14:53:36 [INFO] Configuring service RPCLOCATOR to 32 returned 0
01/08 14:53:36 [INFO] Starting service IsmServ

01/08 14:53:36 [INFO] Configuring service IsmServ to 18 returned 0
01/08 14:53:36 [INFO] Starting service kdc

01/08 14:53:37 [INFO] Configuring service kdc to 18 returned 0
01/08 14:53:37 [INFO] Configuring service TrkSvr

01/08 14:53:37 [INFO] Configuring service TrkSvr to 64 returned 0
01/08 14:53:37 [INFO] Configuring service NETLOGON

01/08 14:53:37 [INFO] Configuring service NETLOGON to 144 returned 0
01/08 14:53:37 [INFO] The attempted domain controller operation has completed

01/08 14:53:37 [INFO] DsRolepSetOperationDone returned 0

The error displayed in the dcpromo wizard is as follows:
The operation failed because: Active Directory could not configure the
computer account ESDC1$ on the remote domain controller
esdc2.es.hickorytech.local. "Access is denied."

I appreciate any help I can get here.
Thanks,
From: Glenn L on
I'm curious, are you demoting it because of a technical problem?

It is odd that the box seemingly can replicate off its changes and transfer
FSMO roles, but cannot update the computer object.
01/08 14:53:27 [INFO] Error - Active Directory could not configure the
computer account ESDC1$ on the remote domain controller
esdc2.es.hickorytech.local. (5)

This operation is where it changes the userAccountControl attribute and
moves the computer object to the Computers container.
Error 5 = access denied.

If your goal is to simply demote the box, then you can force demote it and
clean up the metadata after demotion.
dcpromo /forceremoval then KB216498

If your goal is to get to the bottom of why access is denied, then you need
to look at the ACLs on the computer object, the Computers container, and the
user rights being applied to the ESDC2 DC.



From: KHGiese on
Thanks for your post, Glenn.
We are demoting the DC as the child domain is no longer needed. We sold that
part of the company.
I was hoping the problem would be a little simpler and that maybe I had
overlooked something.
I have read the article that you refer to but have never attempted it.


From: KHGiese on
The problem was in the child domain's Default Domain Policy.
Under Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights Assignment, "Enable computer and user accounts to be
trusted for delegation" had no value yet was checked as defined.
I added the Administrators for the child domain and authorized users to this
policy setting. This allowed me to demote the second DC in the child domain
with no errors.
I have not tested it yet, but I believe that if this policy is set to
undefined I would also be able to do the demotion without any problems.
Since the policy was checked as defined and no values were populated, it denied
access.
Thanks to all those who helped out in resolving this issue.
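
The condition described in the post above (a user right checked as defined but with no accounts listed) can be checked for in a GPO's security template. The following is an added example, not part of the original thread: it parses the [Privilege Rights] section of a GptTmpl.inf and reports rights that are defined but granted to nobody. The sample template is constructed, and the function names are hypothetical.

```python
import codecs

# Display names for a few user-rights constants (small lookup for readable output).
FRIENDLY = {
    "SeEnableDelegationPrivilege":
        "Enable computer and user accounts to be trusted for delegation",
    "SeBackupPrivilege": "Back up files and directories",
    "SeMachineAccountPrivilege": "Add workstations to domain",
}

# Constructed sample of a GPO security template. A right that is "defined"
# with no accounts is stored as a key with an empty value.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
; constructed comment line
[Version]
signature="$CHICAGO$"
Revision=1
"""


def decode_inf(raw: bytes) -> str:
    """Decode template bytes; these files are normally UTF-16 with a BOM."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("utf-8", errors="replace")


def parse_privilege_rights(text: str) -> dict:
    """Return {right: [account or SID, ...]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def empty_defined_rights(raw: bytes) -> list:
    """Rights that the template defines but assigns to no account."""
    rights = parse_privilege_rights(decode_inf(raw))
    return sorted(name for name, holders in rights.items() if not holders)


def report(raw: bytes) -> list:
    """Human-readable findings, one line per empty right."""
    return [
        f"{name} ({FRIENDLY.get(name, 'unknown display name')}): "
        "defined with no accounts"
        for name in empty_defined_rights(raw)
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_INF.encode("utf-16")):
        print(finding)
```
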



> > > partition DC=es,DC=hickorytech,DC=local to server esdc2.es.hickorytech.local.
> > > 01/08 14:51:42 [INFO] Completing DN reference scavenging...
> > > 01/08 14:51:42 [INFO] Replicating remaining updates in directory partition
> > > DC=es,DC=hickorytech,DC=local to domain controller esdc2.es.hickorytech.local…
> > > 01/08 14:51:42 [INFO] Replicated off remaining updates in partition
> > > DC=es,DC=hickorytech,DC=local to server esdc2.es.hickorytech.local.
> > > 01/08 14:51:42 [INFO] Active Directory successfully transferred the
> > > remaining data in directory partition DC=es,DC=hickorytech,DC=local to domain
> > > controller esdc2.es.hickorytech.local.
> > > 01/08 14:52:01 [INFO] Started system volume demotion on enterprise
> > > 01/08 14:52:01 [INFO] Read the LSA policy information from the local machine
> > > 01/08 14:52:01 [INFO] Informed NETLOGON to deregister records
> > > 01/08 14:52:01 [INFO] Stopping service NETLOGON
> > >
> > > 01/08 14:53:01 [INFO] Configuring service NETLOGON to 1 returned 0
> > > 01/08 14:53:01 [INFO] Stopped NETLOGON
> > > 01/08 14:53:01 [INFO] Stopping service RPCLOCATOR
> > >
> > > 01/08 14:53:01 [INFO] Configuring service RPCLOCATOR to 33 returned 0
> > > 01/08 14:53:01 [INFO] Stopping service IsmServ
> > >
> > > 01/08 14:53:16 [INFO] Configuring service IsmServ to 577 returned 0
> > > 01/08 14:53:16 [INFO] Stopping service kdc
> > >
> > > 01/08 14:53:26 [INFO] Configuring service kdc to 65 returned 0
> > > 01/08 14:53:26 [INFO] Stopping service TrkSvr
> > >
> > > 01/08 14:53:26 [INFO] Configuring service TrkSvr to 33 returned 0
> > > 01/08 14:53:26 [INFO] Stopping service NETLOGON
> > >
> > > 01/08 14:53:26 [INFO] Configuring service NETLOGON to 273 returned 0
> > > 01/08 14:53:26 [INFO] Configured domain controller services
> > > 01/08 14:53:26 [INFO] Uninstalling the Directory Service
> > >
> > > 01/08 14:53:26 [INFO] Invoking NtdsDemote
> > > 01/08 14:53:26 [INFO] Preparing the security account manager (SAM) and
> > > Active Directory for demotion…
> > > 01/08 14:53:26 [INFO] Validating the demotion of this domain controller in
> > > the forest…
> > > 01/08 14:53:26 [INFO] Authenticating supplied credentials
> > > 01/08 14:53:26 [INFO] Creating new local account information...
> > > 01/08 14:53:26 [INFO] Creating a new local security account manager (SAM)
> > > database…
> > > 01/08 14:53:27 [INFO] Setting the new Local Security Authority (LSA) account
> > > information…
> > > 01/08 14:53:27 [INFO] Removing Active Directory objects that refer to the
> > > local domain controller from the remote domain controller
> > > esdc2.es.hickorytech.local…
> > > 01/08 14:53:27 [INFO] Error - Active Directory could not configure the
> > > computer account ESDC1$ on the remote domain controller
> > > esdc2.es.hickorytech.local. (5)
> > > 01/08 14:53:28 [INFO] NtdsDemote returned 5
> > > 01/08 14:53:28 [INFO] DsRolepDemoteDs returned 5
> > > 01/08 14:53:28 [ERROR] Failed to demote the directory service (5)
> > > 01/08 14:53:36 [INFO] Starting service NETLOGON
> > >
> > > 01/08 14:53:36 [INFO] Configuring service NETLOGON to 2 returned 0
> > > 01/08 14:53:36 [INFO] Configuring service RPCLOCATOR
> > >
> > > 01/08 14:53:36 [INFO] Configuring service RPCLOCATOR to 32 returned 0
> > > 01/08 14:53:36 [INFO] Starting service IsmServ
> > >
> > > 01/08 14:53:36 [INFO] Configuring service IsmServ to 18 returned 0
> > > 01/08 14:53:36 [INFO] Starting service kdc
> > >
> > > 01/08 14:53:37 [INFO] Configuring service kdc to 18 returned 0
> > > 01/08 14:53:37 [INFO] Configuring service TrkSvr
> > >
> > > 01/08 14:53:37 [INFO] Configuring service TrkSvr to 64 returned 0
> > > 01/08 14:53:37 [INFO] Configuring service NETLOGON
> > >
> > > 01/08 14:53:37 [INFO] Configuring service NETLOGON to 144 returned 0
> > > 01/08 14:53:37 [INFO] The attempted domain controller operation has completed
> > >
> > > 01/08 14:53:37 [INFO] DsRolepSetOperationDone returned 0
> > >
> > > The error displayed in the dcpromo wizard is as follows:
> > > The operation failed because: Active Directory could not configure the
> > > computer account ESDC1$ on the remote domain controller
> > > esdc2.es.hickorytech.local. "Access is denied."
> > >
> > > I appreciate any help I can get here.
> > > Thanks,