Active Directory, DNS, Windows, Windows Servers

DC Promo Failure - access denied

We were demoting one of our DCs today.
The DC hardware was out of support and required decommissioning.
We deployed a new DC and swapped its IP address with that of the DC being decommissioned.
This ensured the clients did not need to be reconfigured with a new IP address.
We got the error message below when we tried to run DCpromo on the DC being decommissioned:
“Active directory domain services could not configure the computer account %s on the remote active directory domain controller %s, access is denied”
For some reason DCpromo failed multiple times, even though I was running it with Domain Admin permissions.
A quick Google search showed that the error message can come from a missing delegated user right: the user requires the “Enable computer and user accounts to be trusted for delegation” user right.
Checking the GPO showed that Domain Admins already have this right, so that was not the cause.
During the DCPROMO process, it could be that for some reason the AD object is not permitted to move from the Domain Controllers OU.
I then remembered it could be AD object protection.
We have enabled AD object protection for all our DCs.
After removing the protection tick mark, the DC demotion went through successfully.
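
As an added example (not from the original post), the PowerShell below checks for the flag behind that tick mark, `ProtectedFromAccidentalDeletion`, which is enforced through Deny ACEs for Everyone on delete and so blocks Domain Admins too. It assumes the ActiveDirectory (RSAT) module and uses the placeholder name `DC-OLD01`; checking the NTDS Settings object as well as the computer account goes beyond what the post describes.

```powershell
# Added example: pre-demotion check for accidental-deletion protection.
# Assumes the ActiveDirectory (RSAT) module; 'DC-OLD01' is a placeholder name.
Import-Module ActiveDirectory

function Get-DcProtectedObject {
    param([Parameter(Mandatory)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName

    # Computer account (Domain Controllers OU) and NTDS Settings (Configuration partition).
    $targets = @($dc.ComputerObjectDN, $dc.NTDSSettingsObjectDN)

    foreach ($dn in $targets) {
        # Return only the objects where the protection flag is set.
        Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion |
            Where-Object { $_.ProtectedFromAccidentalDeletion } |
            Select-Object DistinguishedName, ObjectClass, ProtectedFromAccidentalDeletion
    }
}

function Clear-DcProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DcName)

    foreach ($obj in Get-DcProtectedObject -DcName $DcName) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Clear accidental-deletion protection')) {
            Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $false
        }
    }
}

# Report protected objects for the DC that is about to be demoted.
Get-DcProtectedObject -DcName 'DC-OLD01' | Format-Table -AutoSize

# Dry run first; drop -WhatIf to clear the flag for real.
Clear-DcProtection -DcName 'DC-OLD01' -WhatIf
```

Clear the flag only on the DC being retired, so the remaining DCs keep their protection.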

