dcpromo fails to demote domain controller


Dan Varozza

We have a single forest, single domain, Windows 2000 SP4
Active Directory domain with two domain controllers. Both
are Global Catalog servers. SERVER1 has all the FSMO
roles. I am trying to demote SERVER2 into a member server.

I run dcpromo.exe and the wizard runs for a bit, stopping
services, etc. Then it comes up with a prompt to
authenticate with different credentials that have
Enterprise Administrator privileges to the forest:

"The operation failed because: The attempt to configure
the machine account SERVER2$ on SERVER1.domainname.com
failed. Access is Denied"

I have tried several accounts that I have confirmed to be
Enterprise Admins.

Any ideas?
 
Possibly a secure channel issue, but you should be seeing more errors in
Event Viewer or a replication monitor tool.

Netdom is the tool you will want to use to reset the secure channel.
 
We're getting the exact same problem when trying to
install Active Directory on a new server. The Microsoft
KB article 232070 does not fix the problem. I've
reinstalled the entire OS on the server. DNS is working
fine and passes netdiag /test:dns.

I am also using an account that has the permissions to
change the computer account type from a member server to
a domain controller, as I am using the Enterprise Admins
account.

I do not have anything in the event log that seems to be
applicable so I am at a loss of what to try next.

Brian.
-----Original Message-----
Possibly a secure channel issue, but you should be seeing more errors in
Event Viewer or a replication monitor tool.

Netdom is the tool you will want to use to reset the secure channel.

--
James Brandt [MSFT]


 
I ran "netdom verify SERVERNAME /d:domainname" from both
domain controllers and netdom reported "the secure channel
from SERVERNAME to the DOMAINNAME has been verified."

So it appears that the secure channel is not the problem?
 
Not sure if it's related, but I had the same problem when trying to add a DC

http://support.microsoft.com/?kbid=250874 fixed it for me

This bit

Verify that the current domain controllers in the domain have applied
security policy and the "Enable computer and user accounts to be trusted for
delegation" user right is granted to the Administrators group in the domain
controllers policy (click Computer Configuration, click Windows Settings,
click Security Settings, click Local Policies, and then click User Rights
Assignment).


Hope this helps
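The check quoted from KB 250874 above can also be done against the policy's security template text instead of the GUI. This is an added example, not part of the original thread; it assumes you have the template as text (INF format with a `[Privilege Rights]` section, as in a policy's GptTmpl.inf), and the sample templates and function names are constructed for illustration.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"    # well-known SID of BUILTIN\Administrators
RIGHT = "SeEnableDelegationPrivilege"  # "Enable computer and user accounts to be trusted for delegation"

def privilege_rights(inf_text):
    """Return {right_name_lowercased: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")          # tolerate a leading BOM
        if not line or line.startswith(";"):         # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def delegation_right_status(inf_text):
    """Return 'granted', 'not-defined' (policy does not set the right at all),
    or 'missing-administrators' (right is set but Administrators is not listed)."""
    holders = privilege_rights(inf_text).get(RIGHT.lower())
    if holders is None:
        return "not-defined"
    # SIDs are written as *S-1-...; some templates list account names instead.
    normalized = {h.lstrip("*").lower() for h in holders}
    if ADMINISTRATORS_SID.lower() in normalized or "administrators" in normalized:
        return "granted"
    return "missing-administrators"

# Constructed sample templates (not taken from any real domain).
TEMPLATE_OK = """[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
TEMPLATE_EMPTY = TEMPLATE_OK.replace("= *S-1-5-32-544", "=")
TEMPLATE_ABSENT = TEMPLATE_OK.replace("SeEnableDelegationPrivilege = *S-1-5-32-544\n", "")

if __name__ == "__main__":
    for label, text in [("ok", TEMPLATE_OK), ("empty", TEMPLATE_EMPTY), ("absent", TEMPLATE_ABSENT)]:
        print(label, "->", delegation_right_status(text))
```

A result of `missing-administrators` or `not-defined` for the domain controllers policy matches the condition the KB excerpt asks you to verify.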
 