“Access Denied” Error when Depromoting a Domain Controller

Active Directory Microsoft Windows

When depromoting a domain controller I started to get this error:

“The operation failed because Active Directory could not configure the computer account <COMPUTERNAME>$, on the remote domain controller <COMPUTERNAME>$ “Access is denied.”

What I did to try and fix it:

·          Verified the “protect from accidental deletion” tick box not set on the computer object properties “object” tab, in this case it wasn’t.

·          On the “Security” tab of the computer object clicked on “Default” to reset the permissions, also ensured that there were no deny permissions applied. Also ran an effective permissions check on the computer object against the account I was using for the DCPROMO, again full rights, no denies listed.

When it DCPROMOs out, it moves the computer object from “Domain Controllers” OU to the “Computers” container, this had these deny permissions set on it. So when the computer object was being depromoted and moved from “Domain Controllers” to “Computers” container it was getting access denied. http://www.winvistatips.com/re-dcpromo-fails-t561703.htmlSolution: Was to remove the “deny” permission from the container as shown above, then rebooted and retried the DCPROMO again and it worked fine.