Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)


  • Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

    Hi everyone,

    We had a Windows Server 2003 infrastructure with two domains within a forest: DomainA was managed by DC1 and DomainB by DC2.

    DC1 was the first domain controller that was created in the forest. As DomainA wasn't used anymore, I recently removed DC1 using dcpromo /forceremoval (I tried to do it gracefully but I had some errors).

    Before removing it, I transferred the two needed FSMO roles for the forest (Schema master and domain naming master) from DC1 to DC2.

    On DC2, I'm trying to clean up the metadata using ntdsutil (http://support.microsoft.com/kb/324801) and I'm getting this error:

    "Transferring / Seizing FSMO roles off the selected server.
    Unable to dertermine FRS owner for role PDC.
    Unable to determine FRS owner for role RID Master.
    Unable to dertermine FRS owner for role Infrastructre Master.
    DsRemoveDsServerW error 0x5(access is denied)"

    Thanks for your help,

  • #2
    Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

    Are you using an Enterprise admin account?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

      Thanks, L4ndy, for answering me so fast.

      Actually, I think that's the problem: I'm using an admin user which belonged to the Administrators group.
      Using the "Users and computers" MMC console --> Member Of, I checked its members and I saw Enterprise Admins (by the way, in the Active Directory Folder column, we have: "DOMAINA\Users").

      I double-clicked on it to view the members and I got this message: "The following Active Directory error occured: A referral was returned from the server".

      So I'm thinking that the Enterprise Admins group was located on DC1 or something like that.

      What can I do to have the rights of an Enterprise Admin?

      I'm not sure if what I'm saying makes sense or not. I'm trying to be as clear as I can. Sorry.



      • #4
        Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

        Because I'm thinking also that DomainA was the forest root domain.



        • #5
          Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

          Hi,

          Was it the only forest root DC? Can you post a Dcdiag?


          • #6
            Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

            Hi,

            Humm.. we have only one forest and I've read that the first domain created in a forest is automatically designated the forest root domain. So I think it was the only one.

            But you'll find below the result of the dcdiag command:

            ----------------------------------------------------------------------------------------------

            Microsoft Windows [Version 5.2.3790]
            (C) Copyright 1985-2003 Microsoft Corp.

            C:\Documents and Settings\administrator.ROUMINSUR>dcdiag

            Domain Controller Diagnosis

            Performing initial setup:
            Done gathering initial info.

            Doing initial required tests

            Testing server: Default-First-Site-Name\DC2
            Starting test: Connectivity
            ......................... DC2 passed test Connectivity

            Doing primary tests

            Testing server: Default-First-Site-Name\DC2
            Starting test: Replications
            [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=ForestDnsZones,DC=moldavinsur,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
            oubleshooting, see Windows Help.
            The failure occurred at 2009-09-24 07:51:41.
            The last success occurred at 2009-09-22 17:59:23.
            38 failures have occurred since the last success.
            [DC1] DsBindWithSpnEx() failed with error 1753,
            There are no more endpoints available from the endpoint mapper..
            [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=moldavinsur,DC
            =com
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2009-09-24 07:51:41.
            The last success occurred at 2009-09-22 17:51:38.
            38 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
            [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: CN=Configuration,DC=moldavinsur,DC=com
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2009-09-24 07:51:41.
            The last success occurred at 2009-09-22 17:51:37.
            38 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
            [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=moldavinsur,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
            oubleshooting, see Windows Help.
            The failure occurred at 2009-09-24 07:51:41.
            The last success occurred at 2009-09-22 18:06:52.
            38 failures have occurred since the last success.
            REPLICATION-RECEIVED LATENCY WARNING
            DC2: Current time is 2009-09-24 08:28:09.
            DC=ForestDnsZones,DC=moldavinsur,DC=com
            Last replication recieved from DC1 at 2009-09-22 17:59:23
            .
            CN=Schema,CN=Configuration,DC=moldavinsur,DC=com
            Last replication recieved from DC1 at 2009-09-22 17:51:38
            .
            CN=Configuration,DC=moldavinsur,DC=com
            Last replication recieved from DC1 at 2009-09-22 17:51:37
            .
            DC=moldavinsur,DC=com
            Last replication recieved from DC1 at 2009-09-22 18:06:52
            .
            ......................... DC2 passed test Replications
            Starting test: NCSecDesc
            ......................... DC2 passed test NCSecDesc
            Starting test: NetLogons
            ......................... DC2 passed test NetLogons
            Starting test: Advertising
            ......................... DC2 passed test Advertising
            Starting test: KnowsOfRoleHolders
            ......................... DC2 passed test KnowsOfRoleHolders
            Starting test: RidManager
            ......................... DC2 passed test RidManager
            Starting test: MachineAccount
            ......................... DC2 passed test MachineAccount
            Starting test: Services
            ......................... DC2 passed test Services
            Starting test: ObjectsReplicated
            ......................... DC2 passed test ObjectsReplicated
            Starting test: frssysvol
            ......................... DC2 passed test frssysvol
            Starting test: frsevent
            ......................... DC2 passed test frsevent
            Starting test: kccevent
            ......................... DC2 passed test kccevent
            Starting test: systemlog
            ......................... DC2 passed test systemlog
            Starting test: VerifyReferences
            ......................... DC2 passed test VerifyReferences

            Running partition tests on : DomainDnsZones
            Starting test: CrossRefValidation
            ......................... DomainDnsZones passed test CrossRefValidation

            Starting test: CheckSDRefDom
            ......................... DomainDnsZones passed test CheckSDRefDom

            Running partition tests on : roumaninsur
            Starting test: CrossRefValidation
            ......................... roumaninsur passed test CrossRefValidatio
            n
            Starting test: CheckSDRefDom
            ......................... roumaninsur passed test CheckSDRefDom

            Running partition tests on : ForestDnsZones
            Starting test: CrossRefValidation
            ......................... ForestDnsZones passed test CrossRefValidation

            Starting test: CheckSDRefDom
            ......................... ForestDnsZones passed test CheckSDRefDom

            Running partition tests on : Schema
            Starting test: CrossRefValidation
            ......................... Schema passed test CrossRefValidation
            Starting test: CheckSDRefDom
            ......................... Schema passed test CheckSDRefDom

            Running partition tests on : Configuration
            Starting test: CrossRefValidation
            ......................... Configuration passed test CrossRefValidation
            Starting test: CheckSDRefDom
            ......................... Configuration passed test CheckSDRefDom

            Running enterprise tests on : moldavinsur.com
            Starting test: Intersite
            ......................... moldavinsur.com passed test Intersite

            Starting test: FsmoCheck
            ......................... moldavinsur.com passed test FsmoCheck


            C:\Documents and Settings\administrator.ROUMINSUR>

            -------------------------------------------------------------------------------------------

            I think that the various replication problems are because of the ungraceful removal of DC1.

            Thanks,
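
As an added example (not part of the original thread): a small Python parser that turns the replication-failure blocks of a dcdiag run like the one posted above into structured records, rejoining values that the console wrapped mid-line. The sample is an excerpt of that posted output; the names `replication_failures` and `FAILURE` are assumptions of this example.

```python
import re

# Excerpt of the dcdiag output posted above (two of the four failure blocks),
# including the console line wrap inside the Schema naming context.
SAMPLE = """\
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: CN=Schema,CN=Configuration,DC=moldavinsur,DC
=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2009-09-24 07:51:41.
The last success occurred at 2009-09-22 17:51:38.
38 failures have occurred since the last success.
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: DC=moldavinsur,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2009-09-24 07:51:41.
The last success occurred at 2009-09-22 18:06:52.
38 failures have occurred since the last success.
......................... DC2 passed test Replications
"""

FAILURE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context: (?P<nc>.+?)\s+The replication generated an error "
    r"\((?P<code>\d+)\):.*?"
    r"The last success occurred at (?P<last_ok>[\d-]+ [\d:]+)\.\s+"
    r"(?P<count>\d+) failures have occurred",
    re.DOTALL,
)

def replication_failures(text):
    """Return one dict per failed inbound replication link in dcdiag output."""
    # Strip per-line indentation first so wrapped lines can be rejoined.
    text = "\n".join(line.strip() for line in text.splitlines())
    results = []
    for m in FAILURE.finditer(text):
        row = m.groupdict()
        # A naming context wrapped by the console is rejoined at the line break.
        row["nc"] = row["nc"].replace("\n", "")
        row["code"], row["count"] = int(row["code"]), int(row["count"])
        results.append(row)
    return results
```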



            • #7
              Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

              Originally posted by James&Co.
              Humm.. we have only one forest and I've read that the first domain created in a forest is automatically designated the forest root domain. So I think it was the only one.
              DC stands for domain controller. You can have more than one DC per domain. In fact, you should have more than one.

              Now I am not entirely sure what the impact is if the only root DC has been demoted forcefully (which seems to be the case here), but I suspect you'll have to try bringing back/restoring the root domain (hopefully you keep regular backups).


              • #8
                Re: Unsuccessful domain controller demotion - ntdsutil error 0x5(access is denied)

                Ok thanks. I think you're right. I'll have to bring back the root DC for the moment.

                So that means if I want DomainB to be a forest root domain, I'll certainly have to create a new forest and a new domain named DomainB, and then import all users from the old one to the new one, right?


                Because we really want to demote DC1 and so remove this domain: it's not used anymore.

                Thanks.
