Error – Active Directory Domain Services could not configure the computer account demoteDC$ on the remote Active Directory Domain Controller otherDC$. (5)

You’re having issues demoting a DC (without resorting to a forced removal and metadata cleanup).

You see something similar to this in your dcpromo.log

There’s a lot of advice out there about checking whether Protect from Accidental Deletion is set on the NTDS Settings object and in ADUC. Our issue turned out to be something else (and it would have been more apparent if we had read the Microsoft KB on it more closely): the user right Enable computer and user accounts to be trusted for delegation wasn’t assigned under User Rights Management in the Default Domain Policy.

This must have been removed for “Security” reasons, so being an Enterprise, Schema, or KingOfKings Admin didn’t make a difference in the world.
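Before kicking off the demotion, it is worth confirming that the right is actually effective on the DC rather than trusting what the GPO editor shows. The following PowerShell is an added example, not part of the original post: it exports the effective local security policy with secedit and reports who holds SeEnableDelegationPrivilege (the constant behind "Enable computer and user accounts to be trusted for delegation"). The function name and the ExportPath parameter are hypothetical.

```powershell
# Added example (not from the original post): report who holds the
# "Enable computer and user accounts to be trusted for delegation" right
# (SeEnableDelegationPrivilege) on this machine. Run elevated on the DC
# you intend to demote.
function Test-DelegationUserRight {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: temporary location for the secedit export.
        [string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf')
    )

    # secedit dumps the effective local security policy as an INI-style file.
    & secedit.exe /export /cfg $ExportPath /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) {
        throw "secedit export failed; run this from an elevated prompt."
    }

    $entry = $null
    try {
        $inRights = $false
        foreach ($line in (Get-Content -Path $ExportPath)) {
            # Track which INI section we are in; rights live under [Privilege Rights].
            if ($line -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inRights -and $line -match '^SeEnableDelegationPrivilege\s*=\s*(.*)$') {
                $entry = $Matches[1]; break
            }
        }
    }
    finally {
        Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    }

    # No line at all means nobody holds the right: the condition from the post.
    if (-not $entry) { return [pscustomobject]@{ Granted = $false; Holders = @() } }

    # Holders are comma-separated SIDs prefixed with '*'; resolve them to names.
    $holders = foreach ($token in ($entry -split ',')) {
        $sid = $token.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # keep the raw value if it is not a resolvable SID
    }
    [pscustomobject]@{ Granted = $true; Holders = @($holders) }
}

Test-DelegationUserRight
```

On a DC with default settings the output lists BUILTIN\Administrators as the holder; an empty Holders list with Granted = False means the demotion will hit the error above until the right is restored through Group Policy and gpupdate has applied.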

Had some unnecessary fun digging around in ADSI for FSMO roles on this one just to make sure I wasn’t losing my mind.
