Archive

Posts Tagged ‘Access Denied’

Decommission problem in AD

January 30th, 2017 No comments

In long time I was asked to decommission one domain controller. It’s kinda straightforward process. But, yes again, I had a problem. When decommission process started I received error stated:”The operation failed because: Active Directory Domain Services could not configure the computer account DC_ACCOUNT$ on the remote Active Directory Domain Controller DC2_ACCOUNT$: “Access Denied.””.

 

 

I have checked my account and I was domain admin. My rights were alright.

Error “Access Denied” was interesting. Problem was checkbox called “Protect object from accidental deletion” on domain controller object which denied system to delete domain controller object:

 

To see this option you need to enable Advanced Features in Active Directory Users and Computers (dsa.msa) console.

Have a nice day,

Broken ForestPrep

March 19th, 2014 1 comment

Friend of mine tried to promote Windows Server 2012 into Windows Server 2003 SBS environment. He had installed Windows Server 2012 Server. He also installed role Active Directory Domain Services. When he tried to promote new installed Windows Server 2012 into existing SBS domain he received following error:

Error was generated while Windows Server 2012 tried to do preparation of AD forest. So I have tried to do it using command line:

So same error (Adprep could not retrieve data from the server through Windows Managment Instrumentation WMI). Some problem with WMI on existing domain controller. I have tried to rebuild WMI from scratch using this article. No luck. Message saying “Access is denied” was not true, because account used to run setup.exe /forestprep was Enterprise, Domain and Schema Admin. When I read this article I found out that DCOM has to be enabled and accessible when doing domain controller promotion. So I looked into configuration of old domain controller following way:

Run command dcomcnfg.exe

Browse down to Component Services -> Computers -> My Computer. Right click and select Properties. I found that DCOM was disabled:

So I enabled it with following settings:

…and I was able to promote Windows Server 2012 as a new domain controller. No more access or WMI errors.

This was really hard one to find out 🙂