Recently, we had a Windows Server 2008 domain controller die before it could be demoted using dcpromo. We needed to clean up” the old domain controller to prevent domain controller related issues. I was searching the web all posts talked about deleting the domain controller from Active Directory Users and Computers and/or cleaning up the metadata either by using ntdsutil or by navigating through Active Directory Sites and Services. However, whenever I tried to do anything, I kept receiving a message I dread all the time –
“Access is denied.”
It seemed odd that my account, which was a direct copy of the “administrator” account, constantly got access denied errors. However, while this fix doesn’t seem obvious based on the error message, it is an easy fix! To stop the “access is denied” errors do the following;
- Open up Active Directory Sites and Services.
- Expand the Sites folder, expand the site name where the DC you want to delete is, expand the Servers folder and finally expand the DC you want to delete.
- Right click on NTDS Settings for the DC you want to delete.
- Click on the Object tab.
- Uncheck the “Protect object from accidental deletion” checkbox.
- Click OK to save your changes.
- Now you will be able to delete the domain controller from Active Directory Users and Computers.