You are hereCannot Delete Domain Controller - Access is Denied Fix


Cannot Delete Domain Controller - Access is Denied Fix


By hagrin - Posted on 23 March 2013

Recently, we had a Windows Server 2008 R2 domain controller die before it could be demoted using dcpromo. Therefore, I was concerned with "cleaning up" the old domain controller to prevent domain controller related issues. By searching the web all posts talked about deleting the domain controller from Active Directory Users and Computers and/or cleaning up the metadata either by using ntdsutil or by navigating through Active Directory Sites and Services. However, whenever I tried to do anything, I kept receiving a message I dread all the time -

"Access is denied."

It always amazes me that my account, which has every Admin privilege available, constantly gets access denied errors. However, while this fix doesn't seem obvious based on the error message, it is an easy fix! To stop the "access is denied" errors do the following -

  1. Open up Active Directory Sites and Services.
  2. Expand the Sites folder, expand the site name where the DC you want to delete is, expand the Servers folder and finally expand the DC you want to delete.
  3. Right click on NTDS Settings for the DC you want to delete.
  4. Click on the Object tab.
  5. Uncheck the "Protect object from accidental deletion" checkbox.
  6. Click OK to save your changes.
  7. Now you will be able to delete the domain controller from Active Directory Users and Computers.

Simple fix, not readily obvious! Good luck!

Tags