Forum Discussion

ozzeus76
Copper Contributor
Dec 17, 2024

Error trying to demote via dcpromo legacy 2012 R2 DCs


Hi,


I am in the process of trying to assist a customer upgrade their 2 x DCs from 2012 R2 to 2022. I have built the 2 x new 2022 servers and they are domain joined so I am at the point where I am about to demote the first 2012 R2 DC.


At this point, I have 

  • Made sure that AD is healthy and there are no issues with replication
  • Transferred all FSMO roles to the other DC in this environment, meaning that the DC I am working on is hosting nothing
  • DNS is syncing fine


At a high level, everything looks like it should, so I proceeded to demote the first DC and got the following error during the demote process through dcpromo.exe:

Error - The Active Directory Domain Services Installation Wizard (Dcpromo.exe) could not configure the computer account DC2$ on the remote Active Directory Domain Controller DC1.REC.LAN.

Verify that the user running Dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.

For more information, see the resolution section of http://go.microsoft.com/fwlink/?LinkId=178406."


Now I have looked at the MS KB and I can see that in this environment it could be exactly what is stated and/or the fact that the DC computer objects are protected from accidental deletion. The second option is easy to fix, but given the error specifically calls out "Enable computer and user accounts to be trusted for delegation", I wanted to look at this. The user account that was running dcpromo.exe at the time has Domain Admins membership, and when I checked this right through whoami /all, it stated this right was disabled. Looking at the Default Domain Controllers Policy (which is applied to the Domain Controllers OU), BUILTIN\Administrators (which Domain Admins are a part of) should be getting this right assigned to them.


Does anyone know what is going on here or can provide assistance? I can't raise a partner support case for the customer as it is affecting 2012 R2. 

From DCPROMO.LOG

"

12/17/2024 13:12:36 [INFO] Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller DC1.REC.LAN...
12/17/2024 13:12:36 [INFO] Error - The Active Directory Domain Services Installation Wizard (Dcpromo.exe) could not configure the computer account DC2$ on the remote Active Directory Domain Controller DC1.REC.LAN.

Verify that the user running Dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.

For more information, see the resolution section of http://go.microsoft.com/fwlink/?LinkId=178406.

The error was: (5)
12/17/2024 13:12:36 [INFO] NtdsDemote returned 5
12/17/2024 13:12:36 [INFO] DsRolepDemoteDs returned 5
12/17/2024 13:12:36 [ERROR] Failed to demote the directory service (5)"


Any help would be much appreciated. 
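A pre-demotion check script for the conditions discussed above and in the linked KB (the delegation user right in the demoting user's token, FSMO placement, accidental-deletion protection on the DC objects, and replication health), written here as an added example and not taken from the original post. The names DC2 and DC1.REC.LAN come from the post; the ActiveDirectory module, running it on the DC being demoted as the demoting user, and the variable names are assumptions.

```powershell
# Added example: pre-demotion checks for a 2012 R2 DC about to be removed.
# Assumes the ActiveDirectory module is available and that this runs on the
# DC being demoted, as the account that will run dcpromo.exe.
$Demoting  = 'DC2'          # name taken from the post
$Remaining = 'DC1.REC.LAN'  # remote DC named in the post's error

Import-Module ActiveDirectory

# 1. Is SeEnableDelegationPrivilege present in the current token?
#    whoami /priv shows "Disabled" for any privilege the token holds but has
#    not currently enabled; only a privilege that is missing from the list
#    altogether has not been granted. A token issued before the GPO applied
#    the right will not contain it until the user logs off and on again.
$priv = whoami /priv | Select-String 'SeEnableDelegationPrivilege'
if ($priv) { "Token holds the right: $($priv.Line.Trim())" }
else       { 'Token does NOT hold SeEnableDelegationPrivilege; check the Default Domain Controllers Policy and re-logon' }

# 2. No FSMO role may remain on the DC being demoted.
$d = Get-ADDomain; $f = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $flag = if ($r.Value -like "$Demoting*") { '  <-- still on the DC being demoted' } else { '' }
    '{0,-22} {1}{2}' -f $r.Key, $r.Value, $flag
}

# 3. Accidental-deletion protection on the objects dcpromo must remove or edit:
#    the computer account, the NTDS Settings object and the server object.
$dc = Get-ADDomainController -Identity $Demoting
foreach ($dn in $dc.ComputerObjectDN, $dc.NTDSSettingsObjectDN, $dc.ServerObjectDN) {
    $o = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
    '{0,-6} {1}' -f $o.ProtectedFromAccidentalDeletion, $o.DistinguishedName
}

# 4. Replication health as seen from the remaining DC (errors only).
repadmin /showrepl $Remaining /errorsonly
```

Any "True" in step 3 or any role flagged in step 2 is something to clear before retrying the demotion; step 1 tells you whether the right is genuinely absent from the token rather than merely not enabled.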
