Dcpromo issue: checking AD/Group Policy health
We have 3 domain controllers, all running Windows 2003 (the DC with the FSMO roles has SP1 and the other 2 have SP2). One of the SP2 DCs is about to suffer an imminent hard drive failure and I wanted to decommission it before it dies. We have also had intermittent issues with some workstations on the domain not picking up policies and correctly logging people on. I suspect that these PCs are trying to authenticate to this dodgy DC and the communication between the two isn't happening.
The problem is I tried to dcpromo this server yesterday and couldn't remove it as a DC. When I ran dcpromo it seemed like it was going to decommission itself until I got the following error:
The operation failed because: Active Directory could not configure the computer account SERVER$ on the remote domain controller firstDCindomain.domain.com. "Access is denied."
Specify an account with Enterprise Administrator privileges to the forest, home.domain.com.
I have checked this. I keep getting the same error message over and over. It's odd because I have done various promotions and decommissions of DCs and never had this trouble in the past. In fact a year ago I had to decommission this exact server and re-promote this exact server after some maintenance and never had a problem.
My worry is I have got a feeling that either Active Directory may be in a slight mess or it's related to Group Policy objects. I have seen a few issues appearing on some of our workstations which relate to not picking up GPO objects.
I have read that I can do a dcpromo /forceremoval and this is likely to work. My worry is this could cause issues as I have to use a util called ntdsutil to clear out Active Directory; this sounds scary and I am not comfortable with doing this method in case I make the problem worse.
Is there something I could run which could check Active Directory and Group Policy for all the DCs to help me identify the problem? I have run dcdiag on all 3 domain controllers and the problem server did bring up more issues than the other 2, and it was pointing to the File Replication Service and replication issues. It's like it cannot communicate with the other DCs. I have manually tried to do replication through Sites and Services and this works without any errors.
So I am confused.
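The read-only health sweep the question asks for, as an added example (not code from the original post): it runs dcdiag, repadmin, nltest, ntfrsutl, netdom and gpresult-style checks against each DC, saves the raw output, and echoes only the lines that mention failures, access denied, errors or warnings. The DC names, the domain name and the output folder are placeholders; it assumes the Windows Server 2003 SP1 Support Tools (repadmin, dcdiag, ntfrsutl, netdom) are installed on the machine it runs from, that PowerShell is available there, and that the account used can read from every DC. Nothing in it changes AD state.

```powershell
# Added example, not from the original post: read-only AD/FRS health sweep
# for a small set of Windows Server 2003 DCs. Host and domain names below
# are placeholders. Assumes Windows Server 2003 SP1 Support Tools on this box.

$Domain = "home.domain.com"                          # placeholder forest root domain
$DCs    = @("dc1.home.domain.com",                   # placeholder: FSMO holder (SP1)
            "dc2.home.domain.com",                   # placeholder: healthy SP2 DC
            "dc3.home.domain.com")                   # placeholder: failing SP2 DC
$OutDir = Join-Path $env:TEMP ("adhealth-" + (Get-Date -Format "yyyyMMdd-HHmm"))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Run-Check {
    param([string]$Name, [string]$Command)
    # Runs one external diagnostic, saves its full output to $OutDir and
    # echoes only the lines that usually signal trouble.
    $file = Join-Path $OutDir ($Name + ".txt")
    Write-Host "== $Name :: $Command"
    $output = Invoke-Expression ($Command + " 2>&1")
    $output | Out-File -FilePath $file -Encoding ASCII
    $output | Select-String -Pattern 'fail|denied|error|warn' |
        ForEach-Object { "   " + $_.Line }
}

# 1. Forest-wide view: FSMO role holders and the DCs the domain advertises.
Run-Check "fsmo"   "netdom query fsmo"
Run-Check "dclist" "nltest /dclist:$Domain"

# 2. Replication summary across all DCs (last success/failure per partner).
#    A DC that only works when synced by hand in Sites and Services tends to
#    show stale "last success" times and failure counts here.
Run-Check "replsummary" "repadmin /replsummary"

foreach ($dc in $DCs) {
    $short = $dc.Split(".")[0]

    # 3. Inbound replication partners and status as seen from this DC.
    Run-Check "showrepl-$short" "repadmin /showrepl $dc"

    # 4. Targeted dcdiag passes: AD replication, FRS events (SYSVOL and
    #    policy distribution), DC advertising, NetLogon shares, FSMO reach.
    Run-Check "dcdiag-$short" ("dcdiag /s:$dc /test:Replications /test:FrsEvent " +
                               "/test:Advertising /test:NetLogons /test:FsmoCheck")

    # 5. FRS replica-set membership, since dcdiag flagged FRS on the bad DC.
    Run-Check "frs-sets-$short" "ntfrsutl sets $dc"

    # 6. Which DC this server hands to a client locating the domain; clients
    #    that land on the failing DC would explain the logon and GPO symptoms.
    Run-Check "dsgetdc-$short" "nltest /dsgetdc:$Domain /server:$dc"
}

# 7. For the dcpromo "Access is denied" error: confirm the account in use is
#    really a member of Enterprise Admins, which lives in the forest root.
Run-Check "whoami-groups" "whoami /groups"
Run-Check "ent-admins"    'net group "Enterprise Admins" /domain'

Write-Host "Raw output saved under $OutDir"
```

Run it from a workstation or a healthy DC rather than from the failing one, so the results reflect how the rest of the domain sees that DC; compare the per-DC `showrepl` and `dcdiag` files side by side, and treat the failing DC's entries in `replsummary` and the `frs-sets` output as the first things to read.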