While trying to demote an existing Windows Server 2008 R2 Domain Controllers I ran into quite the headache. After running "dcpromo" and following the first few steps of the demotion it seems to start and run just fine. But within a few seconds I was promoted for credentials with the below "access is denied" message.
I searched and searched but was not able to find a good solution so finally I gave up and ran "dcpromo /forceremoval". I then did the metadata cleanup and moved on. I then tried to remove the old DC computer object from the Domain Controllers OU and I was denied access again. I scratched my head and realized that the object was protected. Could this whole problem be that simple!? The answer is YES, it was that simple.
On my next DC demotion I re-created the same errors. I cancelled the dcpromo, went into ADUC and unchecked the "Protect object from accidental deletion" box, ran dcpromo and and everything went smooth without error!
John "Mike" Wright