AD 2008 - trying to remove failed DC, getting error DsRemoveDsServerW error 0x5(Access is denied.)

Posted on 2009-12-23
Last Modified: 2012-06-22
Hello all,

I'm trying to remove failed DC from Active Directory. The AD is at windows 2008 functional level.
The domain controller has crashed and at this point is beyond repair. I cleanup up all of the references to the old box from DNS.
Right now the old server is listed under AD sites and Services in Default-Site-Name under servers.

Alone with the failed DC i have 2 other domain controllers on the network with one of them acting as GC and another one is Schema master, Naming Master, and PDC.

When running ndsutil metadata cleanup, where i select failed dc as an operation target, while trying to execute "remove selected server" - I get the following:
Transfering / Seizing FSMO roles off the selected server.
DsRemoveDsServerW error 0x5(Access denied.)

While running metadata cleanup i'm logged in and connected to the PDC using Enterprise admin account.

Thanks for your help.
Question by:cbttrans
    LVL 9

    Accepted Solution

    LVL 7

    Assisted Solution


    Generally this happens due to permissions issue. As you have told that the user is an enterprise admin, I would suggest to execute this process (MetaData Cleanup) on any other DC. May be the security database on the PDC has gone corrupt OR may be the PAC (in the access token) in not correct.

    Please try it and let us know the result.

    Author Comment

    Thanks Stephan, i did look at the link you have provided in the past and it wasn't much help.

    As to ARK-DS's response: I've tried using the second DC as well while running metadata cleanup - with the same exact result - access denied. Would it be beneficial to temporarily create another Enterprise Admin account and use to in ntdsutil for cleanup? I'm not sure i follow the PAC suggestion - can you elaborate on this?


    Author Comment

    I found a solution. Thanks to both of you guys. Stephan the link you have sent me pointed me in the direction of "Accidental deletion protection", and ARK-DS gave me a push towards the corrupted security descriptors.

    The server i was trying to remove in AD Sites and Services, did not have the "Protect from accidental deletion " checks, however checking it off and then un-checking it again solved the problem. So it looks like i've had a corrupt attribute. This action simply rewrote attributes and the server cleaned up nicely.

    No access denied errors.

    Thank you guys.

    Author Closing Comment

    thanks for your help

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
    The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
    Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
    In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now