AD 2008 - trying to remove failed DC, getting error DsRemoveDsServerW error 0x5(Access is denied.)

Hello all,

I'm trying to remove failed DC from Active Directory. The AD is at windows 2008 functional level.
The domain controller has crashed and at this point is beyond repair. I cleanup up all of the references to the old box from DNS.
Right now the old server is listed under AD sites and Services in Default-Site-Name under servers.

Alone with the failed DC i have 2 other domain controllers on the network with one of them acting as GC and another one is Schema master, Naming Master, and PDC.

When running ndsutil metadata cleanup, where i select failed dc as an operation target, while trying to execute "remove selected server" - I get the following:
Transfering / Seizing FSMO roles off the selected server.
DsRemoveDsServerW error 0x5(Access denied.)

While running metadata cleanup i'm logged in and connected to the PDC using Enterprise admin account.

Thanks for your help.
Who is Participating?
Stephan_SchrandtConnect With a Mentor Commented:
ARK-DSConnect With a Mentor Commented:

Generally this happens due to permissions issue. As you have told that the user is an enterprise admin, I would suggest to execute this process (MetaData Cleanup) on any other DC. May be the security database on the PDC has gone corrupt OR may be the PAC (in the access token) in not correct.

Please try it and let us know the result.
cbttransAuthor Commented:
Thanks Stephan, i did look at the link you have provided in the past and it wasn't much help.

As to ARK-DS's response: I've tried using the second DC as well while running metadata cleanup - with the same exact result - access denied. Would it be beneficial to temporarily create another Enterprise Admin account and use to in ntdsutil for cleanup? I'm not sure i follow the PAC suggestion - can you elaborate on this?

cbttransAuthor Commented:
I found a solution. Thanks to both of you guys. Stephan the link you have sent me pointed me in the direction of "Accidental deletion protection", and ARK-DS gave me a push towards the corrupted security descriptors.

The server i was trying to remove in AD Sites and Services, did not have the "Protect from accidental deletion " checks, however checking it off and then un-checking it again solved the problem. So it looks like i've had a corrupt attribute. This action simply rewrote attributes and the server cleaned up nicely.

No access denied errors.

Thank you guys.
cbttransAuthor Commented:
thanks for your help
All Courses

From novice to tech pro — start learning today.