cbttrans

asked on

AD 2008 - trying to remove failed DC, getting error DsRemoveDsServerW error 0x5(Access is denied.)

Hello all,

I'm trying to remove a failed DC from Active Directory. The AD is at Windows 2008 functional level.
The domain controller has crashed and at this point is beyond repair. I cleaned up all of the references to the old box from DNS.
Right now the old server is listed under AD Sites and Services in Default-Site-Name under servers.

Along with the failed DC, I have 2 other domain controllers on the network, with one of them acting as GC and another one as Schema Master, Naming Master, and PDC.

When running ntdsutil metadata cleanup, where I select the failed DC as an operation target, while trying to execute "remove selected server" - I get the following:
Transfering / Seizing FSMO roles off the selected server.
DsRemoveDsServerW error 0x5(Access denied.)

While running metadata cleanup I'm logged in and connected to the PDC using an Enterprise Admin account.

Thanks for your help.
ASKER CERTIFIED SOLUTION
Stephan_Schrandt

ASKER

Thanks Stephan, I did look at the link you have provided in the past and it wasn't much help.

As to ARK-DS's response: I've tried using the second DC as well while running metadata cleanup - with the same exact result - access denied. Would it be beneficial to temporarily create another Enterprise Admin account and use it in ntdsutil for cleanup? I'm not sure I follow the PAC suggestion - can you elaborate on this?

Thanks.

I found a solution. Thanks to both of you guys. Stephan, the link you have sent me pointed me in the direction of "Accidental deletion protection", and ARK-DS gave me a push towards the corrupted security descriptors.

The server I was trying to remove in AD Sites and Services did not have the "Protect from accidental deletion" check; however, checking it off and then un-checking it again solved the problem. So it looks like I've had a corrupt attribute. This action simply rewrote attributes and the server cleaned up nicely.

No access denied errors.

Thank you guys.
Thanks for your help.
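
The check described in the accepted fix can be done from PowerShell before retrying metadata cleanup. This is an added example, not code from the thread: it lists the Deny ACEs covering Delete/DeleteTree (the rights the "Protect from accidental deletion" checkbox controls) on the failed DC's server object and its children, then previews the check/un-check toggle. Assumptions: the ActiveDirectory module is available and can reach a DC, and `FAILED-DC-NAME` is a placeholder for the failed server's name.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Placeholder (assumption): name of the failed DC's server object.
$FailedDc = 'FAILED-DC-NAME'

# Server objects live under CN=Sites in the configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" | Select-Object -First 1
if (-not $server) { throw "No server object named $FailedDc under CN=Sites,$configNc" }

# Rights that the accidental-deletion protection denies on the object itself.
$mask = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

# The server object plus everything beneath it (NTDS Settings, connection objects).
$objects = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope Subtree `
    -Filter * -Properties ProtectedFromAccidentalDeletion

foreach ($o in $objects) {
    # Read the security descriptor directly, independent of what the checkbox shows.
    $acl  = Get-Acl -Path ("AD:\" + $o.DistinguishedName)
    $deny = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ([int]$_.ActiveDirectoryRights -band $mask)
    })
    New-Object PSObject -Property @{
        DistinguishedName = $o.DistinguishedName
        CheckboxState     = $o.ProtectedFromAccidentalDeletion
        DenyDeleteAces    = ($deny | ForEach-Object {
            "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }) -join '; '
    }
}

# Scripted equivalent of checking and then un-checking the box on the server object.
# -WhatIf only previews the change; remove it to apply.
Set-ADObject -Identity $server -ProtectedFromAccidentalDeletion $true  -WhatIf
Set-ADObject -Identity $server -ProtectedFromAccidentalDeletion $false -WhatIf
```

A row whose `CheckboxState` is `False` but whose `DenyDeleteAces` is not empty matches the situation the asker describes, where the box appeared unchecked yet deletion was still denied.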