40hz

asked on

Metadata Cleanup issues

I'm having major issues removing a Domain Controller (its name got changed) from my domain such as:

LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
The attempt to remove the FRS settings on CN=<MyServer>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<MyDomain>,DC=local failed because "Element not found.";
metadata cleanup is continuing.
"CN=<MyServer>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<MyDomain>,DC=local" removed from server "<MainDC>"

I verified that my account is part of the Schema Admins group and also made the Domain Admins group a member of the Schema Admins.

On a side note, I did notice that the Schema Admins group is located in the User container in ADUC.

I need to remove this domain but conventional methods are not working. Is there any other way I can remove this DC from the domain?
ASKER CERTIFIED SOLUTION
Renato Montenegro Rustici
40hz

ASKER

Thank you for the advice, rmrustice. Unfortunately I've followed that article a hundred times over with no success. After much frustration, though, I was able to demote the DC and clean up the metadata.

A regular run of dcpromo did not work. I then ran dcpromo /forceremoval in CMD which succeeded in removing the DC from the domain.

After it was removed, I followed your article to remove any instance of the server as a DC.

I'm not sure why dcpromo /forceremoval worked at all but glad it did.

Thank you once again for the quick reply and help.

Yes, if you can't remove the DC by using the regular dcpromo command line, you should use /forceremoval and then do the cleanup.

You will only use the cleanup process directly when your DC is already dead.