Solved

Metadata cleanup failed

Posted on 2012-12-24
4
1,404 Views
Last Modified: 2012-12-26
Hi,


My DC is down so I reinstall Windows 2003.

During the process of metadata cleanup with NTDSUTIL I got err msg at the end when I did: remove selected server

I got this msg:
-------------------------------------------------------------------------------------
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151D15, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)

-------------------------------------------------------------------------------------

Now my problem I can't delete the DC in ADUC, it keeps telling me:

Access is denied.


If try to run metadata cleanup again it doesn't work because the server is not in site anymore. It seems the first metadata cleanup do the job but did not finish...

What can I do now?
0
Comment
Question by:SAM2009
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 18

Accepted Solution

by:
Sarang Tinguria earned 300 total points
ID: 38719697
Check the security rights on that  DC from ADUC and assign ur self full permission if its not there

Make sure u have enterprise admin rights
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
ID: 38720247
Typically you only need domain admins, unless somebody has removed permissions from this group.

So agreed that you try the enterprise admin group.

You mention that this is a Win2K3 DC, but what level is your AD?
If you're running Win2K8 DC's then it could be that this object is protected from accidental delete.

Check the properties of the computer object to confirm if it can be deleted.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 38720594
Ensuer that you are using domain/enterprise/schema admin user rights user id.If the server is not listed in ntdutil then this indicates that the same is deleted.However also ensure that the faulty DC instances are removed from ADsites and services,DC OU & DNS.

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498?wa=wsignin1.0

Delete Failed DCs from Active Directory
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

Once the instances are remove run dcdiag /q and repadmin /replsum to check the health of online DC if error is reported post the same.

Note:If faulty DC is FSMO role holder you need to seize the FSMO on other DC.Also ensure Authorative time server is configured on PDC role holder server.

Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Configuring the time service on the PDC Emulator FSMO role holder
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

Hope this helps
0
 
LVL 1

Author Closing Comment

by:SAM2009
ID: 38721959
Thanks everybody! In fact, even if Enterprise admins have full right in the DC OU someone restrict the rights on the DC object itself. After checking full right on the object, it works!

Thanks again for all you suggestions!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question