Cannot Demote 2008 R2 RODC, get a DFSR Access Denied Error

Hello,
I have an 2008 R2 RODC whose NTFS.DIT has become corrupted.  The server wouldnt boot.  Logged in with directory services restore mode and ran ESENTUTL and attempted to repair the NTFS.DIT file.  It still show errors when I run with /Integrity but the server does boot now.

All additional attempts to repair it using ESENTUTL have failed saying its corrupt.  So what I would like to do is demote the DC and the promote it again.  I have a second DC at the site to handle logins, but because of some of the setup on the server I REALLY do not want to install Windows again.

running DC Promo with or without /forceremoval fails, it keeps prompting me to provide credentials to access "DFSR".  I am using the Domain Admin account.

:24:46 [INFO] Performing Forced Demotion04/28/2013 23:24:46 [INFO] Reading domain policy from the local machine
04/28/2013 23:24:46 [INFO] Error - DFS Replication: Access is denied.  (5)
04/28/2013 23:24:46 Failed to get computer name (5)

The DFSAPI log in the Windows\Debug directory has these entries

4620 SAPI   152 DfsrPrepareForDemotionUsingCredW Prepare Demotion:
4620 SVOL   265 SysVol::Prepare Get fully qualified DN
4620 SVOL    97 CallBack::Error Error Callback Message: DFS Replication: Access is denied.
4620 SVOL   436 SysVol::Prepare Prepare Failed
4620 SAPI   187 DfsrPrepareForDemotionUsingCredW Prepare Demotion Failed. Error:
+      [Error:5(0x5) SysVol::Prepare sysvol.cpp:441 4620 W Access is denied.]
+      [Error:5(0x5) SysVol::Prepare sysvol.cpp:302 4620 W Access is denied.]

I have checked the whole sysvol folder and all seem to have System and Administrators with full access.

Stuck as to what to do if /forceremoval doesn't work.

Need some guru help :)
LVL 2
KConner32Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KConner32Author Commented:
Ok, some additional observations, the whole AD system is flaky, DNS searches work as expected, but DNS snap it fails, says it cannot load zone (for the domain).  There are a lot of DFSR "Access Denied" errors in the log, but I am not sure what that means (never really states what it is trying to access).  

Ok, and please dont laugh at me but...... I have another RODC server at the same site.  Is it possible to take the NTDS.DIT file from the functional one, put it on the unfunctional one, and then attempt to demote the non functional one, or does the NTFS.DIT file contain computer specific information.  I.E. all the NTFS.DIT files for all sites the same? or are they computer specific?
0
Ayman BakrSenior ConsultantCommented:
Is the corrupted server part of DFS replication? Then first remove it from DFS then try demoting it.
0
KConner32Author Commented:
How do I remove it from replication.  Because it is corrupted, it is not replicating, so I cannot update the config from the partner side.  Because of the corruption, I cannot access it in DFS replication settings on the local machine.
0
Ayman BakrSenior ConsultantCommented:
Try this on the rogue RODC:

1. net stop dfs
2. Open the registry:
    a.Delete Volumes folder and any subfolders under HKLM\SOFTWARE\Microsoft\DfsHost.
    b.Delete all subfolders under HKLM\SYSTEM\CurrentControlSet\Services\DfsDriver\LocalVolumes, leaving LocalVolumes intact
0
Leon FesterSenior Solutions ArchitectCommented:
Stuck as to what to do if /forceremoval doesn't work.

Your easiest option to get rid of the failed RODC is to treat it like a DEAD DC and remove it from Active directory via Metadata cleanup task.
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds
http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Once the RODC is removed from AD, you can then rebuild it and promote it again.

Regarding the flaky AD issues you found, start with:
dcdiag /fix
netdiag /fix

Then run dcdiag /e /v /c /f:dcdiag.txt and check for errors.
Post the results if you need any assistance.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.