I have a 2008 R2 RODC whose NTFS.DIT has become corrupted. The server wouldn't boot. Logged in with Directory Services Restore Mode and ran ESENTUTL and attempted to repair the NTFS.DIT file. It still shows errors when I run with /Integrity but the server does boot now.
All additional attempts to repair it using ESENTUTL have failed, saying it's corrupt. So what I would like to do is demote the DC and then promote it again. I have a second DC at the site to handle logins, but because of some of the setup on the server I REALLY do not want to install Windows again.
Running DC Promo with or without /forceremoval fails; it keeps prompting me to provide credentials to access "DFSR". I am using the Domain Admin account.
:24:46 [INFO] Performing Forced Demotion
04/28/2013 23:24:46 [INFO] Reading domain policy from the local machine
04/28/2013 23:24:46 [INFO] Error - DFS Replication: Access is denied. (5)
04/28/2013 23:24:46 Failed to get computer name (5)
The DFSAPI log in the Windows\Debug directory has these entries:
4620 SAPI 152 DfsrPrepareForDemotionUsingCredW Prepare Demotion:
4620 SVOL 265 SysVol::Prepare Get fully qualified DN
4620 SVOL 97 CallBack::Error Error Callback Message: DFS Replication: Access is denied.
4620 SVOL 436 SysVol::Prepare Prepare Failed
4620 SAPI 187 DfsrPrepareForDemotionUsingCredW Prepare Demotion Failed. Error:
+ [Error:5(0x5) SysVol::Prepare sysvol.cpp:441 4620 W Access is denied.]
+ [Error:5(0x5) SysVol::Prepare sysvol.cpp:302 4620 W Access is denied.]
I have checked the whole sysvol folder and all seem to have System and Administrators with full access.
Stuck as to what to do if /forceremoval doesn't work.
Need some guru help :)