Solved

unable to delete failed DC

Posted on 2014-01-07
Last Modified: 2014-01-07
Following KB: http://www.petri.co.il/delete_failed_dcs_from_ad.htm I am unable to delete an already demoted DC.

I get DSRemoveDSServerW error 0x5(Access denied.)

I forced a DC Promo on the server and am trying to get it off our AD.

Any help would be great!
0
Question by:pstiffsae
6 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39762645
Did you run an elevated command prompt before ntdsutil?
0
 

Author Comment

by:pstiffsae
ID: 39762647
Right click and run as administrator, yes.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39762660
Are you on 2003 or 2008 (or higher)? Just asking because there you just need to delete that old DC from AD. http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0

 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39762664
If you are trying to do a metadata cleanup make sure that you have the proper permissions to perform these operations (domain admin rights). Also make sure that you are running this from an elevated command prompt as well.

Open DNS Manager
- Under domain.com zones make sure that you remove this DC under any Name Server Tab
- Under _msdcs folder make sure that this DC is not located under any subfolders related to the SRV records (if you see this DC in there simply delete the record)

This error message might also be due to "Accidental Deletion" enabled on the computer account or in Site and Services computer Object. Check this setting first, then try again.

Accidental Deletion - http://www.doitfixit.com/index.php?option=com_content&view=article&id=131:dsremovedsserverw-error-0x5access-is-denied&catid=48:active-directory&Itemid=53

Will.
0
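
The accidental-deletion check from the accepted solution above, as an added PowerShell example that is not part of the original thread. It lists the failed DC's computer account, its server object under Sites and any NTDS Settings child, and shows which still carry the protection flag. It assumes the RSAT ActiveDirectory module; the function name and `OLD-DC01` are placeholders.

```powershell
# Added example (not from the thread). 'OLD-DC01' is a constructed placeholder name.
Import-Module ActiveDirectory

function Get-DcDeletionProtection {
    param(
        [Parameter(Mandatory)] [string] $DcName,   # short host name of the failed DC
        [switch] $Clear                            # also clear the flag where it is set
    )
    $root   = Get-ADRootDSE
    $filter = "(|(&(objectClass=computer)(cn=$DcName))(&(objectClass=server)(cn=$DcName)))"

    # The computer account lives in the domain NC; the server object lives
    # under CN=Sites in the configuration NC.
    $found = foreach ($base in $root.defaultNamingContext,
                               "CN=Sites,$($root.configurationNamingContext)") {
        Get-ADObject -SearchBase $base -LDAPFilter $filter `
                     -Properties ProtectedFromAccidentalDeletion
    }

    # NTDS Settings (nTDSDSA) objects directly below each server object, if any remain.
    $ntds = $found | Where-Object { $_.ObjectClass -eq 'server' } | ForEach-Object {
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                     -LDAPFilter '(objectClass=nTDSDSA)' `
                     -Properties ProtectedFromAccidentalDeletion
    }

    foreach ($obj in @($found) + @($ntds)) {
        if ($Clear -and $obj.ProtectedFromAccidentalDeletion) {
            # -Confirm prompts before each change, so nothing is altered silently.
            Set-ADObject -Identity $obj.DistinguishedName `
                         -ProtectedFromAccidentalDeletion $false -Confirm
        }
        [pscustomobject]@{
            ObjectClass       = $obj.ObjectClass
            WasProtected      = [bool]$obj.ProtectedFromAccidentalDeletion
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# Report only; add -Clear to untick the flag before retrying the cleanup.
Get-DcDeletionProtection -DcName 'OLD-DC01' | Format-Table -AutoSize
```

The flag is implemented as a Deny ACE for Everyone on Delete and Delete subtree, which is why the removal fails with 0x5 even for a Domain Admin in an elevated prompt.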
 

Author Closing Comment

by:pstiffsae
ID: 39762693
Knew it had to be something small I was missing - unchecking the accidental deletion worked. Thanks!
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39762708
Please run ntdsutil from an elevated CMD on the FSMO role holder:

KB 216498: http://bit.ly/11X6QYO
How to remove data in Active Directory after an unsuccessful domain controller demotion

Elevated CMD: NetDom /query FSMO

You then need to run through _every_ folder in DNS in all Forward Lookup Zones and remove ONLY the removed server.

In elevated CMD:

RepAdmin /viewlist *
RepAdmin /SyncAll
RepAdmin /KCC

The above will tell you the state of replication between your DCs.

Verify that the previous DC is removed in DSSites.msc.

If the previous DC held the FSMO Roles and they were not properly transferred or are munged you will need to run the following on your PDCe:

KB 255504 http://bit.ly/11lKTCZ
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

BTW, if the DCPromo /ForceRemoval was done before replication was complete between all DCs you may be in a situation where your AD is inconsistent between existing DCs.

Philip
0
