Solved

Removing Failed AD 2008 DC

Posted on 2014-01-16
Last Modified: 2014-03-12
Server 2008 DC in a 2003 Domain. (schema upgraded)  three x DC

One of my servers failed after a single drive died in a raid 6+hotspare.  HP will be replacing the raid card once I have cleaned up the mess.

After the raid rebuild with a new drive, the only thing that was broken at the time was the certificate services store, which was corrupt.  Email (exchange 2010) was still running fine.

All mailboxes were moved to a new server and I am now in the process of cleaning up.

DCpromo fails as it requires AD Cert Services to be removed first, but Cert services cannot be removed due to this error:
Attempt to un-install Certification Authority failed with error code 0x80073712. The component store has been corrupted

I get a similar error when I try to remove DNS
Attempt to un-install DNS Server failed with error code 0x80073712. The component store has been corrupted


Additionally, I cannot remove the Exchange services from this server as it says it cannot find itself as a DC.  It can reach and communicate with two other DCs but seems to only worry about locating itself.

Any clues as to the best way forward with this?

regards
Question by:metroit
9 Comments
 

Author Comment

by:metroit
ID: 39785703
Isn't that just for the Server 2008 R2 version, and not Server 2008 SP2, which I have?  At least I have not seen DISM available for 2008 SP2.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39786401
For Windows Server 2008 SP2 or Windows Vista SP2, there is a tool called Windows Component Clean Tool (COMPCLN.EXE), which is already available with SP2.
Refer to: Windows Component Clean Tool
http://technet.microsoft.com/en-us/library/dd351467(v=WS.10).aspx#BKMK_COMPCLN

If the above option also fails, then you are forced to remove \ format the server and do the metadata cleanup for AD, certificate services and MS Exchange as well.

http://support.microsoft.com/kb/889250 - CA cleanup for 2008 CA

Mahesh
0
 

Author Comment

by:metroit
ID: 39786423
I had already run compcln.exe.  It just reports that it has already been run and applied the settings.   Exchange is now off the server so I just need to try and gracefully remove the server.

I had looked at metadata cleanup but that fails with a No Access permissions.   The server is not set to protected from Deletion in AD
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39786496
Just try to remove certificate services 1st gracefully \ forcefully according to the above KB article so that it will allow you to demote the server.
Alternatively, since this is a 2008 server, you can start the server in directory service mode and from there run "dcpromo /forceremoval" to forcefully demote AD from the server.

Then just format \ rebuild the server and good to go

Mahesh
0
 

Author Comment

by:metroit
ID: 39786539
dcpromo /forceremoval still requires that cert services are removed first

The actual Cert Service error on un install is
Attempt to un-install Certification Authority failed with error code 0x80073712.  The component store has been corrupted
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39786566
You can try forceful removal of the CA server through AD as mentioned in the above KB.

Since Exchange is wiped out already, you can format the server and do the metadata cleanup for AD,
and for certificate services check the above KB article.

Mahesh
0
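The metadata cleanup suggested above, as an added example that is not part of the original thread: a sequence run from a surviving, healthy DC after the failed one is permanently offline. All names in angle brackets are placeholders. It assumes an account in Domain Admins and the Windows Server 2008 or later version of ntdsutil, which accepts a server distinguished name; the older ntdsutil instead uses the interactive "select operation target" menus.

```powershell
# Added example. Every value in <angle brackets> is a placeholder to fill in.
$Domain     = '<domain.tld>'
$HealthyDc  = '<HEALTHY-DC>'      # surviving DC that will perform the cleanup
$FailedDcDn = 'CN=<FAILED-DC>,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>'

# 1. Confirm the failed DC holds none of the FSMO roles before removing it.
#    If it does, the roles have to be moved to a surviving DC first.
netdom query fsmo

# 2. Record the replication state between the remaining DCs, so that errors
#    that already existed are not blamed on the cleanup afterwards.
repadmin /replsummary

# 3. Remove the failed DC's NTDS Settings object and related metadata.
#    "remove selected server <DN> on <server>" is the Server 2008+ syntax.
ntdsutil "metadata cleanup" "remove selected server $FailedDcDn on $HealthyDc" quit quit

# 4. Verify that the failed DC is no longer advertised.
nltest /dclist:$Domain                            # should list only live DCs
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" # no SRV record for the failed DC
repadmin /showrepl $HealthyDc                     # no inbound partner pointing at it
```

Stale DNS host and SRV records, and the computer object under Active Directory Sites and Services, may still need to be removed by hand if step 4 continues to show the old server.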
 

Author Comment

by:metroit
ID: 39786605
I have been through that KB before and the private keys are not listed the same way, this is what I get

C:\Users\TEMP>certutil -shutdown
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.

C:\Users\TEMP>certutil -key
Microsoft Strong Cryptographic Provider:
  888888888888888-4691-902f-3e6c032aed6c
  888888888888888e88189d796777a72_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4833-ae69-f47dd3769fbb
  888888888888888d658f1d6f29f73d4c_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-46f6-8068-b3c7915bf8b4
  888888888888888c7037e494b06acf9_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4539-993c-95e7eb922d1e
  888888888888888607f1bef70cd5c477_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4a02-a63b-45a7ce8cb910
  888888888888888f78e017c467910781_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  iisConfigurationKey
  8888888888888881ec4e9e8b34824aa2_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4d8b-b4b5-60f4d3a80bea
  8888888888888884d8112f5511eb14fe_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  iisWasKey
  888888888888888b9590521c2e8815a_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  MS IIS DCOM Server
  88888888888888869f48a894af2fe9a1_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE, AT_SIGNATURE
0
 

Accepted Solution

by:
metroit earned 0 total points
ID: 39912258
I ended up moving the server to new hardware and re-utilising the old server elsewhere.
0
 

Author Closing Comment

by:metroit
ID: 39922878
Solved by clean install
0
