metroit
Removing Failed AD 2008 DC
Server 2008 DC in a 2003 domain (schema upgraded), three DCs.
One of my servers failed after a single drive died in a raid 6+hotspare. HP will be replacing the raid card once I have cleaned up the mess.
After the raid rebuild with a new drive, the only thing that was broken at the time was the certificate services store, which was corrupt. Email (Exchange 2010) was still running fine.
All mailboxes were moved to a new server and I am now in the process of cleaning up.
DCpromo fails as it requires AD Cert Services to be removed first, but Cert Services cannot be removed due to this error:
Attempt to un-install Certification Authority failed with error code 0x80073712. The component store has been corrupted
I get a similar error when I try to remove DNS
Attempt to un-install DNS Server failed with error code 0x80073712. The component store has been corrupted
Additionally, I cannot remove the Exchange services from this server as it says it cannot find itself as a DC. It can reach and communicate with the two other DCs but seems to only worry about locating itself.
Any clues as to the best way forward with this?
regards
For Windows Server 2008 SP2 or Windows Vista SP2, there is a tool called Windows Component Clean Tool (COMPCLN.EXE), which is already available with SP2.
Refer to: Windows Component Clean Tool
http://technet.microsoft.com/en-us/library/dd351467(v=WS.10).aspx#BKMK_COMPCLN
If the above option also fails, then you are forced to remove \ format the server and do the metadata cleanup for AD, certificate services and MS Exchange as well.
http://support.microsoft.com/kb/889250 - CA cleanup for 2008 CA
Mahesh
ASKER
I had already run compcln.exe. It just reports that it has already been run and applied the settings. Exchange is now off the server, so I just need to try and gracefully remove the server.
I had looked at metadata cleanup but that fails with a No Access permissions error. The server is not set to protected from deletion in AD.
Just try to remove certificate services first, gracefully \ forcefully according to the above KB article, so that it will allow you to demote the server.
Alternatively, since this is a 2008 server, you can start the server in directory service mode and from there run "dcpromo /forceremoval" to forcefully demote AD from the server.
Then just format \ rebuild the server and you are good to go.
Mahesh
ASKER
dcpromo /forceremoval still requires that cert services are removed first.
The actual Cert Service error on uninstall is:
Attempt to un-install Certification Authority failed with error code 0x80073712. The component store has been corrupted
You can try forceful removal of the CA server through AD as mentioned in the above KB.
Since Exchange is wiped out already, you can format the server and do the metadata cleanup for AD,
and for certificate services check the above KB article.
Mahesh
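Added example, not part of the thread: the AD metadata cleanup step recommended above, as a batch script run from a surviving DC in an elevated prompt with Domain Admin rights, after the failed server has been taken offline for good. FAILEDDC, Default-First-Site-Name and example.com are placeholders for the real server, site and domain names.

```batch
@echo off
rem Added example: metadata cleanup for a DC that was formatted without a clean demotion.
rem All names below are placeholders (assumptions), not values from the thread.
setlocal
set "FAILED_DC=FAILEDDC"
set "SITE=Default-First-Site-Name"
set "DOMAIN_DNS=example.com"
set "DOMAIN_DN=DC=example,DC=com"
set "SERVER_DN=CN=%FAILED_DC%,CN=Servers,CN=%SITE%,CN=Sites,CN=Configuration,%DOMAIN_DN%"

rem 1. Stop if the failed DC still holds a FSMO role; the role must be
rem    seized on a surviving DC before its metadata is removed.
netdom query fsmo | findstr /i /c:"%FAILED_DC%" >nul
if not errorlevel 1 (
    echo %FAILED_DC% still holds a FSMO role. Seize it first.
    exit /b 1
)

rem 2. Remove the failed DC's server object and NTDS Settings from the
rem    Configuration partition. ntdsutil asks for confirmation.
ntdsutil "metadata cleanup" "remove selected server %SERVER_DN%" quit quit

rem 3. Verify: the failed DC should no longer appear in the DC list or
rem    as a server object, and replication between the remaining DCs
rem    should report no failures.
nltest /dclist:%DOMAIN_DNS%
dsquery server -name %FAILED_DC%
repadmin /replsummary
endlocal
```

Stale DNS records for the removed DC (its host record and SRV entries under _msdcs) and the CA objects covered by the KB article still need to be cleaned up separately.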
ASKER
I have been through that KB before and the private keys are not listed the same way; this is what I get:
C:\Users\TEMP>certutil -shutdown
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.
C:\Users\TEMP>certutil -key
Microsoft Strong Cryptographic Provider:
888888888888888-4691-902f- 3e6c032aed 6c
888888888888888e88189d7967 77a72_7ce8 7e3f-fd83- 4953-891c- 5cc6f3ad03 44
AT_KEYEXCHANGE
888888888888888-4833-ae69- f47dd3769f bb
888888888888888d658f1d6f29 f73d4c_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
888888888888888-46f6-8068- b3c7915bf8 b4
888888888888888c7037e494b0 6acf9_7ce8 7e3f-fd83- 4953-891c- 5cc6f3ad03 44
AT_KEYEXCHANGE
888888888888888-4539-993c- 95e7eb922d 1e
888888888888888607f1bef70c d5c477_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
888888888888888-4539-993c- 95e7eb922d 1e
888888888888888607f1bef70c d5c477_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
888888888888888-4a02-a63b- 45a7ce8cb9 10
888888888888888f78e017c467 910781_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
iisConfigurationKey
8888888888888881ec4e9e8b34 824aa2_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
888888888888888-4d8b-b4b5- 60f4d3a80b ea
8888888888888884d8112f5511 eb14fe_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE
iisWasKey
888888888888888b9590521c2e 8815a_7ce8 7e3f-fd83- 4953-891c- 5cc6f3ad03 44
AT_KEYEXCHANGE
MS IIS DCOM Server
88888888888888869f48a894af 2fe9a1_7ce 87e3f-fd83 -4953-891c -5cc6f3ad0 344
AT_KEYEXCHANGE, AT_SIGNATURE
ASKER
Solved by clean install