Solved

Removing Failed AD 2008 DC

Posted on 2014-01-16
Medium Priority
972 Views
Last Modified: 2014-03-12
Server 2008 DC in a 2003 Domain. (schema upgraded)  three x DC

One of my servers failed after a single drive died in a raid 6+hotspare.  HP will be replacing the raid card once I have cleaned up the mess.

After the RAID rebuild with a new drive, the only thing broken at the time was the certificate services store, which was corrupt.  Email (Exchange 2010) was still running fine.

All mailboxes were moved to a new server and I am now in the process of cleaning up.

DCpromo fails as it requires AD Cert Services to be removed first, but Cert Services cannot be removed due to this error:
Attempt to un-install Certification Authority failed with error code 0x80073712. The component store has been corrupted

I get a similar error when I try to remove DNS:
Attempt to un-install DNS Server failed with error code 0x80073712. The component store has been corrupted


Additionally, I cannot remove the Exchange services from this server as it says it cannot find itself as a DC.  It can reach and communicate with two other DCs but seems to only worry about locating itself.

Any clues as to the best way forward with this?

regards
0
Question by:metroit
9 Comments
 

Author Comment

by:metroit
ID: 39785703
Isn't that just for the Server 2008 R2 version, and not Server 2008 SP2, which I have?  At least I have not seen DISM available for 2008 SP2.
0
 
LVL 39

Expert Comment

by:Mahesh
ID: 39786401
For Windows Server 2008 SP2 or Windows Vista SP2, there is a tool called Windows Component Clean Tool (COMPCLN.EXE), which is already available with SP2.
Refer to: Windows Component Clean Tool
http://technet.microsoft.com/en-us/library/dd351467(v=WS.10).aspx#BKMK_COMPCLN

If the above option also fails, then you are forced to remove \ format the server and do the metadata cleanup for AD, certificate services and MS Exchange as well.

http://support.microsoft.com/kb/889250 - CA cleanup for 2008 CA

Mahesh
0
 

Author Comment

by:metroit
ID: 39786423
I had already run compcln.exe.  It just reports that it has already been run and applied the settings.   Exchange is now off the server, so I just need to try and gracefully remove the server.

I had looked at metadata cleanup but that fails with a No Access permissions error.   The server is not set to be protected from deletion in AD.
0

 
LVL 39

Expert Comment

by:Mahesh
ID: 39786496
Just try to remove certificate services first, gracefully \ forcefully, according to the above KB article so that it will allow you to demote the server.
Alternatively, since this is a 2008 server, you can start the server in directory service mode and from there run "dcpromo /forceremoval" to forcefully demote AD from the server.

Then just format \ rebuild the server and you are good to go.

Mahesh
0
 

Author Comment

by:metroit
ID: 39786539
dcpromo /forceremoval still requires that Cert Services are removed first.

The actual Cert Services error on uninstall is:
Attempt to un-install Certification Authority failed with error code 0x80073712.  The component store has been corrupted
0
 
LVL 39

Expert Comment

by:Mahesh
ID: 39786566
You can try forceful removal of the CA server through AD as mentioned in the above KB.

Since Exchange is wiped out already, you can format the server and do the metadata cleanup for AD,
and for certificate services check the above KB article.

Mahesh
0
 

Author Comment

by:metroit
ID: 39786605
I have been through that KB before and the private keys are not listed the same way. This is what I get:

C:\Users\TEMP>certutil -shutdown
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.

C:\Users\TEMP>certutil -key
Microsoft Strong Cryptographic Provider:
  888888888888888-4691-902f-3e6c032aed6c
  888888888888888e88189d796777a72_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4833-ae69-f47dd3769fbb
  888888888888888d658f1d6f29f73d4c_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-46f6-8068-b3c7915bf8b4
  888888888888888c7037e494b06acf9_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

  888888888888888-4539-993c-95e7eb922d1e
  888888888888888607f1bef70cd5c477_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
    AT_KEYEXCHANGE

 888888888888888-4a02-a63b-45a7ce8cb910
 888888888888888f78e017c467910781_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
   AT_KEYEXCHANGE

 iisConfigurationKey
 8888888888888881ec4e9e8b34824aa2_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
   AT_KEYEXCHANGE

 888888888888888-4d8b-b4b5-60f4d3a80bea
 8888888888888884d8112f5511eb14fe_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
   AT_KEYEXCHANGE

 iisWasKey
 888888888888888b9590521c2e8815a_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
   AT_KEYEXCHANGE

 MS IIS DCOM Server
 88888888888888869f48a894af2fe9a1_7ce87e3f-fd83-4953-891c-5cc6f3ad0344
   AT_KEYEXCHANGE, AT_SIGNATURE
0
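Added example, not part of the original thread: a small parser for `certutil -key` listings like the one pasted above. It separates key containers named after a given CA from everything else (for example the IIS machine keys), so the inventory can be reviewed before any CA key cleanup. The CA name, the sample listing and the "(n)" suffix rule for renewed CA keys are assumptions.

```python
import re
from collections import namedtuple

KeyContainer = namedtuple("KeyContainer", "provider name unique_name keyspecs")
KEYSPEC = re.compile(r"^AT_[A-Z]+(\s*,\s*AT_[A-Z]+)*$")

# Constructed listing; CA name and file IDs are made up.
SAMPLE = r"""C:\>certutil -key
Microsoft Strong Cryptographic Provider:
  Example Issuing CA
  aaaa1111_00000000-0000-0000-0000-000000000000
    AT_SIGNATURE
  Example Issuing CA
  aaaa1111_00000000-0000-0000-0000-000000000000
    AT_SIGNATURE
  Example Issuing CA(1)
  bbbb2222_00000000-0000-0000-0000-000000000000
    AT_SIGNATURE
  MS IIS DCOM Server
  cccc3333_00000000-0000-0000-0000-000000000000
    AT_KEYEXCHANGE, AT_SIGNATURE
CertUtil: -key command completed successfully.
"""

def parse_certutil_key(text):
    """Return unique KeyContainer entries from `certutil -key` output."""
    entries, provider, block = [], "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():       # provider header, prompt or status line
            if line.endswith(":"):
                provider, block = line[:-1], []
        elif not KEYSPEC.match(line):  # container name or unique file name
            block.append(line)
        else:                          # keyspec line closes the entry
            specs = tuple(s.strip() for s in line.split(","))
            entry = KeyContainer(provider, block[0], block[-1], specs) if block else None
            if entry and entry not in entries:  # pasted output can repeat entries
                entries.append(entry)
            block = []
    return entries

def split_by_ca(entries, ca_name):
    """Split entries into (containers named after the CA, everything else)."""
    want = ca_name.casefold()
    def is_ca(e):  # assumption: a renewed CA key is listed as "<CA name>(n)"
        n = e.name.casefold()
        return n == want or (n.startswith(want + "(") and n.endswith(")"))
    return [e for e in entries if is_ca(e)], [e for e in entries if not is_ca(e)]
```

An empty first list for the expected CA name means no container in the listing is named after that CA.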
 

Accepted Solution

by:
metroit earned 0 total points
ID: 39912258
I ended up moving the server to new hardware and re-utilising the old server elsewhere.
0
 

Author Closing Comment

by:metroit
ID: 39922878
Solved by clean install
0
