Solved

Removing failed 2008R2 DC from ADUC after running /forceremoval

Posted on 2014-11-14
5
14 Views
Last Modified: 2016-06-23
DCDIAG reported a DC had exceeded its replication tombstone. We attempted to gracefully remove AD using DCPROMO with no luck. So we disconnected it from the network, ran /forceremoval (worked), then went into AD to remove the remnants. Took it out of ADS&S no problem, removed all DNS records no problem, but attempted to remove it from the Domain Controllers container in ADUC and got a pop-up that said:

Windows cannot delete object [server name] because:
Directory Object not found

Do I need to use ADSIUTIL now to manually clean this up? The server is permanently offline.
0
Comment
Question by:214-042308
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40443166
Did you run a metadata cleanup?

http://www.petri.com/delete_failed_dcs_from_ad.htm
0
 
LVL 1

Author Comment

by:214-042308
ID: 40443227
No good. Got to "list servers in site" after selecting the site it existed in and "Found 0 servers" but the artifact remains in ADUC. So, looks like using ADSIEDIT and not NTDSUTIL?
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 40443390
Yes you need to find the server in ADSI Edit and expand it and delete the child objects from it first.
0
 
LVL 1

Accepted Solution

by:
214-042308 earned 0 total points
ID: 40443663
Apparently it's true that Windows Server 2008R2 will automatically remove metadata - the object is now gone from ADUC without my further intervention. I will still run ADSIUTIL to see if I have any vestigial metadata, but it appears AD is now clean.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question