Force removal and meta cleanup of Domain Controller but get Access is Denied

I have a Win 2008 server Domain Controller that I need to remove since it has stopped replicating for the past 2 years apparently.
Problem is I don't have the local user Admin account enabled nor its password.
I am a domain admin in the domain the DC is in, however I'm getting Access is Denied and "C:\Windows\system32\dcpromo.exe - Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item." when I try to run dcpromo on the box.

What's a way I can get rid of this DC gracefully and so I can make room to add another DC to DCPromo?
garryshape asked:
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
If you can't run dcpromo then take the server offline and clean the metadata information by removing the affected server from AD. Rebuild the server, add it to the domain and promote it as a DC. Refer to the links below:

https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
http://support.microsoft.com/en-us/kb/216498

Will Szymkowski, Senior Solution Architect, commented:
If the DC has not been replicating properly for 2 years then it is a high probability that you are going to have to remove this DC manually.

If dcpromo /forceremoval does not work, then I would simply do the following...
- Power off the DC
- Update your DHCP scopes and remove this DC from DNS
- Login to another DC, launch NTDSUtil
- Remove the DC that you are having issues with
- complete the removal process and perform a metadata cleanup
- Make sure that the computer account is removed from the Domain Controllers OU
- Open DNS Console, expand yourdomain.com
- expand _msdcs.yourdomain.com
- Expand all folders, i.e. gc/pdc/domainDNS/ForestDNS, and delete any SRV records that are from the old DC
- Open Sites and Services and delete the computer object for this DC as well

If this DC is holding any of the FSMO roles you will have to Seize these to another DC using NTDSUtil. If it is not holding any FSMO roles then just perform the steps above.

Will.
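An added example, not code from this thread or from Will, that scripts the two steps above that carry the most risk: checking which FSMO roles still point at the dead DC (the same information `netdom query fsmo` prints) and handing the server's DN to ntdsutil for the metadata cleanup. Assumed names: OLDDC is the dead DC, NEWDC the healthy DC that receives any seized roles, yourdomain.com the domain and Default-First-Site-Name the site; the one-line `remove selected server <DN>` form is the Server 2008 ntdsutil syntax documented in the Microsoft article linked earlier. It runs in dry-run mode until `$DryRun` is set to `$false`.

```powershell
# Added example, not part of the original thread. Assumed names: OLDDC (dead DC),
# NEWDC (healthy DC that receives any seized roles), yourdomain.com and the site
# Default-First-Site-Name. Run as a Domain Admin on NEWDC with the AD RSAT module.
Import-Module ActiveDirectory

$OldDc  = 'OLDDC'
$NewDc  = 'NEWDC'
$Domain = 'yourdomain.com'
$Site   = 'Default-First-Site-Name'
$DryRun = $true   # flip to $false to actually seize roles and run ntdsutil

# Step 1: which FSMO roles, if any, still point at the dead DC. This is the
# same information 'netdom query fsmo' prints, read from AD instead.
$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest
$roleOwners = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$toSeize = @($roleOwners.GetEnumerator() |
    Where-Object { $_.Value -like "$OldDc.*" } |
    ForEach-Object { $_.Key })

if ($toSeize.Count -eq 0) {
    Write-Host "No FSMO roles are held by $OldDc."
} elseif ($DryRun) {
    Write-Host "Would seize $($toSeize -join ', ') to $NewDc."
} else {
    # -Force seizes rather than transfers. Only do this once OLDDC is
    # permanently offline; a DC whose roles were seized must never come back.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# Step 2: metadata cleanup. The server object DN under the Configuration
# partition identifies the DC to ntdsutil. On Server 2008 and later,
# 'remove selected server <DN>' removes the NTDS Settings object, the server
# object and the DC computer account without the interactive menu walk.
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
try {
    $null = Get-ADObject -Identity $serverDn -ErrorAction Stop
} catch {
    Write-Host "No server object at $serverDn - metadata already clean?"
    return
}

$ntdsArgs = @('metadata cleanup', "remove selected server $serverDn", 'quit', 'quit')
if ($DryRun) {
    Write-Host "Would run: ntdsutil $($ntdsArgs -join ' ')"
} else {
    & ntdsutil.exe @ntdsArgs
}
```

The seize happens before the cleanup on purpose: once the NTDS Settings object is gone, the role attributes still point at a DN that no longer exists, and `netdom query fsmo` starts reporting errors instead of a server name. After the script completes, the remaining manual steps are the DNS SRV records and DHCP scopes from the list above, which ntdsutil does not touch.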
Learnctx, Engineer, commented:
As Will suggested, you will need to perform a metadata cleanup. Very straightforward. Follow the guide below; it should have most of what needs to be done.

http://www.petri.com/delete_failed_dcs_from_ad.htm

Before doing this I would suggest seizing any FSMO roles (I doubt it had any but check anyway: netdom query fsmo).

Another thing to clean up: if you're using it as a DFS target at all, clean that up. I also suggest checking replication before and after. If you have any replication issues other than this DC being a replication problem, then fix those up before proceeding.
garryshape (Author) commented:
Sorry, I've got a duplicate thread going here, but technically they are two issues.

I'm reading the "Active Directory" book by O'Reilly, and it says when manually removing a domain controller from Active Directory, if it's not a FSMO, you can simply select the DC within Active Directory Users and Computers MMC and delete it. It says after you do that, the metadata cleanup steps are performed automatically. (Chapter 18: Backup, Recovery and Maintenance).

Only on Windows Server 2003 does it mention having to go into ntdsutil and running commands and stuff.

Is that ok then? So if I'm just deleting it from AD, do I need to shut down the DC first? It's a Virtual Machine -- can I just power it off then delete it from AD?
Will Szymkowski, Senior Solution Architect, commented:
Regardless if a DC is holding the FSMO roles or not, I always check/perform a metadata cleanup. This way I can ensure that all info from this DC is removed and this is a double check.

I personally would make it a part of your steps to just follow the metadata cleanup and ensure all remnants are removed.

It is never a wise thing to "assume" and always validate your changes.

Will.
Learnctx, Engineer, commented:
Yes, since Server 2008 you can delete a Domain Controller directly from ADUC and it will be force removed from Active Directory. Personally I do not trust this process and prefer to stick with a metadata cleanup using ntdsutil, same as Will. I also find deleting from ADUC can leave remnants, particularly in DNS (at least this has been my experience), so I would recommend manually checking that DNS has been correctly cleaned up. Almost all AD replication problems I come across are typically DNS related (almost all :p).
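An added example, not from this thread or from either expert, that automates the "check for remnants" advice in Learnctx's reply and in Will's DNS and Sites and Services steps: it looks for the DC computer account, the server object, any SRV/NS/A records in the domain and _msdcs zones that still name the old DC or its IP, and finishes with a replication summary. Assumed names: OLDDC in yourdomain.com, run on a surviving DC with the ActiveDirectory and DnsServer RSAT modules. It is report-only unless `$Remove` is set to `$true`.

```powershell
# Added example, not part of the original thread: audit (and optionally remove)
# remnants of a dead DC after metadata cleanup. Assumed names: OLDDC in
# yourdomain.com. Run on a surviving DC with the ActiveDirectory and DnsServer
# RSAT modules. Defaults to report-only.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc   = 'OLDDC'
$Domain  = 'yourdomain.com'
$OldFqdn = "$OldDc.$Domain"
$Remove  = $false   # $true deletes the DNS remnants it finds

$findings = New-Object System.Collections.Generic.List[string]

# 1. Directory objects a completed metadata cleanup should have removed:
#    the DC computer account and the server object under Sites.
$dom      = Get-ADDomain -Identity $Domain
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADComputer -Filter "name -eq '$OldDc'" `
    -SearchBase "OU=Domain Controllers,$($dom.DistinguishedName)" |
    ForEach-Object { $findings.Add("Computer account still present: $($_.DistinguishedName)") }
Get-ADObject -Filter "name -eq '$OldDc' -and objectClass -eq 'server'" `
    -SearchBase "CN=Sites,$configNc" |
    ForEach-Object { $findings.Add("Sites and Services object still present: $($_.DistinguishedName)") }

# 2. DNS. The host A record gives us the old IP, so the nameless '@' A records
#    that the domain zone keeps for every DC can be matched as well.
$domainRecords = Get-DnsServerResourceRecord -ZoneName $Domain
$oldIps = @($domainRecords |
    Where-Object { $_.RecordType -eq 'A' -and $_.HostName -eq $OldDc } |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

# _msdcs.<domain> is normally its own zone on 2003+ forests; if it is only a
# subdomain of the domain zone, the first pass already covers its records.
$zones = @($Domain, "_msdcs.$Domain")
foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue
    $stale = @($records | Where-Object {
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -eq "$OldFqdn.") -or
        ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -eq "$OldFqdn.") -or
        ($_.RecordType -eq 'A'   -and $_.HostName -eq $OldDc) -or
        ($_.RecordType -eq 'A'   -and $_.HostName -eq '@' -and
            $oldIps -contains $_.RecordData.IPv4Address.IPAddressToString)
    })
    foreach ($rec in $stale) {
        $findings.Add("DNS remnant in ${zone}: $($rec.HostName) $($rec.RecordType)")
        if ($Remove) {
            Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rec -Force
        }
    }
}

# 3. Replication health of what is left, checked before and after the
#    removal as suggested; repadmin ships with every DC.
& repadmin.exe /replsummary

if ($findings.Count -eq 0) {
    Write-Host "No remnants of $OldFqdn found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once before the removal to get a baseline of what references the old DC, and again afterwards; anything still listed after the cleanup is what the ADUC delete path tends to leave behind. The SRV match is by target name, so records registered under gc, pdc and the site-specific _sites folders are all caught without walking the console tree.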
garryshape (Author) commented:
So if I run the ntdsutil on another DC it will prompt me to enter the name of another DC to remove?
Will Szymkowski, Senior Solution Architect, commented:
So if I run the ntdsutil on another DC it will prompt me to enter the name of another DC to remove?

It does not matter what DC you run it on; as long as it is a read/write DC you'll be fine. When you go through the steps you will need to specifically select the DC to be removed.

Will.
garryshape (Author) commented:
Great input guys, ty, this is the way I have to go.
garryshape (Author) commented:
Yeah, just checking back, everything's good. Old DC is gone, metadata cleanup took place automatically but I still followed up with the command line route to be sure.