Solved

How to remove Domain Controller after failed AD CA removal and failed DCPromo /Forceremoval

Posted on 2016-08-17
6
27 Views
Last Modified: 2016-09-17
I'm trying to decommission an SBS2008 server, and have finished moving all data and services off of it (including uninstalling Exchange). However, when I tried to remove the AD Cert Authority role, I got an error about the cert store being corrupt. Since I can't remove that, I can't demote the DC even with /ForceRemoval. What should my next step be? I've read that you can run a metadata cleanup, but is that all I have to do? Turn the server off and run a metadata cleanup through ntdsutil? Or is there more to it? Any and all help is appreciated.
Question by: StrategicData
6 Comments
 
LVL 38

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41760376
You *can* do it that way, just make sure all the FSMO roles are off the SBS server before doing so. You'll also want to make sure the AD CA attributes in AD are removed. Also be aware that there may be some SBS artifacts in AD after removing the server. https://support.microsoft.com/en-us/kb/889250 has instructions on running a manual uninstall of the Enterprise CA role. Try to run through that before forcibly removing the SBS server to see if it resolves your issue. Otherwise, complete Step 6 in that link after removing the SBS server forcibly.
0
 

Author Comment

by:StrategicData
ID: 41760383
I actually can't get into the Certutil at all after the failed removal. It throws an error about a file missing.

So by "forcibly remove the SBS server" do you mean I can just turn it off and go from there? All FSMO roles were moved to the new AD box so this old one isn't actually doing anything anymore.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41760386
Yes, you can do that if the whole thing fails outright. Just make sure to clear anything for the bad CA in AD or you'll run into issues later should you decide to implement a new Enterprise CA.
0

Author Comment

by:StrategicData
ID: 41760396
So turn off the old DC, then start at step 6 on the new DC, then do a metadata cleanup? Sorry for so many follow-up questions, but I want to make sure I get everything 100% right. I've never had a removal fail like this.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41760458
SBS is a monster. I'm kinda glad MS ditched the SKU entirely. Anyway, clear the DC metadata, then run through step 6. You'll want to make sure the old DC is fully removed before making too many changes to AD.
0
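As an added example (not code from the thread or from Microsoft), the order Adam Brown describes can be scripted as a pre-flight on a surviving DC: confirm no FSMO role still points at the old server, run the ntdsutil metadata cleanup for the powered-off DC, then inventory the Enterprise CA objects in the Configuration partition that KB 889250 step 6 has you remove by hand. The server name OLDSBS, the site Default-First-Site-Name and the DoIt guard are placeholders/assumptions; the script reports CA objects rather than deleting them so each can be reviewed first.

```powershell
# Added example, not from the original thread. Run as Enterprise Admin on a
# surviving DC that has the ActiveDirectory RSAT module installed.
# Placeholders: $OldDc and $Site are assumptions; change them for your forest.
Import-Module ActiveDirectory

$OldDc    = 'OLDSBS'                      # hostname of the DC being forcibly retired
$Site     = 'Default-First-Site-Name'     # AD site the old DC's server object lives in
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# 1. Precondition from the accepted answer: no FSMO role may still be held by the old DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$stale = $roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc*" }
if ($stale) {
    $stale | ForEach-Object { Write-Warning "FSMO role $($_.Key) is still held by $($_.Value)" }
    throw "Transfer or seize the roles above before removing $OldDc."
}
Write-Host "No FSMO roles are held by $OldDc."

# 2. Metadata cleanup for the powered-off DC. ntdsutil accepts the server DN
#    directly on Windows Server 2008 R2 and later. Left guarded so the DN can be
#    checked before anything is removed; set $DoIt = $true to execute it.
$serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
Write-Host "Metadata cleanup target: $serverDn"
$DoIt = $false
if ($DoIt) {
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# 3. Inventory leftover Enterprise CA objects (the containers cleaned by hand in
#    KB 889250 step 6). Report only: review each DN, then delete with Remove-ADObject.
#    The CA's common name may differ from its hostname, so both are matched.
$pkiBase    = "CN=Public Key Services,CN=Services,$ConfigNC"
$containers = 'Certification Authorities', 'Enrollment Services', 'AIA', 'CDP'
foreach ($c in $containers) {
    $dn = "CN=$c,$pkiBase"
    Get-ADObject -SearchBase $dn -SearchScope Subtree -Filter * `
                 -Properties dNSHostName -ErrorAction SilentlyContinue |
        Where-Object { $_.DistinguishedName -ne $dn } |
        Where-Object { $_.Name -like "*$OldDc*" -or $_.dNSHostName -like "$OldDc*" } |
        ForEach-Object { Write-Output "$c : $($_.DistinguishedName)" }
}
# The NTAuthCertificates store and any certificate templates published only by the
# old CA are handled separately in the KB and are not touched here.
```

Run step 3 again after the deletions and after replication has converged; a clean result is what you want before standing up a replacement Enterprise CA, which is the failure Adam Brown warns about.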
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 41802878
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adam Brown (https:#a41760376)
-- Adam Brown (https:#a41760386)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0