Solved

How to remove Domain Controller after failed AD CA removal and failed DCPromo /Forceremoval

Posted on 2016-08-17
6
41 Views
Last Modified: 2016-09-17
I'm trying to decommission an SBS2008 server, and have finished moving all data and services off of it (including uninstalling Exchange). However, when I tried to remove the AD Cert Authority role, I got an error about the cert store being corrupt. Since i can't remove that, I can't demote the DC even with /ForceRemoval. What should my next step be? I've read that you can run a metadata cleanup, but is that all I have to do? Turn the server off and run a metadata cleanup through ndtsutil? Or is there more to it? Any and all help is appreciated.
0
Comment
Question by:StrategicData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41760376
You *can* do it that way, just make sure all the FSMO roles are off the SBS server before doing so. You'll also want to make sure the AD CA attributes in AD are removed. Also be aware that there may be some SBS artifacts in AD after removing the server. https://support.microsoft.com/en-us/kb/889250 has instructions on running a manual uninstall of the Enterprise CA role. Try to run through that before forcibly removing the SBS server to see if it resolves your issue. Otherwise, complete Step 6 in that link after removing the SBS server forcibly.
0
 

Author Comment

by:StrategicData
ID: 41760383
I actually can't get into the Certutil at all after the failed removal. It throws an error about a file missing.

So by "forcibly remove the SBS server" do you mean I can just turn it off and go from there? All FSMO roles were moved to the new AD box so this old one isn't actually doing anything anymore.
0
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41760386
Yes, you can do that if the whole thing fails outright. Just make sure to clear anything for the bad CA in AD or you'll run into issues later should you decide to implement a new Enterprise CA.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 

Author Comment

by:StrategicData
ID: 41760396
So turn off the old DC, then start at step 6 on the new DC, then do a metadata cleanup? Sorry for so many followup questions but I want to make sure I get everything 100% right. I've never had a removal fail like this.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41760458
SBS is a monster. I'm kinda glad MS ditched the SKU entirely. Anyway, clear the DC metadata, then run through step 6. You'll want to make sure the old DC is fully removed before making too many changes to AD.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 41802878
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adam Brown (https:#a41760376)
-- Adam Brown (https:#a41760386)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question