Solved

How to remove Domain Controller after failed AD CA removal and failed DCPromo /Forceremoval

Posted on 2016-08-17
6
39 Views
Last Modified: 2016-09-17
I'm trying to decommission an SBS2008 server, and have finished moving all data and services off of it (including uninstalling Exchange). However, when I tried to remove the AD Cert Authority role, I got an error about the cert store being corrupt. Since i can't remove that, I can't demote the DC even with /ForceRemoval. What should my next step be? I've read that you can run a metadata cleanup, but is that all I have to do? Turn the server off and run a metadata cleanup through ndtsutil? Or is there more to it? Any and all help is appreciated.
0
Comment
Question by:StrategicData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41760376
You *can* do it that way, just make sure all the FSMO roles are off the SBS server before doing so. You'll also want to make sure the AD CA attributes in AD are removed. Also be aware that there may be some SBS artifacts in AD after removing the server. https://support.microsoft.com/en-us/kb/889250 has instructions on running a manual uninstall of the Enterprise CA role. Try to run through that before forcibly removing the SBS server to see if it resolves your issue. Otherwise, complete Step 6 in that link after removing the SBS server forcibly.
0
 

Author Comment

by:StrategicData
ID: 41760383
I actually can't get into the Certutil at all after the failed removal. It throws an error about a file missing.

So by "forcibly remove the SBS server" do you mean I can just turn it off and go from there? All FSMO roles were moved to the new AD box so this old one isn't actually doing anything anymore.
0
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41760386
Yes, you can do that if the whole thing fails outright. Just make sure to clear anything for the bad CA in AD or you'll run into issues later should you decide to implement a new Enterprise CA.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:StrategicData
ID: 41760396
So turn off the old DC, then start at step 6 on the new DC, then do a metadata cleanup? Sorry for so many followup questions but I want to make sure I get everything 100% right. I've never had a removal fail like this.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41760458
SBS is a monster. I'm kinda glad MS ditched the SKU entirely. Anyway, clear the DC metadata, then run through step 6. You'll want to make sure the old DC is fully removed before making too many changes to AD.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 41802878
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adam Brown (https:#a41760376)
-- Adam Brown (https:#a41760386)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question