Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to remove Domain Controller after failed AD CA removal and failed DCPromo /Forceremoval

Posted on 2016-08-17
6
36 Views
Last Modified: 2016-09-17
I'm trying to decommission an SBS2008 server, and have finished moving all data and services off of it (including uninstalling Exchange). However, when I tried to remove the AD Cert Authority role, I got an error about the cert store being corrupt. Since i can't remove that, I can't demote the DC even with /ForceRemoval. What should my next step be? I've read that you can run a metadata cleanup, but is that all I have to do? Turn the server off and run a metadata cleanup through ndtsutil? Or is there more to it? Any and all help is appreciated.
0
Comment
Question by:StrategicData
  • 3
  • 2
6 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41760376
You *can* do it that way, just make sure all the FSMO roles are off the SBS server before doing so. You'll also want to make sure the AD CA attributes in AD are removed. Also be aware that there may be some SBS artifacts in AD after removing the server. https://support.microsoft.com/en-us/kb/889250 has instructions on running a manual uninstall of the Enterprise CA role. Try to run through that before forcibly removing the SBS server to see if it resolves your issue. Otherwise, complete Step 6 in that link after removing the SBS server forcibly.
0
 

Author Comment

by:StrategicData
ID: 41760383
I actually can't get into the Certutil at all after the failed removal. It throws an error about a file missing.

So by "forcibly remove the SBS server" do you mean I can just turn it off and go from there? All FSMO roles were moved to the new AD box so this old one isn't actually doing anything anymore.
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41760386
Yes, you can do that if the whole thing fails outright. Just make sure to clear anything for the bad CA in AD or you'll run into issues later should you decide to implement a new Enterprise CA.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:StrategicData
ID: 41760396
So turn off the old DC, then start at step 6 on the new DC, then do a metadata cleanup? Sorry for so many followup questions but I want to make sure I get everything 100% right. I've never had a removal fail like this.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 41760458
SBS is a monster. I'm kinda glad MS ditched the SKU entirely. Anyway, clear the DC metadata, then run through step 6. You'll want to make sure the old DC is fully removed before making too many changes to AD.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 41802878
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adam Brown (https:#a41760376)
-- Adam Brown (https:#a41760386)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question