Solved

How to remove Domain Controller after failed AD CA removal and failed DCPromo /Forceremoval

Posted on 2016-08-17
Last Modified: 2016-09-17
I'm trying to decommission an SBS2008 server, and have finished moving all data and services off of it (including uninstalling Exchange). However, when I tried to remove the AD Cert Authority role, I got an error about the cert store being corrupt. Since I can't remove that, I can't demote the DC even with /ForceRemoval. What should my next step be? I've read that you can run a metadata cleanup, but is that all I have to do? Turn the server off and run a metadata cleanup through ntdsutil? Or is there more to it? Any and all help is appreciated.
Question by:StrategicData
6 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41760376
You *can* do it that way, just make sure all the FSMO roles are off the SBS server before doing so. You'll also want to make sure the AD CA attributes in AD are removed. Also be aware that there may be some SBS artifacts in AD after removing the server. https://support.microsoft.com/en-us/kb/889250 has instructions on running a manual uninstall of the Enterprise CA role. Try to run through that before forcibly removing the SBS server to see if it resolves your issue. Otherwise, complete Step 6 in that link after removing the SBS server forcibly.
0
 

Author Comment

by:StrategicData
ID: 41760383
I actually can't get into the Certutil at all after the failed removal. It throws an error about a file missing.

So by "forcibly remove the SBS server" do you mean I can just turn it off and go from there? All FSMO roles were moved to the new AD box so this old one isn't actually doing anything anymore.
0
 
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 41760386
Yes, you can do that if the whole thing fails outright. Just make sure to clear anything for the bad CA in AD or you'll run into issues later should you decide to implement a new Enterprise CA.
0

 

Author Comment

by:StrategicData
ID: 41760396
So turn off the old DC, then start at step 6 on the new DC, then do a metadata cleanup? Sorry for so many followup questions but I want to make sure I get everything 100% right. I've never had a removal fail like this.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 41760458
SBS is a monster. I'm kinda glad MS ditched the SKU entirely. Anyway, clear the DC metadata, then run through step 6. You'll want to make sure the old DC is fully removed before making too many changes to AD.
0
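A read-only check for the sequence discussed above (FSMO roles off the old server, DC metadata cleared, CA objects removed from AD), run from the surviving DC. This is an added example, not part of the thread; `OLD-SBS01` and `EXAMPLE-OLD-CA` are placeholder names, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: read-only checks run from the surviving DC; nothing is deleted.
Import-Module ActiveDirectory

$OldDc     = 'OLD-SBS01'       # placeholder (assumption): host name of the retired DC
$OldCaName = 'EXAMPLE-OLD-CA'  # placeholder (assumption): name of the failed Enterprise CA

# 1. FSMO roles: none of the five should still be held by the old server.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$stuckRoles = @($roles.GetEnumerator() |
    Where-Object { $_.Value -eq $OldDc -or $_.Value -like "$OldDc.*" })

# 2. DC metadata: any hit here is a leftover reference to the old DC
#    (server object under CN=Sites, or its computer account).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$serverObjs = @(Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDc))")
$dcAccount  = @(Get-ADComputer -LDAPFilter "(cn=$OldDc)")

# 3. CA leftovers: Enterprise CA objects are published under
#    CN=Public Key Services in the Configuration partition.
$pkiBase = "CN=Public Key Services,CN=Services,$configNC"
$caObjs  = @(Get-ADObject -SearchBase $pkiBase -LDAPFilter "(cn=$OldCaName*)")

"FSMO roles still on ${OldDc}: $($stuckRoles.Count)"
$stuckRoles | ForEach-Object { "  $($_.Key) -> $($_.Value)" }
"Server objects left under CN=Sites: $($serverObjs.Count)"
$serverObjs | ForEach-Object { "  $($_.DistinguishedName)" }
"Computer accounts left: $($dcAccount.Count)"
"CA objects left under Public Key Services: $($caObjs.Count)"
$caObjs | ForEach-Object { "  $($_.DistinguishedName)" }

if ($stuckRoles.Count -gt 0) {
    Write-Warning "Move the listed roles to another DC before removing $OldDc."
}
```

Running it before and after the cleanup gives a record of what was removed; all counts at zero means no references to the old DC or CA name remain in the places checked.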
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 41802878
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Adam Brown (https:#a41760376)
-- Adam Brown (https:#a41760386)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
