DsRemoveDsServerW error 0x5(Access is denied.) when removing failed 2003 DC using NTDSUtil

    Question

  • Hi,

    I have a failed 2003 SP2 DC (hardware failure) and I've already seized the FSMO roles onto another DC.  Currently, we have two functioning DC's.  The ones still functioning are 2003 SP2 and a 2008 RTM SP2 in a Windows 2003 domain functional level.

    I've read through this link and I'm having the same issue, but I'd rather use the metadata cleanup if I can to make sure it's properly removed.  I am going to reuse the same hostname and IP if possible.

    Remove the orphaned DC failed-
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5dcf30ce-e5d5-4f9b-81e4-d0a49651da06

    I've checked to make sure the failed DC's object option for "Protect this object from accidental deletion" is unchecked.  I've even toggled this to see if that was the problem.  I'm also using a user account which is a member of the Domain Admins, Enterprise Admins, and Schema Admins groups.  Just to be sure, I've created a new account and added it to those 3 groups, but still no luck and receive the same error.

    I've only run ntdsutil on the 2008 DC, but will try running it on the 2003.  I doubt this would matter, though?

    Any ideas?

    metadata cleanup: remove selected server
    Transferring / Seizing FSMO roles off the selected server.
    Removing FRS metadata for the selected server.
    Searching for FRS members under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
    Deleting subtree under "CN=CLAY-DC2,OU=Domain Controllers,DC=CLAY,DC=CNTY".
    The attempt to remove the FRS settings on CN=CLAY-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CLAY,DC=CNTY failed because "Element not found.";
    metadata cleanup is continuing.
    DsRemoveDsServerW error 0x5(Access is denied.)

    Rory Schmitz
    • Edited by RorySchmitz Wednesday, February 9, 2011 3:12 PM Forgot to add command syntax
    Wednesday, February 9, 2011 3:05 PM

Answers

  • Hi,

     

    This can happen if you are logged on using a user ID that doesn't have permissions to delete the computer object and NTDS settings object of that DC.

     

    I would like to confirm whether you have tried the suggestions “Awinish” mentioned. If not, please try the following suggestions.

     

    1) Log onto Windows as the ENTERPRISE ADMIN.

    or

    2) Within NTDSUTIL do the following steps:

    a) Type "metadata cleanup" (without the quotation marks), and then press ENTER.

    b) Type "connections" (without the quotation marks) and press ENTER.

    c) Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER.

    d) Type "connect to server <servername>" (without the quotation marks) and press ENTER. For a null password, type "null" (without the quotation marks) for the password parameter. (Of course, if your ENTERPRISE ADMIN has a null password, you really need to consider another line of work.)

     

    If the issue persists, you may also modify the security permissions and delete them via ADSI Edit manually.

     

    Regards,

     

    Arthur Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by RorySchmitz Friday, February 24, 2017 8:43 PM
    Thursday, February 10, 2011 4:48 AM
    Moderator
  • You need to uncheck all the subtree of the failed DC; only then will the metadata cleanup succeed. The error is because of that: when you delete a failed DC, all of the subtree should be deleted. The reason is that we are trying to tell AD this DC is no more, so remove the DC and all its references from the database; the DC will then remove the object and it would not log any error in the event log.

    Nothing happens if you follow the process, and your concern is normal if you are doing it for the first time.

    On the failed DC name and its subtree, make sure you uncheck all the "protect from accidental deletion" options.

    You need to have Enterprise Admin membership (as told by Arthur_Li); verify from the security tab that the account you are using has Full Control checked.

    Open ADSIEDIT.MSC: cn=configuration,dc=domain,dc=com > cn=sites > CN=Default-First-Site-Name > cn=servers. Delete the failed DC server under cn=servers: right-click the failed DC name, i.e. cn=servername.


    Regards,


    Awinish Vishwakarma

    Blog : http://awinish.wordpress.com

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by RorySchmitz Friday, February 24, 2017 8:43 PM
    Thursday, February 10, 2011 6:35 AM
    Moderator
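    The two answers above come down to the same check: every object ntdsutil has to delete for the failed DC (the computer account, the server object under Sites, and its NTDS Settings child) must have "Protect this object from accidental deletion" cleared, because that flag is implemented as deny-delete ACEs and surfaces as 0x5 (Access is denied) during metadata cleanup. The following script is an added example written for this thread, not code posted by any participant. It assumes the ActiveDirectory RSAT PowerShell module and an account with Enterprise Admins membership; `FAILED-DC` and the site name are placeholders to replace with your own values. It reports the state of all three objects and only clears the flag when run with `-Clear`.

```powershell
# Added example (not from the thread): audit, and optionally clear, the
# "Protect this object from accidental deletion" flag on the objects that
# ntdsutil metadata cleanup must delete for a failed domain controller.
# Assumes the ActiveDirectory RSAT module and Enterprise Admins rights.
param(
    [string]$DcName   = 'FAILED-DC',               # placeholder: failed DC hostname
    [string]$SiteName = 'Default-First-Site-Name', # placeholder: its AD site
    [switch]$Clear                                 # report only unless -Clear is given
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# The three objects the participants above had to clean up by hand.
$serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
$targets  = @(
    "CN=$DcName,OU=Domain Controllers,$domainDn",   # computer account (ADUC)
    $serverDn,                                      # server object (AD Sites and Services)
    "CN=NTDS Settings,$serverDn"                    # NTDS Settings child of the server object
)

foreach ($dn in $targets) {
    # -Identity throws when the object is gone; SilentlyContinue turns that into $null.
    $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion `
                        -ErrorAction SilentlyContinue
    if (-not $obj) {
        Write-Host "ABSENT    $dn"   # already removed: nothing left for ntdsutil here
        continue
    }

    $state = if ($obj.ProtectedFromAccidentalDeletion) { 'PROTECTED' } else { 'clear    ' }
    Write-Host "$state $dn"

    if ($Clear -and $obj.ProtectedFromAccidentalDeletion) {
        # Clearing the flag removes the deny Delete / Delete Subtree ACEs that
        # make DsRemoveDsServerW fail with 0x5 during metadata cleanup.
        Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
        Write-Host "cleared   $dn"
    }
}
```

    Run it once without `-Clear` to see which of the three objects still exists and which is protected; an object reported ABSENT on the computer account but PROTECTED on NTDS Settings matches the situation several posters below describe, where the container rather than the server object carried the flag.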
  • Hello,

    make sure that you remove all DNS entries manually from the zones, the zone properties Name Servers tab and all folders under the _msdcs.domain.com and domain.com zones. This should especially be checked if you would like to use the same machine name again.

    Before adding the new DC I would use the support tools to check the domain for problems.

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a place holder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    Best regards Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, February 10, 2011 6:28 PM
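    Checking the zones by hand in the DNS console works, but a stale SRV, NS, CNAME or A record for a decommissioned DC is easy to miss in the many `_msdcs` subfolders. The script below is an added example for this thread, not code posted by Meinolf Weber or anyone else here. It assumes the DnsServer RSAT module (Windows Server 2012 or later) and a surviving DC that hosts both the domain zone and `_msdcs`; the hostname, IP address, zone and server names are placeholders. It lists every record in those zones whose name or target still refers to the old DC, so you can verify the cleanup before promoting a replacement with the same name.

```powershell
# Added example (not from the thread): list DNS records that still refer to a
# decommissioned DC in the domain zone and its _msdcs zone.
# Assumes the DnsServer RSAT module and a DNS server hosting the zones.
param(
    [string]$OldDc     = 'FAILED-DC',     # placeholder: removed DC hostname
    [string]$OldIp     = '192.0.2.10',    # placeholder: its old IP (TEST-NET-1 range)
    [string]$Zone      = 'corp.example',  # placeholder: AD domain DNS zone
    [string]$DnsServer = 'SURVIVING-DC'   # placeholder: DNS server to query
)
Import-Module DnsServer

$fqdn  = "$OldDc.$Zone"
# _msdcs is a separate zone in most forests; if it is only a subfolder of the
# domain zone, the first query already covers it and the second returns nothing.
$zones = @($Zone, "_msdcs.$Zone")

foreach ($z in $zones) {
    $records = Get-DnsServerResourceRecord -ZoneName $z -ComputerName $DnsServer `
                                           -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        # Each record type stores its target in a differently named field
        # (NS: NameServer, SRV: DomainName, CNAME: HostNameAlias, A: IPv4Address).
        $data   = $r.RecordData
        $target = @($data.NameServer, $data.DomainName, $data.HostNameAlias, $data.IPv4Address) |
                  Where-Object { $_ } | Select-Object -First 1

        # A hit is a record whose target names the old DC or its address, or the
        # old DC's own host record (HostName is relative to the zone).
        $hit = ($null -ne $target) -and
               ("$target" -match [regex]::Escape($fqdn) -or "$target" -eq $OldIp)
        $hit = $hit -or ($r.HostName -like "$OldDc*")

        if ($hit) {
            [pscustomobject]@{
                Zone   = $z
                Name   = $r.HostName
                Type   = $r.RecordType
                Target = "$target"
            }
        }
    }
}
```

    An empty result means the zones no longer reference the old DC; anything listed is a record to remove in the DNS console (the Name Servers tab of the zone properties shows up here as NS records). Run `dcdiag` and `repadmin` as in the post above once the list is empty.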

All replies

  • Check and uncheck "Protect this object from accidental deletion". Take a look at the link below.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4da56473-2e76-4b05-83bb-e905a199d4f6/

     

    Regards,


    Awinish Vishwakarma

    Blog : http://awinish.wordpress.com


    Wednesday, February 9, 2011 4:17 PM
    Moderator
  • Take a look at the article below if you are planning to reuse the DC hostname.

    http://thelaith.net/2010/05/05/why-not-to-re-use-dc-names/

     

    Regards,


    Awinish Vishwakarma

    Blog : http://awinish.wordpress.com


    Wednesday, February 9, 2011 4:34 PM
    Moderator
  • I had already tried the check and uncheck of 'Protect this object from accidental deletion.'  That didn't seem to work.  I did try the metadata cleanup process from the 2003 DC, and it did remove the computer object from the domain, but it still gives me the same access denied error for the rest of the process.  I see this process isn't going to happen easily, so I've manually gone into AD Sites and Services and tried to delete the failed DC from the Default-First-Site-Name site.  I'm not familiar with what will happen if I check the "Use Delete Subtree server control" option, so I haven't checked that yet during this process.

    This is turning into a big mess.


    Rory Schmitz
    Wednesday, February 9, 2011 4:54 PM
  • Hello,

    please make sure that the NTDS Settings object is not marked with "protected from accidental deletion". Use the Windows Server 2008 DC to control it with AD Sites and Services.

    Additionally, make sure to use an elevated command prompt when starting ntdsutil.

    Is CLAY-DC2 the machine you like to remove?


    Best regards Meinolf Weber
    Thursday, February 10, 2011 9:29 AM
  • Hi Everyone,

    Just to recap, here's what I've done:

    - The User account I'm using is member of Enterprise/Domain/Schema Admins group.  I've even created a 2nd account and added it to those 3 groups to also try.

    - Checked and Unchecked "Protect this object from accidental deletion" multiple times on the computer object in ADUC and in ADSS (NTDS Settings).  I'm not sure how long this is supposed to take (should be immediately right?), but I hit apply in between each 'check'.  The computer object is now deleted, but had to do this from the 2003 DC as the 2008 wouldn't work, even with elevated privs.  Strange...

    - I was not able to delete the failed DC (Clay-DC2) out of ADSS.  However, using ADSIEdit.msc did work as suggested.  Awinish, this seemed to work before I went to the Enterprise Admin account to verify it had Full Control of the Enterprise Admins Group.  It did not, basically everything but full control.  I did now check "Full Control" for that group.

    - Arthur_Li, I did try those steps you mentioned with the "Set Cred..." in conjunction with Daniel Petri's site instructions for ADSIUtil:  Petri.co.il  I was still not able to get NTDSUtil to remove anything as described.  Always that access denied message.

    EDIT:

    Now that I have the computer object and the Sites and Services (NTDS) object removed through manual methods as everyone has suggested, do I just need to remove DNS remnants, or are there additional steps to take?

    I appreciate all of the help.


    Rory Schmitz
    • Edited by RorySchmitz Thursday, February 10, 2011 3:37 PM Note under Edit section
    Thursday, February 10, 2011 3:36 PM
  • If you run metadata cleanup again, can you see the server name listed? If not, it's been done, but you need to check the DNS records in all the folders under the _msdcs folder. Since you are going to use the same name, check the article on reusing DC names too.

    I haven't witnessed or encountered any such issues in the past or till now. So, still, I don't know why it happened.

     

    Regards,


    Awinish Vishwakarma

    Blog : http://awinish.wordpress.com


    Thursday, February 10, 2011 3:47 PM
    Moderator
  • Hi Awinish,

    Yes, the server (Clay-DC2) is missing from the list.  I will read over that link you posted earlier about reuse of the hostname/IP.

    I will wait to see if anyone else has any other comments/concerns and then I will mark the posts as answers.

    Thank you!


    Rory Schmitz
    Thursday, February 10, 2011 4:05 PM
  • Hi,

     

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com.


    Friday, February 18, 2011 2:10 AM
    Moderator
  • You need to verify AD Sites and Services: select the site name, expand the Servers folder, select the server, right-click and select Properties; in that window select the Object tab and unselect the check box "Protect object from accidental deletion".

    Then select NTDS Settings, right-click and select Properties; in that window select the Object tab and unselect the check box "Protect object from accidental deletion". Now try again to delete the object in ntdsutil metadata cleanup.

    That worked for me.


    Thursday, November 22, 2012 8:48 PM
  • This worked for me as well when I had the same Access Denied error trying to remove a failed 2003 Server from our domain.
    Thursday, October 22, 2015 4:57 PM
  • Thanks.  In my case, the server objects were fine but the protection was on for the NTDS containers.
    Wednesday, September 28, 2016 5:45 PM
  • I have deleted the server object via ADSI Edit.

    But even though I am a member of Enterprise Admins and have allowed myself full access in the security settings via ADSI Edit, I am not able to do metadata cleanup: 0x5 access denied.

    Any suggestions!

    Friday, February 24, 2017 7:38 PM