Cannot delete DC Windows 2008 after DCPROMO /Forceremoval -- Urgent Help Please

Question

    Windows 2008 is giving me a problem when I try to delete the Additional Domain Controller after running dcpromo /forceremoval.

    When I go to the DC containers in Active Directory, I cannot delete it, even if I uncheck "Object protected from accidental removal" on the NTDS settings.

    The problem I have is, after I restored the Additional Domain Controller, I cannot restore the Directory Service Mode because I don't have the password, which was set by another admin who is not here...

    I forcibly demoted the ADC, but the problem is that I cannot delete the object using metadata cleanup, nor can I delete it manually, or even reuse the same name to rejoin it to the domain and run DCPROMO to promote it as an Additional Domain Controller with the same name...

     

    Deleting using metadata cleanup, I got access denied.


    Is it possible to re-run DCPROMO and re-add it as an Additional Domain Controller? Or do I first need to join it to the domain using the same name?


    Any help?

    Wednesday, July 20, 2011 6:27 AM

All replies

  • Can you verify the permissions using the security tab for the account used for performing metadata cleanup? It should be a member of Enterprise/Domain Admins. The OU which contains the DC object has "Object protected from accidental deletion" enabled & the objects kept under it inherit the policy; disable the inheritance as well as untick the accidental deletion & see if it works. Verify from the security tab that the account has full control or the deletion option ticked.

    Since the metadata cleanup has not been completed, you can't reuse the same hostname/IP; you need to remove all the traces from the AD, allow it to replicate & once it's confirmed there are no traces left, you can go ahead & use the same name.

    You don't need to join the server to the domain first to make it a DC. Run dcpromo directly on the server; it will automatically join the machine to the domain & then promote it as a DC. Verify the machine that is going to be a DC has the local DNS specified in its NIC.

    Removing a Domain Controller from a Domain

    http://technet.microsoft.com/en-us/library/cc771844%28WS.10%29.aspx

    Metadata Cleanup of a Domain controller

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/ 

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by hms_24 Wednesday, July 27, 2011 4:49 AM
    Wednesday, July 20, 2011 6:38 AM
    Moderator
  • Hello Awinish,

    Thanks for your quick reply. I managed to delete the computer object from the Domain Controllers OU. I also checked the metadata and the server is not available any more.

    Now, can I join it back to the domain using the same name, install DNS on it without configuring any zones, and promote it again as an Additional Domain Controller?

     

    Thanks,

     

     

    Wednesday, July 20, 2011 6:49 AM
  • Hello,

    The problem I have is, after I restored the Additional Domain Controller, I cannot restore the Directory Service Mode because I don't have the password, which was set by another admin who is not here...

    You can change the DSRM password.

    Go on the DC and run ntdsutil, after that run reset password on server null and then specify the new password.

    For the deletion, what is the exact error message? If the protection on the NTDS settings is unchecked, then check the user's permissions. Make sure that it belongs to the domain admins / enterprise admins group.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    • Marked as answer by hms_24 Wednesday, July 27, 2011 4:49 AM
    Wednesday, July 20, 2011 6:51 AM
  • Yes, you can, but make sure there are no references left, because metadata cleanup doesn't remove all the references from the AD, especially from the subfolders inside the _msdcs folder. You can manually delete those entries using the below article & once you are confirmed there are no more references to the removed DC, you can use the same hostname/IP, but give some time to replicate the changes to the other DCs in the domain. You can force the replication to all the DCs using repadmin /syncall /APed

    Metadata Cleanup of a Domain controller

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com 

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by hms_24 Wednesday, July 27, 2011 4:49 AM
    Wednesday, July 20, 2011 7:11 AM
    Moderator
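    As an added example that is not part of this thread (nor code from Awinish's article), a PowerShell check for the "no traces left" step Awinish describes: it searches the places where a metadata cleanup or a manual delete can leave objects behind and shows whether each one is still protected from accidental deletion, the likely cause of the access-denied earlier in the thread. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), Domain/Enterprise Admin rights, a surviving DC that also hosts the AD-integrated DNS partitions, and the placeholder hostname ADC01-PLACEHOLDER; Get-DcResidue is a name made up for this example.

```powershell
# Added example (not from the thread or Awinish's article): list objects that
# still reference a demoted DC. Assumes RSAT ActiveDirectory module (2008 R2+),
# Domain/Enterprise Admin rights, run on a surviving DC hosting the DNS partitions.
Import-Module ActiveDirectory

function Get-DcResidue {
    param([Parameter(Mandatory=$true)][string]$HostName)  # short name of the removed DC
    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $domainNC = $root.defaultNamingContext
    $zone     = (Get-ADDomain).DNSRoot
    $found    = @()

    # 1. Server object under CN=Sites and its NTDS Settings child (objectClass nTDSDSA).
    #    These are what metadata cleanup removes; "access denied" usually means one is protected.
    $servers = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter "(&(objectClass=server)(cn=$HostName))" `
                 -Properties ProtectedFromAccidentalDeletion
    foreach ($srv in $servers) {
        if (-not $srv) { continue }   # PowerShell 2.0 iterates once over $null
        $found += $srv
        $found += Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter "(objectClass=nTDSDSA)" -Properties ProtectedFromAccidentalDeletion
    }

    # 2. Computer account (normally in OU=Domain Controllers).
    $found += Get-ADObject -SearchBase $domainNC `
                -LDAPFilter "(&(objectClass=computer)(cn=$HostName))" `
                -Properties ProtectedFromAccidentalDeletion

    # 3. FRS / DFSR SYSVOL membership objects under CN=System.
    $found += Get-ADObject -SearchBase "CN=System,$domainNC" `
                -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$HostName))" `
                -Properties ProtectedFromAccidentalDeletion

    # 4. The host's A-record node in the AD-integrated domain zone. The _msdcs CNAME
    #    records are named by the old NTDS Settings GUID, so review those by hand.
    $found += Get-ADObject -SearchBase "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC" `
                -LDAPFilter "(&(objectClass=dnsNode)(dc=$HostName))" `
                -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue

    # Empty searches append $null to the array; drop those before reporting.
    $found | Where-Object { $_ } |
        Select-Object Name, ObjectClass, ProtectedFromAccidentalDeletion, DistinguishedName
}

# Constructed placeholder hostname; replace with the demoted DC's name.
$name    = "ADC01-PLACEHOLDER"
$residue = @(Get-DcResidue -HostName $name)
if ($residue.Count -gt 0) {
    "Objects still referencing ${name}; clear the protection flag, delete them, then let replication finish:"
    $residue | Format-Table -AutoSize
} else {
    "No leftover references to $name found; the name/IP can be reused after replication."
}
```

    Objects reported with ProtectedFromAccidentalDeletion set to True must have that flag cleared (for example with Set-ADObject -ProtectedFromAccidentalDeletion $false) before a delete will succeed.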
  • Hello Awinish,

    In this domain I have two Domain Controllers, a physical server which is holding all the FSMO roles and the Additional Domain Controller which is a VM. This VM is the one which got a problem and when I attempt to restore it, it gives me the AD errors, authentication error, blah blah...

    Now I managed to delete it and I got a WARNING to delete all sub-tree objects, which I selected, and it removed all the objects. I will go through the given article and make sure everything is cleared from the metadata before I reuse the same name and IP address.

    Thanks for your support.

     

     

    Wednesday, July 20, 2011 7:26 AM
  • In this domain I have two Domain Controllers, a physical server which is holding all the FSMO roles and the Additional Domain Controller which is a VM. This VM is the one which got a problem and when I attempt to restore it, it gives me the AD errors, authentication error, blah blah...

    It looks like you used snapshots / images for the restore. This practice is not supported and causes USN rollbacks.

    You have to force its demoting, perform a metadata cleanup and promote it again.

    For backups, use AD-Aware backups.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Wednesday, July 20, 2011 7:30 AM
  • Hello Mr X,

    No, I didn't use a snapshot, I use Veeam Backup, which uses VSS to back up SQL, Exchange and the DC as well. But the problem happened with VSS: the last backup I took didn't commit the Directory Services properly, and when I tried to restore it after the problem happened, I got AD replication and DNS issues on all the clients and servers.

    Now, I will make sure the metadata database is clean and will reuse the same IP and hostname to be promoted, joining the domain as an Additional Domain Controller.

     

    Thanks again for your quick help.

     

    Wednesday, July 20, 2011 7:56 AM
  • Hello Mr X,

    No, I didn't use a snapshot, I use Veeam Backup, which uses VSS to back up SQL, Exchange and the DC as well. But the problem happened with VSS: the last backup I took didn't commit the Directory Services properly, and when I tried to restore it after the problem happened, I got AD replication and DNS issues on all the clients and servers.

    Now, I will make sure the metadata database is clean and will reuse the same IP and hostname to be promoted, joining the domain as an Additional Domain Controller.

     

    Thanks again for your quick help.

     

    Okay, then make sure that you are using DSRM mode for restore next time.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Wednesday, July 20, 2011 8:05 AM
  • Okay, then make sure that you are using DSRM mode for restore next time.

     

     



    Sure yes, but I have to reset the password for the DSRM, which is a tip you already provided.
    Wednesday, July 20, 2011 8:24 AM
  • Awinish,

    I have quoted this in your Article :


    Note: Once you perform the metadata cleanup of a DC, don’t immediately reuse the same Hostname/IP of the failed DC to configure it back as a new DC, because you have to allow changes to be replicated to all other domain controllers in the forest by allowing & waiting for at least one replication to run. But if you have few DC’s & good bandwidth, you can force the replication using repadmin /syncall /Aped

    I have one DC in my environment now. Do I need to run repadmin, or is there no need as there is no replication partner?

    Thanks,
    S.Hussain

    Wednesday, July 20, 2011 8:25 AM
  • No, you don't need to run this command; it's required in case you deal with multiple DC's. Just verify there are no traces, that's it.

    Note: Don't use snapshots/images/cloning for configuring a DC or for restoration. Preferably, use a system state backup (Ntbackup/Wbadmin) or an AD-aware backup solution for restoring the DC.

    If you don't know or remember the DSRM mode password, you can reset it w/o remembering old one.

    http://technet.microsoft.com/en-us/library/cc754363%28WS.10%29.aspx

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, July 20, 2011 8:42 AM
    Moderator
  • Whatever password I put in, it gives me Invalid Syntax:

     

    NTDSUTIL:

    set dsrm administrator password

    Reset DSRM Administrator Password: whatever password I give, it gives me Invalid Syntax

     

    Wednesday, July 20, 2011 8:59 AM
  • Got it,

    NTDSUTIL:

    reset password on server null:

    Please type password for DS Restore mode Administrator Account: *******

    Please confirm new password: *******

    Password has been set successfully.

     

    Thanks for your quick support.

    Wednesday, July 20, 2011 9:12 AM
  • I will promote the ADC now, after reverting the IP address and computer name... Stay tuned for more updates.

     

    Thanks,

    Wednesday, July 20, 2011 11:44 AM
  • Hello,

    I have promoted it and replication is successful for AD and DNS. But I have noticed another thing which is not related to this thread. I'm using Veeam Backup; before I promoted it to an ADC, the Veeam backup was working fine. But as soon as I promoted it to an ADC and ran the backup again, I got an error pointing to the NTDS and VSS.

     

     

    Freezing guest operating system
    Unfreeze error: [Backup job failed.
    Cannot create a shadow copy of the volumes containing writer's data.
    A VSS critical writer has failed. Writer name: [NTDS]. Class ID: [{b2014c9e-8711-4c5c-a5a9-3cf384484757}]. Instance ID: [{09a7195f-395c-41ed-a8ad-673912e57163}]. Writer's state: [VSS_WS_FAILED_AT_POST_SNAPSHOT]. Error code: [0x800423f4].]

     

    Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid. hr = 0x80070539.
    
    Operation:
      OnIdentify event
      Gathering Writer Data
    
    Context:
      Execution Context: Shadow Copy Optimization Writer
      Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
      Writer Name: Shadow Copy Optimization Writer
      Writer Instance ID: {3b07efc9-e6ec-42e7-b4e9-4590234f42ea}
    
    

    lsass (584) Unable to write to logfile \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\edb.log. Error -1032 (0xfffffbf8).


    Thanks,

     

    Wednesday, July 20, 2011 12:42 PM
  • Hello,

    as this doesn't belong to the DS forums please use the Windows server general forum:

    http://social.technet.microsoft.com/Forums/en/winservergen/threads

    And also contact the vendor if this isn't a known problem belonging to their software.

    Additional check: http://social.technet.microsoft.com/Forums/en/winserverfiles/thread/7b52f7c1-a783-409e-9af3-da64567676df


    Best regards,
    Meinolf Weber

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Saturday, July 23, 2011 8:30 AM