0 Votes
Bearb asked

Metadata cleanup error after manually Removing A Domain Controller Server

We had our domain controller 2008r2 which was in USN Rollback mode. So we decided to decommission it.
We were able to transfer the fsmo roles to the secondary domain controller.
But it was impossible to depromote the server. So we followed this tutorial:

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

Everything was OK except the command to remove the domain controller 2008:

109512-erreur-dc-2008-1.png

Because of this, we can not increase the level of the forest:

109524-erreur-dc-2008-2.png

Thanks in advance


windows-server

0 Votes
DaisyZhou-MSFT answered

Hello @Bearb,

Thank you for your update.

Please check if there is any Deny entry under the "Permissions" tab, as in the screenshot below.

111122-deny1.png



For example:
111133-de1.png


If there is any Deny entry for one group, and Administrator is in this group, you can delete this Deny entry and try to delete the old DC again to see if you can.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



0 Votes
DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes
Bearb answered

Thank you, Patrick, but I already tried those links.

By following this link:

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

I have this error:

109538-image.png


I have also already checked the option: "protect object from accidental deletion"

109557-image.png




0 Votes
DSPatrick answered

Not sure I understand the screenshot, looks like you're in the wrong location to check accidental deletion. Should be in ADSS, also check that the account you're using has permissions to delete objects here.

109598-image.png


then while you're there do the cleanup via GUI
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup#clean-up-server-metadata-using-activedirectory-sites-and-services

--please don't forget to upvote and Accept as answer if the reply is helpful--






0 Votes
DaisyZhou-MSFT answered

Hello @Bearb,

Thank you for posting here.

Would you please tell us which account you are using to log on to the Domain Controller above when you perform the metadata cleanup command and receive the error message "Access is denied"?

We suggest you use a Domain Administrator account to log on to this DC and try to perform these commands again.

Would you please check if you can see this old domain controller 2008 object you want to remove in AD Users and Computers, in AD Sites and Services, in ADSI Edit or in ldp.exe?

1. If so, please right-click this old AD object and check if this domain account (the account you log on to the DC with to perform the commands above) has permission to delete this old object.

For example:

In AD Users and Computers, right-click this old DC object.

109683-adss1.png

109608-adss.png


2. In AD Sites and Services, right-click this old DC object (or NTDS Settings object).

109676-aa0.png

109637-aa.png

3. In ADSI Edit, find this old object and check if the domain account (the account you log on to the DC with to perform the commands above) has permission to delete it.

4. Delete this old object through LDP.exe.
109713-ldp1.png

109638-ldp2.png

109655-ldp3.png


Or you can switch to a domain admin account that has permission to delete this object, log on to one DC with it and try to perform the commands above if needed.


Hope the information above is helpful.

If anything is unclear or should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
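
The permission checks suggested in the two answers above (a Deny entry on the old DC object, and whether the logged-on account is allowed to delete it) can also be done read-only from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed, and the distinguished name is a placeholder to fill in. "Protect object from accidental deletion" is stored as Deny entries for Everyone, so it shows up in the same output.

```powershell
# Added example: read-only check for Deny ACEs that block deletion of a stale DC object.
# Assumes the ActiveDirectory module (RSAT) and a session in the affected forest.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Placeholder DN of the old DC's server object in the Configuration partition.
$ServerDN = 'CN=<OLD-DC>,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>'

# Delete / DeleteTree apply to the object itself, DeleteChild to its parent container.
$DeleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

function Get-DeleteBlocker {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $obj = Get-ADObject -Identity $DistinguishedName -Properties ProtectedFromAccidentalDeletion
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        # Only Deny entries that cover at least one delete-related right are of interest.
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $DeleteRights) -eq 0) { continue }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Protected = $obj.ProtectedFromAccidentalDeletion
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the server object, its children (NTDS Settings) and the parent container.
$targets  = @($ServerDN)
$targets += Get-ADObject -SearchBase $ServerDN -SearchScope OneLevel -Filter * |
    Select-Object -ExpandProperty DistinguishedName
$targets += ($ServerDN -split '(?<!\\),', 2)[1]

$blockers = foreach ($dn in $targets) { Get-DeleteBlocker -DistinguishedName $dn }

if ($blockers) {
    $blockers | Format-Table -AutoSize -Wrap
} else {
    'No Deny ACE covering Delete, DeleteTree or DeleteChild was found on the checked objects.'
}

# Groups of the current account, to compare against the Trustee column.
whoami /groups
```

A Deny entry only applies to the account running the cleanup if its Trustee is that account or one of the groups listed by `whoami /groups`.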



0 Votes
DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes
Bearb answered

Hi, thank you for your help @DaisyZhou-MSFT

But I tried everything you gave me:

I deleted the server from ADSS & ADSI Edit but there is still a trace of the old domain controller in the replication section of the new DC:


110222-image.png

There remains a trace in ADSI Edit in the folder of the new DC:

110110-image.png

No trace in LDP.exe:

110241-image.png

The error with NTDSUTIL:

110158-image.png

The FSMO roles are already moved to another DC:

110203-image.png

Thank you




Hello @Bearb,

Thank you for your update.

Have you checked the permissions as I mentioned above?

If anything is unclear or should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


0 Votes
Bearb answered

Hi @DaisyZhou-MSFT

Thank you for the follow-up

The DCdiag result:

110262-dcdiag.txt

Yes, I already deleted the old 2k8 DC from the list:

110224-image.png

And I checked the permission (I use an "Enterprise Admins" account)


1 Vote
DSPatrick answered

This tool may help to find more remnants.
https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer

--please don't forget to upvote and Accept as answer if the reply is helpful--

