Event ID - 12296

Event Id12296
SourceSAM
DescriptionThe SAM database attempted to clear the directory %1 in order to remove files that were once used by Active Directory Domain Services. The error is in record data. Please have an administrator delete these files.
Event InformationAccording to Microsoft :
Cause :
This event is logged when the SAM database attempted to clear the directory in order to remove files that were once used by Active Directory Domain Services.
Resolution :
Delete the directory manually
The Security Accounts Manager (SAM) was not able to delete the folder that was referred to in the Event Viewer event text. Perform the following procedure on the computer logging the event to be resolved.
To perform this procedure, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
Go to the folder location that is referred to in the Event Viewer event text in the file system, and then delete the folder. If you are not able to delete the folder, try again after you restart the computer.
To manually delete the directory:
  1. Type the path to the directory in the Run box. For example, if the directory to be deleted is C:\Windows\SYSVOL, click Start, click Run, type c:\Windows, and then press ENTER.
  2. Right-click the folder named SYSVOL, and then click Delete.
Note : As an alternative, you can type del C:\Windows\SYSVOL /q at a command prompt.
Verify :
To ensure that the domain controller demotion was successful, verify that the Active Directory database files were removed and that the computer account is no longer in the Domain Controllers organizational unit (OU) or in the Domain Controllers group in Active Directory Users and Computers. Perform the following procedures using a domain member computer that has domain administrative tools installed.
To perform these procedures, you must have membership in Domain Admins or you must have been delegated the appropriate authority.
Verify that the Active Directory database files were removed
To verify that the Active Directory database files were removed:
  1. Open a command prompt as an administrator. To open a command prompt as administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type cd /d %windir%\ntds, and then press ENTER. (If you installed Active Directory to a nondefault folder when you installed this domain controller, substitute that folder name and path for %windir%\ntds). If the result of this command is File not found, the files were deleted successfully.
Verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group
To verify that the computer account is no longer in the Domain Controllers OU or the Domain Controllers group:
  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
  2. Expand the domain object, if necessary, and then click the Domain Controllers OU. If the computer account is not in this container, the removal of the computer account from the OU was successful.
  3. Right-click the domain object, and then click Find.
  4. In Name, type Domain Controllers, and then click Find Now. The Domain Controllers group appears in Search results.
  5. Right-click the Domain Controllers group, and then click Properties.
  6. On the Members tab, ensure that the computer account is not listed.
Reference LinksEvent ID 12296 from Source SAM

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh