How to Remove Ghost DC from AD

Guest
Archived from groups: microsoft.public.win2000.active_directory

A hardware problem forced us to remove a DC-controller from our network.
The roles were taken by other DCs and as a graceful demotion couldn't be
performed, we had to clean up the metadata following instructions from:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

This worked just fine but now the problem is that in Active Directory
Users and Computers, in the Domain Controllers container, there's still
information for that DC.

We've tried to delete the server from the list and it gives the following
message: The DSA object cannot be deleted.

It seems that it cannot be deleted as the server is registered in Active
Directory as having a userAccountControl number of 524288, which means the
server is trusted for delegation.

When we try to uncheck that option in AD Users and Computers, it shows
the message: "Your security settings do not allow you to specify whether or
not this account is to be trusted for delegation".

We even changed the GPSO to allow "Enable computer and user accounts to be
trusted for delegation" and then tried to change this userAccountControl
value even using ADSI Edit, but the message still appears.

Can anybody help me remove this ghost DC from Active Directory?
 
Guest

Francisco,

Open ADSIEDIT and navigate to the Domain Controllers OU. Expand the DC you
want to remove, and first delete any objects below it. Then delete the
computer account. Sometimes it will give you a warning; ignore it and delete
it again. This should work.



"Francisco Duran" wrote:

> A hardware problem forced us to remove a DC-controller from our network.
> The roles were taken by other DCs and as a graceful demotion couldn't be
> performed, we had to clean up the metadata following instructions from:
>
> http://www.petri.co.il/delete_failed_dcs_from_ad.htm
>
> This worked just fine but now the problem is that in Active Directory
> Users and Computers, in the Domain Controllers container, there's still
> information for that DC.
>
> We've tried to delete the server from the list and it gives the following
> message: The DSA object cannot be deleted.
>
> It seems that it cannot be deleted as the server is registered in Active
> Directory as having a userAccountControl number of 524288, which means the
> server is trusted for delegation.
>
> When we try to uncheck that option in AD Users and Computers, it shows
> the message: "Your security settings do not allow you to specify whether or
> not this account is to be trusted for delegation".
>
> We even changed the GPSO to allow "Enable computer and user accounts to be
> trusted for delegation" and then tried to change this userAccountControl
> value even using ADSI Edit, but the message still appears.
>
> Can anybody help me remove this ghost DC from Active Directory?
>
>
>
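
The situation in the question (metadata cleaned up, but a computer object left in the Domain Controllers container with userAccountControl 524288), as an added PowerShell example that is not part of the original thread: it decodes the userAccountControl bits and lists computer objects in the Domain Controllers OU that no longer own an NTDS Settings object. The sample records, host names, domain name and the function names `ConvertFrom-Uac` and `Find-GhostDc` are constructed for illustration; the flag values are the documented ADS_USER_FLAG bits.

```powershell
# Added example, not from the thread. Documented userAccountControl bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x2
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000     # 8192, set on domain controller accounts
    TRUSTED_FOR_DELEGATION    = 0x80000    # 524288, the value quoted in the question
    NOT_DELEGATED             = 0x100000
}

function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every known flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Constructed sample data (hypothetical names): computer objects exported from
# the Domain Controllers OU, and the servers that still have an NTDS Settings
# object under CN=Sites,CN=Configuration (that is, DCs that still exist).
$computers = @(
    [pscustomobject]@{ Name = 'DC01';  DN = 'CN=DC01,OU=Domain Controllers,DC=example,DC=com';  UAC = 532480 }
    [pscustomobject]@{ Name = 'DC02';  DN = 'CN=DC02,OU=Domain Controllers,DC=example,DC=com';  UAC = 532480 }
    [pscustomobject]@{ Name = 'OLDDC'; DN = 'CN=OLDDC,OU=Domain Controllers,DC=example,DC=com'; UAC = 524288 }
)
$ntdsOwners = 'DC01', 'DC02'

function Find-GhostDc {
    param($Computers, [string[]]$NtdsOwners)
    foreach ($c in $Computers) {
        $flags  = ConvertFrom-Uac -Value $c.UAC
        $inDcOu = $c.DN -like '*,OU=Domain Controllers,*'
        # A computer object in the DC OU with no NTDS Settings object is a leftover.
        if ($inDcOu -and $c.Name -notin $NtdsOwners) {
            [pscustomobject]@{
                Name       = $c.Name
                UAC        = $c.UAC
                Flags      = $flags -join ', '
                Delegation = 'TRUSTED_FOR_DELEGATION' -in $flags
            }
        }
    }
}

# Lists OLDDC only, with Flags = TRUSTED_FOR_DELEGATION and Delegation = True.
Find-GhostDc -Computers $computers -NtdsOwners $ntdsOwners | Format-Table -AutoSize
```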
 
Guest

This is the GUI of W2K ADUC that is protecting the DC account. Use
adsiedit to do it.

 
Guest

Hi,

Check this article, especially the ADSIEdit section.


How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

br,
Denis

"Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:3_1312927_492190a572b413b0a81f32559efdc5cf@windowsforumz.com...
> This is the GUI of W2K ADUC that is protecting the DC account. Use
> adsiedit to do it.