How to delete the DC computer account from the Domain Controllers


Guest

Hi All,

I think a lot of people may benefit if they know how to delete the Domain
Controller computer account for the purpose of the System State backup
validation.
Scenario:
Forest Functional Level is Windows 2003.
There are 2 functional domain controllers - both Windows 2003: DC_good and
DC_bad.
We took a System State backup on DC_good and DC_bad.
Now we want to pretend that virus deleted the Domain Controller computer
account of the DC_bad. Our first goal is to delete DC_bad's computer account
from
OU=Domain Controllers,DC=mydomain,DC=local.
How to do it so DC_bad's computer account would not be recreated once DC_bad
comes back online.

I tried to change the isCriticalSystemObject of the DC_bad to FALSE or
NOT_SET in the ADSIEdit, but it failed with error: "Access to the attribute
is not permitted because the attribute is owned by the Security Accounts
Manager (SAM)."

Additionally I tried the following steps, but they did not work for me:
1. Tried to delete DC_bad from the ADUC.
2. Tried to delete DC_bad from the ADSIEdit.
3. Tried to delete DC_bad from the LDP.
4. Tried to delete DC_bad from the NTDSUtil.

The furthest where I could get was that I was able to delete
CN=NTFRS Subscriptions,CN=DC_bad,OU=Domain Controllers,DC=mydomain,DC=local
and
CN=DC_bad,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=mydomain,DC=local

but I was unable to delete the DC_bad from the OU=Domain
Controllers,DC=mydomain,DC=local irreversibly. Please help me to accomplish
that.

Thank you in advance,
Alex
 

Jorge Silva

Hi Alex

Why can't you dcpromo on the DC_BAD?
Are you getting errors, what type of errors (Description, source etc..)?

You said that you tried to delete the computer from AD with NTDSUTIL, what
credentials did you use?

check that:
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498



--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
 

Guest

Please see in line:
Why can't you dcpromo on the DC_BAD?
The scenario is the restoration of the Domain Controller computer account
after it's been deleted by the malicious program/user. So, unfortunately, the
restoration after the demotion is the case for another scenario.
Are you getting errors, what type of errors (Description, source etc..)?
-[Start of error]-------------------------------------------------------------
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1843
User: NT AUTHORITY\ANONYMOUS LOGON
Computer:DC_bad
Description:
While replicating changes from a source domain controller, a request to
delete the following critical system object was detected. This deletion will
be reversed. The object originated at the following domain controller.

Critical system object:
CN=DC_bad\0ADEL:12a32f-12d5-4795-90ee-6692ads83dg49d,CN=Deleted
Objects,DC=mydomain,DC=local
Originating domain controller:
CN=NTDS
Settings,CN=DC_bad,CN=Servers,CN=First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
Originating timestamp:
2006-05-00 10:00:00

Active Directory will not delete the object, but the object will be marked
as authoritative on the local domain controller. This object will then
continue to replicate to other domain controllers.

Changes made to the object just before the deletion operation may or may not
have been preserved. Some distinguished name references to or from the
deleted object may not have been restored.

User Action
Inspect the contents of this object on the other domain controllers for any
inconsistencies.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-[End of error]-------------------------------------------------------------
You said that you tried to delete the computer from AD with NTDSUTIL, what
credentials did you use? BUILTIN\Administrators

check that:
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498
Did not work for me: each time I did a metadata cleanup when DC_bad was
offline, DC_bad's computer account was brought back into the AD after DC_bad
becomes online. This behavior was mentioned in the warning of the NTDSUTIL
that although the DC_bad's account will be removed now, it will be revived
once DC_bad is online.

I was able to delete the following containers though:
CN=NTFRS Subscriptions,CN=DC_bad,OU=Domain Controllers,DC=mydomain,DC=local

and

CN=DC_bad,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=mydomain,DC=local

My question is: if anybody has successful experience of deletion of the
Windows 2003 Domain Controller computer account without actually demoting it,
please advise about the steps. It will be highly appreciated.

Thank you,
Alex
 

Guest

Also tried to delete
CN=DC_bad,CN=Servers,CN=First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local according to the
KB247393 "Error Deleting a Domain Controller Account in Active Directory
Users and Computers" http://support.microsoft.com/kb/247393. I was able to
delete the server with the "NTDS Objects" subcontainer. I also tried to
delete the DC_bad account from the Domain Controllers OU, but then DC_bad
entries returned back everywhere.

Funny thing: I was unable to delete the
CN=DC_bad,CN=Servers,CN=First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
unless I took ownership of it. However, when this container was restored, it
belonged to the original owner: Domain Admins (MYDOMAIN\Domain Admins). I am
also a member of this group. Also the connection objects were recreated
automatically.
 

Joe Richards [MVP]

You shouldn't be able to accomplish this unless the DC you are trying to remove
is offline; it won't allow an originating write or replicated write to remove
its critical pieces, it will simply put them back out there.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
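An added PowerShell audit, not from this thread or any of its posters, that checks the three things the thread turns on: the isCriticalSystemObject flag on the DC accounts in OU=Domain Controllers, the NTDS Settings objects that make a DC a replication partner (and let it restore its own account when it comes back online), and NTDS Replication event 1843 recording a reversed deletion. It assumes a Windows Server 2008 R2 or later DC with the ActiveDirectory module; the 2003-era tools in the thread (ADSIEdit, LDP, NTDSUtil) have no cmdlet equivalent, and $domainDN/$configDN are names chosen here.

```powershell
# Added example (not the thread's own steps). Run on a DC with RSAT/ActiveDirectory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName           # e.g. DC=mydomain,DC=local
$configDN = (Get-ADRootDSE).configurationNamingContext  # CN=Configuration,DC=...

# 1. DC computer accounts and the SAM-owned flag that blocked the ADSIEdit change.
#    userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks a DC account.
Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,$domainDN" `
    -Properties isCriticalSystemObject, userAccountControl |
    Select-Object Name,
        @{n='Critical'; e={ $_.isCriticalSystemObject }},
        @{n='IsDC';     e={ ($_.userAccountControl -band 0x2000) -ne 0 }}

# 2. nTDSDSA ("NTDS Settings") objects under CN=Sites. A DC whose settings object
#    still exists is still a replication partner: as the thread found, it will
#    write its account back once it replicates again.
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configDN" |
    Select-Object @{n='Server'; e={ ($_.DistinguishedName -split ',')[1] -replace '^CN=' }},
                  DistinguishedName

# 3. Event 1843 in the Directory Service log: a delete of a critical system object
#    that replication reversed. Pull the tombstoned DN (the \0ADEL: name) from the
#    message so each hit shows which account was restored and when.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1843 } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dn = [regex]::Match($_.Message, 'CN=[^\r\n]*\\0ADEL:[^\r\n]*').Value
        [pscustomobject]@{
            Time           = $_.TimeCreated
            RestoredObject = $dn.Trim()
            MachineName    = $_.MachineName
        }
    }
```

A DC account that shows Critical=True and still has an nTDSDSA object is exactly the case Joe describes: as long as that DC can come back online, the deletion will be reversed and logged as event 1843.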
 
