How to Remove Ghost DC from AD

[Francisco Duran]

A hardware problem forced us to remove a DC-controller from our network.
The roles were taken by other DCs and as a gracefully demotion couldn't be
performed, we had to clean-up the metadata following instructions from:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

This worked just fine but now the problem is that in the ACtive Directory
Users and Computers, in the Domain Controllers container, there's still
information for that DC.

We've tried to delete the server from the list and it gives the following
message: The DSA object cannot be delete.

It seems that it cannot be deleted as the server is registered in the active
directory as having a userAccountControl number of: 524288 which means the
server is trusted for delegation.

When we try to uncheck that option from the AD Users and Computers, it shows
the message: "Your security setting do not allow you to Specify whether or
not this account is to be trusted for delagation".

We even changed the GPSO to allow: "Enable computer and user accounts to be
trusted for delegation" and then tried to change this userAccountControl
value using even the ADSI Edit but the message still appers.

Can anybody help me to remove this Ghost DCs from the Active Directory?

 

[Guest]

Francisco,

Open ADSIEDIT and navigate to the Domain Controllers OU. Expand the DC you
want to remove, and first delete any objects below it. Then delete the
computer account. Sometimes it will give you a warning, ignore it and delete
it again. This should work.

 

[Jorge_de_Almeida_Pinto]

A hardware problem forced us to remove a DC-controller from
our network.
The roles were taken by other DCs and as a gracefully demotion
couldn't be
performed, we had to clean-up the metadata following
instructions from:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

This worked just fine but now the problem is that in the
ACtive Directory
Users and Computers, in the Domain Controllers container,
there's still
information for that DC.

We've tried to delete the server from the list and it gives
the following
message: The DSA object cannot be delete.

It seems that it cannot be deleted as the server is registered
in the active
directory as having a userAccountControl number of: 524288
which means the
server is trusted for delegation.

When we try to uncheck that option from the AD Users and
Computers, it shows
the message: "Your security setting do not allow you to
Specify whether or
not this account is to be trusted for delagation".

We even changed the GPSO to allow: "Enable computer and user
accounts to be
trusted for delegation" and then tried to change this
userAccountControl
value using even the ADSI Edit but the message still appers.

Can anybody help me to remove this Ghost DCs from the Active
Directory?

this is the GUI of W2K ADUC that is protecting the DC account. Use
adsiedit to it

 

[Denis Wong @ Hong Kong]

Hi,

Check this article, especially the ADSIEdit section.


How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

br,
Denis

this is the GUI of W2K ADUC that is protecting the DC account. Use
adsiedit to it

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-Remove-Ghost-DC-AD-ftopict397523.html
Visit Topic URL to contact author (reg. req'd). Report abuse:

http://www.windowsforumz.com/eform.php?p=1312927