How to delete the DC computer account from the Domain Contro

Alex · Guest

Hi All,

I think a lot of people may benefit if they know how to delete the Domain
Controller computer account for the purpose of the System State backup
validation.
Scenario:
Forest Functional Level is Windows 2003.
There are 2 functional domain controllers - both Windows 2003: DC_good and
DC_bad.
We took a System State backup on DC_good and DC_bad.
Now we want to pretend that virus deleted the Domain Controller computer
account of the DC_bad. Our first goal is to delete DC_bad's computer account
from
OU=Domain Controllers,DC=mydomain,DC=local.
How to do it so DC_bad's computer account would not be recreated once DC_bad
comes back online.

I tried to change the isCriticalSystemObject of the DC_bad to FALSO or
NOT_SET in the ADSIEdit, but it failed with error: "Access to the attribute
is not permitted because the attribute is owned by the Security Accounts
Manager (SAM)."

Additionaly I tried the following steps, but they did not work for me:
1. Tried to delete DC_bad from the ADUC.
2. Tried to delete DC_bad from the ADSIEdit.
3. Tried to delete DC_bad from the LDP.
4. Tried to delete DC_bad from the NTDSUtil.

The furthest where I could get was that I was able to delete
CN=NTFRS Subscriptions,CN=DC_bad,OU=Domain Controllers,DC=mydomain,DC=local
and
CN=NTFRS Subscriptions,CN=DC_bad,OU=Domain Controllers,DC=mydomain,DC=local
CN=DC_bad,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=mydomain,DC=local

but I was unable to delete the DC_bad from the OU=Domain
Controllers,DC=mydomain,DC=local irreversably. Please help me to accomplish
that.

Thank you in advance,
Alex

Jorge Silva · Guest

Hi Alex

Why can't you dcpromo on the DC_BAD?
Are you getting errors, what type of errors (Description, source etc..)?

You said that you tryied to delete the computer from AD with NTDSUTIL, what
credentials did you used?

check that:
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498

--
I hop that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Alex" <Alex@discussions.microsoft.com> wrote in message
news:72D1870B-0931-4C40-B5A8-A55871D646D2@microsoft.com...

Alex · Guest

Please see in line:

Alex · Guest

Also tried to delete
CN=DC_bad,CN=Servers,CN=First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local according to the
KB247393 "Error Deleting a Domain Controller Account in Active Directory
Users and Computers" http://support.microsoft.com/kb/247393. I was able to
delete the server with the "NTDS Objects" subcontainer. I also tried to
delete the DC_bad account from the Domain Controllers OU, but then DC_bad
entries returned bad everywhere.

Funny thing: I was unable to delete the
CN=DC_bad,CN=Servers,CN=First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
unless I took ownership of it. However, when this container was restored, it
belonged to the original owner: Domain Admins (MYDOMAIN\Domain Admins). I am
also a member of this group. Also the connection objects were recreated
automatically.

Joe Richards [MVP] · Guest

You shouldn't be able to accomplish this unless the DC you are trying to remove
is offline, it won't allow an originating write or replicated write to remove
its critical pieces, it will simply put them back out there.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Alex wrote: