Question

Cannot remove domain controller in Active Directory

Asked by: alank2

We have 4 Windows 2000 servers, each acting as a DC. Some time ago we had a 5th DC which has since been retired. Problem is the Event Manager on one of these servers keeps getting Event ID 13508, stating file replicating trouble. I tried to delete the missing server in AD under Domain Controllers but receive "The DSA object cannot be deleted". Is there a way to remove the missing server and eliminate these messages?

Thanks


Asked On: 2005-02-10 at 12:30:57 (ID 21310197)
Tags: domain, cannot, controller, remove
Topics: Operating Systems Miscellaneous, Active Directory
Participating Experts: 7
Points: 250
Comments: 8


Answers

 

by: gerdawg, posted on 2005-02-10 at 13:51:45 (ID: 13280587)

You have to use the support tools located on the Server CD.

From there you will use ADSI EDIT and follow the instructions to a T

I have done this in the past and it was successful. The issue is that that entry was never removed from your SCHEMA as it was not properly demoted or all information did not "unreplicate successfully".

I did a little searching. Here is the MS article for your convenience:

How to remove data in Active Directory after an unsuccessful domain controller demotion
Article ID : 216498
Last Review : November 4, 2004
Revision : 7.0
This article was previously published under Q216498
SUMMARY
This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.

The information is in the following location in Active Directory:
CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, but is retired upon demotion.

In the event that the NTDS Settings object is not removed correctly (for example, if the NTDS Settings object is not correctly removed from a demotion attempt), the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in Active Directory for a particular domain controller. At each Ntdsutil menu, the administrator can type help for more information about the available options.

Caution The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Procedure
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do so, type set creds domain name username password and press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.

Note If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message:
Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine if the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.  
13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message:
Error 8419 (0x20E3)
The DSA object could not be found
the NTDS Settings object may already be removed from Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after running the DCPROMO utility.

Note You may also see this error when you try to bind to the domain controller that is going to be removed. Ntdsutil has to bind to a domain controller other than the one that is going to be removed with metadata cleanup.
16. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC is going to be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the DC's that exist to use the old cname record.

As best practice you should delete the hostname and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.
Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller.

The Adsiedit utility is included with the Windows Support Tools feature in both Windows 2000 Server and Windows Server 2003. To install the Windows Support Tools, follow these steps:
• Windows 2000 Server: On the Windows 2000 Server CD, open the Support\Tools folder, double-click Setup.exe, and then follow the instructions that appear on the screen.
• Windows Server 2003: On the Windows Server 2003 CD, open the Support\Tools folder, double-click Suptools.msi, click Install, and then follow the steps in the Windows Support Tools Setup Wizard to complete the installation.
1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
d. Expand OU=Domain Controllers.
e. Right-click CN=domain controller name, and then click Delete.
If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Expand CN=File Replication Service.
f. Expand CN=Domain System Volume (SYSVOL share).
g. Right-click the domain controller you are removing, and then click Delete.
 
3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.

Important If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

Note If you have reverse lookup zones, also remove the server from these zones.
4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.
 
5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Server.
e. Right-click the domain controller, and then click Delete.
 
Also, consider the following:
• If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
• If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to the address site, the domain, or the forest global catalog load.
• If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
• If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
• If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.
MORE INFORMATION
For additional information about how to forcefully demote a Windows Server 2003 or Windows 2000 domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
332199 DCPROMO /FORCEREMOVAL command to force the demotion of Active Directory domain controllers

--------------------------------------------------------------------------------

APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows Server 2003, Standard Edition
• Microsoft Windows Server 2003, Enterprise Edition
• Microsoft Windows Server 2003, Datacenter Edition

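As an added example (not from the original answer or from KB 216498), the script below checks, after the ntdsutil metadata cleanup, which of the objects the KB procedure has you delete by hand are still present for a retired DC, whether its computer account still carries the DC flag that triggers "DSA object cannot be deleted", whether it still holds any FSMO role, and whether its A record and _msdcs cname still resolve. It assumes it is run as a domain admin from a surviving domain member; `RETIREDDC`, the site name and the function name are placeholders.

```powershell
# Added example, not part of the original post or of KB 216498.
# Assumed: run as a domain admin on a surviving DC or domain member.
function Test-RetiredDcLeftovers {
    param(
        [Parameter(Mandatory = $true)][string]$DcName,   # short name of the retired DC
        [string]$SiteName = 'Default-First-Site-Name'
    )
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $domainDn  = [string]$rootDse.defaultNamingContext
    $configDn  = [string]$rootDse.configurationNamingContext
    $schemaDn  = [string]$rootDse.schemaNamingContext
    $forestDn  = [string]$rootDse.rootDomainNamingContext
    # DC=corp,DC=example,DC=com -> corp.example.com
    $domainDns = ($domainDn -replace ',?DC=', '.').TrimStart('.')
    $forestDns = ($forestDn -replace ',?DC=', '.').TrimStart('.')

    $ntdsDn = "CN=NTDS Settings,CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
    # The objects KB 216498 has you delete (NTDS Settings, server, computer, FRS member).
    $objects = @{
        'NTDS Settings object'  = $ntdsDn
        'Server object (Sites)' = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
        'Computer account'      = "CN=$DcName,OU=Domain Controllers,$domainDn"
        'FRS member object'     = "CN=$DcName,CN=Domain System Volume (SYSVOL share)," +
                                  "CN=File Replication Service,CN=System,$domainDn"
    }
    $leftovers = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $objects.GetEnumerator()) {
        if ([ADSI]::Exists("LDAP://$($entry.Value)")) {
            $leftovers.Add("$($entry.Key) still exists: $($entry.Value)")
        }
    }
    # KB step 1: a DC computer account has SERVER_TRUST_ACCOUNT (8192) set in
    # userAccountControl; the KB workaround is to set the value to 4096 before deleting.
    $computerDn = $objects['Computer account']
    if ([ADSI]::Exists("LDAP://$computerDn")) {
        $uac = [int]"$(([ADSI]"LDAP://$computerDn").userAccountControl)"
        if ($uac -band 8192) {
            $leftovers.Add("Computer account userAccountControl=$uac still marks it as a DC (set to 4096 first)")
        }
    }
    # FSMO check (kprad, SkipFire): fSMORoleOwner is the DN of the owner's NTDS
    # Settings object, so a role still on the retired DC names it in that DN.
    $roleHolders = @{
        'Schema master'         = $schemaDn
        'Domain naming master'  = "CN=Partitions,$configDn"
        'PDC emulator'          = $domainDn
        'RID master'            = 'CN=RID Manager$,CN=System,' + $domainDn
        'Infrastructure master' = "CN=Infrastructure,$domainDn"
    }
    foreach ($role in $roleHolders.GetEnumerator()) {
        $owner = [string]([ADSI]"LDAP://$($role.Value)").fSMORoleOwner
        if ($owner -like "*CN=$DcName,CN=Servers,*") {
            $leftovers.Add("$($role.Key) is still held by $DcName ($owner); it must be seized")
        }
    }
    # DNS (KB steps 3 and 17): the host A record, and the GUID-named cname under
    # _msdcs of the forest root, which can only be derived while NTDS Settings exists.
    $names = @("$DcName.$domainDns")
    if ([ADSI]::Exists("LDAP://$ntdsDn")) {
        $names += "$(([ADSI]"LDAP://$ntdsDn").psbase.Guid)._msdcs.$forestDns"
    }
    foreach ($name in $names) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name)
            $leftovers.Add("DNS still resolves $name to $($addrs -join ', ')")
        } catch { }   # name does not resolve: the record is already gone
    }
    return ,$leftovers
}

$found = Test-RetiredDcLeftovers -DcName 'RETIREDDC'   # placeholder DC name
if ($found.Count -eq 0) { 'No leftovers found' } else { $found }
```

An empty result means the manual part of the KB procedure is complete; any line reported maps directly to one of the KB steps or to the FSMO seizure the later answers mention.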

 

by: Spag_Yetti, posted on 2005-02-10 at 15:37:06 (ID: 13281495)

yeah... what that said is what i say!

On a serious note... I have had problems when I demote a DC that has a slow link back to the root... The instructions above should clear up your problem.

 

by: gerdawg, posted on 2005-02-10 at 15:42:33 (ID: 13281532)

Sorry we were typing at the same time. :(

It's good for the ADSI edit, but BE CAREFUL. That's your AD schema you're messing with.

 

by: SystmProg, posted on 2005-02-10 at 20:35:42 (ID: 13283094)

 

by: kprad, posted on 2005-02-12 at 07:45:56 (ID: 13293931)

Always perform the metadata cleanup using NTDSutil and then delete it from adsiedit.
Also remember to remove the DC from the System container under the domain head; there is a File Replication Service listing with the replication partners. Remove it from there as well and 13508 would disappear. I would also go with gerdawg,
but remember to check the FSMO role holders, and if any role is on the non-existent DC it should be seized.

 

by: mmvenge, posted on 2005-02-15 at 00:17:41 (ID: 13311635)

I had the same problem, you could try what I did, it helped remove the error msgs.

Start -> Programs -> Active Directory Sites and Services -> in the Active Directory Sites tree select Sites, then expand Default-First-Site-Name -> expand the Servers folder, and if you can see the server from here, try to delete it from here. It will prompt you that the server is offline and whether you would like to demote it permanently.

 

by: SkipFire, posted on 2005-02-19 at 08:13:36 (ID: 13353914)

Do you still have the old server and is it intact? If so, you might boot it back up and then run dcpromo and demote it from being a domain controller, then take it off the network. Also check all 5 operations master roles and make sure the old computer isn't listed for any of those.
