Solved

URGENT:  Failed DC demotion, need to clean AD but MUST leave computer account, etc.

Posted on 2007-03-27
6
359 Views
Last Modified: 2010-03-17
Hi!
A while back I had a failed DC demotion in my 2003 AD network.  I resorted to removing the DC with the dcpromo /forceremoval switch per http://support.microsoft.com/kb/332199.  Now I am attempting to extend the schema for an application and this is failing because it finds a DC that it cannot write to (the disabled DC).  My goal is to remove the DC metadata from AD but I MUST leave the computer account intact because this is a critical app server we are talking about.  The cleanup processes I've seen such as http://www.petri.co.il/delete_failed_dcs_from_ad.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498 may involve removing the computer account from the AD or generally leave me feeling a little uncertain.

Where do you think I can draw the line where I am not removing the computer account or other important info for the system to participate in the network as an app server, yet remove enough info so that other DCs don't look to this system as a DC any longer?  I would play it safe and remove the bare minimum so other DCs don't think this box is still a DC.  I need accuracy on this one, which is why I turned to EE.
0
6 Comments
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 250 total points
ID: 18803167
From what you've said, it appears that you are still using this server as an application server on your network, in a member server capacity.  Although it might be possible to do what you're requesting, I'm not sure it would be advisable.  Personally, I would recommend following all of the steps in 216498, including removing the computer account in AD.  Then, I'd go to the server itself, unjoin and rejoin the domain, which should recreate a new computer account for the server in the Computers container rather than the DCs container.
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 250 total points
ID: 18803447
For a complete clean result, 216498 must be followed, so there is really no way around it here. With that said, I would try the following because it has to be one way or another:

Option 1:
==========
Follow most of the steps in KB216498 except the one that removes the computer account using adsiedit.msc. I would change the computer object's userAccountControl value to 4096 from 532480 instead of removing the whole object, then move it out of the "Domain Controllers" OU. Preserve the A record in DNS for this server too.

Again, this is an un-tested operation, so use your own judgement.

Option 2:
==========
Try whether you can promote it, then demote it again.

Good luck.
0
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803686
Thanks for the feedback.  Unfortunately the ONLY option I have is as I have stated previously, so I'll be pushing on despite best practices.  Strongline, why are you changing the computer object's userAccountControl value to 4096 (WORKSTATION_TRUST_ACCOUNT) instead of SERVER_TRUST_ACCOUNT 8192?
0
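The userAccountControl arithmetic behind strongline's Option 1 and the 4096-versus-8192 question, as an added example that is not part of the thread: 532480 decomposes into SERVER_TRUST_ACCOUNT (0x2000) plus TRUSTED_FOR_DELEGATION (0x80000), so writing 8192 would leave the one bit that marks the object as a DC trust account set, while 4096 is the WORKSTATION_TRUST_ACCOUNT bit a member server carries. The flag names and values come from the ADS_USER_FLAG_ENUM documentation; the helper that rewrites a DC value into a member-server value is my own and goes slightly beyond the thread by preserving unrelated bits such as DONT_EXPIRE_PASSWORD.

```python
# Decode and rewrite userAccountControl bitmasks for the DC-to-member-server case.
# Flag values are the documented ADS_USER_FLAG_ENUM constants (subset shown).
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x01000: "WORKSTATION_TRUST_ACCOUNT",  # member workstation or member server
    0x02000: "SERVER_TRUST_ACCOUNT",       # domain controller trust account
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",     # set on DCs for unconstrained delegation
}

DC_ONLY_BITS = 0x02000 | 0x80000


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits outside the table above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def looks_like_dc(value: int) -> bool:
    """A computer object is treated as a DC trust account when 0x2000 is set."""
    return bool(value & 0x02000)


def member_server_uac(value: int) -> int:
    """Rewrite a DC's userAccountControl as a member server's.

    Clears SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION, sets
    WORKSTATION_TRUST_ACCOUNT, and leaves every other bit untouched.
    """
    return (value & ~DC_ONLY_BITS) | 0x01000


if __name__ == "__main__":
    for v in (532480, 8192, 4096):
        print(v, decode_uac(v), "DC" if looks_like_dc(v) else "member")
    print(member_server_uac(532480))  # 4096, the value strongline proposes
```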
 
LVL 6

Expert Comment

by:shayneg
ID: 18803835
I don't know why you are panicking so much. Just remove the computer account, then disjoin the domain and rejoin. I have done this a thousand times and it is by far the best way and will cause you no harm.
0
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803927
shayneg

You don't understand the application installed and how it uses the domain permissions.  If I do as you suggest, it will wreak havoc with the DCOM permissions.  Not an option.
0
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803957
I removed the metadata per http://www.petri.co.il/delete_failed_dcs_from_ad.htm and it left the computer account and access to the domain intact.  Thanks all for your efforts.
0