URGENT: Failed DC demotion, need to clean AD but MUST leave computer account, etc.

Hi!
A while back I had a failed DC demotion in my 2003 AD network.  I resorted to removing the DC with the dcpromo /forceremoval switch per http://support.microsoft.com/kb/332199.  Now I am attempting to extend the schema for an application and this is failing because it finds a DC that it cannot write to (the disabled DC).  My goal is to remove the DC metadata from AD, but I MUST leave the computer account intact because this is a critical app server we are talking about.  The cleanup processes I've seen, such as http://www.petri.co.il/delete_failed_dcs_from_ad.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498, may involve removing the computer account from AD or generally leave me feeling a little uncertain.

Where do you think I can draw the line so that I am not removing the computer account or other important info the system needs to participate in the network as an app server, yet remove enough info that other DCs don't look to this system as a DC any longer?  I would play it safe and remove the bare minimum so other DCs don't think this box is still a DC.  I need accuracy on this one, which is why I turned to EE.
JohnDemerjianAsked:
Hypercat (Deb)Commented:
From what you've said, it appears that you are still using this server as an application server on your network, in a member server capacity.  Although it might be possible to do what you're requesting, I'm not sure it would be advisable.  Personally, I would recommend following all of the steps in 216498, including removing the computer account in AD.  Then, I'd go to the server itself, unjoin and rejoin the domain, which should recreate a new computer account for the server in the Computers container rather than the DCs container.
0

stronglineCommented:
For a complete clean result, 216498 must be followed, so there is really no way around it here. With that said, I will try the following because it has to be one way or another:

Option 1:
==========
Follow most of the steps in KB216498 except the one that removes the computer account using adsiedit.msc. I will change the computer object's userAccountControl value to 4096 from 532480 instead of removing the whole object, then move it out of the "Domain Controllers" OU. Preserve the A record in DNS for this server too.

Again, this is an un-tested operation, so use your own judgement.

Option 2:
==========
See if you can promote it, then demote it again.

Good luck.
0
JohnDemerjianAuthor Commented:
Thanks for the feedback.  Unfortunately the ONLY option I have is as I have stated previously, so I'll be pushing on despite best practices.  Strongline, why are you changing the computer object's userAccountControl value to 4096 (WORKSTATION_TRUST_ACCOUNT) instead of SERVER_TRUST_ACCOUNT 8192?
0
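As an added example (not code from this thread or from either participant), a small Python decoder for the userAccountControl values quoted above. In AD, SERVER_TRUST_ACCOUNT (8192) is the bit that marks a domain controller's computer object, WORKSTATION_TRUST_ACCOUNT (4096) is what member servers and workstations carry, and 532480 decodes to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION (524288); the sample values passed in below are constructed.

```python
# Added example, not code from the thread: decode userAccountControl (UAC)
# bit flags so the values discussed above (532480, 4096, 8192) can be checked.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",   # member servers and workstations
    0x00002000: "SERVER_TRUST_ACCOUNT",        # domain controllers
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",      # unconstrained delegation, set on DCs
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000

def decode_uac(value: int) -> list:
    """Return the names of every documented flag set in a UAC value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)   # bits outside the documented set
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names

def is_dc_account(value: int) -> bool:
    """True if the computer object is still flagged as a domain controller."""
    return bool(value & SERVER_TRUST_ACCOUNT)

def member_server_uac(value: int) -> int:
    """UAC the object would carry as a plain member server: clear the DC-only
    bits, set WORKSTATION_TRUST_ACCOUNT, keep any other flags (e.g. disabled)."""
    return (value & ~(SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)) | WORKSTATION_TRUST_ACCOUNT

if __name__ == "__main__":
    for v in (532480, 8192, 4096):   # constructed sample values from the thread
        print(v, decode_uac(v), "DC" if is_dc_account(v) else "member server")
```

Running it shows that 532480 carries both DC-only bits, 8192 still marks the object as a DC, and member_server_uac(532480) yields 4096, the value proposed above.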
shaynegCommented:
I don't know why you are panicking so much. Just remove the computer account, then disjoin the domain and rejoin. I have done this a thousand times; it is by far the best way and will cause you no harm.
0
JohnDemerjianAuthor Commented:
shayneg

You don't understand the application installed and how it uses the domain permissions.  If I do as you suggest, it will wreak havoc with the DCOM permissions.  Not an option.
0
JohnDemerjianAuthor Commented:
I removed the metadata per http://www.petri.co.il/delete_failed_dcs_from_ad.htm and it left the computer account and access to the domain intact.  Thanks all for your efforts.
0