Solved

URGENT:  Failed DC demotion, need to clean AD but MUST leave computer account, etc.

Posted on 2007-03-27
Last Modified: 2010-03-17
Hi!
A while back I had a failed DC demotion in my 2003 AD network.  I resorted to removing the DC with the dcpromo /forceremoval switch per http://support.microsoft.com/kb/332199.  Now I am attempting to extend the schema for an application and this is failing because it finds a DC that it cannot write to (the disabled DC).  My goal is to remove the DC metadata from AD, but I MUST leave the computer account intact because this is a critical app server we are talking about.  The cleanup processes I've seen, such as http://www.petri.co.il/delete_failed_dcs_from_ad.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498, may involve removing the computer account from AD or generally leave me feeling a little uncertain.

Where do you think I can draw the line so that I am not removing the computer account or other important info the system needs to participate in the network as an app server, yet remove enough info so that other DCs don't look to this system as a DC any longer?  I would play it safe and remove the bare minimum so other DCs don't think this box is still a DC.  I need accuracy on this one, which is why I turned to EE.
Question by JohnDemerjian

Accepted Solution by Hypercat (Deb) (earned 250 total points)
ID: 18803167
From what you've said, it appears that you are still using this server as an application server on your network, in a member server capacity.  Although it might be possible to do what you're requesting, I'm not sure it would be advisable.  Personally, I would recommend following all of the steps in 216498, including removing the computer account in AD.  Then, I'd go to the server itself, unjoin and rejoin the domain, which should recreate a new computer account for the server in the Computers container rather than the DCs container.
Assisted Solution by strongline (earned 250 total points)
ID: 18803447
For a completely clean result, 216498 must be followed, so there is really no way around it here. With that said, I will try the following because it has to be one way or another:

Option 1:
==========
Follow most of the steps in KB216498 except the one that removes the computer account using adsiedit.msc. I will change the computer object's userAccountControl value from 532480 to 4096 instead of removing the whole object, then move it out of the "Domain Controllers" OU. Preserve the A record in DNS for this server too.

Again, this is an untested operation, so use your own judgement.

Option 2:
==========
See if you can promote it, then demote it again.

Good luck.
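The thread never spells out what the two numbers in Option 1 mean, so for the record: a DC's computer account carries userAccountControl 532480 = 0x82000, which is SERVER_TRUST_ACCOUNT (8192, the bit that marks the account as a domain controller) plus TRUSTED_FOR_DELEGATION (524288, unconstrained Kerberos delegation). An ordinary member server carries WORKSTATION_TRUST_ACCOUNT (4096), which is why 4096 rather than 8192 is the target value. The script below is an added example, not code from the thread or from Microsoft; it checks, and with -Fix repairs, the pieces that Option 1 and KB216498 are concerned with while leaving the computer account in place. It uses System.DirectoryServices ([ADSI]) so it runs against a Windows Server 2003 forest without the ActiveDirectory module; the host name APPSRV01 is a hypothetical stand-in for the force-removed DC, and the account running it is assumed to be a member of Enterprise Admins because the Configuration partition is involved.

```powershell
<#
  Added example (not from the original thread). Reports what a force-removed DC
  leaves behind and, with -Fix, repairs it WITHOUT deleting the computer account:
    1. server / NTDS Settings objects under CN=Sites (the replication metadata
       that makes the other DCs keep treating the box as a DC),
    2. FSMO roles whose owner is still the dead DC,
    3. the computer account's userAccountControl, primaryGroupID and container.
  $DeadDc is a hypothetical host name; adjust it for your environment.
#>
param(
    [string]$DeadDc = 'APPSRV01',   # hypothetical name of the force-removed DC
    [switch]$Fix                    # without -Fix the script only reports
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# userAccountControl bits involved (values as documented in KB305144)
$WORKSTATION_TRUST_ACCOUNT = 0x1000    # 4096    plain member server / workstation
$SERVER_TRUST_ACCOUNT      = 0x2000    # 8192    the account is a domain controller
$TRUSTED_FOR_DELEGATION    = 0x80000   # 524288  unconstrained Kerberos delegation
# A DC account normally has 0x82000 = 532480 = 8192 + 524288; a member server has 4096.
$DOMAIN_COMPUTERS_RID   = 515          # primaryGroupID of a member server
$DOMAIN_CONTROLLERS_RID = 516          # primaryGroupID of a DC

function Find-Dn([string]$base, [string]$filter) {
    # distinguishedName of every object under $base matching the LDAP $filter
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$base"
    $s.Filter      = $filter
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $s.FindAll()) { $r.Properties['distinguishedname'][0] }
}

# 1. Replication metadata in the Configuration partition
$serverDn = Find-Dn "CN=Sites,$configNc" "(&(objectClass=server)(cn=$DeadDc))"
$ntdsDn   = if ($serverDn) { Find-Dn $serverDn '(objectClass=nTDSDSA)' }
if ($ntdsDn) {
    Write-Warning "NTDS Settings object still present: $ntdsDn"
    Write-Warning "Remove it from a live DC with ntdsutil > metadata cleanup > remove selected server (KB216498); that step does not touch the computer account."
} elseif ($serverDn) {
    Write-Host "Server object $serverDn has no NTDS Settings child; metadata is clean."
    if ($Fix) { ([ADSI]"LDAP://$serverDn").DeleteTree(); Write-Host 'Deleted the empty server object.' }
} else {
    Write-Host "No server object for $DeadDc under CN=Sites."
}

# 2. FSMO roles: fSMORoleOwner holds the DN of the owner's NTDS Settings object
$roles = @{
    'Schema'         = $schemaNc
    'Domain naming'  = "CN=Partitions,$configNc"
    'PDC'            = $domainNc
    'RID'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure' = "CN=Infrastructure,$domainNc"
}
foreach ($role in $roles.Keys) {
    $owner = ([ADSI]"LDAP://$($roles[$role])").fSMORoleOwner.Value
    if ($owner -like "*CN=$DeadDc,*") {
        Write-Warning "$role master still points at $DeadDc ($owner); seize it with ntdsutil on a live DC."
    }
}

# 3. The computer account: keep it, strip only what marks it as a DC
$compDn = Find-Dn $domainNc "(&(objectClass=computer)(sAMAccountName=$DeadDc`$))"
if (-not $compDn) { throw "No computer account for $DeadDc found; nothing to preserve." }
$comp = [ADSI]"LDAP://$compDn"
$uac  = [int]$comp.userAccountControl.Value
$pgid = [int]$comp.primaryGroupID.Value
Write-Host ("{0}`n  userAccountControl = {1} (0x{1:X}), primaryGroupID = {2}" -f $compDn, $uac, $pgid)
if ($uac -band $SERVER_TRUST_ACCOUNT)   { Write-Warning 'SERVER_TRUST_ACCOUNT (8192) set: AD still regards this account as a DC.' }
if ($uac -band $TRUSTED_FOR_DELEGATION) { Write-Warning 'TRUSTED_FOR_DELEGATION (524288) set: unconstrained delegation on an app server.' }
if ($pgid -eq $DOMAIN_CONTROLLERS_RID)  { Write-Warning 'primaryGroupID 516: the account is still in Domain Controllers.' }

# Clear the two DC-only bits and set the member-server bit. For a stock DC account
# (532480) this yields exactly the 4096 proposed above; any other flags survive.
$newUac = ($uac -band (-bnot ($SERVER_TRUST_ACCOUNT -bor $TRUSTED_FOR_DELEGATION))) -bor $WORKSTATION_TRUST_ACCOUNT
if ($Fix) {
    if ($newUac -ne $uac) { $comp.Put('userAccountControl', $newUac) }
    if ($pgid -eq $DOMAIN_CONTROLLERS_RID) {
        # primaryGroupID may only point at a group the account belongs to, so join it first
        ([ADSI]"LDAP://CN=Domain Computers,CN=Users,$domainNc").Add("LDAP://$compDn")
        $comp.Put('primaryGroupID', $DOMAIN_COMPUTERS_RID)
    }
    $comp.SetInfo()
    $dcGroup = [ADSI]"LDAP://CN=Domain Controllers,CN=Users,$domainNc"
    if ($dcGroup.IsMember("LDAP://$compDn")) { $dcGroup.Remove("LDAP://$compDn") }
    if ($compDn -like "*,OU=Domain Controllers,$domainNc") {
        $comp.MoveTo([ADSI]"LDAP://CN=Computers,$domainNc")
    }
    $comp.RefreshCache()
    Write-Host "Kept $DeadDc`$ as $($comp.distinguishedName.Value), userAccountControl now $($comp.userAccountControl.Value)."
}
```

Run it once without -Fix and read the warnings before running it with -Fix; the NTDS Settings removal is deliberately left to ntdsutil on a live DC, because that is the only step with replication side effects. Two things the script does not cover and that KB216498 does: the dead DC's SRV and CNAME records under _msdcs in DNS (only the A record strongline mentions should stay), and the DC-specific entries left in the account's servicePrincipalName attribute (the GC/ and E3514235-4B06-11D1-AB04-00C04FC2DCD2/ SPNs), which a member server has no use for.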
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803686
Thanks for the feedback.  Unfortunately the ONLY option I have is as I have stated previously, so I'll be pushing on despite best practices.  Strongline, why are you changing the computer object's userAccountControl value to 4096 (WORKSTATION_TRUST_ACCOUNT) instead of SERVER_TRUST_ACCOUNT (8192)?
Expert Comment by shayneg
ID: 18803835
I don't know why you are panicking so much. Just remove the computer account, then disjoin the domain and rejoin. I have done this a thousand times; it is by far the best way and will cause you no harm.
Author Comment by JohnDemerjian
ID: 18803927
shayneg, you don't understand the application installed and how it uses the domain permissions. If I do as you suggest, it will wreak havoc with the DCOM permissions. Not an option.
Author Comment by JohnDemerjian
ID: 18803957
I removed the metadata per http://www.petri.co.il/delete_failed_dcs_from_ad.htm and it left the computer account and access to the domain intact. Thanks all for your efforts.