JohnDemerjian (United States) asked:
URGENT: Failed DC demotion, need to clean AD but MUST leave computer account, etc.

Hi!
A while back I had a failed DC demotion in my 2003 AD network.  I resorted to removing the DC with the dcpromo /forceremoval switch per http://support.microsoft.com/kb/332199.  Now I am attempting to extend the schema for an application and this is failing because it finds a DC that it cannot write to (the disabled DC).  My goal is to remove the DC metadata from AD, but I MUST leave the computer account intact because this is a critical app server we are talking about.  The cleanup processes I've seen, such as http://www.petri.co.il/delete_failed_dcs_from_ad.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498, may involve removing the computer account from the AD or generally leave me feeling a little uncertain.

Where do you think I can draw the line so that I am not removing the computer account or other important info the system needs to participate in the network as an app server, yet remove enough info so that other DCs don't look to this system as a DC any longer?  I would play it safe and remove the bare minimum so other DCs don't think this box is still a DC.  I need accuracy on this one, which is why I turned to EE.
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
JohnDemerjian (ASKER):
Thanks for the feedback.  Unfortunately the ONLY option I have is as I have stated previously, so I'll be pushing on despite best practices.  Strongline, why are you changing the computer object's userAccountControl value to 4096 (WORKSTATION_TRUST_ACCOUNT) instead of SERVER_TRUST_ACCOUNT 8192?
I don't know why you are panicking so much. Just remove the computer account, then disjoin from the domain and rejoin. I have done this a thousand times; it is by far the best way and will cause you no harm.
shayneg

You don't understand the application installed and how it uses the domain permissions.  If I do as you suggest, it will wreak havoc with the DCOM permissions.  Not an option.
I removed the metadata per http://www.petri.co.il/delete_failed_dcs_from_ad.htm and it left the computer account and access to the domain intact.  Thanks all for your efforts.
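The end state the asker reports (DC metadata gone, computer account and domain access intact) can be checked rather than assumed. The PowerShell script below is an added example, not code from this thread or from the linked Petri/KB articles. It uses System.DirectoryServices directly so it works against a 2003-era domain without the ActiveDirectory module; `$ServerName` is a placeholder NetBIOS name, and `Find-ADObjects` is a helper written for this example. It looks in the Configuration partition for a leftover server object and its NTDS Settings (nTDSDSA) child, which is what makes other DCs treat the host as a replication partner, and in the domain partition for the computer account and its userAccountControl trust flags (4096 WORKSTATION_TRUST_ACCOUNT, 8192 SERVER_TRUST_ACCOUNT, the values discussed above).

```powershell
# Added verification script (not from the thread): confirm a forcibly demoted server is no
# longer registered as a DC in AD while its computer account survives.
# Assumptions: run as a domain user on a domain-joined host; $ServerName is a placeholder.
param([string]$ServerName = "APPSERVER01")   # placeholder NetBIOS name, not from the thread

$WORKSTATION_TRUST_ACCOUNT = 4096   # 0x1000: member server / workstation
$SERVER_TRUST_ACCOUNT      = 8192   # 0x2000: domain controller

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties['configurationNamingContext'][0]
$domainNC = $rootDse.Properties['defaultNamingContext'][0]

# Helper (written for this example): subtree LDAP search returning the result collection.
function Find-ADObjects {
    param([string]$SearchRoot, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchRoot"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return ,$searcher.FindAll()
}

# 1. Configuration partition: server object under CN=Sites and any NTDS Settings child.
#    An NTDS Settings object is what other DCs use to pick this host as a replication partner.
$serverObjs = Find-ADObjects "CN=Sites,$configNC" "(&(objectClass=server)(cn=$ServerName))" @('distinguishedName')
$ntdsLeft = @()
foreach ($s in $serverObjs) {
    $serverDn = $s.Properties['distinguishedname'][0]
    $ntds = Find-ADObjects $serverDn "(objectClass=nTDSDSA)" @('distinguishedName')
    foreach ($n in $ntds) { $ntdsLeft += $n.Properties['distinguishedname'][0] }
}

# 2. Domain partition: the computer account itself and its trust-type flags.
$dn = $null; $uac = 0; $flags = @(); $inDcOu = $false
$comp = Find-ADObjects $domainNC "(&(objectClass=computer)(sAMAccountName=$ServerName`$))" @('distinguishedName','userAccountControl')
if ($comp.Count -gt 0) {
    $dn  = $comp[0].Properties['distinguishedname'][0]
    $uac = [int]$comp[0].Properties['useraccountcontrol'][0]
    if ($uac -band $SERVER_TRUST_ACCOUNT)      { $flags += 'SERVER_TRUST_ACCOUNT (DC)' }
    if ($uac -band $WORKSTATION_TRUST_ACCOUNT) { $flags += 'WORKSTATION_TRUST_ACCOUNT (member)' }
    # Account still sitting in the Domain Controllers OU inherits DC policy (e.g. Default DC GPO).
    $inDcOu = $dn -like "*OU=Domain Controllers,$domainNC"
}

# 3. Report and verdict.
New-Object PSObject -Property @{
    Server                = $ServerName
    ServerObjectsInSites  = $serverObjs.Count
    NtdsSettingsRemaining = ($ntdsLeft -join '; ')
    ComputerAccountDN     = $dn
    UserAccountControl    = $uac
    TrustFlags            = ($flags -join ', ')
    InDomainControllersOU = $inDcOu
} | Format-List

if ($comp.Count -eq 0) {
    Write-Warning "Computer account for $ServerName not found: the app server has lost its domain identity."
} elseif ($ntdsLeft.Count -gt 0 -or ($uac -band $SERVER_TRUST_ACCOUNT)) {
    Write-Warning "AD still describes $ServerName as a domain controller; metadata cleanup is incomplete."
} else {
    Write-Host "OK: $ServerName is no longer registered as a DC and its computer account is intact."
}
```

A leftover server object with no NTDS Settings child is harmless from the replication point of view but is still worth removing for tidiness; the two findings that matter are a remaining nTDSDSA object (other DCs will keep trying to replicate with the host) and a computer account that is missing (the scenario the asker was trying to avoid).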