URGENT:  Failed DC demotion, need to clean AD but MUST leave computer account, etc.

Posted on 2007-03-27
Last Modified: 2010-03-17
Hi!
A while back I had a failed DC demotion in my 2003 AD network.  I resorted to removing the DC with the dcpromo /forceremoval switch per http://support.microsoft.com/kb/332199.  Now I am attempting to extend the schema for an application and this is failing because it finds a DC that it cannot write to (the disabled DC).  My goal is to remove the DC metadata from AD but I MUST leave the computer account intact because this is a critical app server we are talking about.  The cleanup processes I've seen such as http://www.petri.co.il/delete_failed_dcs_from_ad.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498 may involve removing the computer account from the AD or generally leave me feeling a little uncertain.

Where do you think I can draw the line where I am not removing the computer account or other important info for the system to participate in the network as an app server, yet remove enough info so that other DCs don't look to this system as a DC any longer?  I would play it safe and remove the bare minimum so other DCs don't think this box is still a DC.  I need accuracy on this one, which is why I turned to EE.
Question by:JohnDemerjian
6 Comments
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 250 total points
ID: 18803167
From what you've said, it appears that you are still using this server as an application server on your network, in a member server capacity.  Although it might be possible to do what you're requesting, I'm not sure it would be advisable.  Personally, I would recommend following all of the steps in 216498, including removing the computer account in AD.  Then, I'd go to the server itself, unjoin and rejoin the domain, which should recreate a new computer account for the server in the Computers container rather than the DCs container.
 
LVL 13

Assisted Solution

by:strongline
strongline earned 250 total points
ID: 18803447
For a complete clean result, 216498 must be followed, so there is really no way around it here. With that said, I would try the following because it has to be one way or another:

Option 1:
==========
Follow most of the steps in KB216498 except the one that removes the computer account using adsiedit.msc. I would change the computer object's userAccountControl value to 4096 from 532480 instead of removing the whole object, then move it out of the "Domain Controllers" OU. Preserve the A record in DNS for this server too.

Again, this is an un-tested operation, so use your own judgement.

Option 2:
==========
Try if you can promote it, then demote it again.

Good luck.
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803686
Thanks for the feedback.  Unfortunately the ONLY option I have is as I have stated previously, so I'll be pushing on despite best practices.  Strongline, why are you changing the computer object's userAccountControl value to 4096 (WORKSTATION_TRUST_ACCOUNT) instead of SERVER_TRUST_ACCOUNT 8192?
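An added illustration of the userAccountControl arithmetic behind strongline's suggestion and the author's follow-up question; this is not code from the thread. It decodes the two values quoted above (532480 and 4096) using Microsoft's documented flag constants, shows that 532480 is SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION (the default pair on a DC's computer object), and gives a sanity check an admin can run against any computer object's value before and after editing it in adsiedit.msc.

```python
# Subset of the documented userAccountControl bit flags (hex values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   # workstations AND member servers
    0x2000: "SERVER_TRUST_ACCOUNT",        # domain controllers only
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",     # set on DCs by default
}
TRUST_TYPE_BITS = 0x0800 | 0x1000 | 0x2000

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def is_marked_as_dc(value):
    """True if other DCs will treat this computer object as a domain controller."""
    return bool(value & 0x2000)

def member_server_uac(value):
    """Rewrite a DC-style value into the member-server form strongline describes:
    drop SERVER_TRUST_ACCOUNT and the DC-default TRUSTED_FOR_DELEGATION,
    keep any other bits, and set WORKSTATION_TRUST_ACCOUNT."""
    value &= ~(0x2000 | 0x80000)
    return value | 0x1000

def check_computer_uac(value):
    """Return a list of problems a computer object's value should not have."""
    problems = []
    trust_bits = value & TRUST_TYPE_BITS
    if trust_bits == 0:
        problems.append("no trust-account type bit set")
    elif trust_bits & (trust_bits - 1):        # more than one bit set
        problems.append("more than one trust-account type bit set")
    if value & 0x0200:
        problems.append("NORMAL_ACCOUNT set on a computer object")
    return problems

if __name__ == "__main__":
    for v in (532480, 4096, 8192):
        print(v, hex(v), decode_uac(v), "DC" if is_marked_as_dc(v) else "member")
    print(member_server_uac(532480))          # 4096
    print(check_computer_uac(0x1000 | 0x2000))  # both trust bits set
```

The decoded 532480 shows why the author's question has the answer it does: 8192 is the DC marker itself, so setting it would keep the box looking like a DC, while 4096 is the bit a member server carries.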
 
LVL 6

Expert Comment

by:shayneg
ID: 18803835
I don't know why you are panicking so much. Just remove the computer account and then disjoin the domain and rejoin. I have done this a thousand times and it is by far the best way and will cause you no harm.
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803927
shayneg

You don't understand the application installed and how it uses the domain permissions.  If I do as you suggest, it will wreak havoc with the DCOM permissions.  Not an option.
 
LVL 5

Author Comment

by:JohnDemerjian
ID: 18803957
I removed the metadata per http://www.petri.co.il/delete_failed_dcs_from_ad.htm and it left the computer account and access to the domain intact.  Thanks all for your efforts.
