

Could not delete orphaned DC in dsa.msc console.

Posted on 2007-10-10
Medium Priority
Last Modified: 2009-07-29
I am a new network administrator for a company. I met an interesting issue. One of my servers, named "hqfax-new", was a domain controller and I demoted it to a member server recently. But when I try to input the name "hqfax", I can still log onto this server through remote console. When I logged on to "hqfax" and "hqfax-new" and checked the IP address, I found that the two have the same IP address. It made me confused because I am sure there is no server named "hqfax" in my domain.

I guess maybe my new fax server "hqfax-new" is derived from the old server "hqfax": my predecessor (the former network administrator) just changed the name from "hqfax" to "hqfax-new" and promoted it to a DC. BTW, after I demoted "hqfax-new", I still see it listed in my DC list under the dsa.msc console. I tried to delete it, but failed. It says "The object HQFAX (or some of the objects it contains) cannot be deleted because: Access is denied."

Are there any experts here who could help me with it? Thank you very much.
Question by:Jason Yu
LVL 71

Accepted Solution

Chris Dent earned 1000 total points
ID: 20055078

It sounds like DNS has a lot of old records sitting around; it would at least explain why you can resolve hqfax. Have you considered configuring Aging and enabling Scavenging in DNS?

When you say you see it in the DC List, you mean it's in the Domain Controllers container? But it was successfully demoted? You don't really want to delete the computer account unless you've removed it from the domain completely.

If it's giving access denied, it's either because it still has child objects (FRS Subscriber for Domain Controllers), which can be removed using ADSIEdit.msc, or because the permissions aren't quite right, which should be easy to fix if you open the properties for the account, select Security, then Advanced, then click Default.
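As an added example (not part of Chris Dent's answer, and not something the original thread ran), here is the DNS side of that advice in PowerShell: confirm that both names resolve to the same address, see whether the records are dynamic (timestamped, so aging applies) or static, then turn on aging for the zone and scavenging on the server. The DNS server name dc01, the zone corp.example and the DnsClient/DnsServer modules (Windows Server 2012 or later, well after this 2007 thread) are assumptions; the host names hqfax and hqfax-new come from the question.

```powershell
# Added example, not from the original thread. Assumptions: a Windows DNS server
# "dc01" hosting the zone "corp.example", the DnsClient/DnsServer PowerShell
# modules (Windows Server 2012+), run from an elevated session by a DNS admin.
$DnsServer = 'dc01'
$Zone      = 'corp.example'
$Names     = 'hqfax', 'hqfax-new'     # host names from the question

# 1. Do both names resolve, and to the same address? That is the symptom described.
foreach ($n in $Names) {
    $a = Resolve-DnsName -Name "$n.$Zone" -Type A -Server $DnsServer -ErrorAction SilentlyContinue
    $ip = if ($a) { ($a | Where-Object Type -eq 'A').IPAddress -join ', ' } else { '<no record>' }
    "{0,-12} -> {1}" -f $n, $ip
}

# 2. Look at the records themselves. A dynamically registered record carries a
#    Timestamp and is subject to aging; a static record (no Timestamp) is never
#    scavenged and has to be deleted by hand.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -in $Names } |
    Select-Object HostName,
                  @{ n = 'IPv4';      e = { $_.RecordData.IPv4Address } },
                  @{ n = 'Timestamp'; e = { if ($_.Timestamp) { $_.Timestamp } else { 'static' } } } |
    Format-Table -AutoSize

# 3. Enable aging on the zone and scavenging on the server. The no-refresh plus
#    refresh window (7 + 7 days here) must exceed the clients' DHCP lease and
#    re-registration period, or live hosts get scavenged along with the stale ones.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# 4. A static record for the old name cannot be aged away. Remove it explicitly,
#    once you have confirmed nothing still depends on it (left commented out).
# Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A -Name 'hqfax' -Force
```

Check the Timestamp column before enabling scavenging: only timestamped records age out, a static hqfax record has to be removed by hand, and intervals shorter than the DHCP lease will scavenge live hosts. The stale name is also worth treating as more than clutter: a host name that still resolves to an address nobody is deliberately maintaining is a name that whoever next holds that address can answer for.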



Author Comment

by:Jason Yu
ID: 20058715
Yes, I can see it in the DCs container list. Because I can only see the old name on it, "hqfax", I want to delete it because it is not a DC anymore. The new "Hqfax-new" is also not a DC anymore. If I delete this record in the DC list, will the applications on this server still work? I have a fax application on this server, so I want to keep the application running but not treat it as a DC anymore.

Could you kindly tell me how to do that? I hope I can get help here; if you need more information, I will provide it.

Assisted Solution

MSE-dwells earned 1000 total points
ID: 20073578
It's unlikely (though not impossible) that the old DC's computer account object is used; it's orphaned from any physical machine, thus the conclusion.  That said, and although unlikely, it is possible that the fax software has some kind of dependency on the object ... you can rename or move it elsewhere and restart the fax software since that'll be a fair indication of any such dependency (unless the s/w is bound to the object by SID or GUID but we can't practically alter those properties so this is our simplest potential win).

You should already have permission (assuming you're logged on as a DA) to delete it, but since you're receiving an unexpected error, you'll likely need to follow Chris' advice in order to re-ACL it. Do so with Active Directory Users and Computers logged on as a DA. You can also see what's underneath the object by selecting View --> Users, Groups and Computers as Containers ... then expand the Domain Controllers OU followed by the now defunct DC. This bit's important --> you'll see containers in the left pane and, once selected, their child objects in the right pane (most people miss the containers on the left side in this scenario) ...
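As an added example, not from either answer: a read-only PowerShell pass that does what the ADUC "Users, Groups and Computers as Containers" walk above does by hand (list everything underneath the defunct DC's computer account), then inspects the ACLs of the object and each child for the explicit Deny entries or missing Delete rights that ADUC reports as "Access is denied". The ActiveDirectory module (RSAT), the domain corp.example and the 2008+ ProtectedFromAccidentalDeletion attribute are assumptions; the computer name HQFAX and the Domain Controllers OU are from the question.

```powershell
# Added example, not part of the original thread. Assumptions: RSAT ActiveDirectory
# module, domain corp.example (DC=corp,DC=example), and the defunct DC account
# "HQFAX" still sitting under OU=Domain Controllers. Read-only apart from the
# commented-out last line. Run as a Domain Admin.
Import-Module ActiveDirectory

$Domain = 'DC=corp,DC=example'
$OldDc  = 'HQFAX'

$Computer = Get-ADComputer -Filter "Name -eq '$OldDc'" `
                -SearchBase "OU=Domain Controllers,$Domain" `
                -Properties ProtectedFromAccidentalDeletion, LastLogonDate, whenChanged
if (-not $Computer) { throw "$OldDc not found under OU=Domain Controllers" }

"Object:       $($Computer.DistinguishedName)"
"Last changed: $($Computer.whenChanged)"
"Last logon:   $($Computer.LastLogonDate)"
"Protected:    $($Computer.ProtectedFromAccidentalDeletion)"

# 1. Everything underneath the computer account. These are the containers ADUC
#    only shows with "Users, Groups and Computers as Containers" turned on
#    (NTDS Settings, NTFRS Subscriptions, ...); each must go before the parent can.
$Children = Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope Subtree -Filter * |
    Where-Object DistinguishedName -ne $Computer.DistinguishedName
"Child objects: $(@($Children).Count)"
$Children | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize

# 2. ACL check on the object and every child. An explicit Deny, or no principal
#    holding Delete/DeleteTree/GenericAll, is what surfaces as "Access is denied".
$Targets = @($Computer.DistinguishedName) + @($Children | ForEach-Object DistinguishedName)
foreach ($dn in $Targets) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -or
        $_.ActiveDirectoryRights -match 'Delete|GenericAll'
    }
    "--- $dn  (owner: $($acl.Owner))"
    $hits | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
}

# 3. On a 2008+ forest the accidental-deletion guard alone produces the same error.
#    Clear it, then reset the ACL in ADUC (Security -> Advanced -> Default) as above.
# Set-ADObject -Identity $Computer.DistinguishedName -ProtectedFromAccidentalDeletion $false
```

If the child list is non-empty, those are the "objects it contains" from the error text and they go first (ADSIEdit as Chris suggests, or Remove-ADObject -Recursive once you are sure). A Deny entry, or an owner that is not Domain Admins or Enterprise Admins, is what the Default button in ADUC puts back to the schema default.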
