Could not delete orphaned DC in dsa.msc console.

Posted on 2007-10-10
Last Modified: 2009-07-29
I am a new network administrator for a company. I met an interesting issue. One of my servers, named "hqfax-new", was a domain controller and I demoted it to a member server recently. But when I tried to input the name "hqfax", I could still log onto this server through remote console. When I logged onto "hqfax" and "hqfax-new", I checked the IP address and found that the two have the same IP address. It made me confused, because I am sure there is no server named "hqfax" in my domain.

I guess maybe my new fax server "hqfax-new" is derived from the old server "hqfax"; my predecessor (the former network administrator) just changed the name from "hqfax" to "hqfax-new" and promoted it to a DC. BTW, after I demoted "hqfax-new", I still see it listed in my DC list in the dsa.msc console. I tried to delete it, but failed. It says "The object HQFAX (or some of the objects it contains) cannot be deleted because: Access is denied."

Are there any experts here who could help me with it? Thank you very much.
Question by: Jason Yu
    LVL 70

    Accepted Solution


    It sounds like DNS has a lot of old records sitting around; that would at least explain why you can resolve hqfax. Have you considered configuring Aging and enabling Scavenging in DNS?

    When you say you see it in the DC list, you mean it's in the Domain Controllers container? But it was successfully demoted? You don't really want to delete the computer account unless you've removed it from the domain completely.

    If it's giving access denied, it's either because it still has child objects (the FRS Subscriber for Domain Controllers), which can be removed using ADSIEdit.msc, or because the permissions aren't quite right, which should be easy to fix if you open the properties for the account, select Security, then Advanced, then click Default.



    Author Comment

    by:Jason Yu
    Yes, I can see it in the DCs container list. Because I can only see the old name "hqfax" on it, I want to delete it, because it is not a DC anymore. The new "hqfax-new" is also not a DC anymore; if I delete this record in the DC list, will the applications on this server still work? I have a fax application on this server, so I want to keep the application running but not treat it as a DC anymore.

    Could you kindly tell me how to do that? I hope I can get help here; if you need more information, I will provide it.
    LVL 9

    Assisted Solution

    It's unlikely (though not impossible) that the old DC's computer account object is used; it's orphaned from any physical machine, thus the conclusion. That said, and although unlikely, it is possible that the fax software has some kind of dependency on the object ... you can rename or move it elsewhere and restart the fax software, since that'll be a fair indication of any such dependency (unless the s/w is bound to the object by SID or GUID, but we can't practically alter those properties, so this is our simplest potential win).

    You should already have permission (assuming you're a DA) to delete it, but since you're receiving an unexpected error, you'll likely need to follow Chris' advice in order to re-ACL it. Do so with Active Directory Users and Computers logged on as a DA; you can also see what's underneath the object by selecting View --> Users, Groups and Computers as Containers ... then expand the Domain Controllers OU followed by the now-defunct DC. This bit's important --> you'll see containers in the left pane and, once selected, their child objects in the right pane (most people miss the containers on the left side in this scenario) ...
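
    Both answers above describe their checks at the GUI level (dsa.msc, ADSIEdit.msc, the DNS console). As an added example that is not part of the original thread, the following PowerShell session runs the same checks from an elevated Domain Admins prompt: the stale DNS records the accepted answer suspects (step 1), whether the "hqfax" object is still treated as a DC (step 2), the child objects and ACL behind the "Access is denied" error (step 3), the move-and-restart dependency test from the assisted answer (step 4), and the final removal (step 5). It assumes the ActiveDirectory and DnsServer RSAT modules (Windows Server 2012 or later, so newer than the 2007 thread); the zone name, DNS server name and fax service name are placeholders that must be replaced for a real environment.

```powershell
# Added example, not code from the original thread. Walks through both answers' checks.
# ASSUMPTIONS: ActiveDirectory + DnsServer modules available, session runs as a Domain Admin.
#Requires -Modules ActiveDirectory, DnsServer
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used by Get-Acl below

$OldName   = 'hqfax'           # name that still resolves and still sits in Domain Controllers
$NewName   = 'hqfax-new'       # the demoted member server that must keep running the fax software
$Zone      = 'corp.example'    # ASSUMPTION: the AD-integrated forward lookup zone for the domain
$DnsServer = 'dc01'            # ASSUMPTION: a DNS server hosting that zone

# --- 1. Why does "hqfax" still resolve? Look for old A records sharing one IP. ---
Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -RRType A |
    Where-Object { $_.HostName -in @($OldName, $NewName) } |
    Select-Object HostName, Timestamp,
        @{ n = 'IP'; e = { $_.RecordData.IPv4Address.IPAddressToString } } |
    Format-Table -AutoSize
# A record with an empty Timestamp is static: aging/scavenging never removes it, so the
# stale one has to go by hand (commented out; run deliberately after reading the table above):
#   Remove-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -RRType A -Name $OldName -Force

# Current aging/scavenging state, as the accepted answer suggests checking:
Get-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer
Get-DnsServerScavenging -ComputerName $DnsServer
# To enable both (zone aging plus server-side scavenging every 7 days):
#   Set-DnsServerZoneAging  -Name $Zone -Aging $true -ComputerName $DnsServer
#   Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ComputerName $DnsServer

# --- 2. Is it really demoted? Compare the live DC list with the lingering object. ---
$domainDn = (Get-ADDomain).DistinguishedName
$liveDcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
"Live DCs: $($liveDcs -join ', ')"

$obj = Get-ADComputer -Identity $OldName -Properties primaryGroupID, userAccountControl, servicePrincipalName
$obj | Select-Object Name, DistinguishedName, primaryGroupID, userAccountControl
# primaryGroupID 516 = Domain Controllers, 515 = Domain Computers; a cleanly demoted box shows 515.
# userAccountControl bit 0x2000 (8192) = SERVER_TRUST_ACCOUNT, i.e. AD still thinks it is a DC.
$stillDc = ($obj.primaryGroupID -eq 516) -or (($obj.userAccountControl -band 0x2000) -ne 0)
"Object still flagged as a DC: $stillDc"

# --- 3. Why "Access is denied"? List the child objects (FRS subscriber) and the ACL. ---
$children = Get-ADObject -SearchBase $obj.DistinguishedName -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -ne $obj.DistinguishedName }
"Child objects under $($obj.Name): $($children.Count)"
$children | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize

$acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
"Inheritance blocked: $($acl.AreAccessRulesProtected)"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -or $_.ActiveDirectoryRights -match 'Delete' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
# Explicit Deny entries, or blocked inheritance (so Domain Admins' Full Control never arrives),
# produce exactly the GUI error quoted in the question. Re-enable inheritance to re-ACL it:
#   $acl.SetAccessRuleProtection($false, $true)
#   Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $acl

# --- 4. Assisted answer's dependency test: move the object somewhere harmless, restart the fax
#        software on hqfax-new, and watch whether it still works. Moving is reversible. ---
#   Move-ADObject -Identity $obj.DistinguishedName -TargetPath "CN=Computers,$domainDn"
#   Get-Service -ComputerName $NewName -Name 'Fax' | Restart-Service   # ASSUMPTION: service name 'Fax'

# --- 5. Only once the fax software survived step 4: delete children and object in one go. ---
#   Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$true
```

    Every destructive command is commented out on purpose: run the read-only part first, confirm that the object is the orphan and not the account "hqfax-new" is actually using, then uncomment one step at a time. Step 2 matters because a stale SERVER_TRUST_ACCOUNT flag or a 516 primary group means the demotion did not complete cleanly, and in that case metadata cleanup (ntdsutil) is the right tool rather than deleting the computer object alone.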
