Could not delete orphaned DC in dsa.msc console.

I am a new network administrator for a company. I ran into an interesting issue. One of my servers, named "hqfax-new", was a domain controller and I demoted it to a member server recently. But when I input the name "hqfax", I can still log onto this server through remote console. When I logged on to "hqfax" and "hqfax-new" and checked the IP address, I found that the two have the same IP address. This confused me because I am sure there is no server named "hqfax" in my domain.

I guess maybe my new fax server "hqfax-new" is derived from the old server "hqfax"; my predecessor (the former network administrator) just changed the name from "hqfax" to "hqfax-new" and promoted it to a DC. BTW, after I demoted "hqfax-new", I still see it listed in my DC list under the dsa.msc console. I tried to delete it, but failed. It says "The object HQFAX (or some of the objects it contains) cannot be deleted because: Access is denied."

Are there any experts here who could help me with it? Thank you very much.
Asked by Jason Yu
Chris Dent (PowerShell Developer) commented:

It sounds like DNS has a lot of old records sitting around; it would at least explain why you can resolve hqfax. Have you considered configuring Aging and enabling Scavenging in DNS?

When you say you see it in the DC List, you mean it's in the Domain Controllers container? But it was successfully demoted? You don't really want to delete the computer account unless you've removed it from the domain completely.

If it's giving access denied, it's either because it still has child objects (FRS Subscriber for Domain Controllers), which can be removed using ADSIEdit.msc, or the permissions aren't quite right, which should be easy to fix if you open the properties for the account, select Security, Advanced, then click Default.


Jason Yu (Author) commented:
Yes, I can see it in the DCs container list. Because I can only see the old name "hqfax" on it, I want to delete it because it is not a DC anymore. The new "Hqfax-new" is also not a DC anymore; if I delete this record in the DC list, will the applications on this server still work? I have a fax application on this server, so I want to keep the application running but not treat it as a DC anymore.

Could you kindly tell me how to do that? I hope I can get help here; if you need more information, I will provide it.

It's unlikely (though not impossible) that the old DC's computer account object is used; it's orphaned from any physical machine, thus the conclusion. That said, and although unlikely, it is possible that the fax software has some kind of dependency on the object ... you can rename or move it elsewhere and restart the fax software, since that'll be a fair indication of any such dependency (unless the s/w is bound to the object by SID or GUID, but we can't practically alter those properties, so this is our simplest potential win).

You should already have permission (assuming you're a DA) to delete it, but since you're receiving an unexpected error, you'll likely need to follow Chris' advice in order to re-ACL it. Do so with Active Directory Users and Computers logged on as a DA; you can also see what's underneath the object by selecting View --> Users, Groups and Computers as Containers ... then expand the Domain Controllers OU followed by the now defunct DC. This bit's important --> you'll see containers in the left pane and, once selected, their child objects in the right pane (most people miss the containers on the left side in this scenario) ...
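As an added example that is not from the thread, the following read-only PowerShell checks cover both Chris' points (leftover child objects and ACL on the computer object, DNS aging and scavenging) and the container view described above, so you can see what is blocking the delete before touching anything. The function name, the default `$StaleName`/`$LiveName` values taken from the thread's "hqfax"/"hqfax-new", and running it as a Domain Admin on a DC that also hosts DNS are assumptions.

```powershell
# Added example, not code from the thread: read-only checks for an orphaned
# DC object and its stale DNS records before anything is deleted.
# Assumptions (placeholders, not from the thread): run as a Domain Admin on a
# DC that also hosts DNS, with the ActiveDirectory and DnsServer modules;
# $StaleName/$LiveName are the thread's "hqfax"/"hqfax-new".
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-OrphanedDc {
    param(
        [string]$StaleName = 'hqfax',
        [string]$LiveName  = 'hqfax-new',
        [string]$ZoneName  = (Get-ADDomain).DNSRoot,   # forward zone of the domain
        [string]$DnsServer = $env:COMPUTERNAME         # DNS server to query
    )

    # 1. Is the old name still advertised as a domain controller at all?
    $stillDc = Get-ADDomainController -Filter * | Where-Object Name -eq $StaleName
    "Listed as DC: $([bool]$stillDc)"

    # 2. The computer object and anything still nested under it (e.g. FRS
    #    subscriber objects). Leftover children are one cause of the
    #    "cannot be deleted" error; explicit Deny ACEs are the other.
    $computer = Get-ADComputer -Filter "Name -eq '$StaleName'" -Properties nTSecurityDescriptor
    if ($computer) {
        "Computer object: $($computer.DistinguishedName)"
        Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree -Filter * |
            Where-Object DistinguishedName -ne $computer.DistinguishedName |
            Select-Object ObjectClass, DistinguishedName
        $computer.nTSecurityDescriptor.Access |
            Where-Object AccessControlType -eq 'Deny' |
            Select-Object IdentityReference, ActiveDirectoryRights
    }

    # 3. DNS: every A record in the zone that shares the live server's IP.
    #    A record with no Timestamp is static and will never be scavenged.
    $liveIp = (Resolve-DnsName -Name $LiveName -Type A -ErrorAction Stop |
               Select-Object -First 1).IPAddress
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $liveIp } |
        Select-Object HostName, Timestamp, @{n='IP'; e={ $_.RecordData.IPv4Address }}

    # 4. Zone aging settings, the prerequisite for scavenging to remove anything.
    Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer |
        Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval
}

Test-OrphanedDc
```

If step 2 lists child objects or Deny entries, that is where ADSIEdit.msc or the Security > Advanced > Default reset applies; if step 3 shows an "hqfax" A record with no Timestamp, scavenging will not remove it and it has to be deleted by hand.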