Solved

Unable to delete computers after being demoted as domain controller

Posted on 2007-10-16
Last Modified: 2013-12-15
I have two old servers that are no longer present and are listed as computers in my AD.  Both of them I am unable to delete.  When I attempt to delete the computer, I get the following:

The computer object you want to delete represents Active Directory domain controller "servername"
Which of the following statements best describes the reason for deleting this object?
    1. I want to demote this domain controller from the domain and continue using it as a computer
    2. I want to restart Active Directory replication for this domain controller
    3. This domain controller is permanently offline and can no longer be demoted using the Active Directory Installation Wizard (DCPROMO)

I select option #3.

I get the following message:
"Object 'servername' is a container and contains other objects.  Are you sure you want to delete object 'servername' and the objects it contains?  This operation could take a long time if 'servername' contains a large number of objects."

I select "yes"

The final message I receive is: "The object 'servername' (or some of the objects it contains) cannot be deleted because: Access is denied"

I can't figure out why access is denied because I am logged in as a domain administrator.  

Thx for any help.
0
Comment
Question by:jer007
11 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20088907
If they are domain controllers that are no longer present, then see http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 8

Expert Comment

by:thenone
ID: 20088913
Look under group policies under default domain policy. Go to computer configuration, security settings, user rights and under enable computer and user accounts to be trusted for delegation make sure administrators are in this section.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20089181
In Active Directory Users and Computers, select View --> Users Groups and Computer as containers ... expand the Domain Controllers OU in the left pane and repeat that process for each offending DC ... are you able to delete the deepest of the object(s)?
0

Author Comment

by:jer007
ID: 20092825
I have tried the steps in the article from petri.co but that didn't work because when I get to step 12, selecting the server, the server I want to delete is not listed.  

I've checked the group policy and administrators are in the section for enable computer and user accounts to be trusted for delegation.

When I selected View --> Users Groups and Computer as containers one additional prompt comes up.  It reads "The selected object has other associated objects.  Select those associated objects that you also want to delete."  The option listed and selected is "Mark each selected Exchange mailbox for deletion."  After I hit yes it responds the same and fails with an "Access Denied" message.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20093008
Assuming you're positive you want to delete this object then ensure 'View --> Advanced Features' is on, right click the Computer object in question and select 'Properties' --> 'Security' --> 'Advanced' --> 'Owner' --> select 'Administrators' in the white part of the dialog box and click OK (confirm any prompts as necessary) OK, OK .. you get the picture.

Try again.
0
 
LVL 8

Expert Comment

by:thenone
ID: 20093030
You could use ADSIEdit and delete it from there.
0
 

Author Comment

by:jer007
ID: 20093055
Administrator is already the owner of these computers.

I'm not familiar with ADSIEdit, can you please explain?
0
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 1000 total points
ID: 20093104
ADSIEDIT won't help since the issue is one of permission, not visibility.  ADSIEDIT is a Support Tool that is to Active Directory as REGEDIT is to the Registry; a free-form editing interface with very little idea of the data's meaning or importance.

Now we've ascertained ownership, you simply need to reset the permissions (assuming you're logged on as a Domain Admin).  First refresh the OU to ensure we're seeing the latest data (i.e. highlight it in the left pane and hit F5) then repeat the earlier steps up to the Security tab.  Verify that Domain Admins has Full Control, if not, give it.  Then click Advanced and select Allow inheritable ...
0
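The permission check from the accepted answer, scripted as an added example (not part of the original thread): it reads an object's security descriptor and reports the owner, whether inheritance is blocked, which trustees are denied delete rights, and who holds Full Control. The function name `Get-DeleteBlocker` is hypothetical and the SDDL string is a constructed sample so the block runs without a domain.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-DeleteBlocker {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $delMask  = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'
    $fullMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # Explicit and inherited ACEs, trustees returned as SIDs (no name lookup needed)
    $rules    = $Acl.GetAccessRules($true, $true, $sidType)

    [pscustomobject]@{
        Owner              = $Acl.GetOwner($sidType).Value
        # True means the "Allow inheritable permissions..." box is unticked
        InheritanceBlocked = $Acl.AreAccessRulesProtected
        # A Deny ACE covering any delete right overrides Allow ACEs
        DenyDelete         = @($rules | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                (([int]$_.ActiveDirectoryRights -band $delMask) -ne 0)
            } | ForEach-Object { $_.IdentityReference.Value })
        # Trustees with an Allow ACE that grants every right in Full Control
        FullControl        = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.ActiveDirectoryRights -band $fullMask) -eq $fullMask)
            } | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Constructed sample (not from the thread): owner BUILTIN\Administrators,
# protected DACL ("P" = inheritance blocked), Full Control for SYSTEM only,
# and Deny Delete + Delete Tree for Everyone.
$sample = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sample.SetSecurityDescriptorSddlForm(
    'O:BAG:BAD:P(D;;SDDT;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)')
Get-DeleteBlocker -Acl $sample

# Against a live domain (assumes the RSAT ActiveDirectory module; $dn is a
# placeholder for the stale computer object's distinguished name):
#   Import-Module ActiveDirectory
#   $acl = Get-Acl -Path "AD:\$dn"
#   Get-DeleteBlocker -Acl $acl
#   $acl.SetAccessRuleProtection($false, $false)  # re-enable inheritance;
#   Set-Acl -Path "AD:\$dn" -AclObject $acl       # 2nd arg is ignored here
```

With inheritance blocked and no Full Control ACE for the administrators group, a Domain Admin still owns the object but cannot delete it, which matches the behaviour described in the thread.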
 

Author Comment

by:jer007
ID: 20093319
That did it, as soon as I selected Allow Inheritable... it worked, they are now gone.

Thanks for everything.
0
 

Expert Comment

by:cwhiting
ID: 34926790
Awesome! I'm running a DC in an isolated VM environment to test migration to 2008 and needed to make the DC I'm working on the PDC first. I could not for the life of me figure out why as the Domain Admin I could not delete secondary Domain Controllers from Active Directory. Permissions were the problem for me. I had to assign Full Control for domain Administrators and then deleted without any problem.
0
 
LVL 3

Expert Comment

by:DJNafey
ID: 39720328
Thanks MSE-dwells - that helped me too :-)
0
