Trouble removing NT4 Domain controller from AD

  • Thread starter Thread starter Dr Zoidberg
  • Start date Start date
D

Dr Zoidberg

At work we have a mixed mode domain with three win2k DCs and an NT4 BDC.

At some point in the past there was another BDC which wasn't removed before
being decommissioned.
I'd like to remove this from AD for neatness as much as any security risk it
poses but am having trouble doing so.
If you try and remove it via AD U&C you get an error saying that the DSA
object could not be deleted.
If you try and remove it via server manager on the NT4 machine you get "An
unspecified error occurred"
If you try and use ntdsutil to delete it then it is not listed (which is
what I expected).

Any ideas how to remove this , and is it something I would have to do before
upgrading my last NT4 machine and converting to native mode?

--
Alex

"I laugh in the face of danger"

"Then I hide until it goes away"

www.drzoidberg.co.uk
 
Open ADSIEDIT.msc, navigate to the domain controller object, right click it,
select properties, choose the useraccountcontrol attribute and change it to
4096. Delete the account after making the change.

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hopefully this will help...

It may be determined that an object exists in the Configuration partition in
the
LostAndFoundConfig container. This object has a reference to a domain
controller
in the domain that is to be removed. The attribute with the reference is :
dn: CN=NTDS Settings,CN=LostAndFoundConfig,CN=Configuration,DC=Domain,DC=Com

Internal documentation indicates that this object will prevent the NTDSUTIL
utility
from removing the domain (it has checks to determine if there are any
objects
anywhere that have "hasMasterNCs: DC=its,DC=pacificlife,DC=net" as an
attribute,
the cleanup will be prevented if the domain to be removed matches the
hasMasterNCs reference).

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>
Resolution:
=========
Simply delete the above object, CN=NTDS
Settings,CN=LostAndFoundConfig,CN=Configuration,DC=Domain,DC=Com, and
attempt the
metadata cleanup for the ITS domain again from the Domain Naming FSMO owner.
 
Tim said:
Open ADSIEDIT.msc, navigate to the domain controller object, right
click it, select properties, choose the useraccountcontrol attribute
and change it to 4096. Delete the account after making the change.
Click to expand...
Top man.
That did the trick nicely!

Thanks.

--
Alex

"I laugh in the face of danger"

"Then I hide until it goes away"

www.drzoidberg.co.uk
 
Back
Top