Subject: [ActiveDir] DC computer object deletion: access is denied
ifconfig

03/09/2010 5:44 PM
Denizens of AD Land:

I'm trying to get rid of a DC that has refused to dcpromo itself out of
existence. As a last resort, I took the DC offline then tried to use the
ADUC in W2K8 to delete its computer account. The usual warnings show up
(it's a GC as well) and I checked the box to assure Windows the machine is
now permanently offline and can no longer be demoted using dcpromo.

The snag is that, regardless of which account I use to try deleting this
account, I'm denied access with the message: "Windows cannot delete the
object LDAP://gooddc.company.com/CN=baddc,OU=Domain Controllers,DC=company,DC=com"
because: access is denied."

Is this because I have a site (along with site links) set up with this DC?
Should I delete the site and site links before I attempt to delete the DC's
account?

Your help == my appreciation.

Thanks,

Fred W.

CKaiser

03/09/2010 6:02 PM
Have you tried turning on view users, groups, and computers as containers in
ADUC and checking perms there? You may also find sub-objects there.

Also, check for NTFRS objects. Do a metadata cleanup.

***********************
Charlie Kaiser
charliek@golden-eagle.org
Kingman, AZ
***********************


RickSheikh

03/09/2010 6:08 PM
dcpromo /forceremoval

http://support.microsoft.com/kb/332199

followed by metadata cleanup?

http://support.microsoft.com/kb/216498


kennedyjim

03/09/2010 6:10 PM
Right click the DC in ADUC and look at the object tab. Is the check box preventing accidental deletion checked?




ifconfig

03/09/2010 7:10 PM
I was actually going to include that in the email: yes, I checked to make
sure accidental deletion is UN-checked. :-)

On Tue, Mar 9, 2010 at 11:08, Kennedy, Jim <kennedyjim@elyriaschools.org> wrote:

> Right click the DC in ADUC and look at the object tab. Is the check box
> preventing accidental deletion checked?

ifconfig

03/09/2010 7:20 PM
Thanks ...

Anyone have any idea *why* I'm getting an access denied message though?

Fred



On Tue, Mar 9, 2010 at 11:07, Rick Sheikh <ricksheikh@gmail.com> wrote:

> dcpromo /forceremoval
>
> http://support.microsoft.com/kb/332199
>
> followed by metadata clean up ?
>
> http://support.microsoft.com/kb/216498

ifconfig

03/10/2010 9:25 PM
So has no one ever run into a situation like this? Curiouser and curiouser!

On Tue, Mar 9, 2010 at 10:59, Charlie Kaiser <charliek@golden-eagle.org> wrote:

> Have you tried turning on view users, groups, and computers as containers
> in ADUC and checking perms there? You may also find sub-objects there.
>
> Also, check for NTFRS objects. Do a metadata cleanup.

ifconfig

03/15/2010 7:35 PM
"Anyone know what this is? Class? Anyone? Anyone? Anyone seen this before?
The Laffer Curve." :-D
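
A read-only way to run the checks suggested in the replies above from PowerShell: CKaiser's (permissions and sub-objects under the computer account) and kennedyjim's (the accidental-deletion checkbox). This is an added example, not part of the original thread. It assumes the ActiveDirectory module, which shipped with Windows Server 2008 R2 and later, and uses the DN from the error message as the target.

```powershell
# Added diagnostic sketch: reads only, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT); the DN is the one quoted in the thread.
Import-Module ActiveDirectory

$dcDn     = 'CN=baddc,OU=Domain Controllers,DC=company,DC=com'
$parentDn = $dcDn -replace '^[^,]+,', ''   # naive split; fine for DNs without escaped commas

# 1. The "Protect object from accidental deletion" checkbox, read directly.
Get-ADObject -Identity $dcDn -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# 2. Deny ACEs that block deletion. The checkbox is implemented as Deny ACEs
#    for Everyone: Delete/DeleteTree on the object, DeleteChild on its parent.
#    A Deny ACE set by hand blocks deletion the same way, even for Domain Admins.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$checks = @(
    @{ Dn = $dcDn;     Mask = [int]($rights::Delete -bor $rights::DeleteTree) },
    @{ Dn = $parentDn; Mask = [int]$rights::DeleteChild }
)
foreach ($c in $checks) {
    (Get-Acl -Path "AD:\$($c.Dn)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.ActiveDirectoryRights -band $c.Mask) -ne 0)
        } |
        Select-Object @{ n = 'Object'; e = { $c.Dn } },
            IdentityReference, ActiveDirectoryRights, IsInherited
}

# 3. Sub-objects under the computer account (for example NTFRS subscriptions),
#    each with its own protection flag, since a protected child can also
#    block removal of the parent.
Get-ADObject -SearchBase $dcDn -SearchScope Subtree -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.DistinguishedName -ne $dcDn } |
    Select-Object DistinguishedName, ObjectClass, ProtectedFromAccidentalDeletion
```

An empty result from step 2 together with `False` in steps 1 and 3 rules out deletion-blocking Deny ACEs and protected sub-objects as the cause.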
