Search Tools Links Login

You Cannot Delete a Demoted Domain Controller Computer Account from Active Directory

After demoting a domain controller, you cannot remove its' computer account from Active Directory? You receive:

Error: DSA object cannot be deleted.

If you ran dcpromo to demote the domain controller, or you used ntdsutil to clean up a failed domain controller's metadata and removed the account from Active Directory Sites and Services, you may be unable to delete the account because the UserAccountControl is set to 8192 - SERVER_TRUST_ACCOUNT.

Try changing the UserAccountControl to 4096 - WORKSTATION_TRUST_ACCOUNT:

  1. Use Start / Run / ADSIEdit.msc / OK.
  2. Expand Domain NC, expand dc=domain,dc=com, and expand ou=domain controllers.
  3. Right-click the computer name of the domain controller, and then press Properties.
  4. On the Attributes tab, select Both in the Select which properties to view box.
  5. In the Select a property to view box, select UserAccountControl.
  6. Under Attribute Value, view the value.
  7. Type 4096 in the Edit Attribute box.
  8. Press the Set button.
  9. Press Apply and OK. Exit ADSI Edit.

About this post

Posted: 2005-11-1
By: FortyPoundHead
Viewed: 3,800 times

Categories

Active Directory

Attachments

No attachments for this post

Loading Comments ...

Comments

No comments have been added for this post.

You must be logged in to make a comment.