Unable to delete the Demoted server Object from Active directory users and computers after a successful demotion using metadata cleanup

Today we are going to demonstrate a small workaround that might come in handy if you run into this problem while demoting a domain controller.

After the metadata cleanup:

[Screenshot: metadata cleanup completed]

We can see that the server, which was previously a global catalog (GC), has been demoted and is no longer a GC:

[Screenshot: server no longer a GC]

After this, we generally delete the server object in AD Sites and Services (dssite.msc) and remove the replication backlink entry for the server object from Global Settings under the topology, as shown below:

[Screenshot: replication backlink entry removed]

Now, that was the easy part.

When we come to deleting the computer object from dsa.msc (AD Users and Computers), you would often get this error:

[Screenshot: "object is protected from accidental deletion" error]

The error clearly states that the object is protected from accidental deletion.

Upon investigation we found that it was not, as shown below:

[Screenshot: AD Users and Computers shows the object is not protected from accidental deletion]

As we can clearly see, the object is not protected from accidental deletion.

Upon investigating further, I found that even when we try to delete the object from ADSIEDIT.MSC, we get either:

[Screenshot: first error when deleting from ADSI Edit]

or

[Screenshot: second error when deleting from ADSI Edit]

Even after granting full inheritable access to the administrator account, at times we still won't be able to delete the object.

[Screenshot: permissions granted to the administrator account]

Here we see that my user, Administrator, has full inheritable rights to the object, but we still face the same problem.


In this case, we have to open the properties of the demoted server object (dc2, in this case) and look for the attribute isCriticalSystemObject. By default it is set to TRUE:

[Screenshot: isCriticalSystemObject set to TRUE]

The trick lies here: we have to clear this attribute so that its value shows as "not set":

[Screenshot: isCriticalSystemObject cleared to "not set"]

Apply the changes, relaunch dsa.msc and try to delete the server object:

[Screenshot: attempting to delete the server object]

You will get a warning like this:

[Screenshot: deletion warning]

Click Yes

and try to delete the server object. This time you will succeed in removing it:

[Screenshot: server object deleted successfully]
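The same workaround done from PowerShell, as an added example that is not part of the original post: it shows the setting the error message blames next to the attribute that actually blocks the deletion, refuses to touch an object that still looks like a live domain controller, and only then clears isCriticalSystemObject and deletes the object. It assumes the RSAT ActiveDirectory module is installed and uses dc2, the demoted server name from the post, as a placeholder.

```powershell
# Added example (not the original post's code). Assumes the RSAT ActiveDirectory
# module; 'dc2' is a placeholder for the demoted server name used in the post.
Import-Module ActiveDirectory

$DemotedName = 'dc2'

$props = 'isCriticalSystemObject', 'ProtectedFromAccidentalDeletion',
         'userAccountControl', 'primaryGroupID'
$obj = Get-ADComputer -Identity $DemotedName -Properties $props

# What the error message blames (accidental-deletion protection, the ADUC
# "Object" tab checkbox) versus the attribute that really blocks the delete.
$obj | Select-Object Name, ProtectedFromAccidentalDeletion, isCriticalSystemObject,
    primaryGroupID | Format-List

# Safety check before weakening the object: a live DC carries the
# SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl and has primaryGroupID
# 516 (Domain Controllers); after a successful demotion the account is back to
# a workstation account (0x1000) with primaryGroupID 515 (Domain Computers).
$isServerTrust   = ($obj.userAccountControl -band 0x2000) -ne 0
$stillListedAsDC = [bool](Get-ADDomainController -Filter "Name -eq '$DemotedName'")
if ($isServerTrust -or $obj.primaryGroupID -eq 516 -or $stillListedAsDC) {
    throw "$DemotedName still looks like a live domain controller; finish the demotion and metadata cleanup before clearing isCriticalSystemObject."
}

# Clear the attribute (the "not set" state from ADSI Edit) ...
if ($obj.isCriticalSystemObject) {
    Set-ADObject -Identity $obj.DistinguishedName -Clear isCriticalSystemObject
}

# ... then delete. Remove-ADObject prompts for confirmation (the "Click Yes" step);
# -Recursive also removes leftover child objects such as CN=RID Set or
# CN=DFSR-LocalSettings that a former DC's computer object often still carries.
Remove-ADObject -Identity $obj.DistinguishedName -Recursive

# Confirm the object is gone.
if (Get-ADComputer -Filter "Name -eq '$DemotedName'") {
    Write-Warning "$DemotedName still exists; check the ADSI Edit error and the object's children."
} else {
    Write-Output "$DemotedName removed from Active Directory."
}
```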

Hope this was helpful.

Happy learning!!

Madhabendu


One Response to Unable to delete the Demoted server Object from Active directory users and computers after a successful demotion using metadata cleanup

  1. Nelson says:

    Good done MAX…..