Today we are going to demonstrate a small workaround that might come in handy if you run into this problem while demoting a domain controller.
Post metadata cleanup:
We can see that the server has been demoted; it was previously a GC (global catalog), and now it is not:
After this, we generally delete the server object in AD Sites and Services (dssite.msc) and remove the replication backlink entry for the server object from Global settings under Topology, as shown below:
Now that the easy part is done.
When we come to deleting the computer object from dsa.msc (AD Users and Computers), you will often get this error:
The error clearly states that the object is protected from accidental deletion.
Upon investigation we found that it was not, as shown below:
As we can clearly see, the object is not protected from accidental deletion.
Upon investigating further, I found that even when we try to delete the object from ADSIEDIT.MSC, we still get one of the following errors:
Even after granting full inheritable access to the administrator account, we at times still cannot delete the object.
Here we see that my user, the Administrator, has full inheritable rights to the object, but we still face the problem.
In this case, we have to go to the properties of the demoted server's computer object (dc2 in this case) in ADSIEDIT.MSC and look for the attribute isCriticalSystemObject. By default it is set to TRUE:
The trick lies here: we have to clear this attribute so that its value is <not set>:
Apply the changes, relaunch dsa.msc and try to delete the computer object:
You will get a warning like this:
Confirm it, and the computer object will be removed successfully:
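As an added example that is not part of the original post, here is the same procedure done in PowerShell with the ActiveDirectory module instead of clicking through ADSIEDIT.MSC and dsa.msc; the computer name DC2 and a domain-admin session on a machine with RSAT installed are assumptions.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# manual ADSIEDIT/dsa.msc steps, using the ActiveDirectory (RSAT) module.
# Assumptions: the demoted DC's computer account is named DC2 (the post's dc2)
# and this runs as a domain admin.
Import-Module ActiveDirectory

$Name = 'DC2'   # assumed name of the demoted domain controller

# Safety check: refuse to touch an account that is still registered as a live DC.
if (Get-ADDomainController -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue) {
    throw "$Name is still registered as a domain controller; demote it first."
}

$dc = Get-ADComputer -Identity $Name -Properties ProtectedFromAccidentalDeletion, isCriticalSystemObject

# Mirror what the post found: accidental-deletion protection is not the cause ...
"ProtectedFromAccidentalDeletion : $($dc.ProtectedFromAccidentalDeletion)"
# ... but isCriticalSystemObject is still TRUE, which is what blocks the delete.
"isCriticalSystemObject          : $($dc.isCriticalSystemObject)"

if ($dc.ProtectedFromAccidentalDeletion) {
    # Only needed if protection really is set (it was not in the post).
    Set-ADObject -Identity $dc.DistinguishedName -ProtectedFromAccidentalDeletion $false
}

if ($dc.isCriticalSystemObject) {
    # Same effect as setting the attribute to <not set> in ADSIEDIT.MSC.
    Set-ADObject -Identity $dc.DistinguishedName -Clear 'isCriticalSystemObject'
}

# A former DC's computer object often still has child objects (RID Set,
# DFSR-LocalSettings), which is what the dsa.msc warning is about, so delete
# recursively rather than with Remove-ADComputer.
Remove-ADObject -Identity $dc.DistinguishedName -Recursive -Confirm:$false

# Verify the object is gone.
if (-not (Get-ADObject -Filter "Name -eq '$Name'")) { "$Name computer object removed." }
```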
Hope this was helpful.
Happy learning!