How to remove write protected CN object after failed DC/dcpromo removal

    Question

  • We have two domain controllers, dc1 and dc2. We have already removed dc2 and done the metadata cleanup (with ntdsutil, with the Microsoft script, with the GUI). Unfortunately there is always one CN object left which is write protected (Protect from accidental deletion) and which can't be deleted. It is located in:

    CN=dc2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=forestrootdomain

    Deleting the msDFSR-Member CN object (dc2) in the Topology CN via ADSIEdit fails. Deleting it with PowerShell fails too; PS command:

    Get-ADObject "CN=dc2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=forestrootdomain" | Set-ADObject -ProtectedFromAccidentalDeletion:$false

    with the following error:

    Set-ADObject : A required attribute is missing

    But if we can't delete this CN object, we can't recreate a domain controller with the same hostname that has functional replication and advertisement within the domain.

    Any suggestions appreciated.

    Best regards


    -- Regards Timo

    Thursday, December 29, 2016 12:02 PM

Answers

  • Thank you for your reply. Unfortunately it didn't work, because the Domain Controller object itself was already deleted. I had to manually restore the failed Domain Controller, remove the "Protect from accidental deletion" tick on the "Topology" CN object of the failed DC.

    After this I shut down the failed DC and removed it manually with ntdsutil. The CN object of the failed DC was successfully removed. I recreated the new DC and AD/DNS replication now works fine again.


    -- Regards Timo

    • Marked as answer by EST.Timo Monday, January 2, 2017 1:58 PM
    Monday, January 2, 2017 1:58 PM

All replies

  • Please use the following - It should work:

    Set-ADObject "CN=dc2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=forestrootdomain" -ProtectedFromAccidentalDeletion:$false



    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Friday, December 30, 2016 1:38 AM
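    The one-liner above is the supported route. The script below is an added example, not code from this thread or from Microsoft: it wraps that Set-ADObject call with the checks a practitioner would want before touching the SYSVOL DFSR topology (refuse to act if a live DC of that name still exists, locate the object by class and name instead of a hand-typed DN, report before deleting) and falls back to stripping the deny ACEs directly when Set-ADObject errors out, since "Protect from accidental deletion" is nothing more than Deny ACEs for Everyone on the object. The parameter name $StaleDcName and the -ReportOnly switch are assumptions made for the example.

```powershell
<#
  Added example (not from the thread): remove a leftover msDFSR-Member object
  for a DC whose NTDS metadata has already been cleaned up.
  Run as a Domain Admin on a surviving DC. $StaleDcName and -ReportOnly are
  names chosen for this example.
#>
param(
    [Parameter(Mandatory)][string]$StaleDcName,   # e.g. dc2 (assumed value)
    [switch]$ReportOnly                           # only show what would be removed
)

Import-Module ActiveDirectory -ErrorAction Stop

$domainDn   = (Get-ADDomain).DistinguishedName
$topologyDn = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"

# 1. Safety check: a live DC with this name means metadata cleanup is not finished.
$liveDc = Get-ADDomainController -Filter "Name -eq '$StaleDcName'" -ErrorAction SilentlyContinue
if ($liveDc) {
    throw "$StaleDcName is still a registered domain controller; finish the NTDS metadata cleanup first."
}

# 2. Locate the stale member object by object class and name under the Topology container.
$member = Get-ADObject -SearchBase $topologyDn -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$StaleDcName))" `
    -Properties ProtectedFromAccidentalDeletion, 'msDFSR-ComputerReference'
if (-not $member) {
    Write-Host "No msDFSR-Member named $StaleDcName under $topologyDn"
    return
}
Write-Host ("Found {0}`n  computer reference: {1}`n  protected: {2}" -f
    $member.DistinguishedName, $member.'msDFSR-ComputerReference', $member.ProtectedFromAccidentalDeletion)
if ($ReportOnly) { return }

# 3. Clear the protection flag the supported way; fall back to the raw ACL if that fails.
try {
    Set-ADObject -Identity $member.DistinguishedName -ProtectedFromAccidentalDeletion $false -ErrorAction Stop
}
catch {
    Write-Warning "Set-ADObject failed ($($_.Exception.Message)); removing the deny ACEs directly."
    # The flag is implemented as Deny ACEs for Everyone (S-1-1-0) granting Delete and
    # DeleteTree on the object itself. Only those are removed here; the Deny DeleteChild
    # ACE on the parent Topology container is left alone because sibling members rely on it.
    $everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $deleteBits = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $path = "AD:\$($member.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        ($_.ActiveDirectoryRights -band $deleteBits)
    })
    foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
    if ($denies.Count -gt 0) {
        Set-Acl -Path $path -AclObject $acl
        Write-Host "Removed $($denies.Count) deny ACE(s) from $($member.DistinguishedName)"
    }
}

# 4. Delete the member and any child objects (DFSR connection objects live underneath it).
Remove-ADObject -Identity $member.DistinguishedName -Recursive -Confirm:$false
Write-Host "Removed $($member.DistinguishedName)"
```

    Run it once with -ReportOnly to confirm the object it finds is the stale one (the msDFSR-ComputerReference should point at the deleted DC's computer account, or at nothing), then without the switch. The ACL fallback deliberately touches only the object's own Delete/DeleteTree deny entries: removing the Deny DeleteChild entry on the Topology container would weaken the protection of every other DC's member object.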
  • Hi EST.Timo,

    Glad to hear you have solved the issue and thanks for feeding back the resolution.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 3, 2017 2:22 AM
    Moderator