Cannot Delete a Computer Account for the Domain Controller in Windows 2000 (328775)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
This article was previously published under Q328775 SYMPTOMS
If you try to delete the computer account for the domain controller in Active Directory Users and Computers, you may receive the following error message:
Error: DSA object cannot be deleted
This problem occurs if you delete the computer account after you have demoted the domain controller by running the dcpromo process on it.
CAUSE
This problem occurs if the value of UserAccountControl is set to 8192.
RESOLUTION
To resolve this issue, change the value of UserAccountControl to 4096.
NOTE: Use this resolution only if one of the following is true: - You have demoted the domain controller by running the dcpromo utility on it.
- The computer hardware failed, you used the ntdsutil process to clean the account's metadata, and then you deleted the account from Active Directory Sites and Services, but you still cannot
delete the computer account.
- Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
- Expand Domain NC, expand dc=domain,dc=com, and then expand ou=domain controllers.
- Right-click the computer name of the domain controller, and then click Properties.
- On the Attributes tab, select both properties in the Select which properties to view list box.
- In the Select a property to view list box, select UserAccountControl.
- Under Attribute Value, view the value. Make the value 4096 to give the computer account member server status so that you can delete it.
- Type 4096 in the Edit Attribute box.
- Click the Set button.
- Click Apply, and then click OK. Quit ADSI Edit.
| Modification Type: | Minor | Last Reviewed: | 2/19/2005 |
|---|
| Keywords: | kbenv kberrmsg kbprb KB328775 |
|---|
|