After demoting a domain controller, you cannot remove its computer account from Active Directory. You receive:
Error: DSA object cannot be deleted.
If you ran dcpromo to demote the domain controller, or you used ntdsutil to clean up a failed domain controller’s metadata and removed the account from Active Directory Sites and Services, you may be unable to delete the account because the UserAccountControl is set to 8192 – SERVER_TRUST_ACCOUNT.
Try changing the UserAccountControl to 4096 – WORKSTATION_TRUST_ACCOUNT:
- Use Start / Run / ADSIEdit.msc / OK.
- Expand Domain NC, expand dc=domain,dc=com, and expand ou=domain controllers.
- Right-click the computer name of the domain controller, and then press Properties.
- On the Attributes tab, select Both in the Select which properties to view box.
- In the Select a property to view box, select UserAccountControl.
- Under Attribute Value, view the value.
- Type 4096 in the Edit Attribute box.
- Press the Set button.
- Press Apply and OK. Exit ADSI Edit.
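
The same change can be scripted. The following PowerShell is an added example, not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed and that you have rights to modify the account; the function name `Reset-DemotedDcTrustFlag` and the computer name `OLDDC01` are hypothetical.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps above.
Import-Module ActiveDirectory

function Reset-DemotedDcTrustFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName   # hypothetical name, e.g. 'OLDDC01'
    )

    $SERVER_TRUST_ACCOUNT      = 8192   # 0x2000, domain controller account
    $WORKSTATION_TRUST_ACCOUNT = 4096   # 0x1000, ordinary member computer

    $computer = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
    $current  = [int]$computer.userAccountControl

    # Only touch accounts that still carry the domain controller flag.
    if (($current -band $SERVER_TRUST_ACCOUNT) -eq 0) {
        Write-Warning "$ComputerName has userAccountControl=$current; SERVER_TRUST_ACCOUNT is not set, nothing to change."
        return
    }

    # Record the old value so the change can be audited or reverted.
    Write-Output "Previous userAccountControl for $($computer.DistinguishedName): $current"

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Set userAccountControl to $WORKSTATION_TRUST_ACCOUNT")) {
        Set-ADComputer -Identity $computer -Replace @{ userAccountControl = $WORKSTATION_TRUST_ACCOUNT }
        $after = (Get-ADComputer -Identity $computer -Properties userAccountControl).userAccountControl
        Write-Output "New userAccountControl: $after"
    }
}

# Dry run first, then apply:
# Reset-DemotedDcTrustFlag -ComputerName 'OLDDC01' -WhatIf
# Reset-DemotedDcTrustFlag -ComputerName 'OLDDC01'
```

Running with `-WhatIf` first shows which object would be changed without writing to the directory.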