
KB-7409: Manually Removing a Computer Zone in ADUC Leaves Data That Causes precreate_computer() to Fail When the Computer is Re-created via Centrify ADEdit

Authentication Service

26 August 2016, 08:54 PM

Applies to:
Centrify DirectControl 5.3.1
When a computer object is precreated with Centrify ADEdit and a mistake is made, the computer has to be removed and recreated. Administrators often use the Microsoft ADUC tool to remove the zone metadata (the SCP and the zone override container) along with the computer object, and then run precreate_computer() a second time to re-create the computer and its zone information. If the SCP and override zone are removed manually in ADUC first and the computer object is removed afterwards, the second precreate_computer() call for that same computer fails with:
Cannot create computer object testcomp$@centrifyimage.vms.
Zone testcomp.centrifyimage.vms already exists
Removing the SCP and the computer override zone manually in ADUC leaves additional data about the computer behind in the zone, and that left-over data is what makes precreate_computer() throw the error.

The left-over data is located in the ....<Zone>\Authorization container. In the image below, the zone is PowerShellTest.
[Image: Authorization container of the PowerShellTest zone]
The Authorization container holds an object of class msDS-AzApplication, as seen in the image above. The name of this container object is a long hexadecimal string. The predefined rights and roles for the zone are stored in it.

When a computer is precreated, another object, of class msDS-AzScope, is created.
[Image: msDS-AzScope objects under the Authorization container]
There is one such object for each precreated computer. Its name is also a long hexadecimal string, so the name alone does not identify the computer; the attributes of each object must be examined to locate the correct one.

The object whose msDS-AzScopeName attribute holds the computer name is the object storing the excess data.
[Image: attributes of the msDS-AzScope object, msDS-AzScopeName set to the computer name]
This object must be deleted as well to remove every object that represents the computer in the zone.
Workaround: remove the SCP and the zone override, then remove the computer object, then find the msDS-AzScope object whose msDS-AzScopeName matches the computer name and manually delete that object too.

The simpler and correct way to remove all the data associated with a Centrify-managed computer is either to remove the computer via DirectManage Access Manager and then remove the computer object in ADUC, or to remove the computer object in ADUC first, instead of removing the SCP and override zone by hand. If the computer object is removed first, all of its metadata objects (SCP and override) are deleted correctly along with it, and precreate_computer() can then be used to re-create the object successfully.
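The following PowerShell script is an added example, not Centrify's code and not part of the original article. It automates the manual cleanup described above (locate the msDS-AzScope object whose msDS-AzScopeName matches the computer and delete it) and enforces the recommended ordering by refusing to run while the computer account still exists. It assumes the ActiveDirectory module, a zone DN you supply, and that msDS-AzScopeName holds either the short computer name or its FQDN; the DN, domain and parameter names are illustrative.

```powershell
# Added example (not Centrify's code): clean up the orphaned msDS-AzScope object
# that KB-7409 describes, under <Zone>/Authorization, for one computer.
# Assumptions (not from the article): the ActiveDirectory module is installed,
# $ZoneDN is the DN of the Centrify zone container, and msDS-AzScopeName holds
# the short computer name or its FQDN.
param(
    [Parameter(Mandatory)] [string] $ZoneDN,        # e.g. 'CN=PowerShellTest,CN=Zones,OU=Centrify,DC=centrifyimage,DC=vms' (assumed layout)
    [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'testcomp'
    [string] $DnsDomain = 'centrifyimage.vms',      # domain from the article's error text
    [switch] $Delete                                # without -Delete the script only reports
)
Import-Module ActiveDirectory

# 1. Guard: if the computer account still exists, stop. Deleting the computer
#    object first (the article's recommended order) removes the SCP and the
#    override zone with it, so there is nothing to clean up by hand.
$sam  = "$ComputerName`$"
$acct = Get-ADComputer -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue
if ($acct) {
    throw "Computer account $sam still exists ($($acct.DistinguishedName)). Delete the computer object in ADUC first instead of removing the SCP/override zone by hand."
}

# 2. Search the zone's Authorization container for the msDS-AzScope whose
#    msDS-AzScopeName is the computer name (short or FQDN form).
$authDN = "CN=Authorization,$ZoneDN"
$fqdn   = "$ComputerName.$DnsDomain"
$filter = "(&(objectClass=msDS-AzScope)(|(msDS-AzScopeName=$ComputerName)(msDS-AzScopeName=$fqdn)))"
$scopes = @(Get-ADObject -SearchBase $authDN -SearchScope Subtree -LDAPFilter $filter -Properties 'msDS-AzScopeName')

if ($scopes.Count -eq 0) {
    Write-Host "No msDS-AzScope for $ComputerName under $authDN; nothing left to clean up."
    return
}
if ($scopes.Count -gt 1) {
    # The article expects exactly one scope per precreated computer; anything
    # else is worth a human look before deleting.
    throw "Expected one msDS-AzScope for $ComputerName, found $($scopes.Count): $($scopes.DistinguishedName -join '; ')"
}

$scope = $scopes[0]
Write-Host ("Found {0} (msDS-AzScopeName={1})" -f $scope.DistinguishedName, $scope.'msDS-AzScopeName')

if ($Delete) {
    # -Recursive in case the scope object has children of its own (assumption,
    # not stated by the article); the whole leftover subtree must go.
    Remove-ADObject -Identity $scope.DistinguishedName -Recursive -Confirm:$false
    Write-Host "Deleted. precreate_computer() for $fqdn should now succeed."
} else {
    Write-Host "Dry run only; re-run with -Delete to remove the object."
}
```

Run it once without -Delete to confirm exactly one object is matched and that its DN sits under the expected zone, then again with -Delete. The existence check on the computer account is deliberate: it turns the article's "remove the computer object first" advice into a hard precondition rather than something to remember.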