Centrify DirectControl 5.3.1
When a computer object is precreated using Centrify ADEdit and a mistake is made, the computer sometimes needs to be removed and recreated. The Microsoft ADUC tool is often used to remove the zone metadata (the SCP and the zone override container) along with the computer object, and precreate_computer() is then run a second time to re-create the computer and its zone information. If the SCP and the override zone are removed manually via ADUC first, and the computer object is removed after them, a subsequent call to precreate_computer() for that same computer fails with the following error:
Cannot create computer object firstname.lastname@example.org.
Zone testcomp.centrifyimage.vms already exists
When the SCP and the computer override zone are removed manually using ADUC, additional data about the computer is left over in the zone, and that leftover data causes precreate_computer() to throw the error.
The data that is left is located in the ....<Zone>\Authorization container. In the image below, the zone is PowerShellTest.
The Authorization container holds an object of type msDS-Application, as seen in the image above. The name of that object is a long hexadecimal string. The predefined Rights and Roles for the zone are stored in this container.
When a computer is precreated, another object is created that is of type msDS-AzScope.
There is one of these objects for each precreated computer, and its name is also a long hexadecimal string, so the object cannot be identified by name alone; its attributes must be examined to locate the correct one.
The object whose msDS-AzScopeName attribute holds the computer name is the object that is storing the excess data.
This object must be deleted to completely remove all the objects that represent the computer in the zone.
Remove the SCP and the zone override, then remove the computer object. Then find the msDS-AzScope object whose msDS-AzScopeName matches the computer name and manually delete that object as well.
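The lookup described above, as an added PowerShell example that is not part of the Centrify article: it searches the zone's Authorization container for the msDS-AzScope object whose msDS-AzScopeName matches the computer name, and only removes it when exactly one match is found and the caller confirms. The Authorization container DN and the computer name are placeholder assumptions, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the Centrify article. Assumes the RSAT
# ActiveDirectory module; the DN and computer name below are placeholders.
Import-Module ActiveDirectory

function Find-CentrifyAzScope {
    param(
        [Parameter(Mandatory)] [string] $AuthorizationDN,  # zone's Authorization container
        [Parameter(Mandatory)] [string] $ComputerName
    )
    # The msDS-AzScope object's CN is an opaque hex string, so match on the
    # msDS-AzScopeName attribute instead of the object name. A Subtree search
    # covers the hex-named msDS-Az application object that sits in between.
    $filter = "(&(objectClass=msDS-AzScope)(msDS-AzScopeName=$ComputerName))"
    Get-ADObject -SearchBase $AuthorizationDN -SearchScope Subtree `
        -LDAPFilter $filter -Properties 'msDS-AzScopeName'
}

function Remove-CentrifyAzScope {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $AuthorizationDN,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $found = @(Find-CentrifyAzScope -AuthorizationDN $AuthorizationDN -ComputerName $ComputerName)
    # Refuse to guess: zero matches means nothing is left over, more than one
    # means the name is ambiguous and needs a manual look in ADUC.
    if ($found.Count -eq 0) { throw "No msDS-AzScope object named '$ComputerName' under $AuthorizationDN" }
    if ($found.Count -gt 1) { throw "Multiple msDS-AzScope objects match '$ComputerName'; inspect them manually" }
    $target = $found[0].DistinguishedName
    if ($PSCmdlet.ShouldProcess($target, 'Remove leftover msDS-AzScope object')) {
        Remove-ADObject -Identity $target -Confirm:$false
        Write-Verbose "Removed $target"
    }
}

# Dry run first (placeholder zone 'PowerShellTest' and computer 'testcomp'):
Remove-CentrifyAzScope -AuthorizationDN 'CN=Authorization,CN=PowerShellTest,OU=Zones,DC=example,DC=com' `
    -ComputerName 'testcomp' -WhatIf
```

Run once with -WhatIf to see which DN would be deleted, then again without it; precreate_computer() should succeed afterwards because the zone no longer holds a scope for that computer name.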
The simpler and correct way to remove all the data associated with a Centrified computer is to remove the computer via DirectManage Access Manager and then remove the computer object in ADUC, or to remove the computer object in ADUC first, instead of removing the SCP and the override zone. If the computer object is removed first, all of its metadata objects (the SCP and the override) are also deleted correctly, and precreate_computer() can then be used to re-create the object successfully.