In this blog post, let’s see what you should do if you get the “There is no such object on the server” error message during a DHCP unauthorize.
DHCP Authorize / Unauthorize
As you probably know, a DHCP server must be authorized in Active Directory before it starts delivering addresses. This prevents rogue servers that anybody could set up. The reverse operation is called “unauthorize”, and you’re supposed to do it before removing the DHCP role from a server.
In most cases, this is never done, as the role is not uninstalled; the server is simply switched off instead. The old server then still appears in Active Directory as authorized.
Unauthorizing a server properly
The proper way to do it is to use the MMC, the netsh commands or a PowerShell cmdlet.
- Open the DHCP MMC and click DHCP.
- On the Action menu, click Manage authorized servers.
- In the Authorized DHCP servers dialog box, select the server you want to unauthorize.
- Click Unauthorize.
- Check the server list with “netsh dhcp show server”
- Delete each server with “netsh dhcp delete server servername.domain.local IPAddress”
In PowerShell, the cmdlet is called “Remove-DhcpServerInDC”, not unauthorize-something, as the verb is not generic enough.
The same parameters should be used: DNS Name and IP Address.
How does it work
The authorization in Active Directory just creates entries in the NetServices container in the configuration partition of your forest.
If everything goes well, you get one object for each server you have authorized.
Troubleshooting issues with unauthorize
If you are stuck somewhere in the middle of the process, you will get messages such as:
- There is no such object on the server
- The parameter is incorrect
In all cases, check the following under “CN=NetServices,CN=Services,CN=Configuration,DC=myforest,DC=local”:
- You no longer have an object with the name of the server under this container. If the object is still there, you may want to delete it after having written down the contents of its dhcpServers attribute.
- There is a DHCPRoot object which has weird entries in its dhcpServers attribute value corresponding to the attributes you saw in the previous step.
You may want to delete them using ADSIEdit.msc or any tool of your choice.
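The checks above can also be done read-only from PowerShell before touching anything in ADSIEdit. The script below is an added example, not part of the original post; it assumes the ActiveDirectory, DhcpServer and DnsClient modules are installed, that per-server objects are named after the server's DNS name, and the output file name is arbitrary.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory, DhcpServer and DnsClient modules are installed.
Import-Module ActiveDirectory, DhcpServer

# Derive the container DN from the forest instead of hard-coding DC=myforest,DC=local.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configNC"

# What the DHCP cmdlets report as authorized.
$authorized = @(Get-DhcpServerInDC)

# What is actually stored directly under the NetServices container.
$objects = @(Get-ADObject -SearchBase $netServices -SearchScope OneLevel `
        -Filter 'objectClass -eq "dHCPClass"' -Properties dhcpServers, whenChanged)

$report = foreach ($obj in $objects) {
    $isRoot = $obj.Name -eq 'DhcpRoot'
    [pscustomobject]@{
        Name              = $obj.Name
        IsDhcpRoot        = $isRoot
        WhenChanged       = $obj.whenChanged
        # Assumption: per-server objects are named after the server's DNS name.
        InAuthorizedList  = if ($isRoot) { $null } else { $authorized.DnsName -contains $obj.Name }
        # A name that no longer resolves is a hint that the server was switched off.
        ResolvesInDns     = if ($isRoot) { $null } else {
            [bool](Resolve-DnsName -Name $obj.Name -ErrorAction SilentlyContinue) }
        # Raw attribute values, joined so they fit on one CSV line.
        DhcpServers       = @($obj.dhcpServers) -join ' | '
        DistinguishedName = $obj.DistinguishedName
    }
}

# Entries returned by Get-DhcpServerInDC with no same-named object under NetServices.
$orphans = $authorized | Where-Object { $objects.Name -notcontains $_.DnsName }

$report  | Format-List
$orphans | Format-Table DnsName, IPAddress

# Keep a record of the dhcpServers values before any manual cleanup.
$report | Export-Csv -Path .\dhcp-netservices-audit.csv -NoTypeInformation
```

Rows where InAuthorizedList or ResolvesInDns is False, and DhcpRoot values that mention a decommissioned server, are the candidates to review by hand.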
THANK YOU SO MUCH. I’ve been looking everywhere on how to remove an old defunct authorised DHCP server and this helped me 🙂