DHCP Unauthorize: There is no such object on the server


In this blog post, let’s see what you should do if you get during DHCP Unauthorize: There is no such object on the server error message,

DHCP Authorize / Unauthorize

As you probably know, a DHCP Server must be authorized in an Active Directory to start delivering addresses. This is to avoid rogue servers everybody could set up. The reverse operation is called “unauthorize” and you’re supposed to do it before removing the DHCP role on a server.

In most cases, this is never done as the role is not uninstalled but the server is switched off instead. In this case the old server still appears in the Active Directory as authorized.

Unauthorizing a server properly

The proper way to do it is to use the MMC, the netsh commands or a powershell cmdlet.

For MMC:

  • Open the DHCP MMC and click DHCP.
  • On the Action menu, click Manage authorized servers
  • In the Authorized DHCP servers dialog box, select the server you want to unauthorize.
  • Click Unauthorize.

For netsh:

  • Check the server list with “netsh dhcp show server”netsh show dhcp server
  • Delete each server with “netsh dhcp delete server servername.domain.local IPAddress”netsh delete dhcp server

In powershell the cmdlet is called, “Remove-DhcpServerInDC” and not unauthorize-something as the verb is not generic enough:

remove-dhcpserverindcThe same parameters should be used: DNS Name and IP Address.

How does it work

The authorization in the Active Directory just creates entries into the NetServices container of your configuration partition of your forest.

IF every goes well you’ve got an object representing for each server you have authorized.

Troubleshooting issues with unauthorize

If you are somewhere stuck into the middle of the process, you will get messages such as:

  • There is no such object on the server
  • The parameter is incorrect

In all cases:

  • check the following under the CN=”NetServices,CN=Services,CN=Configuration,DC=myforest,DC=local”

NetServices Services Configuration container

  • You no longer have an object with the name of the server under this container. If the object is still there you may want to delete it after having written down the contents of its dhcpServers attribute.dhcpclass-object
  • There is a DHCPRoot object which has weird entries into its DHCPServers attribute value corresponding to the attributes you saw in the previous step.

dhcpRoot objectYou may want to delete them using ADSIEdit.msc or any tool of your choice.