diff --git a/tripleo_ipa/molecule/deregister/converge.yml b/tripleo_ipa/molecule/deregister/converge.yml
index a098355..d0b3fe3 100644
--- a/tripleo_ipa/molecule/deregister/converge.yml
+++ b/tripleo_ipa/molecule/deregister/converge.yml
@@ -212,6 +212,27 @@
     IPA_HOST: ipa.example.test
     IPA_PASS: password123
 
+- name: Simulate bad enrollment for test-3 host
+  hosts: all
+  vars:
+    ipa_server_user: admin
+    ipa_server_password: password123
+    ipa_server_hostname: ipa.example.test
+  tasks:
+    # We do this to simulate a bad enrollment. If the host has already been
+    # added, but isn't enrolled we need to recreate the host during
+    # tripleo_ipa_registration. Add this host shouldn't cause the
+    # tripleo_ipa_registration role to fail. It should handle it gracefully.
+    # This host isn't enrolled and doesn't have a keytab associated to it
+    # because it's disabled.
+    - name: create a pre-existing host test-3
+      ipa_host:
+        fqdn: 'test-3.example.test'
+        force: true
+        ipa_user: "{{ ipa_server_user }}"
+        ipa_pass: "{{ ipa_server_password }}"
+        ipa_host: "{{ ipa_server_hostname }}"
+
 - name: Converge - add host and relevant services for test-3 host
   hosts: all
   vars:
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
index 112fedb..69d1d02 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@@ -43,17 +43,22 @@
     - name: confirm that host is not already registered with current keytab
       when: '"has_keytab: TRUE" not in host_raw_data.stdout'
       block:
+        - name: remove stale host if present
+          when: host_raw_data.rc == 0
+          ipa_host:
+            fqdn: "{{ base_server_fqdn }}"
+            state: absent
+
         - name: add new host with random otp
           ipa_host:
             fqdn: "{{ base_server_fqdn }}"
             random_password: true
             force: true
           register: ipa_host
-          ignore_errors: true
 
         - name: set otp as a host fact
           set_fact:
-            ipa_host_otp: "{{ ipa_host.host.randompassword | default(omit) }}"
+            ipa_host_otp: "{{ ipa_host.host.randompassword }}"
           no_log: true
           delegate_facts: true
           delegate_to: "{{ tripleo_ipa_delegate_server }}"