Orphaned DC stops removal of 2008 R2 DC, DCPROMO fails upgrade from 2008 R2 to 2012 but shows success, DNS is a mess

    Question

  • I'm not sure where to start with this; please bear with me and thank you in advance. I'm a one-man-IT for a small company, and experiencing some big problems that I don't know how to fix. I'm not sure how far back the problems go. I'm certain that my GPOs are out of whack, along with my internal DNS. I'm primarily concerned about the DNS issues since that's preventing me from moving over to Windows Server 2012.

    I’m in the process of moving, cleaning, repairing my internal DNS. 

    Over the years we've migrated from NT Server 4.0 --> Server 2003  and are presently running Server 2008 R2.

    My internal domain is simple:  Company.com

    I'm trying to migrate to Windows Server 2012 but I'm having a myriad of problems. 

    Current DCs:
    ASDSTLDC1 (Physical, Windows Server 2008 R2): 192.168.0.34
    ASDSTLDC3 (Virtual, Windows Server 2008 R2):  192.168.0.37
    2012DC01 (Physical, Windows Server 2012):  192.168.0.30

    I have an orphan record that I cannot get rid of (ASDSTLDC0); this was a former server that crashed and is no longer in service.

    Should I post IPCONFIG results from each server here, or put them on SkyDrive? Either is fine with me.

    • Edited by John Rhines Wednesday, July 17, 2013 10:33 PM
    Wednesday, July 17, 2013 10:07 PM

All replies

  • St Louis fan, eh? Phillies! <just kiddin>

    I saw your Twitter tweet. I'm glad you posted here.

    Have you seen my blog to get that orphaned record out of there? You'll need to run a metadata cleanup, as well as clean out DNS NS records, Sites, and anything else referencing it, as my blog explains.

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameserver tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.)
    Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    -

    You may also want to check to make sure you have no duplicate AD zones. They show up in ADSI Edit as "CNF..." or "InProgress..."

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by acefekay on Sep 2, 2009 at 2:34 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    -

    What version of Windows 2003 did you use to upgrade from NT4? If it was pre-SP1, such as the original, non-SP1 CD, then I recommend changing the AD Tombstone value from 60 days to 180 days. If it shows up in the spot below as "<Not Set>," that means it's 60 days. You can change it to 180.

    ADSI Edit - In the Configuration Container, dig down to Directory Services, right-click, choose Properties, look for the tombstoneLifetime attribute:
    CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com

    FYI - the Tombstone value solely depends on the operating system used to install the very first domain controller in the new forest. It doesn't matter if you are now on Windows 2012; it will still be 60 days if installed with 2000 or 2003 without an SP.

    - Windows 2000 with all SPs = 60 Days
    - Windows Server 2003 without SP = 60 Days
    - Windows Server 2003 SP1 and all newer operating systems = 180 Days

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Edited by Ace Fekay [MCT]MVP Wednesday, July 17, 2013 10:20 PM forgot to post link to dupe zone blog
    Wednesday, July 17, 2013 10:19 PM
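
A scripted, read-only equivalent of the ADSI Edit lookup described in the post above. This is an added example, not code from the thread; the function names are hypothetical, and it assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Resolve-TombstoneLifetime {
    param([AllowNull()][object]$RawValue)
    # Per the post: an unset attribute ("<Not Set>" in ADSI Edit) means 60 days.
    $days = if ($null -eq $RawValue) { 60 } else { [int]$RawValue }
    [pscustomobject]@{
        RawValue      = if ($null -eq $RawValue) { '<Not Set>' } else { $RawValue }
        EffectiveDays = $days
        Below180      = ($days -lt 180)   # candidate for raising to 180, as the post suggests
    }
}

function Get-TombstoneLifetime {
    # Read-only LDAP lookup; nothing in the directory is modified.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    # In the directory, the object's relative name is "CN=Directory Service".
    $entry = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    Resolve-TombstoneLifetime -RawValue $entry.Properties['tombstoneLifetime'].Value
}

# Queries the forest of the machine the script runs on.
Get-TombstoneLifetime
```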
  • The Phillies are a great team, always enjoy playing them.  I can't stand the Reds though.

    I've read the article about removing the orphan record, and running metadata cleanup, and have the PowerShell script "GUI Metadata Cleanup Utility" but I wasn't sure if this script alone would also remove the orphan record OR are these two separate processes?

    Wednesday, July 17, 2013 10:44 PM
  • As long as the Phils can keep their stuff together, yes. And I'm not a Reds fan, either.

    I've never used the script to be able to comment. I like to get into the database and perform my own surgery, and the other tasks, as well. I don't know if the script does all of that.

    Don't forget about the dupe zones.


    Ace Fekay

    Wednesday, July 17, 2013 11:06 PM
  • Thank you very much for the reply.  I don't mind going through the steps, just trying to get my ducks in a row before I fire.

    1. Before removing this DC should I change all static IP addresses for all adapters and remove the IP address of the soon-to-be-defunct DC?
    2. Will this disrupt any existing network activity taking place on the network?

    Server to be removed: ASDSTLDC1

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : asdstldc1
       Primary Dns Suffix  . . . . . . . : asdsoftware.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : asdsoftware.com

    Ethernet adapter LOM1:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #6
       Physical Address. . . . . . . . . : 00-19-B9-ED-6D-76
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::c0a8:22%15(Preferred)
       Link-local IPv6 Address . . . . . : fe80::b4a5:4936:920c:1bba%15(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.0.34(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : fe80::c0a8:ee%15
                                           192.168.0.238
       DHCPv6 IAID . . . . . . . . . . . : 301996473
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-FB-B7-00-19-B9-ED-6D-76
       DNS Servers . . . . . . . . . . . : fe80::c0a8:25%15
                                           192.168.0.30
                                           192.168.0.34
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 12:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{9F38C838-ABD5-4E7B-9AED-9605D5B0D8F3}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Secondary DNS Server (keeping): ASDSTLDC3

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ASDSTLDC3
       Primary Dns Suffix  . . . . . . . : asdsoftware.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : asdsoftware.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-00-CC-0C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9b:5ad4:bed6:204c%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.0.37(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 192.168.0.238
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-94-01-6D-00-15-5D-00-CC-0C
       DNS Servers . . . . . . . . . . . : 192.168.0.30
                                           192.168.0.37
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{2B0EEEB7-627A-4B75-B124-CD39625103FF}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Example member server: (SQL2008)

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SQL2008
       Primary Dns Suffix  . . . . . . . : asdsoftware.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : asdsoftware.com

    Ethernet adapter Local Area Connection 3:

       Connection-specific DNS Suffix  . : asdsoftware.com
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
       Physical Address. . . . . . . . . : 00-15-5D-00-CC-14
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6585:c989:7422:bc21%15(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.0.209(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, July 08, 2013 10:35:32 PM
       Lease Expires . . . . . . . . . . : Monday, July 22, 2013 10:50:09 PM
       Default Gateway . . . . . . . . . : 192.168.0.238
       DHCP Server . . . . . . . . . . . : 192.168.0.34
       DHCPv6 IAID . . . . . . . . . . . : 301995357
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-7D-39-32-00-15-5D-00-CC-12
       DNS Servers . . . . . . . . . . . : 192.168.0.30
                                           192.168.0.37
                                           192.168.0.34
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.asdsoftware.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wednesday, July 17, 2013 11:52 PM
  • If you're going to remove a DC/DNS, you have to make sure no machines are using it for DNS whether static or in DHCP scope Option 006. For example, the SQL server is using it. I don't know if DC3 (.37) is.

    Where do you see that orphaned record for ASDSTLDC0?

    Did you run a simple metadata cleanup just to see if it's there? And you can do that without making any changes, of course.


    Ace Fekay

    Thursday, July 18, 2013 1:03 AM
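
One way to run the check the post above asks for, over saved `ipconfig /all` output: it flags every adapter that still lists the DNS server being retired and reports whether that adapter is DHCP-enabled. This is an added example, not code from the thread; the function and parameter names are hypothetical, the sample input is an excerpt of the SQL2008 output posted earlier, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
function Find-DnsServerReference {
    param(
        [Parameter(Mandatory)][string[]]$Lines,    # saved "ipconfig /all" output, one line per element
        [Parameter(Mandatory)][string]$RetiringIp  # address of the DC/DNS server being removed
    )
    $hostName = $null; $adapter = $null; $dhcp = $null; $inDns = $false
    foreach ($line in $Lines) {
        $candidate = $null
        if ($line -match '^\s*Host Name[ .]*:\s*(\S+)') {
            $hostName = $Matches[1]; $inDns = $false
        }
        elseif ($line -match '^\s*(.+ adapter .+):\s*$') {
            $adapter = $Matches[1]; $dhcp = $null; $inDns = $false
        }
        elseif ($line -match '^\s*DHCP Enabled[ .]*:\s*(Yes|No)') {
            $dhcp = ($Matches[1] -eq 'Yes'); $inDns = $false
        }
        elseif ($line -match '^\s*DNS Servers[ .]*:\s*(\S+)') {
            $inDns = $true; $candidate = $Matches[1]
        }
        elseif ($inDns -and $line -match '^\s+([0-9A-Fa-f:.%]+)\s*$') {
            $candidate = $Matches[1]   # continuation line of the DNS Servers list
        }
        else { $inDns = $false }

        if ($candidate -eq $RetiringIp) {
            # DhcpEnabled = $true: the list most likely comes from the scope (Option 006);
            # $false: it is set statically on the adapter.
            [pscustomobject]@{
                Host = $hostName; Adapter = $adapter
                DhcpEnabled = $dhcp; DnsServer = $candidate
            }
        }
    }
}

# Sample input: excerpt of the SQL2008 output posted above.
$sample = @'
   Host Name . . . . . . . . . . . . : SQL2008
Ethernet adapter Local Area Connection 3:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.209(Preferred)
   DHCP Server . . . . . . . . . . . : 192.168.0.34
   DNS Servers . . . . . . . . . . . : 192.168.0.30
                                       192.168.0.37
                                       192.168.0.34
   NetBIOS over Tcpip. . . . . . . . : Enabled
'@ -split '\r?\n'

Find-DnsServerReference -Lines $sample -RetiringIp '192.168.0.34'
```

To check a live machine instead of saved text, pass `(ipconfig /all)` as `-Lines`.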
  • And it may disrupt services if machines are logged on and have used that DC as their logon server. It's best to do this on a weekend. But if the machine is truly having a problem and no machines are using it, then you can remove it now.

    One thing, I would manually transfer the FSMO roles to the new, physical DC ASDSTLDC0. That's where we at least want the PDC role to be, so we can set the time service to sync to an external source. You may have to also reset the time sync on the others to the domain hierarchy.


    Ace Fekay

    Thursday, July 18, 2013 1:06 AM
  • John, your tweet saying you couldn't find the AD tombstone spurred me to make a quick video about it. Sorry the audio is a little low. I didn't bump up the gain in control panel before making it.

    AD Tombstone Value = What it is and How to Change it
    http://www.youtube.com/watch?v=-GIrKHoSorw


    Ace Fekay

    Thursday, July 18, 2013 1:53 AM