Can Metadata be cleaned on a DC that has already been force demoted?
-
Tuesday, December 04, 2012 5:37 PM
We had a 2003sp2 DC (no master roles, just a "secondary" DNS) go tombstone. The dcpromo /forceremoval was done with the idea of doing metadata cleanup afterward. However now of course it is in a workgroup and the other DCs cannot see it to do the metadata cleanup. Is there a way we can do the metadata cleanup (already went manually through DNS and AD Sites and Services) even though it is no longer part of the domain?
All Replies
-
Tuesday, December 04, 2012 6:51 PM
Hi,
You always need to perform metadata cleanup from any operational DC. As part of the cleanup process, you need to manually remove the old DC's stale entries from DNS, ADUC and AD Sites.
Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
Clean Up Server Metadata Windows Server 2008 and higher
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx
Reference: http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
-
Tuesday, December 04, 2012 9:22 PM
The problem is that the Tombstoned DC has already been demoted and cleaned out of DNS, ADUC and AD Sites before the metadata was cleaned by another server. Now when the metadata cleanup commands are given, the broken DC can never be found. Is there any way to actually clean the metadata, or at this point is it better to make a new DC with a new name and just forget the old broken DC?
- Edited by CSCTool Tuesday, December 04, 2012 9:34 PM
-
Tuesday, December 04, 2012 9:40 PM
If there are no entries present and the NTDSUTIL command returns clean, then you can promote the new DC with a new name.
Installing an Additional Domain Controller
http://technet.microsoft.com/en-us/library/cc733027(v=ws.10).aspx
Best regards,
Abhijit Waikar.
- Proposed As Answer by Cicely Feng (Microsoft Contingent Staff, Moderator) Wednesday, December 05, 2012 7:29 AM
- Marked As Answer by Cicely Feng (Microsoft Contingent Staff, Moderator) Wednesday, December 12, 2012 9:31 AM
-
Wednesday, December 05, 2012 2:44 AM
The problem is that the Tombstoned DC has already been demoted and cleaned out of DNS, ADUC and AD Sites before the metadata was cleaned by another server. Now when the metadata cleanup commands are given, the broken DC can never be found. Is there any way to actually clean the metadata, or at this point is it better to make a new DC with a new name and just forget the old broken DC?
Hi,
To confirm whether the faulty DC instances are present in the AD database, you need to run the ntdsutil command to check the same. Also check that instances of the faulty server are not present in DNS, the DC OU, and AD Sites and Services.
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
Note: You need to connect to an online DC to perform the above operation.
Once the instances are removed, you can promote the new server as an additional DC with the same name and IP address or a different one; the choice is yours.
Create an additional domain controller:
http://technet.microsoft.com/en-us/library/cc781792(v=ws.10).aspx
Checklist: Creating an additional domain controller in an existing domain:
http://technet.microsoft.com/en-us/library/cc759620(v=ws.10).aspx
If the OS version of the server is higher, i.e. if you are adding a Win2008 server to a Win2003 domain, then you need to prepare the domain using the correct adprep tool. See this for more details:
http://technet.microsoft.com/en-us/library/cc733027(v=ws.10).aspx
Upgrading an Active Directory Domain from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2012
http://msmvps.com/blogs/mweber/archive/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012.aspx
Note: Don't forget to change all of the clients' DNS settings to point to the new DC; this may be in DHCP options or the TCP/IP settings.
Best Regards,
Sandesh Dubey.
MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed As Answer by Cicely Feng (Microsoft Contingent Staff, Moderator) Wednesday, December 05, 2012 7:30 AM
- Marked As Answer by Cicely Feng (Microsoft Contingent Staff, Moderator) Wednesday, December 12, 2012 9:31 AM
-
Sunday, December 09, 2012 7:29 PM
The problem is that the Tombstoned DC has already been demoted and cleaned out of DNS, ADUC and AD Sites before the metadata was cleaned by another server. Now when the metadata cleanup commands are given, the broken DC can never be found. Is there any way to actually clean the metadata, or at this point is it better to make a new DC with a new name and just forget the old broken DC?
So, since the metadata cleanup was done properly (the old DC no longer has a reference in AD) and the old DC is not an FSMO holder (please run netdom query fsmo on the new DC to make sure that it holds all of the FSMO roles; if not, you will need to seize the missing ones), there is no more action to take before promoting a new DC. To double check, you can run dcdiag to check the DC health, and it should no longer report issues with the tombstoned DC.
To determine your forest tombstone lifetime: http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
It can be adjusted depending on your needs.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Marked As Answer by Cicely Feng (Microsoft Contingent Staff, Moderator) Wednesday, December 12, 2012 9:31 AM
-
Monday, December 10, 2012 3:42 AM
The places you need to check after either a normal demotion or a forced demotion of a DC are below.
-Each & every sub folder inside _msdcs folder in DNS
-Name server tab in DNS
-Host records in DNS
-Server object under NTDS setting in AD sites & services.
-Open ADSIEDIT.MSC, connect to configuration partition
CN=Configuration, DC=domain, DC=com > CN=Sites > locate DC to be removed from the sites.
Note: ADSIEDIT is a powerful tool for editing AD database objects, and any modification made is permanent, so if you are unsure what you are doing, take a System State backup and then modify from there, as anything deleted from there will require a System State backup to restore the deleted objects.
Metadata cleanup is made simple in Windows 2008, which provides a GUI interface, so if you have any DC running Windows 2008, you can use metadata cleanup from that DC, but it doesn’t matter which DC you choose to clean up the failed DC's records.
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/
Best regards
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
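The places listed in the post above can be checked in one read-only pass before promoting a replacement DC. The script below is an added example, not code from any poster in this thread; `OLD-DC01` is a placeholder name, and it assumes a single-domain forest and a domain-joined machine to run from.

```powershell
# Added example: read-only check for leftovers of a removed DC. Nothing is modified.
param([string]$DcName = 'OLD-DC01')   # placeholder name, not taken from the thread

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$domainNC  = [string]$rootDse.defaultNamingContext
# Assumption: single-domain forest, so this DNS domain also hosts the _msdcs records
$dnsDomain = ($domainNC -replace '^DC=', '') -replace ',DC=', '.'

function Find-AdObject([string]$BaseDn, [string]$Filter) {
    # Subtree search below $BaseDn; returns the distinguished names that match
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($hit in $searcher.FindAll()) { [string]$hit.Properties['distinguishedname'][0] }
}

function Find-DnsRecord([string]$Type, [string]$Name) {
    # Keep only the nslookup output lines that still name the old DC
    @(nslookup "-type=$Type" $Name 2>$null |
        Select-String -SimpleMatch $DcName | ForEach-Object { $_.Line.Trim() })
}

# Server object and its NTDS Settings child in the configuration partition
$serverObjs = @(Find-AdObject "CN=Sites,$configNC" "(&(objectClass=server)(cn=$DcName))")
$ntdsObjs   = @($serverObjs | ForEach-Object { Find-AdObject $_ '(objectClass=nTDSDSA)' })

$findings = @{
    'Server object under CN=Sites' = $serverObjs
    'NTDS Settings object'         = $ntdsObjs
    'Computer account in domain'   = @(Find-AdObject $domainNC "(&(objectClass=computer)(cn=$DcName))")
    'SRV records in _msdcs'        = Find-DnsRecord 'SRV' "_ldap._tcp.dc._msdcs.$dnsDomain"
    'Name server (NS) records'     = Find-DnsRecord 'NS'  $dnsDomain
    'Host (A) record'              = Find-DnsRecord 'A'   "$DcName.$dnsDomain"
}

foreach ($place in $findings.Keys) {
    $hits  = @($findings[$place])
    $state = if ($hits.Count) { 'STALE ENTRY' } else { 'clean' }
    Write-Output ("{0,-30} {1}" -f $place, $state)
    $hits | ForEach-Object { Write-Output "    $_" }
}
```

Only the `_ldap._tcp.dc._msdcs` SRV set is queried here; the other subfolders under `_msdcs` still need the manual walk described in the post.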
-
Wednesday, December 12, 2012 3:37 PM
It turns out the problem was the military time sync issue:
http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx
Unfortunately we did not know it until all of AD was broken even more. We have contracted out with Premium Support to help us get everything back up.

