Post Metadata cleanup

    Question

  • Domain info:

    MS Server 2008 R2

    Domain members are XP/Win7/Server 2003/Server 2008 R2

    I had a forest, domain.com, with 4 child domains that we will call child1.domain.com, etc., all pointing to the same parent.

    We condensed these down to a single domain in order to eliminate the child domains. Now all we have is domain.com. child2.domain.com was shut down and reloaded improperly and required metadata cleanup to eliminate the old data. This was completed successfully. We only want domain.com to exist.


    Current status is:

    Active Directory Domains and Trusts shows ONLY domain.com

    Active Directory Sites and Services shows ONLY domain.com

    Active Directory Users and Computers shows ONLY domain.com

    DNS shows ONLY pointers and records for domain.com


    Problem

    When I go to edit a folder and add permissions to a folder or file, the normal box shows up, and when I hit the "Locations" button I still see child2.domain.com and an older forest that existed before I worked here. If I try to expand child2.domain.com it lets me, but there is nothing in there. Same thing for that ancient single-domain forest. These are orphaned objects and need to be removed. When I open metadata cleanup I can only see 1 domain, 1 naming context, and 1 site, just like the GUI shows. I want this to populate over to this selection screen. Also of note, my XP machines still show these old domains on the logon screen as well. We are NOT running WINS of any kind.

    Help? Thoughts?

    Tuesday, February 12, 2013 8:50 PM

Answers

  • There are a few areas you need to clear for orphaned DCs/domains.

    1. You can use NTDSUTIL for cleaning up the orphaned DC and domain

    DC

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

    Domain

    http://support.microsoft.com/kb/230306

    2. Also run the dsquery commands below and compare the lists

    dsquery * "CN=Configuration,DC=contoso,DC=com" -filter "(&(objectClass=crossRef)(objectCategory=crossRef)(systemFlags=5))" -attr NcName msDS-NC-Replica-Locations

    dsquery * "DC=DomainDnsZones,DC=contoso,DC=com" -scope base -attr msDs-masteredBy >> domaindnszones-DCs.txt
    dsquery * "DC=ForestDnsZones,DC=contoso,DC=com" -scope base -attr msDs-masteredBy >> forestdnszones-DCs.txt

    For Trust

    nltest /domain_trusts


    Regards
    Biswajit Biswas



    Wednesday, February 13, 2013 4:45 AM
  • Was able to remove that ancient forest with:

    To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:

    netdom trust /d:Northamerica USA-Chicago /remove

    Was also able to remove the 2 way trust with the old child objects by:

    To break a two-way trust relationship, type the following at the command prompt:

    netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com

    Also of note I had to use /force flags since the domains no longer exist

    Thanks Cicely for moving me down the correct path on this one!!!




    Wednesday, February 13, 2013 2:22 PM
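
An added example, not part of the original thread: the check that located the leftovers here was `nltest /domain_trusts`, so this PowerShell parses that output and lists every trust entry whose domain is not on an expected list. The sample output, the `$expected` list and the function names `Get-TrustEntry` and `Get-StaleTrust` are constructed for illustration, and the line shape is assumed to match what nltest prints.

```powershell
# Domains that are supposed to exist (assumption: adjust to your forest).
$expected = @('domain.com')

# Constructed sample in the shape nltest prints. On a live system use:
#   $lines = nltest /domain_trusts
$sample = @'
List of domain trusts:
    0: CHILD2 child2.domain.com (NT 5) (Forest: 2) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )
    1: OLDFOREST (NT 4) (Direct Outbound)
    2: DOMAIN domain.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
'@
$lines = $sample -split "`r?`n"

function Get-TrustEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # "<index>: <NetBIOS> [<DNS name>] (flag) (flag) ..."
        # The DNS name is optional: down-level entries carry only a NetBIOS name.
        if ($line -match '^\s*(\d+):\s+(\S+)(?:\s+([^\s(]\S*))?\s*(\(.*)$') {
            New-Object PSObject -Property @{
                Index   = [int]$Matches[1]
                NetBIOS = $Matches[2]
                DnsName = $Matches[3]   # $null when the entry has no DNS name
                Flags   = $Matches[4]
            }
        }
    }
}

function Get-StaleTrust {
    param([string[]]$Lines, [string[]]$ExpectedDomains)
    Get-TrustEntry -Lines $Lines | Where-Object {
        $name = if ($_.DnsName) { $_.DnsName } else { $_.NetBIOS }
        # Skip the machine's own domain; flag anything not on the expected list.
        ($_.Flags -notmatch 'Primary Domain') -and ($ExpectedDomains -notcontains $name)
    }
}

# Entries 0 and 1 of the sample are reported as trusts to review.
Get-StaleTrust -Lines $lines -ExpectedDomains $expected |
    Select-Object Index, NetBIOS, DnsName, Flags | Format-Table -AutoSize
```

Running it on a schedule and alerting on any non-empty result catches trust objects that survive a domain decommission even when the metadata cleanup itself reports only the expected domain.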

All replies

  • Hi,

    Per the problem, please check the following:
    1. Is the AD replication between domain controllers OK in your environment?
    2. The old domains' metadata has been removed completely from the environment as per http://support.microsoft.com/kb/230306
    3. Make sure all TDOs related to those child domains are completely removed from the root domain as below,
        a. use Adsiedit.msc to open up the root domain partition
        b. Expand CN=System,DC=domain,DC=com, check if there are any objects named as CN=childx.domain.com under this container, if yes, delete them manually.
        c. Expand CN=Users,DC=domain,DC=com, check if there are any objects named as childx$ under this container, if yes, delete them manually.

    For more information about TDO, please read http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx

    Regards,
    Cicely

    Wednesday, February 13, 2013 2:47 AM
  • Thanks for the reply.

    1. Replication in domain.com is fine

    2. As stated in original post no metadata remains of the old domains (in paragraph under "Problem")

    3. Adsiedit tasks were completed previously and I verified only domain.com remains.

    Any other suggestions?


    Wednesday, February 13, 2013 3:32 AM
  • 1 I did run ntdsutil...which was the metadata cleanup that I spoke of.

    2 The only thing that shows is domain.com and associated naming contexts etc

    Please read my entire post before submitting a reply.

    Thanks


    Wednesday, February 13, 2013 4:50 AM
  • For item 3, there should not be any TDO named domain.com; I don't know if you checked the correct container. As you mentioned, there is only one domain and one site, as the GUI shows; do you also mean you could only see one domain in the domain.msc tool? The domain list on the logon screen is built from the trust domain list, which is why I would like to double-check this with you. If you are pretty sure all TDOs were removed previously, I would suggest you contact PSS for support; you may be required to capture an iDNA trace during the problem for them to debug.

    Regards,
    Cicely
    Wednesday, February 13, 2013 7:17 AM
  • Just got to work. (updating)

    query1 returns fine with only expected results

    query2 returns fine with only expected results

    query3 returns fine with only expected results



    nltest domain_trusts does indeed show the domains I need to get rid of. How do I destroy these trusts that are displayed?

    Thanks for the help! We found it, but now how do I destroy those trusts?




    Wednesday, February 13, 2013 1:59 PM
  • I am looking at the netdom command now...I think this might be it
    Wednesday, February 13, 2013 2:12 PM
  • Domain meta data cleanup

    http://support.microsoft.com/kb/230306


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Wednesday, February 13, 2013 3:42 PM