Demoted 2003 DCs are still listed in DNS and Sites-Services

Question

  • I recently demoted a few 2003 DCs using DCPROMO. In all cases the servers demoted gracefully. There are two 2008 R2 domain controllers left on the domain, and one of them has all OM roles.


    Some of the demoted 2003 DCs are still listed in AD Sites and Services. A few of them did not have the "NTDS Settings" container listed under them and I was able to delete these without any issue. The remaining three DC objects have the "NTDS Settings" child object, and when I try to delete either that container or the DC, I get a message saying I need to run DCPROMO. Can I safely ignore this message since the servers were already successfully demoted?


    Secondly, within DNS Manager on the 2008 R2 DC I still show several entries for the demoted DCs under _MSDCS.domain.local as well as other areas. If I right-click the objects I do not have an option to delete. There are also some references to old sites that I have deleted under _msdcs.domain.local \ DC \ _sites. What should I do about those?


    • Changed type Lawrence,Lu Tuesday, July 3, 2012 2:17 AM Question
    Monday, July 2, 2012 3:46 PM

Answers

  • Hello,

    what you see is normal, dcpromo will NEVER remove a DC from AD Sites and Services, as the server may run site-aware applications that require the machine to be in a listed site.

    Also the server will not be removed automatically from the DNS zones or the DNS zone properties Name Servers tab. Those locations you always have to check/clear yourself.

    The error message about removal can be ignored if the DC no longer exists, BUT you should also check with metadata cleanup for the old DCs in the AD database to be sure about the removal: http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, July 2, 2012 4:57 PM
  • Since the demotion of the DCs was graceful, you also need to cross-check and remove instances of the servers (removed DCs) from DNS, AD Sites and Services and the DC OU.

    To remove the failed server object from the sites
    1. In Active Directory Sites and Services, expand the appropriate site.
    2. Delete the server object associated with the failed domain controller.

    To remove the failed server object from the domain controllers container
    1. In Active Directory Users and Computers, expand the domain controllers container.
    2. Delete the computer object associated with the failed domain controller.

    To remove the failed server object from DNS
    1. In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.
    2. Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records.
    3. If you have reverse lookup zones, also remove the PTR record of the server from these zones.

    Reference link: http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

    Once done, force the replication between the DCs. I would also recommend checking the health of the DCs by running dcdiag /q and repadmin /replsum and posting the log if an error is reported.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Tuesday, July 3, 2012 1:26 AM
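    A read-only audit of the _msdcs zone for the DNS step above, added here as an example and not part of the answer. It assumes the DnsServer module (RSAT on Windows Server 2012 or later, so it is run from a 2012+ management host or DNS server rather than the 2008 R2 DC) and the ActiveDirectory module; the zone name is derived from the current domain, and "live DC" means whatever Get-ADDomainController currently returns for this domain.

```powershell
# Added example, not from the thread: list records under _msdcs.<domain> that still
# point at hosts which are no longer domain controllers (CNAME, SRV and NS targets,
# plus the A records under gc). Read-only; nothing is deleted.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot          # e.g. domain.local
$zone   = "_msdcs.$domain"

# Live DCs (hostnames and IPv4 addresses) as AD currently sees them.
$dcs      = Get-ADDomainController -Filter *
$liveFqdn = @($dcs | ForEach-Object { $_.HostName.ToLower() })
$liveIPs  = @($dcs | ForEach-Object { $_.IPv4Address })

# Reads the zone on the local DNS server; add -ComputerName <dns-server> to read remotely.
$stale = foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone) {
    # Pull out what each record type points at.
    $target = switch ($rr.RecordType) {
        'CNAME' { $rr.RecordData.HostNameAlias }                   # <DSA GUID> -> DC FQDN
        'SRV'   { $rr.RecordData.DomainName }                      # _ldap._tcp... -> DC FQDN
        'NS'    { $rr.RecordData.NameServer }                      # the zone's Name Servers tab
        'A'     { $rr.RecordData.IPv4Address.IPAddressToString }   # gc -> GC address
        default { $null }
    }
    if (-not $target) { continue }

    if ($rr.RecordType -eq 'A') { $isLive = $liveIPs -contains $target }
    else { $isLive = $liveFqdn -contains $target.TrimEnd('.').ToLower() }

    if (-not $isLive) {
        [pscustomobject]@{ Name = $rr.HostName; Type = $rr.RecordType; Target = $target }
    }
}

if ($stale) { $stale | Format-Table -AutoSize } else { "No stale records found in $zone" }
```

    Review the list before removing anything; records for sites that were deleted show up here as SRV entries under _sites whose target is a demoted host.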
  • Hi,

    After you demote a domain controller to a server, the object that represents the server in the Active Directory Sites and Services Manager snap-in remains. This issue occurs because the server object is a "container" in the Active Directory and may hold child objects that represent configuration data for other services installed on your computer. Because of this, the Dcpromo utility does not automatically remove the server object.

    Resolution:

    WARNING: If the server object contains any child objects named "NTDS Settings," these are objects that represent the server as a domain controller and should be automatically removed by the demotion process. If this does not work, or a demotion could not be performed (for example, on a computer with malfunctioning hardware) these objects must be removed by using the Ntdsutil utility before you delete the server object.

    After an administrator verifies that all other services with a dependency on the server object have been removed, or if the domain controller is being rebuilt and the decommissioning of the server could not be performed gracefully, an administrator can delete the server:

    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services Manager.
    2. Double-click the Sites branch to expand it, and then double-click the appropriate site's branch (the site the server resides in) to expand it.
    3. Double-click the server's container, right-click the server object, and then click Delete.
    4. Click Yes when you are prompted to confirm deleting the object.

    NOTE: This process may not finish successfully for either of the following reasons:

    • If you receive a message that states the server is a container that contains other objects, verify that the appropriate decommissioning of services has completed before continuing.
    • If you receive a message that states the DSA object cannot be deleted, you may be attempting to delete an active domain controller.

    If you can't perform the above solution or the process does not finish successfully, you may try removing the metadata for the demoted Domain Controller:

    How to remove data in Active Directory after an unsuccessful domain controller demotion
    http://support.microsoft.com/kb/216498

    For DNS record issue, we recommend you to handle that by DNS Scavenging.

    Refer to these articles:

    Using DNS Aging and Scavenging
    http://technet.microsoft.com/en-us/library/cc757041%28WS.10%29.aspx
    Don't be afraid of DNS Scavenging. Just be patient.
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

    For more information please refer to following MS articles:

    Domain Controller Server Object Not Removed After Demotion
    http://support.microsoft.com/kb/216364/en-us
    Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
    http://support.microsoft.com/kb/332199

    Hope this helps!

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Lawrence

    TechNet Community Support

    Tuesday, July 3, 2012 3:15 AM
  • Either way, whether the DC is demoted gracefully or forcefully, references are left as remnants and those require manual intervention to clean up. I have a blog which lists the places to look for remnants. Take a look at the article below. Especially the folder _msdcs will contain records of the removed DC and it's safe to remove those from there as well as from AD Sites & Services.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup: http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, July 3, 2012 5:48 AM

All replies

  • You can and should remove all DCs that have been metadata-cleaned from Users and Computers as well as Sites and Services. In 2003 SP2 and above, if you directly delete the DC objects from the graphical interface, from a DC of the same domain as the DCs you are deleting, metadata cleanup takes place automatically.

    The following commands should only list the healthy DCs and should not include any DCs which you removed.

    Repadmin /viewlist * will enumerate DCs from the config partition

    NLtest /dclist:domain will enumerate using Netlogon

    DNS clean-up is your next step, deleting any and all entries referring to the deleted DCs and their IP addresses. You mentioned not being able to delete the NS records which referenced old DCs. If you double-click those records or go into the zone properties in DNS, Name Servers tab, you should be able to remove these entries.

    Run the following command once you have finished cleaning DNS to confirm the health of the config:

    DCDiag /test:dns

    You may want to enable scavenging on DNS to clean-up old site entries but I'd start with the above first :)

    Nelson

    Monday, July 2, 2012 4:29 PM
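    A script version of the check described in the question and in the replies above (which server objects under Sites still carry an "NTDS Settings" child, and which of them are still real DCs), added here as an example and not code from the thread. It assumes the ActiveDirectory RSAT module and that Get-ADDomainController enumerates the live DCs of the current domain; server objects belonging to other domains in the forest would need the same comparison run against those domains.

```powershell
# Added example, not from the thread: audit the server objects under CN=Sites and
# report which are safe to delete and which still need metadata cleanup first.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Live DCs as AD knows them (the same set "repadmin /viewlist *" should print).
$liveDCs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() })

# Every server object in every site, whatever its state.
$servers = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=server)' `
                        -Properties dNSHostName

$report = foreach ($srv in $servers) {
    # The "NTDS Settings" child (objectClass=nTDSDSA) is what makes AD treat the host
    # as a DC; the GUI refuses to delete a server object that still has one.
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=nTDSDSA)'
    $hostName = if ($srv.dNSHostName) { $srv.dNSHostName.ToLower() } else { '' }
    $isLive   = $liveDCs -contains $hostName

    if ($isLive)   { $action = 'Keep (live DC)' }
    elseif ($ntds) { $action = 'Stale but has NTDS Settings: metadata cleanup (ntdsutil) first' }
    else           { $action = 'Stale, no NTDS Settings: server object can be deleted' }

    [pscustomobject]@{
        Server          = $srv.Name
        # DN is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so the site is element 2.
        Site            = (($srv.DistinguishedName -split ',')[2] -replace '^CN=')
        HasNtdsSettings = [bool]$ntds
        LiveDC          = $isLive
        Action          = $action
    }
}

$report | Sort-Object Site, Server | Format-Table -AutoSize
```

    Cross-check the "Keep" rows against nltest /dclist:<domain> before acting on the rest; a host that is absent from both lists but still has NTDS Settings is exactly the case the KB 216498 metadata cleanup procedure covers.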
  • Hello,

    As additional info, please read this article too:

    Remove a Current Operational Domain Controller from Active Directory (Ace Fekay - MVP)

    Regards

    Monday, July 2, 2012 7:04 PM