Messy cleanup help.

  • Question

  • So I have to manually remove Exchange info from our AD. not sure where to start.  Here is the story.

    -

    We have an empty forest root. Call it root.dom.

    In that forest are two child domains. For example here.root.dom and there.root.dom

    I work and live in the "here" domain. The "there" domain is another office in another city.

    "here" and "there" are connected by a vpn. One Exchange environment with connectors between our mail servers (2k10) and their servers (2k3). All was good and fine and replicating and all.

    -

    This year we demerged. All their data was backed up and moved to different servers on a different domain in another forest. As is the case sometimes when non-IT management calls all the shots, this is basically how it went down (we were warned of this but were hoping to avoid it.. but here is the gist of it)

    "Ok.. the people at "there" just terminated the VPN and shut down all their servers. Their DCs are off. They are never coming back on. Their mail servers are off. They are never coming back on."

    We could not do dcpromo to demote the DCs and delete the domain with the last DC. Couldn't delete mailboxes. Nothing.

    -

    I am fairly comfortable with ntdsutil to remove all the dc's and then the domain but before I do that I would at least like to clean up the exchange environment.

    If I try to delete the mailboxes from EMC it complains that I cannot reach a domain controller in their domain.

    -

    I am not sure where to start with this.. thoughts?



    • Edited by Sam Booka Thursday, October 11, 2012 8:25 PM
    Thursday, October 11, 2012 8:23 PM

Answers

  • On Thu, 11 Oct 2012 20:23:21 +0000, Sam Booka wrote:
     
    >
    >
    >So I have to manually remove Exchange info from our AD. not sure where to start. Here is the story.
    >
    >-
    >
    >We have an empty forest root. Call it root.dom.
    >
    >In that forest are two child domains. For example here.root.dom and there.root.dom
    >
    >I work and live in the "here" domain. The "there" domain is another office in another city.
    >
    >"here" and "there" are connected by a vpn. One Exchange environment with connectors between our mail servers (2k10) and their servers (2k3). All was good and fine and replicating and all.
    >
    >-
    >
    >This year we demerged. All their data was backed up and moved to different servers on a different domain in another forest. As is the case sometimes when non-IT management calls all the shots, this is basically how it went down (we were warned of this but were hoping to avoid it.. but here is the gist of it)
    >
    >"Ok.. the people at "there" just terminated the VPN and shut down all their servers. Their DCs are off. They are never coming back on. Their mail servers are off. They are never coming back on."
    >
    >We could not do dcpromo to demote the DCs and delete the domain with the last DC. Couldn't delete mailboxes. Nothing.
    >
    >-
    >
    >I am fairly comfortable with ntdsutil to remove all the dc's and then the domain but before I do that I would at least like to clean up the exchange environment.
    >
    >If I try to delete the mailboxes from EMC it complains that I cannot reach a domain controller in their domain.
    >
    >-
    >
    >I am not sure where to start with this.. thoughts?
     
    Probably the cleanest way would be to install the missing servers in
    your forest and then remove them normally. Use Hyper-V and you can do
    it with VMs - you don't need more than "just enough" resources to
    bring the servers back.
     
    You can't just nuke the users out of the AD to take care of the
    mailboxes because they're in a domain naming context that you don't
    have any more. Removing the AD stuff with ntdsutil should make them go
    away in the GCs.
     
    There's tons of information on doing the recovery of missing servers.
    Here's just one of them:
     
    http://msexchangeguru.com/2010/11/07/e2k7-dr/
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by cara chen Friday, October 12, 2012 6:01 AM
    • Marked as answer by Sam Booka Monday, October 22, 2012 2:17 PM
    Thursday, October 11, 2012 9:44 PM

All replies

  • Thanks Rich, I will take a look

    I thought maybe I could clear the users etc using ADSIedit... but I guess I would need to be able to reach one of their DCs .. :/

    Friday, October 12, 2012 1:02 PM
  • On Fri, 12 Oct 2012 13:02:19 +0000, Sam Booka wrote:
     
    >Thanks Rich, I will take a look
    >
    >I thought maybe I could clear the users etc using ADSIedit... but I guess I would need to be able to reach one of their DCs .. :/
     
    Yeah. That's the problem -- you see them only because they're in the
    Global Catalog.
     
    The Configuration naming context of the AD is replicated to all DCs.
    You may have to add a DC for the missing domain before you can
    reinstall the Exchange servers.
     
    Removing the Exchange servers with ADSI isn't as easy as it sounds.
    There are LOTS of objects in the configuration naming context that will
    have references to DNs containing the missing domain.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, October 12, 2012 10:03 PM
  • So if I just bite the bullet and remove all the missing DCs and the child domain using NTDSutil will that clear out the users as well (if their domain doesn't exist then how can they?)

    Monday, October 15, 2012 12:56 PM
  • On Mon, 15 Oct 2012 12:56:02 +0000, Sam Booka wrote:
     
    >So if I just bite the bullet and remove all the missing DCs and the child domain using NTDSutil will that clear out the users as well (if their domain doesn't exist then how can they?)
     
    Removing the DCs will remove the users (and other objects in the
    domain naming context) from that domain because they exist only in the
    Global Catalog in the remaining domain.
     
    However, it will NOT remove the information in the configuration
    naming context (which is where all your Exchange organization stuff
    lives).
     
    If I were you I'd try adding a DC to the missing domain and then
    remove the "missing" DC/GC machines. That won't recover the
    users/groups/contacts/computers but it will allow you to reinstall the
    missing Exchange servers so they can be gracefully removed by
    uninstalling the software and then removing the servers.
     
    Once Exchange (and any other applications that might have data in
    other naming contexts) has been removed you can DCPROMO the one DC
    from the missing domain and remove the machine.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Monday, October 15, 2012 1:38 PM
  • Thanks Rich.

    I have a VM I am trying to bring up but since I can't reach any DCs in the other domain I can't join or DCPROMO.

    Still googling :)

    Monday, October 15, 2012 3:12 PM
  • So some of the other forum members suggest that I am outta luck if I can't reach at least one DC in the old domain.

    If I have to delete a lot of stuff manually from ADSIEdit that is fine.. as long as I CAN delete it from ADSIEDIT.

    Monday, October 15, 2012 7:29 PM
  • On Mon, 15 Oct 2012 19:29:06 +0000, Sam Booka wrote:
     
    >So some of the other forum members suggest that I am outta luck if I can't reach at least one DC in the old domain.
     
    >If I have to delete a lot of stuff manually from ADSIEdit that is fine.. as long as I CAN delete it from ADSIEDIT.
     
    There's no supported way to remove Exchange 2007 except to uninstall
    the software.
     
    If you must, remove the old domain and then create it as a new domain
    -- and be sure to use the same capitalization and punctuation as the
    one you're going to remove.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, October 16, 2012 2:36 AM
  • I have actually tried that in a test environment and even though you create a new domain with the same name.. it is still a new domain. Not sure it helps.

    This is actually a 2003 installation I am trying to remove. Does that make it easier or harder?

    Tuesday, October 16, 2012 1:17 PM
  • On Tue, 16 Oct 2012 13:17:11 +0000, Sam Booka wrote:
     
    >I have actually tried that in a test environment and even though you create a new domain with the same name.. it is still a new domain. Not sure it helps.
     
    I don't think it matters. The names will be the same.
     
    >This is actually a 2003 installation I am trying to remove. Does that make it easier or harder?
     
    Well, you could try this:
    http://support.microsoft.com/kb/833396
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, October 16, 2012 9:58 PM
  • So I went into ntdsutil and deleted all the DCs, the NC and the child domain. I went into ADSites and deleted the site. Went into ADSIEDIT and deleted the child domain's admin group.

    I have more to clean up but it seems to have accomplished what I wanted and the sky didn't fall in.


    Thanks for all your help.
    • Edited by Sam Booka Monday, October 22, 2012 2:16 PM
    Monday, October 22, 2012 2:05 PM
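
Added example, not written by anyone in the thread: a read-only PowerShell audit for the point raised in the replies that ntdsutil cleanup removes the domain's DCs and partition but leaves objects in the Configuration naming context that still reference DNs in the removed domain. It assumes the ActiveDirectory module (RSAT) is installed and uses the thread's example name there.root.dom as the orphaned domain; the variable names are illustrative.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumptions: ActiveDirectory module (RSAT) is available; the orphaned
# domain is there.root.dom, the example name used in the thread.
Import-Module ActiveDirectory

$orphanDn = 'DC=there,DC=root,DC=dom'
$configNc = (Get-ADRootDSE).configurationNamingContext

# 1. The crossRef object that defines the domain partition. DN-syntax
#    attributes accept exact-match LDAP filters, so this check is cheap.
#    After a successful ntdsutil domain removal this should return nothing.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNc" `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$orphanDn))" `
    -Properties nCName, dnsRoot

# 2. Any object in the Configuration NC holding an attribute value that
#    points into the orphaned domain. DN attributes do not support
#    substring filters, so the values are compared on the client.
$suffix = ",$orphanDn"
$cmp    = [StringComparison]::OrdinalIgnoreCase
$references = Get-ADObject -SearchBase $configNc -Filter * -Properties * |
    ForEach-Object {
        $obj = $_
        foreach ($name in $obj.PropertyNames) {
            foreach ($value in $obj.$name) {
                if ($value -is [string] -and
                    ($value -ieq $orphanDn -or $value.EndsWith($suffix, $cmp))) {
                    [pscustomobject]@{
                        Object    = $obj.DistinguishedName
                        Class     = $obj.ObjectClass
                        Attribute = $name
                        Value     = $value
                    }
                }
            }
        }
    }

"crossRef objects still defining ${orphanDn}: $(@($crossRefs).Count)"
$references | Sort-Object Class, Object | Format-Table -AutoSize -Wrap
```

Run it before and after the cleanup and keep both outputs: the difference is the record of what was removed, and whatever remains in the second run is the list still to be reviewed.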