DNS entries in other DNS servers after Demotion

  • Question

  • Hi all

    I have demoted a DC/DNS from the domain, other DC/DNSs are still operating. I have used DCPROMO to do that and I can see AD worked fine.

    The problem is within DNS:
    if I look at DNS entries on live DNS servers, I can still see entries for the demoted DC/DNS server.
    I have uninstalled DNS role from the server but it did not delete entries on other servers.
    I have also run NSLOOKUP and it comes back with a list of IPs, including the demoted IP.

    What do I have to do in order to remove all entries in DNS?

    Remove them manually one by one?
    Run the scavenging? Please help, how?
    Run NTDSutil? Please help, how?

    Thanks for your help!


    BD

    Wednesday, August 8, 2012 11:39 AM

Answers

  • Hello,

    If DNS records are not removed completely, please check the DNS zones and the DNS zone properties NAMESERVER tab. Remove old records manually if the DC is removed completely from the domain.

    Additionally, you must remove the demoted DC from AD Sites and Services; this is NOT done during demotion.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by kakagol Saturday, August 11, 2012 6:49 AM
    Wednesday, August 8, 2012 12:12 PM
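    Added example (not code from the thread or from Microsoft): a PowerShell audit of the zones the thread names for records that still point at the demoted DC, covering the NAMESERVER tab (NS records), the _msdcs delegation, and the SRV/CNAME/A/PTR records a DC registers. It assumes the DnsServer module (Windows Server 2012 or later) on a surviving DNS server; the demoted DC's FQDN, its IP and the reverse zone name are hypothetical placeholders.

    ```powershell
    # Added example, not code from the thread. Audits the zones named in the thread for
    # records that still point at the demoted DC and removes them with -WhatIf first.
    # Requires the DnsServer module (Windows Server 2012 or later) on a surviving DNS server.
    # The demoted DC's name, IP and the reverse zone are hypothetical placeholders.
    Import-Module DnsServer

    $DemotedFqdn = 'olddc.abc.com'        # hypothetical FQDN of the demoted DC
    $DemotedIp   = '192.0.2.10'           # hypothetical IP (TEST-NET-1, not a real address)
    $Zones       = @('abc.com', '_msdcs.abc.com', '2.0.192.in-addr.arpa')  # reverse zone is hypothetical

    function Get-StaleDcRecord {
        param([string]$ZoneName, [string]$Fqdn, [string]$Ip)
        # Without -Name, Get-DnsServerResourceRecord returns every node in the zone, so the
        # _tcp, _sites, DomainDnsZones, ForestDnsZones and _msdcs subtrees are all covered.
        Get-DnsServerResourceRecord -ZoneName $ZoneName | Where-Object {
            $d = $_.RecordData     # captured before the switch, which rebinds $_ to RecordType
            switch ($_.RecordType) {
                'SRV'   { $d.DomainName.TrimEnd('.')    -ieq $Fqdn }   # _ldap, _kerberos, _gc targets
                'NS'    { $d.NameServer.TrimEnd('.')    -ieq $Fqdn }   # Name Servers tab, _msdcs delegation
                'CNAME' { $d.HostNameAlias.TrimEnd('.') -ieq $Fqdn }   # <DSA GUID>._msdcs alias
                'PTR'   { $d.PtrDomainName.TrimEnd('.') -ieq $Fqdn }   # reverse zone
                'A'     { $d.IPv4Address.IPAddressToString -eq $Ip }
                default { $false }
            }
        }
    }

    foreach ($zone in $Zones) {
        $stale = @(Get-StaleDcRecord -ZoneName $zone -Fqdn $DemotedFqdn -Ip $DemotedIp)
        Write-Host "Zone $zone : $($stale.Count) record(s) still reference $DemotedFqdn"
        # An empty Timestamp means the record is static: aging/scavenging will never remove it.
        $stale | Select-Object HostName, RecordType, Timestamp | Format-Table -AutoSize

        foreach ($rec in $stale) {
            # Drop -WhatIf once the list above has been reviewed.
            Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rec -Force -WhatIf
        }
    }
    ```

    Review the listing before removing -WhatIf: any record in the output with an empty Timestamp column was created statically, and enabling aging/scavenging alone will not remove it.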

All replies

  • Thanks for that

    I have removed it from:

    ADSS
    a PTR record on the reverse lookup zone

    Then I have those entries in 2 zones: (I am not sure what to do...)

    1st ZONE       ( _msdcs.abc.com )
     I have one NS record

    2nd ZONE       ( abc.com )
    _msdsc > I have a NS record
    DomainDnsZones > Sites > _tcp > I have one SRV record
    DomainDnsZones > _tcp > I have one SRV record
    ForestDnsZones > Sites > _tcp > I have one SRV record
    ForestDnsZones > _tcp > I have one SRV record
    TAPI3Directory > Sites > _tcp > I have one SRV record
    TAPI3Directory > _tcp > I have one SRV record

    PLease help thanks


    BD

    Wednesday, August 8, 2012 12:33 PM
  • Hello,

    1st is about the Nameserver listing in the DNS zone properties, Nameserver tab. Have you checked that the DNS server is removed there also?

    2nd may take some time after removing the DC from AD Sites and Services.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, August 8, 2012 12:57 PM
  • 1st ZONE       ( _msdcs.abc.com )
    It is now OKAY, no records for that IP

    2nd ZONE       ( abc.com )
    I still have those entries, the DC has been deleted from ADSS. Should I wait or can I just delete them all manually?

    _msdsc > I have a NS record
    DomainDnsZones > Sites > _tcp > I have one SRV record
    DomainDnsZones > _tcp > I have one SRV record
    ForestDnsZones > Sites > _tcp > I have one SRV record
    ForestDnsZones > _tcp > I have one SRV record
    TAPI3Directory > Sites > _tcp > I have one SRV record
    TAPI3Directory > _tcp > I have one SRV record


    BD

    Wednesday, August 8, 2012 1:07 PM
  • Hello,

    Which SRV record is listed there?

    But if the server doesn't exist anymore it should be safe to delete it.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, August 8, 2012 1:51 PM
  • It's the _ldap SRV record for the demoted server.

    Aging/Scavenging is not set. Do you think setting it would delete the entries automatically?


    BD

    Wednesday, August 8, 2012 2:05 PM
  • Hi BD,

    Thanks for posting here.

    Yes, it should be. However, I'd suspect that the change (DC demotion) has not been replicated to the other DNS servers that contain the AD integrated zone. Could we try to first manually replicate with the servers and see how it goes:

    Repadmin /syncall

    http://technet.microsoft.com/en-us/library/cc835086(v=ws.10)

    Of course we are definitely able to manually clean old records from the AD database:

    How to remove data in Active Directory after an unsuccessful domain controller demotion

    http://support.microsoft.com/kb/216498/

    Thanks.

    Tiger Li


    TechNet Community Support

    • Proposed as answer by Sandesh Dubey Friday, August 10, 2012 11:49 PM
    Friday, August 10, 2012 5:54 AM
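    Added example (not code from Tiger Li's post or Microsoft): a PowerShell script that forces the replication suggested above with repadmin /syncall and then checks the result the way the original poster did with NSLOOKUP, but against every remaining DC's own DNS service, flagging any server that still answers the domain SRV queries with the demoted DC. It assumes the ActiveDirectory module and Resolve-DnsName (Windows Server 2012 or later); the domain and host names are hypothetical placeholders.

    ```powershell
    # Added example, not from Tiger Li's post. Forces replication as suggested, then asks each
    # remaining DC's own DNS service for the domain SRV records and flags any answer that still
    # targets the demoted DC. Domain and host names are hypothetical placeholders.
    Import-Module ActiveDirectory

    $Domain      = 'abc.com'
    $DemotedFqdn = 'olddc.abc.com'

    # /A all partitions, /d identify servers by DN, /e enterprise (cross-site), /P push from this DC
    repadmin /syncall /AdeP | Out-Null
    # A DC with replication failures keeps serving a stale copy of the AD-integrated zone
    repadmin /replsummary

    $srvNames = @(
        "_ldap._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain"
    )
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $report = foreach ($dc in $dcs) {
        foreach ($name in $srvNames) {
            # -DnsOnly skips the local cache and LLMNR/NetBIOS; -Server pins the query to that DC
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $dc -DnsOnly -ErrorAction SilentlyContinue
            $stale   = @($answers | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -ieq $DemotedFqdn })
            [pscustomobject]@{
                DnsServer  = $dc
                Query      = $name
                StaleCount = $stale.Count
            }
        }
    }

    $report | Format-Table -AutoSize
    $report | Where-Object StaleCount -gt 0 | ForEach-Object {
        Write-Warning "$($_.DnsServer) still returns $DemotedFqdn for $($_.Query)"
    }
    ```

    If one server keeps answering with the demoted DC after the others have stopped, the repadmin /replsummary output is the first place to look, since that server is most likely not receiving the zone updates rather than holding extra records.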
  • How was the demotion, forceful or normal? If the demotion was normal, assuming that you have an AD integrated zone, wait for replication to complete as Tiger suggests, or you can use repadmin /syncall /AdeP or AD Sites and Services to force the replication and check. Also check AD Sites and Services and the DNS Nameserver tab to remove the instances of the faulty DC.

    In case the demotion was forceful, you need to remove the instances of the faulty DC from the AD database, DNS, AD Sites and Services, and the DC OU.
    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, August 10, 2012 11:50 PM
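    Added example (not code from Sandesh Dubey's post or Microsoft): a PowerShell check for the metadata a forcefully demoted DC leaves behind in the places the reply lists (the server object in AD Sites and Services, its NTDS Settings object, the computer account in the Domain Controllers OU, and FSMO roles still assigned to it), so you know whether a metadata cleanup is actually needed before running one. It assumes the ActiveDirectory module; the DC name is a hypothetical placeholder.

    ```powershell
    # Added example, not from Sandesh Dubey's post. Checks the places where a forcefully demoted
    # DC leaves metadata behind (AD Sites and Services, the Domain Controllers OU, FSMO roles)
    # before any metadata cleanup. The DC name is a hypothetical placeholder.
    Import-Module ActiveDirectory

    $DcName   = 'OLDDC'   # hypothetical NetBIOS name of the demoted DC
    $ADDomain = Get-ADDomain
    $ADForest = Get-ADForest
    $ConfigNC = (Get-ADRootDSE).configurationNamingContext

    function Get-OrphanedDcMetadata {
        param([string]$Name, [string]$ConfigNC, [string]$DomainDN)
        $sites = "CN=Sites,$ConfigNC"
        [pscustomobject]@{
            # Server object shown under the site in AD Sites and Services
            SiteServer   = Get-ADObject -SearchBase $sites -LDAPFilter "(&(objectClass=server)(cn=$Name))"
            # NTDS Settings (nTDSDSA) child: while it exists, other DCs still treat $Name as a replica
            NtdsSettings = Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSDSA)' |
                               Where-Object DistinguishedName -like "*,CN=$Name,CN=Servers,*"
            # Computer account left in the Domain Controllers OU
            DcComputer   = Get-ADObject -SearchBase "OU=Domain Controllers,$DomainDN" -LDAPFilter "(&(objectClass=computer)(cn=$Name))"
            # FSMO roles that still name the missing DC and would need to be seized
            FsmoHeld     = @($ADDomain.PDCEmulator, $ADDomain.RIDMaster, $ADDomain.InfrastructureMaster,
                             $ADForest.SchemaMaster, $ADForest.DomainNamingMaster) | Where-Object { $_ -like "$Name.*" }
        }
    }

    $meta = Get-OrphanedDcMetadata -Name $DcName -ConfigNC $ConfigNC -DomainDN $ADDomain.DistinguishedName
    $meta | Format-List

    if ($meta.NtdsSettings) {
        # On Windows Server 2008 and later, deleting the NTDS Settings object triggers the
        # metadata cleanup; ntdsutil "metadata cleanup" "remove selected server <server DN>"
        # does the same from the command line. Review the DN above, then drop -WhatIf.
        Remove-ADObject -Identity $meta.NtdsSettings -Recursive -Confirm:$false -WhatIf
    }
    ```

    If every field comes back empty, the demotion was clean and only the DNS records are left to deal with; a non-empty NtdsSettings is the sign that the other DCs still consider the demoted server a replication partner and that the cleanup from KB 216498 or the linked guide applies.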
  • Thank you all
    It's all solved now!!!


    BD

    Saturday, August 11, 2012 6:49 AM