Re: Forcefully (manually) removing a domain
From: Herb Martin (news_at_LearnQuick.com)
Date: 12/24/04
- Next message: Al Mulnick: "Re: Move a DHCP database"
- Previous message: Kevin: "Getting rid of old DC references"
- In reply to: John Rosenlof: "Re: Forcefully (manually) removing a domain"
- Next in thread: Dean Wells [MVP]: "Re: Forcefully (manually) removing a domain"
- Reply: Dean Wells [MVP]: "Re: Forcefully (manually) removing a domain"
- Reply: John Rosenlof: "Re: Forcefully (manually) removing a domain"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 24 Dec 2004 09:13:03 -0600
"John Rosenlof" <greyseal96@hotmail.com> wrote in message
news:OGhPRna6EHA.3856@tk2msftngp13.phx.gbl...
> > > Is there something else that I can do to remove it? Do I
> > > just take the setting out of the registry, or is there something more?
> >
> > What setting?
>
> I found a setting in the registry that contains the domains listed at the
> logon screen. If I deleted that, I'm assuming that that would solve this.
> The only problem that I see with that is that I would have to delete that
> value on all of the computers in the network. I'm hoping to find a way to
> get the DC's to tell all of the computers.
I don't think you can hurt anything by removing that
REMOVED domain -- but like all of the MS KBs
on the registry, I warn you to first back up (maybe
it's time for a System State backup anyway).
I would also just write down the key and value so
that I could type it back in.
Chances are it will just come back if the domain is
still known to the DCs.
> > Have you removed the trust from Domains and Trusts
> > or however you created it...?
>
> Yes and no. The trust is broken, but it is still listed. I cleaned up and
> removed all of the stuff in AD, but in Domains and Trusts I can't delete the
> icon for the formerly trusted domain. When I right-click it there is no
> delete option. I'm not sure, after going through the whole removal process,
> how to get that deleted. Any ideas would be greatly appreciated.
You might look to see if there is a Trust delete procedure
for NTDSUtil (or ADSIEdit) -- I do not personally know
of one.
> Thanks again. Merry Christmas.
> -John
--
Herb Martin

> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:ObERzSS6EHA.2196@TK2MSFTNGP14.phx.gbl...
> > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > news:eWMIlaR6EHA.2592@TK2MSFTNGP09.phx.gbl...
> > > I went in and changed the DNS settings to what you instructed. We have two
> > > DC's doing DNS and the forward lookup zones for our domain were both doing
> > > dynamic update. The reverse lookup zones were not doing it for our subnet
> > > so I set it to do so.
> >
> > Good, doing that for the reverse zones is fine but it
> > was not likely to have been causing you any troubles --
> > reverse zones are nearly as important as many people
> > seem to think.
> >
> > > I made the setting to both DC's and it appears that
> > > they both show the change as being made, although I'm not exactly sure on
> > > how to verify that other than looking in the DNS mmc on each computer. I
> >
> > Dynamic? Just watch to see if new records appear...or
> > get corrected or just make sure that nothing you need is
> > missing.
> >
> > > then set the workstations and servers to use only those two DC's for DNS and
> > > verified that they are set that way through ipconfig. I restarted netlogon
> > > on the two DC's. The name of the removed domain is still listed at the
> > > logon screen.
> >
> > Those domains may still be listed in the trusts.
> >
> > The reason for fixing the DNS was to make sure the
> > DCs replicated AND to make sure the clients authenticate,
> > rather than to fix the problem directly.
> >
> > > Is there something else that I can do to remove it? Do I
> > > just take the setting out of the registry, or is there something more?
> >
> > What setting?
> >
> > Have you removed the trust from Domains and Trusts
> > or however you created it...?
> >
> > > Thanks for your patience and your help. And also, thanks for the info about
> > > GINA.
> >
> > Sure.
> >
> > --
> > Herb Martin
> >
> > > -John
> > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > news:ewu9vIJ6EHA.1404@TK2MSFTNGP11.phx.gbl...
> > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > news:eGy$JwI6EHA.2584@TK2MSFTNGP10.phx.gbl...
> > > > > Thanks again for the info. That helped out because just to check on the
> > > > > authentication, I unplugged my PC from the ethernet port and attempted to
> > > > > sign on to the domain. It signed on without a problem which tells me that
> > > > > it is caching the info and not refreshing it. How do I fix this?
> > > >
> > > > That part is normal. It is so a machine can log you
> > > > onto (your own) machine when it travels or the net
> > > > is down (e.g., a laptop.)
> > > >
> > > > > Is it a
> > > > > setting in GP? The DC's are both replicating properly and the DNS records
> > > > > are cleaned of the old domain. I just can't get that stupid domain to not
> > > > > be listed on the logon screen.
> > > >
> > > > You can change the number of cached logons but let's
> > > > fix the real problem first.
> > > >
> > > > It's probably a DNS issue:
> > > >
> > > > DNS for AD
> > > > 1) Dynamic for the zone supporting AD
> > > > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > > >    that internal, dynamic DNS server (set.)
> > > > 3) DCs and even DNS servers are DNS clients too -- see #2
> > > >
> > > > Restart NetLogon on any DC if you change any of the above that
> > > > affects a DC and/or use:
> > > >
> > > >    nltest /dsregdns /server:DC-ServerNameGoesHere
> > > >
> > > > Ensure that DNS zones/domains are fully replicated to all DNS
> > > > servers for that (internal) zone/domain.
> > > >
> > > > > About the GINA--could you either explain that a little more or refer me to
> > > > > an article that explains it? I've never heard about it, and I'm always open
> > > > > to learning new stuff.
> > > >
> > > > It's not usually important -- I just happen to have worked
> > > > with the signon source code, writing and advising on the
> > > > writing of a custom GINA: Graphical Identification 'n
> > > > Authentication.
> > > >
> > > > You can search for something like this through Google:
> > > >
> > > > [ msgina microsoft: ]
> > > > or
> > > > [ msgina site:microsoft.com ]
> > > > or
> > > > [ msgina site:msdn.microsoft.com ]
> > > >
> > > > --
> > > > Herb Martin
> > > >
> > > > > Thanks!
> > > > > -John
> > > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > > news:uURM8585EHA.2876@TK2MSFTNGP12.phx.gbl...
> > > > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > > > news:O7#tol75EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > > > > > Thanks for the response. I appreciate the help.
> > > > > > > A couple of questions--
> > > > > > > How long should it take to remove itself from the list? It's been a few
> > > > > > > days and it's still there?
> > > > > > > What is an external trust?
> > > > > >
> > > > > > Generally it should remove on the next boot after
> > > > > > replication of the DCs.
> > > > > >
> > > > > > Once the DCs don't know about the trust (it is removed)
> > > > > > and the machine rebuilds (re-queries) from the DCs this
> > > > > > should go.
> > > > > >
> > > > > > One must wonder if your DCs are replicating and if the
> > > > > > machines are properly authenticating with (a replicated)
> > > > > > DC.
> > > > > >
> > > > > > PT mentioned WINS issues but that is generally only
> > > > > > an issue for domains and servers continuing to show
> > > > > > up in the BROWSE lists.
> > > > > >
> > > > > > (The code in the GINA which builds the logon list of
> > > > > > domains does not use directly -- except may to find
> > > > > > its own DC. GINA==logon screen)
> > > > > >
> > > > > > The machines do however remember that list (I believe)
> > > > > > between boots, in case they are offline, and so it can
> > > > > > survive reboots if the machine is not authenticating.
> > > > > >
> > > > > > Most authentication problems are really DNS issues
> > > > > > in Win2000+ Domains:
> > > > > >
> > > > > > DNS for AD
> > > > > > 1) Dynamic for the zone supporting AD
> > > > > > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > > > > >    that internal, dynamic DNS server (set.)
> > > > > > 3) DCs and even DNS servers are DNS clients too -- see #2
> > > > > >
> > > > > > Restart NetLogon on any DC if you change any of the above that
> > > > > > affects a DC and/or use:
> > > > > >
> > > > > >    nltest /dsregdns /server:DC-ServerNameGoesHere
> > > > > >
> > > > > > Ensure that DNS zones/domains are fully replicated to all DNS
> > > > > > servers for that (internal) zone/domain.
> > > > > >
> > > > > > --
> > > > > > Herb Martin
> > > > > >
> > > > > > > Thank you
> > > > > > > -John
> > > > > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > > > > news:#PTT0O75EHA.1120@TK2MSFTNGP11.phx.gbl...
> > > > > > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > > > > > news:e7wJ7g55EHA.2124@TK2MSFTNGP15.phx.gbl...
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > As per the advice that I got here, I followed what KB 216498 said and I
> > > > > > > > > successfully removed a domain from Active Directory. The domain that was
> > > > > > > > > removed had a trust relationship with our current (surviving) domain and
> > > > > > > > > consequently at the logon screen of the computers it was listed as an
> > > > > > > > > available domain to log onto. My question has a couple of parts---1) Now
> > > > > > > > > that I've removed the trust and the computer metadata from AD, will that
> > > > > > > > > disappear on the workstations, or do I have to manually remove it as well?
> > > > > > > > > and 2) We want to rejoin the computer that was removed and we want to keep
> > > > > > > > > the same domain and computer name. Will this cause any problems if that
> > > > > > > > > domain is still listed on the workstations before it is rejoined?
> > > > > > > >
> > > > > > > > It should disappear after the domain and its trust are gone,
> > > > > > > > replicated etc.
> > > > > > > >
> > > > > > > > IF this was an external trust you should also delete this
> > > > > > > > from the machine domain.
> > > > > > > >
> > > > > > > > > Thank you in advance for any help that can be given, and let me know if I
> > > > > > > > > outlined our problem clearly.
> > > > > > > >
> > > > > > > > --
> > > > > > > > Herb Martin
> > > > > > > >
> > > > > > > > > -John
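
Added example, not part of the original thread: one way to check item 2 of the "DNS for AD" checklist quoted above (clients must list SOLELY the internal DNS servers) against saved `ipconfig /all` output, including the continuation lines that carry the second and later servers. The server addresses, the sample output and the function names are constructed for illustration.

```python
import re

# Assumption: the two internal DC/DNS servers (constructed addresses).
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}

# Constructed `ipconfig /all` excerpt; the second adapter also lists an outside resolver.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example.com
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11

Ethernet adapter Wireless:

   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       192.0.2.53
   Primary WINS Server . . . . . . . : 10.0.0.10
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")

def dns_servers_by_adapter(text):
    """Map each adapter in `ipconfig /all` output to its DNS server list."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not line[0].isspace():      # unindented: section header
            current, in_dns = stripped.rstrip(":"), False
            adapters[current] = []
            continue
        label, sep, value = stripped.partition(" : ")
        if sep and current:                         # "Label . . . : value"
            in_dns = label.startswith("DNS Servers")
            if in_dns:
                adapters[current].append(value.strip())
        elif in_dns and IPV4.match(stripped):       # extra servers, one per line
            adapters[current].append(stripped)
        else:
            in_dns = False
    return {name: dns for name, dns in adapters.items() if dns}

def non_internal_dns(text, allowed=INTERNAL_DNS):
    """Adapters whose DNS list is not SOLELY the internal servers."""
    listed = dns_servers_by_adapter(text)
    extra = {a: [s for s in dns if s not in allowed] for a, dns in listed.items()}
    return {a: bad for a, bad in extra.items() if bad}
```

An empty result from `non_internal_dns` means every adapter in the capture points only at the internal servers; any entry names the adapter and the address to remove.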