Re: Removing "permanently offline" DC...

Hi,

Well I guess there is a few ways you can go about this.
First I would point the two remaining machines to the PDC emulator in
your domain for primary DNS.
Make sure that at least one of these machines is a Global Catalog
server.
I would then do the following:

Run metadata cleanup on BOTH machines as per
http://support.microsoft.com/kb/216498 and as you see in the article it
also has the error message that displays for you.

Run ADSIedit on BOTH machines and remove any instance of the old domain
controller. (from the support tools)

1. Use ADSIEdit to delete the computer account
DC=Domain...OU=Domain Controllers, CN(OLD DOMAIN CONTROLLER)
If you cannot delete this CN, I would expand it and delete anything
under it one at a time.
Note: The FRS subscriber object is deleted when the computer object is
deleted, since it is a child of the computer account.

2. Use ADSIEdit to delete the FRS member object in
DC=Domain..,CN=System,(SYSVOL share),CN=file replication
service,CN=Domain System Volume (SYSVOL share), CN=(OLD DC)

3. In the DNS console, use the DNS MMC to delete the cname
(also known as the Alias) record in the _msdcs container.

4. In the DNS console, use the DNS MMC to delete the A (also known as
the Host) record in DNS.

5. If the deleted computer was the last domain controller in a child
domain and the child domain was also deleted, use
ADSIEdit to delete the trustDomain object for the child in CN=System,
DC=domain, DC=domain, Domain NC.

If this was a DNS server before you brought it down, remove the Name
Server record in DNS from the other DNS servers.
Open up your DNS console, right click _msdcs.YOURDOMAIN, properties,
NAME SERVERS and remove old DC.

Make sure there is no connection objects to this domain controller from
Sites and Services on the other machines.
I would actually delete all connection objects between all domain
controllers from Sites and Services on both machines and we will let
the KCC recreate the connection objects automatically.
I would then run the following command on the two existing servers
AFTER verifying that the two are pointed to the PDC emulator for
primary DNS.

ipconfig /flushdns & ipconfig /registerdns & net stop netlogon & net
start netlogon & net stop ntfrs & net start ntfrs.
We wait for the KCC to create the connection objects and we will then
look in the event logs of the remaining machines for the following
Event 13516 OR 13509 which indicate successful replication.
Let the machines replicate for a while and check for any errors.

Remember to change your client machines DNS if this old machine was the
DNS server the clients were pointed to.
If your DCHP scope had this old DC as a DNS server, remember to remove
that as well.

I hope this helps

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com


Matthew McBride wrote:
Any ideas on fixing the replication and/or manually removing the traces from
the other DC's? I only have two others...

"Harj" wrote:

Hi,

From the support tools run Replomon and extract any errors it may give.
Also you can try dcdiag /v.

The error you are receiving pretty much means the NTDS Settings object
may already be removed from the Active Directory as the result of
another administrator (or you) removing the NTDS Settings object, or
replication of the successful removal of the object has not fully
finished.

What I think is happening is that the removal has not replicated to all
DC's straight up, it is trying to delete something that is not there.


Matthew McBride wrote:
The only replication errors I can see is that AD still seems to be looking
for the offline server. What's the easiest way to test replication?

"Harj" wrote:

Hi,
From your other domain controller are you getting any replication
errors? This is usual caused by replication latency

Matthew McBride wrote:
That was actually the first article I tried...I thought going back through
metadata cleanup after completing all the steps would work, but no luck.
It's the last step that I'm stuck on (#20)...I get no error anything when
attempting that...it just never goes away.

"Harj" wrote:

Hi,

Take a look at this article about metadata cleanup which describes the
DSA object cannot be found

How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/kb/216498/

My years at Microsoft showed me this could be a replication issue
still, but if you follow the article you will be able to remove the old
DC with no problems

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com


Matthew McBride wrote:
Yes...I get several errors when attempting. Something about "element not
found" and "DSA object could not be found."


"abckid" wrote:

Hi,

Did you try metadata cleanup ?

http://technet2.microsoft.com/WindowsServer/en/Library/1a7522c3-ac6e-4f83-af5b-9be87b47a95d1033.mspx?mfr=true

abckid.

"Matthew McBride" wrote:

One of our DC's died a few weeks ago...it wasn't a server class machine and
suffered a hard drive failure. I have another server promoted and have
switched all the FSMO roles. Everything seems to be replicating correctly,
but I am unable to remove all traces of the previous DC. I'm getting
numerous errors in the logs because the current DC's can't find it.

I tried going to AD Sites and Services and removing it there...but even when
I click the option that the domain controller is permanently offline and
cannot be demoted by using DCPROMO, it never gets deleted.

Any suggestions?







.

Relevant Pages

  • Re: SBS 2003 and Replication Errors with Remote DC
    ... alpha server as soon as you can to get things going. ... A simple DNS replication test is to create a host record in the SBS server ... Domain Controller Diagnosis ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 and Replication Errors with Remote DC
    ... I did make the changes that you suggested on the DNS of my alpha server and rebooted. ... I did run the simple DNS test that you suggested by adding a host record to my SBS server. ... A simple DNS replication test is to create a host record in the SBS server and wait till it shows up in the remote server. ...
    (microsoft.public.windows.server.sbs)
  • Re: how do i move primary DC from one machine to another
    ... Test omitted by user request: DNS ... Connecting to directory service on server WIN2003DC. ... Replication Site Latency Check ...
    (microsoft.public.windows.server.general)
  • Re: error 8254 DNS Lookup failure
    ... FYI, I repointed the DNS to one server, deleted the contents of _MSDCS ... > in the same site, Replication has been fine up until yesterday, the ... > Starting test: CrossRefValidation ...
    (microsoft.public.win2000.dns)
  • Re: How to enable communication between Two different lans (subnets)/ domains 2003 server based? Ass
    ... You will also almost certainly have DNS problems running a domain behind ... server domain, with a DHCP server running on one of the 2003 boxes. ... the "inner" subnet can see the original subnet and the Internet, ... The .227 machines can see the machines on the 192.168.1.0 subnet and the ...
    (microsoft.public.windows.server.networking)