removing Windows 2008 DC after demotion, time for ntdsutil
- From: "Edward Ray" <hunglikethor@xxxxxxxxxxxx>
- Date: Wed, 20 May 2009 15:11:01 -0700
Looks like I will have to put in some time answering other people's questions; this is my third in the last week or so :)
Recently demoted a Windows 2008 x64 Enterprise DC to a member server. It was also an enterprise subordinate CA, so first I backed up the private key, database and registry settings of the CA. Then I removed the Active Directory Services (had to do this before DC demotion). Then I used "dcpromo" to demote the DC, followed by removal of "Active Directory Domain Services" and "DNS Server" in the "Server Manager." Then I added back the Active Directory Certificate Services and imported the private key, database and registry settings.
All appeared to be working fine, except that all of my clients still continue to try to get Kerberos tickets from the demoted DC (I use "tcpdump" on a SPAN switch port to observe this). In addition, the demoted DC is still listed in "Active Directory Sites and Services" and attempts to remove it fail due to lack of permissions. This is despite the fact that I am logged in as an Enterprise Admin and the Enterprise Admin has "Full Control" under the Security tab of the demoted DC in Sites and Services.
The recently added DC (also a Windows 2008 x64 Enterprise system) has the following error in the Directory Service event log (Event ID 1568, repeated 3 times in the same time period):
None of the directory servers in the following site that replicate the following directory partition are configured to use the following transport, even though the site itself is configured to allow replication over this transport.
Site:
CN=Orange,CN=Sites,CN=Configuration,DC=mmicmanhomenet,DC=local
Directory partition:
CN=Configuration,DC=mmicmanhomenet,DC=local
Transport:
CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mmicmanhomenet,DC=local
User Action
- Configure the site to not allow replication using this transport by modifying the appropriate siteLink objects.
- Enable one or more directory servers to use this transport. For the SMTP transport, this requires installation of the SMTP service and configuration of the mailAddress attribute on the corresponding Server object.
All of my domain controllers (2 Windows 2008 Enterprise, 1 Windows 2003 R2 SP2 Enterprise; Windows 2003 native AD domain/forest) are in different sites, have the SMTP service installed and have a rule allowing them to replicate via SMTP. This is by choice; I have found it to be a more secure as well as more robust way to replicate across geographically dispersed sites.
Suspect it is time to use ntdsutil to clean up the AD and fix these issues. It has been a while since I have messed around with ntdsutil, so if someone can point me to or give me a step-by-step, much appreciated. Main goal is to get the old demoted DC records out of the AD and be able to remove the server from Sites and Services. I also do not seem to have permissions to remove the site link and recreate it, which was the first thing I tried.
Thanks in advance!
Edward Ray
CISSP, GCIA, GCIH, MCSE+Security
Netsec Consulting
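Added example, not part of Edward Ray's post or any reply: the ntdsutil metadata cleanup the post asks for, followed by the checks that show whether AD and DNS have actually stopped advertising the demoted DC. The site name "Orange" and the forest DN are taken from the event text quoted above; the host names OLDDC and DC01 are placeholders, and the dnscmd deletion line is shown as a commented example rather than run, because the real record values depend on what netlogon registered.

```powershell
# Added example (not from the original post). Run from an elevated
# PowerShell prompt on a live DC, logged on as an Enterprise Admin.
$OldDc    = 'OLDDC'   # hypothetical: name of the demoted 2008 DC
$LiveDc   = 'DC01'    # hypothetical: a healthy DC to bind to
$Domain   = 'mmicmanhomenet.local'
$ConfigDn = 'CN=Configuration,DC=mmicmanhomenet,DC=local'
$ServerDn = "CN=$OldDc,CN=Servers,CN=Orange,CN=Sites,$ConfigDn"

# 1. What AD still believes the DC list is; the demoted box should not be here.
dsquery server -forest

# 2. Strip its NTDS Settings object and replication metadata. On 2003 SP1
#    and later the server DN can be passed straight to "remove selected
#    server" instead of walking "select operation target"; ntdsutil still
#    raises a confirmation dialog before it deletes anything.
ntdsutil "metadata cleanup" connections "connect to server $LiveDc" quit `
         "remove selected server $ServerDn" quit quit

# 3. Metadata cleanup removes NTDS Settings but can leave the bare server
#    object behind in Sites and Services; delete the subtree explicitly.
if (dsquery * $ServerDn -scope base 2>$null) {
    dsrm $ServerDn -subtree -noprompt
}

# 4. Clients keep asking the old box for tickets as long as its locator
#    SRV records survive in DNS. Check the records a client walks and
#    flag any that still name the demoted server.
$srvNames = @(
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.Orange._sites.dc._msdcs.$Domain",
    "_ldap._tcp.Orange._sites.dc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    $answer = nslookup -type=SRV $name $LiveDc 2>$null
    if ($answer -match $OldDc) {
        Write-Warning "$name still points at $OldDc"
        # Delete the stale record with the values nslookup reported, e.g.
        # (priority 0, weight 100, port 88 are netlogon's Kerberos defaults):
        # dnscmd $LiveDc /RecordDelete "_msdcs.$Domain" "_kerberos._tcp.dc" SRV 0 100 88 "$OldDc.$Domain." /f
    }
}

# 5. Confirm no remaining DC still lists the removed server as a partner.
repadmin /showrepl * /errorsonly
dcdiag /test:replications /test:knowsofroleholders
```

On Windows Server 2008 the same cleanup is triggered automatically when the NTDS Settings object under the server in Sites and Services, or the DC's computer object in Users and Computers, is deleted from the GUI; the ntdsutil form above is useful when, as in the post, that deletion is being refused, because it binds to a DC you choose and reports exactly which object it could not remove.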
- Follow-Ups:
- Re: removing Windows 2008 DC after demotion, time for ntdsutil
- From: Ace Fekay [Microsoft Certified Trainer]
- Re: removing Windows 2008 DC after demotion, time for ntdsutil