Solved

Orphaned sub-domain with a crashed and dead DC

Posted on 2006-10-20
7
762 Views
Last Modified: 2010-04-18
THIS DOMAIN DOES NOT REALLY EXIST - USING THE DOMAIN NAMES FOR AN EXAMPLE

We have a domain imaginary.com on which we created a sub-domain really.imaginary.com. On the sub-domain we created a Domain Controller named CLAUDETTE. Several days after adding CLAUDETTE to the sub-domain and promoting her to a global DC she crashed and burned.

What we would like to do at this point is remove any and all references to CLAUDETTE and the sub-domain really.imaginary.com
from AD.

Does anyone know how I would go about this?

I take it that I would have to go into AD using a tool/utility to manually remove the entries but do not know which tools to use or where to look in AD.

Thank you,

Keatscon
0
Comment
Question by:keatscon
  • 3
  • 2
  • 2
7 Comments
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17775798
See http://support.microsoft.com/?kbid=216498

Be sure to take careful note of the warnings.  You will be directly modifying the AD schema as part of the process and should take great care.  Forked AD is much worse than a forked registry.  I'd make sure to get good system state backups of all DCs before beginning and only move forward when there is ample time to make and test the change then rollback if necessary.

Good Luck!
0
 

Author Comment

by:keatscon
ID: 17776923
CharliePete00,

     If I were to shutdown a DC and perform the procedure on the remaining DC,
     would I then be able to bring up the DC that was shutdown and push the changes
     down to this DC?

     Or would I have to leave both DCs up and running and perform the procedure?

     My line of thinking is that I can take one of DCs down and in case of an error I could take
    the damaged DC down and then bring up the healthy DC to take it's place.

   
Thank you,

Keatscon
0
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17780995
No.  Active Directory, like any other database, can be divided into 2 parts:  the schema or definitions/descriptions of the data stored; and the data itself.  AD replication only passes changes in data and not schema.  Placing a DC in Authoritative Restore mode is simply a way of forcing all of the AD data it contains to be replicated to all other DCs.  No schema changes will be made.  Taking one of your DCs down to use for an authoritve restore in case the manual removal of the subdomain goes bad will not work.  You will need system state backups of all DCs prior to beginning in order to recover if necessary.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 17782868
i just typed out a long answer and my wiresless died.....what a PITA....

Basically you have a different situation than the link that was posted gives you, you have lost a DC in your Domain, you lost it in your forest so things are a little different

remove the trusts and data associated with them

http://support.microsoft.com/kb/q230306

Delete the DC's
http://support.microsoft.com/kb/q230306

delete the records from DNS, Sites and Services, and you may need ADSIEDIT to remove from ADUC
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782869
0
 

Author Comment

by:keatscon
ID: 17791413
Gentlemen,

    I tried KB216498 per CharliePete00's recommendation. Receiveed a plethora of error messages and it did not solve my problem.

    I then tried KB230306 and that solved the issue of the sub-domain.

    The domain controller I can find no sign of in AD after following KB230306.
   
    I tried following the article from www.petri.co.il, but could not find the old DC of the sub-domain
    and so quit out of the ntdsutil.

    I do however still the sub-domain listed in the 'Log on to:' drop-down menu in the
    'Log On to Windows' dialog box. Is this a bad sign or just a remnant from the lost sub-domain?
    Should I make attempts at removing this from AD?

Thank you,

Keatscon

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17792526
you need to remove any trusts that in AD Domains and Trusts, need to clear all DNS, need to run a metadata cleanup with NTDSUTIL by attaching to your DC
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question