Solved

Orphaned sub-domain with a crashed and dead DC

Posted on 2006-10-20
Last Modified: 2010-04-18
THIS DOMAIN DOES NOT REALLY EXIST - USING THE DOMAIN NAMES FOR AN EXAMPLE

We have a domain imaginary.com on which we created a sub-domain really.imaginary.com. On the sub-domain we created a Domain Controller named CLAUDETTE. Several days after adding CLAUDETTE to the sub-domain and promoting her to a global DC she crashed and burned.

What we would like to do at this point is remove any and all references to CLAUDETTE and the sub-domain really.imaginary.com from AD.

Does anyone know how I would go about this?

I take it that I would have to go into AD using a tool/utility to manually remove the entries but do not know which tools to use or where to look in AD.

Thank you,

Keatscon
Question by:keatscon
7 Comments
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17775798
See http://support.microsoft.com/?kbid=216498

Be sure to take careful note of the warnings.  You will be directly modifying the AD schema as part of the process and should take great care.  Forked AD is much worse than a forked registry.  I'd make sure to get good system state backups of all DCs before beginning and only move forward when there is ample time to make and test the change then rollback if necessary.

Good Luck!
0
 

Author Comment

by:keatscon
ID: 17776923
CharliePete00,

If I were to shut down a DC and perform the procedure on the remaining DC, would I then be able to bring up the DC that was shut down and push the changes down to this DC?

Or would I have to leave both DCs up and running and perform the procedure?

My line of thinking is that I can take one of the DCs down and in case of an error I could take the damaged DC down and then bring up the healthy DC to take its place.

   
Thank you,

Keatscon
0
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17780995
No.  Active Directory, like any other database, can be divided into 2 parts:  the schema or definitions/descriptions of the data stored; and the data itself.  AD replication only passes changes in data and not schema.  Placing a DC in Authoritative Restore mode is simply a way of forcing all of the AD data it contains to be replicated to all other DCs.  No schema changes will be made.  Taking one of your DCs down to use for an authoritative restore in case the manual removal of the subdomain goes bad will not work.  You will need system state backups of all DCs prior to beginning in order to recover if necessary.
0

 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 17782868
I just typed out a long answer and my wireless died.....what a PITA....

Basically you have a different situation than the link that was posted gives you, you have lost a DC in your Domain, you lost it in your forest so things are a little different

remove the trusts and data associated with them

http://support.microsoft.com/kb/q230306

Delete the DC's
http://support.microsoft.com/kb/q230306

delete the records from DNS, Sites and Services, and you may need ADSIEDIT to remove from ADUC
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782869
0
 

Author Comment

by:keatscon
ID: 17791413
Gentlemen,

I tried KB216498 per CharliePete00's recommendation. Received a plethora of error messages and it did not solve my problem.

I then tried KB230306 and that solved the issue of the sub-domain.

The domain controller I can find no sign of in AD after following KB230306.

I tried following the article from www.petri.co.il, but could not find the old DC of the sub-domain and so quit out of the ntdsutil.

I do however still see the sub-domain listed in the 'Log on to:' drop-down menu in the 'Log On to Windows' dialog box. Is this a bad sign or just a remnant from the lost sub-domain? Should I make attempts at removing this from AD?

Thank you,

Keatscon

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17792526
You need to remove any trusts that are in AD Domains and Trusts, need to clear all DNS, and need to run a metadata cleanup with NTDSUTIL by attaching to your DC
0
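
A read-only check for the leftovers discussed in this thread, added here as an example and not part of any poster's reply: it searches the directory for the child domain's crossRef object, trust objects that point at it, and the dead DC's server object. The domain and DC names are the question's own examples, the NetBIOS name `REALLY` and the function name `Find-Leftover` are assumptions, and DNS records are not covered.

```powershell
# Added example: read-only audit, nothing here modifies the directory.
$ChildDns     = 'really.imaginary.com'   # child domain from the question
$ChildNetBios = 'REALLY'                 # assumed NetBIOS name of that domain
$DeadDc       = 'CLAUDETTE'              # dead DC from the question

# Bind to the forest of the logged-on user (run on a surviving DC or a member).
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$defaultNc = [string]$rootDse.defaultNamingContext

function Find-Leftover {
    # Hypothetical helper: subtree LDAP search that reports every match.
    param([string]$BaseDn, [string]$Filter, [string]$What)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $results = $searcher.FindAll()
    foreach ($r in $results) {
        New-Object psobject -Property @{ Check = $What; Path = $r.Path }
    }
    $results.Dispose()
}

# crossRef: the partition entry that tells the forest the domain exists.
$crossRefFilter = "(&(objectClass=crossRef)(dnsRoot=$ChildDns))"
# trustedDomain: trust objects in the parent domain naming the child.
$trustFilter = "(&(objectClass=trustedDomain)(|(trustPartner=$ChildDns)(flatName=$ChildNetBios)))"
# server: the dead DC's entry under Sites in the configuration partition.
$serverFilter = "(&(objectClass=server)(cn=$DeadDc))"

# @( ) keeps the result an array even when every search comes back empty.
$found = @(
    Find-Leftover "CN=Partitions,$configNc" $crossRefFilter 'crossRef for child domain'
    Find-Leftover "CN=System,$defaultNc"    $trustFilter    'trustedDomain object'
    Find-Leftover "CN=Sites,$configNc"      $serverFilter   'server object in Sites'
)

if ($found.Count -eq 0) {
    "No directory objects found for $ChildDns or $DeadDc."
} else {
    $found | Format-Table Check, Path -AutoSize -Wrap
}
```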
