Solved

How can I remove the Distinguished Name attribute of a removed domain controller in Active Directory?

Posted on 2008-09-30
Last Modified: 2010-03-17
On one of my domain controllers, after running the dcdiag tool, I got a warning about replication with a DC that no longer exists. In order to delete this record I opened ADSIEDIT on this particular server where I got the warning, and I found it after right-clicking on Configuration | Schema | Domain (it doesn't matter which one I pick; it's in all 3 of them), then going to Master By | Distinguished Name, and here is the list of my DCs, including the one that I want to delete. So I select it, click Remove, then OK, and when I try to click Apply I get the error "The attribute cannot be modified because it is owned by the system". I checked permissions and I have Full Control.
Question by:QUIMMCOIT
8 Comments
 

Expert Comment

by:cybersean
ID: 22610401
 

Author Comment

by:QUIMMCOIT
ID: 22613827
I did the 3 procedures:
1. NTDSUTIL
2. Remove server objects from site
3. Remove the failed server object from the Domain Controllers container

I still have the same issue on the same domain controller.
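A way to check whether the three procedures above actually cleared the stale metadata, as an added example that is not from the thread: the Distinguished Name list the question is trying to edit is the masteredBy back-link on the naming context head. It is computed from each NTDS Settings object's hasMasterNCs forward link and is system-owned, which is why ADSI Edit refuses to modify it; it only disappears once the dead DC's nTDSDSA object is gone. This read-only PowerShell snippet (assumes the RSAT ActiveDirectory module and a reachable DC; no names from the thread are used) lists every nTDSDSA object under CN=Sites in the Configuration partition that no live domain controller in the forest owns, which is exactly what metadata cleanup is supposed to remove.

```powershell
# Added example, not from the thread. Read-only: finds NTDS Settings (nTDSDSA)
# objects in the Configuration partition that no live DC in the forest owns.
# Assumes the ActiveDirectory module (RSAT) and at least one reachable DC.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Every NTDS Settings object under Sites, with the partitions it claims to
# master. hasMasterNCs is the forward link; masteredBy on each NC head is the
# system-owned back-link that ADSI Edit will not let you change by hand.
$ntdsObjects = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSDSA)' `
                 -Properties hasMasterNCs

# NTDS Settings DNs that live DCs in every domain of the forest actually own.
$liveNtds = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).NTDSSettingsObjectName
}

# Anything left over is metadata for a DC that no longer exists.
$stale = $ntdsObjects | Where-Object { $liveNtds -notcontains $_.DistinguishedName }

foreach ($obj in $stale) {
    # The server object is the parent container of its NTDS Settings object.
    $serverDN = ($obj.DistinguishedName -split ',', 2)[1]
    [pscustomobject]@{
        Server       = $serverDN
        NtdsSettings = $obj.DistinguishedName
        MastersNCs   = ($obj.hasMasterNCs -join '; ')
    }
}

if (-not $stale) {
    Write-Host 'No orphaned NTDS Settings objects found; the masteredBy list should already be clean.'
}
```

If the script reports an orphaned nTDSDSA object, remove it with NTDSUTIL metadata cleanup (or by deleting the NTDS Settings object in Active Directory Sites and Services) and let the change replicate; the masteredBy entry on the naming context is a back-link and goes away on its own once the forward link is gone.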
 

Expert Comment

by:cybersean
ID: 22655819
Did you perform the DNS steps in the _msdcs.root section?
Did that DC hold any of the FSMO roles by any chance?
 

Author Comment

by:QUIMMCOIT
ID: 22659318
The server does not hold any FSMO roles, and yes, I did the steps in DNS.
 

Author Comment

by:QUIMMCOIT
ID: 22995228
This is what Microsoft suggested. I'm still testing; I'll let you know if it works.

Actually, the real problem is not that this DC tried to replicate with non-existing DCs. This issue happens when the problematic DC has not replicated for over 60 days (a.k.a. the tombstone lifetime). When the DC hasn't replicated with other DCs for longer than the tombstone lifetime, replication is automatically disabled for security considerations. Therefore, no replication will happen and the AD database on the problematic DC will not be updated, which leads it to replicate with non-existing DCs.

In addition, even if you delete the reference in the AD database, it will not replicate successfully either. Thus we need to enable replication first and then sync the problematic DC with the authoritative DC. For now, please perform the following steps to test the issue:

Step 1: Please make sure the time is properly synchronized between the domain controllers.

Step 2:
====================
On GOOD DCs, add the following registry key to resume replication:

1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

3. In the details pane, create or edit the registry entry "Allow Replication With Divergent and Corrupt Partner" as follows:

If the registry entry exists in the details pane, modify the entry as follows:

a. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
b. In the Value data box, type 1, and then click OK.

If the registry entry does not exist, create the entry as follows:

a. Right-click Parameters, click New, and then click DWORD Value.
b. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
c. Double-click the entry. In the Value data box, type 1, and then click OK.

If replication still does not happen, perform the next step:

Step 3:
========================
Still on the good DCs.

1. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

2. Click Add Value on the Edit menu.
3. Add the following value:

Value Name: Strict Replication Consistency
Data type: REG_DWORD
Value data: If the value is 1, change it to 0.

Then please restart the server to force a replication.

What's the result?

After replication starts successfully, revert the registry changes made in Steps 2 and 3: change "Allow Replication With Divergent and Corrupt Partner" to 0 and "Strict Replication Consistency" back to 1.

Reference:
----------------
Event ID 2042: It has been too long since this machine replicated
http://technet2.microsoft.com/windowsserver/en/library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx
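The registry steps in the Microsoft reply above, scripted so that the change is applied, exercised and reverted in one run. This is an added example, not part of the Microsoft reply or the thread; it is meant to be run in an elevated PowerShell on a GOOD DC, and $StaleDc is an assumed name for the DC that has been out of replication for longer than the tombstone lifetime. One caveat a practitioner would want: Strict Replication Consistency = 0 disables the protection that keeps lingering objects from the stale DC from being re-introduced into the forest, so the script keeps Step 3 behind a switch that defaults to off and restores the values in a finally block even if repadmin fails part-way.

```powershell
# Added example, not from the thread. Run elevated on a GOOD DC.
# $StaleDc is an assumed name for the DC that has not replicated for longer
# than the tombstone lifetime. -RelaxStrict applies Step 3 (off by default).
param(
    [string]$StaleDc = 'DC-OLD',    # assumption: replace with the real DC name
    [switch]$RelaxStrict            # Step 3 only if Step 2 alone is not enough
)

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Allow  = 'Allow Replication With Divergent and Corrupt Partner'
$Strict = 'Strict Replication Consistency'

# Step 1: time must be in sync before replication is re-enabled.
w32tm /query /source
w32tm /resync | Out-Null

# Record what is there so the revert restores the original state exactly.
$before   = Get-ItemProperty -Path $Params
$oldAllow = $before.$Allow      # $null when the value has never been set

try {
    # Step 2: let this DC replicate with the divergent partner.
    Set-ItemProperty -Path $Params -Name $Allow -Value 1 -Type DWord

    if ($RelaxStrict) {
        # Step 3: turns off lingering-object protection. Last resort only.
        Set-ItemProperty -Path $Params -Name $Strict -Value 0 -Type DWord
    }

    # Have the stale DC pull every partition (/A) from all its partners,
    # cross-site included (/e), then pull here too, and show both sides.
    repadmin /syncall $StaleDc /A /e
    repadmin /syncall $env:COMPUTERNAME /A /e
    repadmin /showrepl $StaleDc
    repadmin /replsummary
}
finally {
    # Revert the Microsoft steps: Allow back to what it was (or removed if it
    # did not exist), Strict back to 1 if it was relaxed.
    if ($null -eq $oldAllow) {
        Remove-ItemProperty -Path $Params -Name $Allow -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Params -Name $Allow -Value $oldAllow -Type DWord
    }
    if ($RelaxStrict) {
        Set-ItemProperty -Path $Params -Name $Strict -Value 1 -Type DWord
    }

    # Event 2042 in the Directory Service log is the symptom the reply refers
    # to; list the most recent ones so you can confirm no new one was logged.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
```

If replication only starts with -RelaxStrict, treat that as a sign that the stale DC may carry lingering objects; re-check the other DCs with repadmin /showrepl before leaving Strict Replication Consistency back at 1 and the stale DC in service.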
 

Author Comment

by:QUIMMCOIT
ID: 24487534
ok
 

Accepted Solution

by:ee_auto (earned 0 total points)
ID: 24515708
Question PAQ'd, 500 points refunded, and stored in the solution database.