braineater13 asked:
Unable to manually demote remote 2K3 DC out of Active Directory

I have a remote server that fails when I try to demote it out of Active Directory. I have since removed it from the domain and put it in a workgroup, and replaced it with a new server with a different NetBIOS name on which I have successfully run dcpromo. The problem I am having is that since I cannot demote the original server, I need to manually remove all traces of that server out of AD on our WAN. I have never had to do this before and was wondering if anyone can provide step-by-step documentation on the process.

Thanks
SMBGUY:

Remove the server from Active Directory using the command line: ntdsutil - metadata cleanup
http://windowsitpro.com/article/articleid/13414/how-do-i-remove-a-nonexistent-domain-controller.html


Delete the DC account using ADSIEDIT:
1) Expand the Domain NC container.
2) Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
3) Expand OU=Domain Controllers.
4) Right-click CN=domain controller name, and then click Delete.

Remove the FRS member object:
1) Expand the Domain NC container.
2) Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
3) Expand CN=System.
4) Expand CN=File Replication Service.
5) Expand CN=Domain System Volume (SYSVOL share).
6) Right-click the domain controller you are removing, and then click Delete.

Remove the server object from the site:
1) Expand the Configuration Container.
2) Expand CN=Sites. Normally, you have only three entries below Sites. If the list includes different or additional names, inspect them for containers below that refer to the server name object you are trying to delete. The normal three entries are as follows:
a. CN=Default-First-Site-Name
b. CN=Inter-site Transports
c. CN=Subnets
3) Expand CN=Default-First-Site-Name.
4) Typically you should see a container here named for the computer object you are looking for. It should read as CN=domain controller name with the actual name of your server. Delete only the container (and its contents) that is named for the domain controller you are removing.

Remove any DHCP registration:
1) Expand the Configuration Container.
2) Expand CN=Services.
3) Expand CN=NetServices.
4) Right-click the objects that indicate the class as "dHCPClass", and then click Delete.

DNS Records Cleanup - Remove permanently abandoned DC entry instances from DNS, specifically the GUID-specific record in _msdcs.

ASKER CERTIFIED SOLUTION
Awinish:
The best way to do this is to demote the DC; if it is giving you trouble, then demote it by force first using the command dcpromo /forceremoval and then use the
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
exercise to clean up metadata, remove DNS records and remove the computer account from the site.
 
If replication is not working between the servers then you cannot demote the server gracefully, and the option left would be either to fix replication first or to remove the server with DCPROMO /FORCEREMOVAL.

Please follow the following steps as explained in following article :-
------------------------------------------------------------------------------
How to remove data in Active Directory after an unsuccessful domain controller demotion:-

http://support.microsoft.com/kb/216498

SMB Guy gave nice steps, but as you are doing it for the first time, this Support Article would be simple and easy.

I don't agree with the GURU's comments that it's IMPOSSIBLE; it's just a simple LDAP operation which metadata cleanup will do, so we can very well do it manually as well, but should always prefer Metadata Cleanup.

Also make sure that you double-check the DNS entries as well after running these commands as mentioned in the article, and also force the replication as soon as the command completes.

If there are any DNS entries left for the server, make sure you delete them as well.

Thanks .
Truly, I never heard MS asking for removal of records manually, because in the manual process you may miss deleting the records. When a normal server becomes an RDC/ADC it writes its entries in so many places that it's difficult to remove those entries manually, and even one wrong deletion will cause big damage. These are the places we know; there is so much in ADSIedit that it's almost impossible to remove, because something will be remaining in the manual process.

It writes at so many places like registry,srv records in dns,site info in AD.

Metadata cleanup is a very important step to clear the stale or crashed system from AD; it is given by MS, and manual removal is not recommended.

There is one more way to trick the server into removing AD, using the steps below:

1. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
2. In the right pane, double-click ProductType.
3. Type ServerNT in the Value data box, and then click OK.
4. Reboot the server, but still it's not the recommended way of doing it.

Speaking truly, I never heard of anyone recommending or doing manual deletion of records instead of metadata cleanup. So, it's not recommended by MS.

So dcpromo /forceremoval followed by Metadata cleanup ensures the desired result is achieved without any issue.

References
http://support.microsoft.com/kb/332199


There is good script for metadata cleanup.
http://community.spiceworks.com/scripts/show/80-ad-metadata-cleanup

Note: Performing dcpromo /forceremoval will move the server into workgroup
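A read-only audit to run after the forced demotion and ntdsutil metadata cleanup recommended above, added here as an example and not code from the thread or from Microsoft: it walks the same places SMBGUY's ADSIEDIT list visits (Domain Controllers OU, FRS member, site server object, NetServices) plus the domain and _msdcs DNS zones, and reports anything still naming the dead DC. It assumes the ActiveDirectory and DnsServer RSAT modules on a 2008 R2 or later management host; $OldDc and $DnsServer are placeholders you supply.

```powershell
# Added audit script (not from the thread). Read-only: lists leftover references to a
# dead DC in the places the ADSIEDIT walk-through visits, plus DNS. Assumes the
# ActiveDirectory and DnsServer RSAT modules; $OldDc and $DnsServer are placeholders.
param(
    [Parameter(Mandatory)][string]$OldDc,        # NetBIOS name of the dead DC, e.g. OLDDC01
    [string]$DnsServer = $env:COMPUTERNAME       # DNS server hosting the AD zones
)
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse   = Get-ADRootDSE
$domainNc  = $rootDse.defaultNamingContext
$configNc  = $rootDse.configurationNamingContext
$domainDns = (Get-ADDomain).DNSRoot
$nameRx    = '^' + [regex]::Escape($OldDc) + '\.'   # matches "olddc01.contoso.com."

$checks = @(
    @{ Where = 'Computer account (OU=Domain Controllers)'
       Base = "OU=Domain Controllers,$domainNc"; Filter = "(cn=$OldDc)" }
    @{ Where = 'FRS member (CN=Domain System Volume)'
       Base = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
       Filter = "(cn=$OldDc)" }
    @{ Where = 'Server object under CN=Sites (any site, not only Default-First-Site-Name)'
       Base = "CN=Sites,$configNc"; Filter = "(&(objectClass=server)(cn=$OldDc))" }
    @{ Where = 'DHCP authorization under CN=NetServices'
       Base = "CN=NetServices,CN=Services,$configNc"; Filter = "(&(objectClass=dHCPClass)(cn=$OldDc*))" }
)

$leftovers = @(foreach ($c in $checks) {
    # A missing container (e.g. no FRS object on a DFSR-only domain) is not a leftover; ignore it.
    Get-ADObject -SearchBase $c.Base -SearchScope Subtree -LDAPFilter $c.Filter -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Where = $c.Where; Object = $_.DistinguishedName } }
})

# DNS: records owned by the old DC (A/AAAA) or whose target still names it (SRV/NS/CNAME),
# in both the domain zone and _msdcs, where the GUID-named CNAME lives.
foreach ($zone in @($domainDns, "_msdcs.$domainDns")) {
    $hits = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HostName -ieq $OldDc -or
            (@($_.RecordData.DomainName, $_.RecordData.NameServer, $_.RecordData.HostNameAlias) -imatch $nameRx)
        }
    foreach ($r in $hits) {
        $leftovers += [pscustomobject]@{ Where = "DNS $zone ($($r.RecordType))"; Object = $r.HostName }
    }
}

if ($leftovers.Count -eq 0) { "No references to $OldDc found." } else { $leftovers | Format-Table -AutoSize }
```

Run it from each site after replication has converged; an empty result from every DC is the check that the metadata cleanup really finished.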



The steps to delete Active Directory references to a "dead" DC are documented in the Swing Migration Kit.

I've done dozens of Swings and I can do it from memory at this point. The hardest part is doing the command line metadata cleanup with NTDSUTIL.

The Swing kit also has a VBScript that will march through your DNS zones and remove all references to a dead DC. That is handy!