Solved

Removing an orphaned server from Active Directory

Posted on 2010-08-19
12
632 Views
Last Modified: 2012-05-10
Hello all,
I have a Windows 2003 R2 server that is failed in such a way that I cannot logon interactively (either at the console or via remote session) without a Blue Screen. However, it is otherwise operational in the background.
I have added a server and replicated the 5 roles to it and made it a global catalog. A different server is a working DNS replica.

My plan:
I will need to run a repair Windows server installation on the faulty server, rejoin it to the domain, and re-replicate the domain data.
However, I assume I will first need to remove this faulty server from the domain directory before rejoining after a reinstall. Since I cannot login interactively on the host, I cannot uninstall active directory services as would normally be done.

I've never removed an orphaned server and would like a little hand holding.

By the way, I have tape backups and a recent system state backup of the failed server, but the restores of either are what caused this issue of Blue Screens. I think there is a mismatched system file or something of the sort, which is why I feel reinstalling the OS (repairing the install) would be the best route. Since all the \Program Files and data are there, perhaps I can use the backed up software hive and be OK.

Any input appreciated.

Chris
 
0
Comment
Question by:ChrisHelvey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 2
12 Comments
 
LVL 7

Accepted Solution

by:
marektech earned 250 total points
ID: 33475503
If you are talking about removing a failed domain controller, you say server, from a network then this article is a great resource:

http://ezinearticles.com/?25-Easy-Steps-to-Recover-a-Downed-Domain-Controller-(Dont-Panic)&id=3674561
0
 
LVL 6

Assisted Solution

by:Joshua1909
Joshua1909 earned 250 total points
ID: 33475740
This is one of the better articles I've seen on removing an orphaned DC:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Used it successfully recently myself.
0
 

Author Comment

by:ChrisHelvey
ID: 33475777
Thanks, I'm following these instructions. (Though they are for Win 2008.)

"Seize naming master" returns with incorrect syntax. Called something else in this version?
0
Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

 

Author Comment

by:ChrisHelvey
ID: 33475797
Got it "Seize Domain Naming Master"
0
 

Author Comment

by:ChrisHelvey
ID: 33475976
I'm at the metadata cleanup part. I have no option for "list sites."
My domain is named indianawood.com
The bad server is named FPS02
The new replication server is named ADS2
I am at the console of ADS2 using NTDSutil and connected to controller ADS2
I have "Select Operation Target" as an option.

A little help? I'm nervous about what I am about to do. This server is currently operational as an AD controller. I suppose I should shut it off before the next step?
Am I forgetting anything else? I have operating DNS. DHCP is on the old server - I should try to write down that data from an MMC connection remotely as there are some reservations in there.
0
 
LVL 7

Expert Comment

by:marektech
ID: 33476099
So you have successfully seized all roles from the old domain controller. That's a good thing.

You can try using the metadata clean up instructions Joshua1909 posted - they are for 2003 if that helps. I can vouch for that guide too.

Anything like this should be done out of hours though as you don't want to affect users. As you mentioned things like DHCP if they are on the DC which is being removed will need to be reconfigured.
0
 

Author Comment

by:ChrisHelvey
ID: 33476325
All roles are seized. I'll look at this guide as well. Thanks.
0
 

Author Comment

by:ChrisHelvey
ID: 33476445
Do you think there will be an issue putting this back in the directory as the same name (FPS02?) Lots of things point to it that I do not want to reconfigure.
0
 

Author Comment

by:ChrisHelvey
ID: 33476524
According to this article:
 http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2706-Why-not-to-re-use-DC-names.html?sfQueryTermInfo=1+10+30+clean+instruct+metadata+up
Perhaps I should just add it in as a member server, wait the 14 day period and then re-replicate. Not a problem for me to do that. I'm trying to anticipate what other problems I may run in to.

Anything else you can think of, let me have it.
0
 

Author Comment

by:ChrisHelvey
ID: 33476614
I am going to do this now as I have a window of time to have it down.

So, just to make sure I am correct in this cleanup:
I am on the ADS2 box running metadata cleanup.
I am currently connected to ADS2.

I'm confused on the syntax. I want to remove FPS02 from the Directory for indianawood.com domain.
 
"Remove selected Server FPS02" should do it? or do I use "Select Operation Taget" and choose FPS02 first?
0
 

Author Comment

by:ChrisHelvey
ID: 33477235
Found it: http://www.petri.co.il/fix_unsuccessful_demotion.htm 

I am waiting to do this to see how the reinstall goes. If I can use my saved config\software hive to make things like ZetaFax, shares, etc, work properly then I'll follow through with it. I made a copy of the \Windows directory using robocopy so if it all goes to hell, I could get back to this place and the active directory would be OK with it. Permissions might be a problem wth those things until I am rejoined anyway, so we'll see.  
0
 

Author Closing Comment

by:ChrisHelvey
ID: 33496452
The referred documents by both posters were helpful, so I split the points.
In the end, I found a backup tape that worked in restoring the system state. Then I manually changed all the DNS entries to only use the restored server for domain authentication (by removing the name of the second one in all the records.) The main problem was an incompatibility between versions of NovaBackup. The trial version downloaded from the site imported my tape but would not show the system state as an option to restore. As a last ditch effore, I found enough of the original version to run and import. Voiala, it was there.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question