Solved

remove old domain controller with existing server of the same name

Posted on 2010-11-09
Last Modified: 2012-06-22
Hello experts!

I have a unique issue. We've come into a situation where a domain controller had been unsuccessfully removed two years ago and a new server was brought into production with the same name in the same domain. Now, 2 years later, I'm seeing lots of junk in dcdiag in reference to that old domain controller name (this is an inherited network).

My question is, can I safely remove the domain controller reference using ntdsutil metadata cleanup without impacting the current production member server?

The member server has no domain controller roles, and is not in the Domain Controllers OU. My assumption is that I can do the normal clean up process and leave DNS in place, but I can't afford to accidentally remove the production system from Active Directory. Everything is Windows 2003 Standard SP2.

Thanks!
Question by:Marinertek
15 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34098290
So right now if you go through the metadata process http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Do you see two boxes listed with exactly the same name/DN?

Thanks

Mike
0
 
LVL 11

Expert Comment

by:dekkar
ID: 34098360
Sounds a bit risky.... Another alternative is to promote the member server, then demote it.
0
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 34098417
You really should first rename the server that's using the "reused" name, do the process of removing it from the metabase, then bring it back to the old name.
0
 
LVL 9

Expert Comment

by:Trackhappy
ID: 34098418
I am 90% sure that metadata cleanup won't worry the member server, however I have never physically tried it. Probably the safest way is to remove the new server from the domain into a workgroup temporarily, do your metadata cleanup, then re-add it. I don't think you would be able to promote it with the old data in there.

Naturally, take a backup of AD and the server itself before you do try anything.
0
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 34098421
Btw: promoting the member server will only increase the mess.
0
 
LVL 5

Author Comment

by:Marinertek
ID: 34098588
Thanks for all the fast input everyone! To address a few points:

@mkline71 - the only difference I see for objects is the OU, the name, domain and other CN/DC values are identical.

@tiago_aviz - renaming, cleaning, then renaming sounds like it may be the best plan of action - in your experience has doing this had any impact on Active Directory? The member server is running applications (including databases) - do you think there would be any negative effects from this? What do you think is an appropriate time interval to allow the changes to propagate before going through the metadata cleanup (we have two on-site DCs and one remote DC)?

@trackhappy - there may be other applications that prevent me from going this route; unfortunately I have not had the chance to fully investigate what is running on the server, though it is housing database-driven applications. I'm trying to use the Occam's Razor technique, which is why I said @tiago_aviz may have the best method (fewer functional changes overall).

@dekkar - I do not think this would work... the existing metadata mess would probably keep me from promoting it properly. I have to agree with @tiago_aviz that this would only cause more potential problems than it would solve.

So - given all that, any other thoughts on the process of renaming, then doing metadata cleanup, then renaming again while remaining in the domain?

Thanks!
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34098599
Then you should have it there, look at your current DC (full DN)....you know that is the current one.

The old one is the one with the different DN...delete that one.

Thanks

Mike
0

 
LVL 5

Author Comment

by:Marinertek
ID: 34098655
Thanks @mkline71 - using ntdsutil how would I identify the server by OU? From ntdsutil I only see the server name listed once. I got the OU for the failed dc-server via dcdiag on one of our current controllers.

When I look at the data I see a lot of CN values for the server name, domain, site, etc, but no way to list the full DN and ensure that I have the right object. Is there a command I am missing?

Thanks!

 
0
 
LVL 5

Author Comment

by:Marinertek
ID: 34098665
Sorry @mkline71 - I guess I was not precise enough in my original answer to your comment - I only see the failed DC listed once using ntdsutil; I know it's a different OU than the current working server because of dcdiag.
0
 
LVL 57

Accepted Solution

by:Mike Kline (earned 500 total points)
ID: 34098672
So if you know that is the failed DC then you can delete it; the renaming method would also work...and give you peace of mind.
0
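Before running ntdsutil, it helps to see the full DN of every server object in the Configuration partition next to the computer account that shares its name, since the stale DC entry lives in CN=Sites while the live member server only has a computer account in the domain partition. The following read-only PowerShell script is an added example, not code from this thread; it assumes it is run on a domain-joined host with PowerShell 2.0 or later and uses plain .NET ADSI rather than the ActiveDirectory module so it does not need Server 2008 R2 tools.

```powershell
# Added example (not from the thread): list each server object under CN=Sites
# with its full DN, whether it still has an "NTDS Settings" child, and the DN
# and DC flag of the computer account of the same name in the domain partition.
# Read-only; nothing here deletes or modifies objects.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

# 1. Every server object in the Configuration partition (only DCs get one).
$srch = New-Object System.DirectoryServices.DirectorySearcher
$srch.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$srch.Filter     = "(objectClass=server)"
$srch.PageSize   = 500
[void]$srch.PropertiesToLoad.Add("distinguishedName")

foreach ($r in $srch.FindAll()) {
    $dn   = [string]$r.Properties["distinguishedname"][0]
    $name = (($dn -split ",")[0]) -replace "^CN=", ""

    # A working DC has an NTDS Settings child; a half-removed one often does not.
    $hasNtds = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn")

    # 2. Computer account with the same name in the domain partition, and its OU.
    $cs = New-Object System.DirectoryServices.DirectorySearcher
    $cs.SearchRoot = [ADSI]"LDAP://$domainNC"
    $cs.Filter     = "(&(objectClass=computer)(sAMAccountName=$name`$))"
    [void]$cs.PropertiesToLoad.Add("distinguishedName")
    [void]$cs.PropertiesToLoad.Add("userAccountControl")
    $c = $cs.FindOne()

    $compDn = "(no computer account)"
    $isDc   = $false
    if ($c) {
        $compDn = [string]$c.Properties["distinguishedname"][0]
        $uac    = [int]$c.Properties["useraccountcontrol"][0]
        # SERVER_TRUST_ACCOUNT (0x2000) is set only on domain controller accounts.
        $isDc   = (($uac -band 0x2000) -ne 0)
    }

    "{0}`n  server DN    : {1}`n  NTDS Settings: {2}`n  computer DN  : {3}`n  DC account   : {4}" -f `
        $name, $dn, $hasNtds, $compDn, $isDc
}
```

A stale entry typically shows a server DN under CN=Sites with no NTDS Settings child, while the reused name resolves to a computer account outside the Domain Controllers OU with the DC account flag false; that computer account is untouched by metadata cleanup, which only removes the Configuration-partition objects.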
 
LVL 5

Author Comment

by:Marinertek
ID: 34098692
Great - thanks to everyone for all the input! On Thursday I will have the chance to evaluate the server again and will let you know if anything has changed that I did not include. Once we've decided and executed the process I will post the results.

Thanks again for all the fast responses :-)
0
 
LVL 9

Expert Comment

by:Trackhappy
ID: 34098717
The metadata you are looking at only exists for domain controllers, which is why I am 90% sure you can remove it from there safely. You won't see any other servers except DC's in there.
0
 
LVL 5

Expert Comment

by:tiago_aviz
ID: 34100739
I would only rename the server, not remove it from domain in order to do the metadata cleanup, as it could mess with your applications on this server.

Rename the server, remove the data from AD, then put it back on the same name it was before.

From my experience, no issues will arise using this procedure.
0
 
LVL 3

Expert Comment

by:InterframeGap
ID: 34101226
If you have a lab or even a VM where you can take a snapshot of the domain (we do this in our lab of the current domain), then import the domain into the VM or lab server. You can run the cleanup utils and then do some verification checks to make sure the cleanup was successful.

Of course, make sure the VM or lab has zero contact to production.

Just my 2c

Douglas
0
 
LVL 5

Author Closing Comment

by:Marinertek
ID: 34115649
Thanks again everyone - we just cleaned the metadata without doing any renaming and it worked like a charm :-)
0