Marinertek asked:
remove old domain controller with existing server of the same name

Hello experts!

I have a unique issue. We've come into a situation where a domain controller had been unsuccessfully removed two years ago and a new server was brought into production with the same name in the same domain. Now, 2 years later, I'm seeing lots of junk in dcdiag in reference to that old domain controller name (this is an inherited network).

My question is, can I safely remove the domain controller reference using ntdsutil metadata cleanup without impacting the current production member server?

The member server has no domain controller roles, and is not in the Domain Controllers OU. My assumption is that I can do the normal clean up process and leave DNS in place, but I can't afford to accidentally remove the production system from Active Directory. Everything is Windows 2003 Standard SP2.

Thanks!
Mike Kline:
So right now if you go through the metadata process  http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Do you see two boxes listed with exactly the same name/DN?

Thanks

Mike
dekkar:
Sounds a bit risky.... Another alternative is to promote the member server, then demote it.
You really should first rename the server that's using the "reused" name, do the process of removing it from the metabase, then bring it back to the old name.
I am 90% sure that metadata cleanup won't worry the member server, however I have never physically tried it. Probably the safest way is to remove the new server from the domain into a workgroup temporarily, do your metadata cleanup, then re-add it. I don't think you would be able to promote it with the old data in there.

Naturally, take a backup of AD and  the server itself before you do try anything.
Btw: promoting the member server will only increase the mess.
Marinertek (asker):
Thanks for all the fast input everyone! To address a few points:

@mkline71 - the only difference I see for objects is the OU, the name, domain and other CN/DC values are identical.

@tiago_aviz - renaming, cleaning, then renaming sounds like it may be the best plan of action - in your experience has doing this had any impact on Active Directory? The member server is running applications (including databases) - do you think there would be any negative effects from this? What do you think is an appropriate time interval to allow the changes to propagate before going through the metadata cleanup (we have two on-site DCs and one remote DC)?

@trackhappy - there may be other applications that prevent me from going this route, unfortunately I have not had the chance to fully investigate what is running on the server, though it is housing database driven applications. I'm trying to use the Occam's Razor technique which is why I said @tiago_aviz may have the best method (less functional changes overall)

@dekkar - I do not think this would work... the existing metadata mess would probably keep me from promoting it properly. I have to agree with @tiago_aviz that this would only cause more potential problems than it would solve.

So - given all that, any other thoughts on the process of renaming, then doing metadata cleanup, then renaming again while remaining in the domain?

Thanks!
Then you should have it there. Look at your current DC (full DN)... you know that is the current one.

The old one is the one with the different DN... delete that one.

Thanks

Mike
Thanks @mkline71 - using ntdsutil, how would I identify the server by OU? From ntdsutil I only see the server name listed once. I got the OU for the failed DC server via dcdiag on one of our current controllers.

When I look at the data I see a lot of CN values for the server name, domain, site, etc, but no way to list the full DN and ensure that I have the right object. Is there a command I am missing?

Thanks!

Sorry @mkline71 - I guess I was not precise enough in my original answer to your comment - I only see the failed DC listed once using ntdsutil, I know it's a different OU than the current working server because of dcdiag
ASKER CERTIFIED SOLUTION
Mike Kline
(answer visible to members only)
Great - thanks to everyone for all the input! On Thursday I will have the chance to evaluate the server again and will let you know if anything has changed that I did not include. Once we've decided and executed the process I will post the results.

Thanks again for all the fast responses :-)
The metadata you are looking at only exists for domain controllers, which is why I am 90% sure you can remove it from there safely. You won't see any other servers except DC's in there.
I would only rename the server, not remove it from the domain in order to do the metadata cleanup, as it could mess with your applications on this server.

Rename the server, remove the data from AD, then put it back on the same name it was before.

From my experience, no issues will arise using this procedure.
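The post above rests on one fact: ntdsutil's metadata cleanup lists and deletes server objects (and their NTDS Settings children) under CN=Sites in the Configuration partition, while a member server is only a computer account in the Domain partition. The script below is an added example, not code from this thread or from any of the posters, that shows both sets of objects side by side so the DNs can be compared before anything is deleted. It assumes PowerShell with the .NET System.DirectoryServices classes on a domain-joined machine, and uses the placeholder name OLDDC01 for the reused server name. The one check worth doing: the stale server object's serverReference attribute names the computer account that belonged to that DC, so it should not resolve to the production box's computer account.

```powershell
# Added example (not from the thread). Assumes PowerShell with the .NET
# System.DirectoryServices classes, run from a domain-joined machine.
# "OLDDC01" is a placeholder; pass the reused server name with -Name.
param([string]$Name = "OLDDC01")

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
$domainNc = [string]$rootDse.Properties["defaultNamingContext"].Value

# Subtree LDAP search returning the requested attributes.
function Search-Ad([string]$base, [string]$filter, [string[]]$attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$base")
    $s.Filter = $filter
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($a in $attrs) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

# First value of an attribute on a SearchResult, or "<none>" if absent.
function Get-Attr($result, [string]$attr) {
    if ($result.Properties.Contains($attr)) { $result.Properties[$attr][0] } else { "<none>" }
}

# 1. Domain partition: computer accounts carrying this name. The production
#    member server lives here. userAccountControl bit 0x2000
#    (SERVER_TRUST_ACCOUNT) is set only on domain controller accounts.
$SERVER_TRUST_ACCOUNT = 0x2000
$computerDns = @()
"== Domain partition: computer accounts named $Name =="
foreach ($r in (Search-Ad $domainNc "(&(objectClass=computer)(cn=$Name))" @("distinguishedName","userAccountControl"))) {
    $dn  = Get-Attr $r "distinguishedname"
    $uac = [int](Get-Attr $r "useraccountcontrol")
    $role = if ($uac -band $SERVER_TRUST_ACCOUNT) { "DOMAIN CONTROLLER account" } else { "member server account" }
    "computer DN : $dn"
    "role        : $role"
    $computerDns += $dn
}

# 2. Configuration partition: server objects under CN=Sites. These are exactly
#    what ntdsutil "list servers in site" shows and "remove selected server"
#    deletes. A DC that was never cleanly demoted still has its NTDS Settings
#    child here, and its serverReference usually points at an account that no
#    longer exists.
"== Configuration partition: server objects named $Name (metadata cleanup targets) =="
foreach ($r in (Search-Ad "CN=Sites,$configNc" "(&(objectClass=server)(cn=$Name))" @("distinguishedName","serverReference","dNSHostName"))) {
    $serverDn = Get-Attr $r "distinguishedname"
    $ref      = Get-Attr $r "serverreference"
    $ntds     = Search-Ad $serverDn "(objectClass=nTDSDSA)" @("distinguishedName")
    "server DN        : $serverDn"
    "dNSHostName      : " + (Get-Attr $r "dnshostname")
    "serverReference  : $ref"
    "NTDS Settings    : " + $ntds.Count + " object(s)"
    # Safety check: the reference must not be the production computer account.
    if ($computerDns -contains $ref) {
        "WARNING: serverReference points at a live computer account in the domain partition; do not run cleanup until this is understood."
    } else {
        "OK: serverReference does not match any live computer account named $Name."
    }
}
```

Run it once against a live DC, save the output, and keep it next to the backup. The distinguished names printed in the second section are the same ones ntdsutil shows when you walk metadata cleanup, connections, connect to server <liveDC>, quit, select operation target, list domains / select domain N, list sites / select site N, list servers in site / select server N, quit, remove selected server, so you can match the selected server against the DN you verified here rather than against the bare name.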
If you have a lab or even a VM where you can take a snapshot of the domain (we do this in our lab of the current domain), then import the domain into the VM or lab server. You can run the cleanup utils and then do some verification checks to make sure the cleanup was successful.

Of course, make sure the VM or lab has zero contact to production.

Just my 2c

Douglas
Thanks again everyone - we just cleaned the metadata without doing any renaming and it worked like a charm :-)