Solved

SBS2008 BPA: Source Server remains in AD

Posted on 2011-03-08
Last Modified: 2012-08-13
The Source Server that is running Windows SBS 2003 (<<servername>>) still exists in the Active Directory Sites and Services in the Default-First-Site-Name. You should remove this server from AD Sites and Services after you demote the server and remove it from the domain.

This is what I get from a BPA scan at a new client; the previous ICT consultant forgot to demote the old 2003 server. This server has been reinstalled in the meantime. I also see errors & warnings in the update service, which is trying to apply updates to this old, now nonexistent server.

What is best practice to remove this server from the 2008 domain? Just remove it from AD users & computers + sites & services? Or is there more that needs to be done?
0
Question by:PlusIT
11 Comments
 
LVL 18

Assisted Solution

by:Jeremy Weisinger
Jeremy Weisinger earned 250 total points
ID: 35068931
All you should need to do is delete the object from Sites and Services, go through DNS and remove entries for the old SBS server, and if the old SBS server is in the Domain Controllers OU you should delete it from there too making sure you select "This Domain Controller is permanently offline..."

For more info check out this link http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx
0
 
LVL 10

Author Comment

by:PlusIT
ID: 35069122
thx for the feedback, what about the update services?  Will these auto follow?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35069293
You can just delete the computer from the WSUS console.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 35074946
Since this was a DC, there will actually be a bit more involved.

1) Have a backup!!!!
2) Remove the computer from ADUC
3) Remove the computer from ADSS
4) Perform a metadata cleanup (this is a step *COMMONLY* skipped)
5) Clean up any DNS entries (another step commonly skipped)
6) Remove the computer from the WSUS console

My_Username hit the high points, but I didn't notice a metadata cleanup and, particularly with SBS, this causes issues down the road. MS has a full technet article on the process.

-Cliff
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35075555
Thanks for breaking it down, Cliff. I actually did hit all those points you listed except for the backup part. Notice the "...making sure you select "This Domain Controller is permanently offline..." part of my original post. In 2008 this does the metadata cleanup for you. Following the link I posted will also give you more detail on what that does.

-MU
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 35088239
As an FYI, I can tell you firsthand (verified by MS) during the SBS 2011 beta process that the GUI does not always clean up all the metadata. The documented NTDSUtil process is still, sadly, the only way to be sure. But yeah, I see the point you are driving at.

-Cliff
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35090879
Good to know. Do you know if that has been resolved in the RTM? I haven't heard that it was an issue in SBS 2008. Let us know if you heard different, otherwise I think PlusIT can go ahead with following the steps I originally posted along with making sure there's a backup available before altering AD.

Thanks Cliff!

0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 35099525
No, this is an issue with the underlying AD tools, not specific to SBS. When we found it, the general reply was "yeah, we know, but ntdsutil works" ...and the problem is in 2008 and 2008 R2. There are specific conditions that cause the GUI to leave metadata floating around, so in some cases, it works fine, but when they hit, they can be obnoxious. It was just a bigger deal with SBS because in many cases the migrations from 2003/2008 to 2011 will be performed by IT generalists, not AD experts. But since the problem lies in the 2008 R2 code, no it is not fixed in RTM and probably won't be fixed until the next full version of Windows (or the version after, or the version after that.)

Certainly not a showstopper, but having access to that ntdsutil procedure is a big plus and I believe got included (or at least a link to it) in the latest round of 2011 migration docs.

-Cliff
0
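A read-only way to check whether references to the old domain controller were left behind after the removal, as an added example that is not part of the original thread: it only searches the directory and DNS and deletes nothing. The server name `OLDSBS2003` is a placeholder, the `Find-Leftover` helper is hypothetical, and the FRS check assumes SYSVOL still replicates with FRS.

```powershell
# Added example (not from the thread): read-only search for leftovers of a
# removed domain controller. Run on the remaining DC as a domain admin.
param([string]$OldServer = "OLDSBS2003")   # placeholder: retired server's host name

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainNC  = [string]$rootDse.defaultNamingContext
$configNC  = [string]$rootDse.configurationNamingContext
$dnsDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

# Hypothetical helper: LDAP subtree search that emits one line per match.
function Find-Leftover([string]$BaseDn, [string]$Filter, [string]$What) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($hit in $searcher.FindAll()) { "{0}: {1}" -f $What, $hit.Path }
}

$findings = @(
    # Server object in AD Sites and Services (what the BPA warning reports)
    Find-Leftover "CN=Sites,$configNC" "(&(objectClass=server)(cn=$OldServer))" "Site server object"

    # NTDS Settings object under that server: the DC metadata itself
    Find-Leftover "CN=Sites,$configNC" "(objectClass=nTDSDSA)" "NTDS Settings" |
        Where-Object { $_ -like "*,CN=$OldServer,*" }

    # Computer account in the domain (Domain Controllers OU or elsewhere)
    Find-Leftover $domainNC "(&(objectCategory=computer)(cn=$OldServer))" "Computer account"

    # FRS member object for SYSVOL (assumes FRS, not DFSR, replicates SYSVOL)
    Find-Leftover "CN=File Replication Service,CN=System,$domainNC" `
        "(&(objectClass=nTFRSMember)(cn=$OldServer))" "FRS member"

    # DC locator SRV records in DNS that still name the old server
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$dnsDomain" 2>$null |
        Select-String -Pattern $OldServer -SimpleMatch |
        ForEach-Object { "DNS SRV record: " + $_.Line.Trim() }
)

if ($findings.Count -eq 0) {
    "No references to $OldServer found in the checked locations."
} else {
    "References to $OldServer still present:"
    $findings
}
```

Other DNS records for the old server (host A records, name server entries on the zones) are not covered by the SRV query and still need a look in the DNS console.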
 
LVL 10

Author Comment

by:PlusIT
ID: 35106581
thx for the comments guys, I will check on this and see if the GUI left some things behind. I'll get back to this in a few days.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35446327
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0