
Removing a tombstoned DC?

Posted on 2012-03-28
Last Modified: 2012-03-29
Two DC's, one tombstoned after 60 days, and was turned back on.  oops.

That was a 2003 DC.

The current DC is 2008 R2.

Is there a good, easy way to get rid of this DC so I can create a new one? (That's the problem, actually: we can't promote a new DC, so we need to remove the old one as part of our cleanup process.)

Thank you for any help,

David
0
Question by:NeoDavidShepherd
LVL 21

Expert Comment

by:motnahp00
ID: 37779880
Does the current W2K8R2 DC have all of the OM roles?

You can check with "netdom query fsmo".
0
 
LVL 21

Expert Comment

by:motnahp00
ID: 37779999
Seize any of the missing roles to your DC using ntdsutil.

Here's some additional info from my W2K8R2 Unleashed book:

Retiring “Phantom” Domain Controllers

As is often the case in Active Directory, domain controllers might have been removed from the forest without first being demoted. They become phantom domain controllers and basically haunt the Active Directory, causing strange errors to pop up every so often. This is because of a couple remnants in the Active Directory, specifically the NTDS Settings object and the SYSVOL replication object. These phantom DCs might come about because of server failure or problems in the administrative process, but you should remove those servers and remnant objects from the directory to complete the upgrade to Windows Server 2008 R2. Not doing so will result in errors in the event logs and in the DCDIAG output as well as potentially raising the domain and forest to the latest functional level.

Simply deleting the computer object from Active Directory Sites and Services does not work. Instead, you need to use a low-level directory tool, ADSIEdit, to remove these servers properly. The following steps outline how to use ADSIEdit to remove these phantom domain controllers:

1. Launch Server Manager.
2. Expand the Roles node and select the Active Directory Domain Services node.
3. Scroll down to the Advanced Tools section of the page and click on the ADSI Edit link.
4. In the ADSIEdit window, select Action, Connect To.
5. In the Select a Well Known Naming Context drop-down menu, select Configuration and click OK.
6. Select the Configuration node.
7. Navigate to Configuration\CN=Configuration\CN=Sites\CN=<Sitename>\CN=Servers\CN=<Servername>, where <Sitename> and <Servername> correspond to the location of the phantom domain controller.
8. Right-click the CN=NTDS Settings, and click Delete.
9. At the prompt, click Yes to delete the object.
10. In the ADSIEdit window, select the top-level ADSIEdit node, and then select Action, Connect To.
11. In the Select a Well Known Naming Context drop-down menu, select Default Naming Context, and click OK.
12. Select the Default Naming Context node.
13. Navigate to Default naming context\CN=System\CN=File Replication Service\CN=Domain System Volume(SYSVOL share)\CN=<Servername>, where <Servername> corresponds to the name of the phantom domain controller.
14. Right-click the CN=<Servername>, and select Delete.
15. At the prompt, click Yes to delete the object.
16. Close ADSIEdit.

At this point, after the NTDS Settings are deleted, the server can be normally deleted from the Active Directory Sites and Services snap-in.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37780155
Wow, who wrote that book? That is wrong information; what is odd is that it is a Windows 2008 R2 book.  The information should be better in a newer book.

Since that DC hasn't replicated in the TSL you have a few options.

1.  Just run a metadata cleanup and rebuild the DC (install the OS, promote, etc.)

2.  Run dcpromo /forceremoval  then a metadata cleanup then when that is done you can promote it again.

By the way metadata cleanup is much easier in 2008     http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

That is why I'm surprised about the book and not having that in there.

If that 2003 DC held FSMO roles you will have to seize them, but I'm guessing it didn't.

On another note, try and get a second DC up when you can

Thanks

Mike
0
 

Author Comment

by:NeoDavidShepherd
ID: 37782234
Thank you very much...

Sorry to continue here, but SURELY there is a way to remove the DC without having to power it back on, etc.?

I mean, if a DC's hw goes bad, lightning or whatever, there must be a way to remove it from the AD without rebuilding one just to remove it? The thing is, every time I power this thing on, it causes problems in our production environment. People be gettin peeved, if you know what I mean!

I'm trying to promote a new DC and I get errors about this old one, so step one is to remove the old one!

SO, if there is a way to remove a DC from AD without powering it on, that's what I need to do.

The new one has all the FSMO roles, or claims to.

Step one, remove old DC without turning it back on. Is there a way?  I sure can't find it yet!

Thank you kindly...
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 37782331
Yes you don't need to turn the old one back on, many times it can't be.  That is why you can run metadata cleanup    http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
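
The metadata cleanup recommended in the accepted answer, run from the surviving DC while the old one stays powered off, as an added example that is not part of the original thread. The server name, site name and configuration naming context below are placeholders to replace with your own values; the tools used (`netdom`, `dsquery`, `ntdsutil`, `dcdiag`) ship with Windows Server 2008 R2 domain controllers.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the healthy
# 2008 R2 DC as a Domain Admin. All three values below are PLACEHOLDERS.
$DeadDC   = 'OLDDC01'                               # name of the tombstoned 2003 DC
$Site     = 'Default-First-Site-Name'               # site that holds its server object
$ConfigNC = 'CN=Configuration,DC=example,DC=local'  # your forest's configuration NC
$ServerDN = "CN=$DeadDC,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"

# 1. Confirm no FSMO role is still assigned to the dead DC (the check
#    suggested earlier in the thread). Stop if one is listed.
$fsmo = netdom query fsmo
$fsmo
if ($fsmo -match [regex]::Escape($DeadDC)) {
    throw "A FSMO role is still listed on $DeadDC. Seize it with ntdsutil first."
}

# 2. Print the server object's DN as the directory sees it and make sure it
#    matches $ServerDN before deleting anything.
dsquery server -name $DeadDC
Write-Host "About to remove: $ServerDN"
Read-Host  "Press Enter to continue, Ctrl+C to abort"

# 3. Metadata cleanup. ntdsutil shows a confirmation dialog describing the
#    server it is about to remove; review it before clicking Yes.
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# 4. Verify: the dead DC should no longer be listed, and dcdiag /q should
#    print only remaining errors (ideally none that mention the old DC).
dsquery server -forest
dcdiag /q
```

Once the cleanup succeeds, keep the old machine off the network until it has been wiped and rebuilt, since its stale copy of the directory is past the tombstone lifetime.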
 

Author Closing Comment

by:NeoDavidShepherd
ID: 37782660
Thank you for the clarification. I misunderstood what you were saying!

Much appreciated!  I love a clean tutorial link...  (I'm a DC virgin)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37782672
Glad to help, good work getting rid of that dead DC.
0
 

Author Comment

by:NeoDavidShepherd
ID: 37782680
Also, thanks very much to  motnahp00, for information I will probably go over to learn the details of what's happening.

The other answer got me there quicker, but knowing the details is MARVELOUS.
0
