Solved

Removing a tombstoned DC?

Posted on 2012-03-28
1,244 Views
Last Modified: 2012-03-29
Two DCs, one tombstoned after 60 days, and was turned back on. Oops.

That was a 2003 DC.

The current DC is 2008 R2.

Is there a good, easy way to get rid of this DC so I can create a new one? (That's the problem, actually: we can't promote a new DC, so we need to remove the old one as part of our cleanup process.)

Thank you for any help,

David
Question by: NeoDavidShepherd
8 Comments
LVL 21

Expert Comment

by: motnahp00
Does the current W2K8R2 DC have all of the OM roles?

You can check with "netdom query fsmo".
LVL 21

Expert Comment

by: motnahp00
Seize any of the missing roles to your DC using ntdsutil.

Here's some additional info from my W2K8R2 Unleashed book:

Retiring “Phantom” Domain Controllers
As is often the case in Active Directory, domain controllers might have been removed from the forest without first being demoted. They become phantom domain controllers and basically haunt the Active Directory, causing strange errors to pop up every so often. This is because of a couple remnants in the Active Directory, specifically the NTDS Settings object and the SYSVOL replication object. These phantom DCs might come about because of server failure or problems in the administrative process, but you should remove those servers and remnant objects from the directory to complete the upgrade to Windows Server 2008 R2. Not doing so will result in errors in the event logs and in the DCDIAG output as well as potentially raising the domain and forest to the latest functional level.
Simply deleting the computer object from Active Directory Sites and Services does not work. Instead, you need to use a low-level directory tool, ADSIEdit, to remove these servers properly. The following steps outline how to use ADSIEdit to remove these phantom domain controllers:
1. Launch Server Manager.
2. Expand the Roles node and select the Active Directory Domain Services node.
3. Scroll down to the Advanced Tools section of the page and click on the ADSI Edit link.
4. In the ADSIEdit window, select Action, Connect To.
5. In the Select a Well Known Naming Context drop-down menu, select Configuration and click OK.
6. Select the Configuration node.
7. Navigate to Configuration\CN=Configuration\CN=Sites\CN=<Sitename>\CN=Servers\CN=<Servername>, where <Sitename> and <Servername> correspond to the location of the phantom domain controller.
8. Right-click the CN=NTDS Settings, and click Delete.
9. At the prompt, click Yes to delete the object.
10. In the ADSIEdit window, select the top-level ADSIEdit node, and then select Action, Connect To.
11. In the Select a Well Known Naming Context drop-down menu, select Default Naming Context, and click OK.
12. Select the Default Naming Context node.
13. Navigate to Default naming context\CN=System\CN=File Replication Service\CN=Domain System Volume (SYSVOL share)\CN=<Servername>, where <Servername> corresponds to the name of the phantom domain controller.
14. Right-click the CN=<Servername>, and select Delete.
15. At the prompt, click Yes to delete the object.
16. Close ADSIEdit.
At this point, after the NTDS Settings are deleted, the server can be normally deleted from the Active Directory Sites and Services snap-in.
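The role check and seizure motnahp00 describes, as an added PowerShell example that is not part of the original thread or of the quoted book. It uses the ActiveDirectory module that ships with Windows Server 2008 R2 instead of netdom and ntdsutil, so the whole thing can be run on the surviving DC without the old one ever coming back online. The hostnames OLDDC2003 and DC2008R2 are assumptions.

```powershell
# Added example (not from the original thread): list the five operations master (FSMO)
# role holders with the ActiveDirectory module and seize any role still recorded against
# a DC that is gone. Hostnames are assumptions for illustration.
Import-Module ActiveDirectory

$DeadDc   = 'OLDDC2003'   # assumed: the tombstoned 2003 DC
$TargetDc = 'DC2008R2'    # assumed: the surviving DC that should own every role

$domain = Get-ADDomain
$forest = Get-ADForest

# Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
# Holder values are FQDNs of the DC that Active Directory currently records as owner.
$holders = @(
    New-Object PSObject -Property @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    New-Object PSObject -Property @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    New-Object PSObject -Property @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    New-Object PSObject -Property @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    New-Object PSObject -Property @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
)
$holders | Format-Table Role, Holder -AutoSize   # same picture as "netdom query fsmo"

# A role whose holder is offline cannot be transferred, because a transfer needs the
# current holder to take part; it has to be seized. -Force on
# Move-ADDirectoryServerOperationMasterRole is the seizure; without it the cmdlet
# attempts a graceful transfer, which fails against a dead DC.
$toSeize = @($holders | Where-Object { $_.Holder -like "${DeadDc}.*" } | ForEach-Object { $_.Role })

if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# Verify: every holder should now be the surviving DC.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

Once a role has been seized, the former holder must never be reconnected to the network, because two DCs would then believe they own the same role; this is the same rule that applies after an ntdsutil seizure. If the old DC has to live on as hardware, it gets reinstalled before it is promoted again.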
LVL 57

Expert Comment

by: Mike Kline
Wow, who wrote that book? That is wrong information; what is odd is that it is a Windows 2008 R2 book. The information should be better in a newer book.

Since that DC hasn't replicated in the TSL you have a few options.

1. Just run a metadata cleanup and rebuild the DC (install the OS, promote, etc.).

2. Run dcpromo /forceremoval, then a metadata cleanup; when that is done you can promote it again.

By the way, metadata cleanup is much easier in 2008: http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

That is why I'm surprised about the book not having that in there.

If that 2003 DC held FSMO roles you will have to seize them, but I'm guessing it didn't.

On another note, try and get a second DC up when you can

Thanks

Mike
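The metadata cleanup Mike refers to, as an added PowerShell example that is not from the original thread. It runs ntdsutil's metadata cleanup from the surviving 2008 R2 DC in a single command line, with the dead DC left powered off, and then checks that the objects the manual ADSIEdit procedure quoted above would have deleted by hand (the server object with its NTDS Settings, and the FRS SYSVOL member) are really gone. The hostname OLDDC2003, the site Default-First-Site-Name and the zone corp.example are assumptions.

```powershell
# Added example (not from the original thread): clean up a dead DC's metadata from the
# surviving Windows Server 2008 R2 DC with the old server left powered off, then verify
# the leftovers are gone. Hostname, site and zone are assumptions for illustration.
Import-Module ActiveDirectory

$DeadDc = 'OLDDC2003'                 # assumed: the tombstoned 2003 DC
$Site   = 'Default-First-Site-Name'   # assumed: the site its server object lives in
$Zone   = 'corp.example'              # assumed: AD-integrated DNS zone of the domain

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNC"
$frsDn    = "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"

function Test-ADObjectExists([string]$Dn) {
    # Get-ADObject throws on a missing object; turn that into $true/$false.
    try { [void](Get-ADObject -Identity $Dn -ErrorAction Stop); $true } catch { $false }
}

# Pre-flight: the server object must still exist, and this script must run on the
# surviving DC, never on the box being removed.
if (-not (Test-ADObjectExists $serverDn)) { throw "No server object at $serverDn" }
if ($env:COMPUTERNAME -eq $DeadDc)       { throw 'Run this on the surviving DC, not the dead one.' }

# ntdsutil accepts its interactive commands as arguments. "remove selected server"
# deletes the NTDS Settings object and the DC performs the rest of the cleanup
# (server object, FRS member, computer account where possible). A confirmation
# dialog still appears; answer Yes.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit

# Post-check: everything the manual ADSIEdit procedure would have deleted by hand.
$leftovers = @($serverDn, $frsDn) | Where-Object { Test-ADObjectExists $_ }
$computer  = Get-ADComputer -Filter "Name -eq '$DeadDc'" -ErrorAction SilentlyContinue
if ($leftovers) { Write-Warning "Still present: $($leftovers -join '; ')" }
if ($computer)  { Write-Warning "Computer account $($computer.DistinguishedName) still present" }

# ntdsutil does not touch DNS; the dead DC's host and SRV records must be removed
# separately (DNS console or dnscmd). Replication status should no longer list the partner.
& dnscmd.exe /EnumRecords $Zone $DeadDc
& repadmin.exe /replsummary
```

Run it from an elevated prompt on the surviving DC. If the old 2003 box is ever powered on again after this, it will believe it is still a DC while the domain knows nothing about it; that is the situation Mike's second option (dcpromo /forceremoval, then reinstall) exists for, so either keep it off the network or wipe it before it comes back.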

Author Comment

by: NeoDavidShepherd
Thank you very much...

Sorry to continue here, but SURELY there is a way to remove the DC without having to power it back on, etc.?

I mean, if a DC's hw goes bad, lightning or whatever, there must be a way to remove it from the AD without rebuilding one just to remove it? The thing is, every time I power this thing on, it causes problems in our production environment. People be gettin peeved, if you know what I mean!

I'm trying to promote a new DC and I get errors about this old one, so step one is to remove the old one!

SO, if there is a way to remove a DC from AD without powering it on, that's what I need to do.

The new one has all the FSMO roles, or claims to.

Step one, remove old DC without turning it back on. Is there a way?  I sure can't find it yet!

Thank you kindly...
LVL 57

Accepted Solution

by: Mike Kline (earned 500 total points)
Yes, you don't need to turn the old one back on; many times it can't be. That is why you can run metadata cleanup: http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike

Author Closing Comment

by: NeoDavidShepherd
Thank you for the clarification. I misunderstood what you were saying!

Much appreciated!  I love a clean tutorial link...  (I'm a DC virgin)
LVL 57

Expert Comment

by: Mike Kline
Glad to help, good work getting rid of that dead DC.

Author Comment

by: NeoDavidShepherd
Also, thanks very much to motnahp00 for information I will probably go over to learn the details of what's happening.

The other answer got me there quicker, but knowing the details is MARVELOUS.
