Solved

AD Sites/Servers Domain Controller deletion

Posted on 2013-11-05
6
740 Views
Last Modified: 2013-11-07
Hi all,
Can someone help shed some light on the role of AD Sites and Services > Sites > Default-First-Site-Name > Servers?  I'm assuming these are records of domain controllers.  

When I log in to this path, I see 4 servers, 2 of which are my current DCs.  The other 2 servers are old DCs, one of which is long gone, and one of which is currently powered off.  Can I just delete these 2 old servers?  Should I at least power on the existing old DC and run dcpromo on it?  

domain functional level = server 2003
1 Primary DC (server 2008 R2)
1 backup DC (server 2008 R2)

Thanks in advance!
0
Comment
Question by:cuiinc
  • 2
  • 2
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Yes delete the one that is long gone.   The one that is powered off if you haven't gracefully demoted it doing that is what I'd do.   How long has it been off?  If it longer than the Tombestone Lifetime you can delete it using metadata cleanup procedures

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
 
LVL 1

Author Comment

by:cuiinc
Comment Utility
when i'm running dcpromo, it gives me the error: "The operation failed because: Managing the network session with [ourprimaryDC.domain.com] failed.  'Logon failure: the target account name is incorrect.' "

I'm logged into this old DC as our primary administrator, which is a member of the domain admins group.  Further, while running dcpromo, i was never prompted to enter any user credentials.  The most i was prompted for was to specify a new administrator password.  I'm not sure what this is for, but it doesn't matter what i enter here, the AD install wizard still fails.  any ideas????
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Do you plan to wipe this box or do you want to still use it for something else?   You could use dcpromo /forceremoval  and then metadata cleanup or try and fight through all the errors
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
Comment Utility
You are getting error "Logon Failure: target account name is incorrect" this indicates that the secure channel between the DC's are broken.

Refer below link to fix the issue:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

Alternaltely as you are planning to remove old dc instead of fixing the error you can forcefully demote DC followed by metadata cleanup as Mike suggested.If faulty DC is fsmo role holder server the you need to seize the FSMO role on other DC.

Forcefull removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Also dont forget to configure authorative time server role on PDC role holder server. http://support.microsoft.com/kb/816042.

Once metadata cleanup is performed verify the health of online DC by dcdiag /q and repadmin /replsum.I will also recommend to take backup of old DC before you proceed with demotion.
 
Hope this helps
0
 
LVL 1

Author Comment

by:cuiinc
Comment Utility
I'm trying to fix the secure channel between DCs, per your article (http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/).  Am I correct in assuming "Server1" is my current, working DC, and "Server2" is this old DC, which I'm trying to decomission, and which isn't recognizing or perhaps getting replica info from my PDC?

Also, I'm confused by Step #4:
"4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter."

Am I REQUIRED to reset the DC acct pswrd for the user "domain.com\administrator" or can this be any Domain Admin acct within our organization?  We currently don't have or use domain.com\administrator...
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
Comment Utility
yes, you are correct "Server1" is working/healthy DC and "Server2" is old DC whose secure channel is broken.

As the secure channel of Server2 is broken.

1.You need to stop KDC service on server2,load kerbtray and purge the ticket on server2.

2.Then logon to server1 and execute the reset command.netdom /resetpwd /server:server2
 /userd:domain.com\administrator /passwordd:password.

3.Run repadmin /syncall /AdeP to sync on server2.

4.start kdc on Server2 and force replication by repadmin or AD sites and services and check the health of DC.

You can use domain admin account to perform the same.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now