AD Sites/Servers Domain Controller deletion

Posted on 2013-11-05
Last Modified: 2013-11-07
Hi all,
Can someone help shed some light on the role of AD Sites and Services > Sites > Default-First-Site-Name > Servers?  I'm assuming these are records of domain controllers.  

When I log in to this path, I see 4 servers, 2 of which are my current DCs.  The other 2 servers are old DCs, one of which is long gone, and one of which is currently powered off.  Can I just delete these 2 old servers?  Should I at least power on the existing old DC and run dcpromo on it?  

domain functional level = server 2003
1 Primary DC (server 2008 R2)
1 backup DC (server 2008 R2)

Thanks in advance!
Question by:cuiinc
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39625728
Yes, delete the one that is long gone. The one that is powered off: if you haven't gracefully demoted it, doing that is what I'd do. How long has it been off? If it's been longer than the Tombstone Lifetime you can delete it using metadata cleanup procedures

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
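The question is really about which entries under Sites > Servers still correspond to a live domain controller, and Mike's comment makes the cut-off the tombstone lifetime. The script below is an added example, not code from the thread, from Experts Exchange or from Microsoft: it does a read-only inventory of every server object that still has an NTDS Settings child, looks up the DC's computer account through serverReference, and compares the account's last logon stamp and reachability against the forest tombstone lifetime, so that candidates for metadata cleanup are visible before anything is deleted. It assumes the RSAT ActiveDirectory module, a domain-joined admin session, and that the forest uses the 60-day default when the tombstoneLifetime attribute is unset.

```powershell
# Added example (not from the thread): read-only inventory of the server
# objects under AD Sites and Services, flagging the ones whose DC looks gone.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# The tombstone lifetime lives on the Directory Service object in the
# Configuration partition; when the attribute is absent, the forest uses 60 days.
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                           -Properties tombstoneLifetime
$tombstoneDays = if ($dsSettings.tombstoneLifetime) { [int]$dsSettings.tombstoneLifetime } else { 60 }

# Every NTDS Settings (nTDSDSA) object under CN=Sites marks a server that the
# directory still treats as a domain controller, whether or not the box exists.
$ntdsObjects = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' `
                            -Properties whenChanged

$report = foreach ($ntds in $ntdsObjects) {
    # The parent of "CN=NTDS Settings,..." is the server object itself.
    $serverDn = ($ntds.DistinguishedName -split ',', 2)[1]
    $server   = Get-ADObject -Identity $serverDn -Properties serverReference, dNSHostName
    # serverDn is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so index 2 is the site.
    $siteName = (($serverDn -split ',')[2]) -replace '^CN='

    # serverReference points at the DC's computer account. An orphaned server
    # object may have none, which is itself a sign of a half-removed DC.
    $lastLogon = $null
    if ($server.serverReference) {
        $computer = Get-ADComputer -Identity $server.serverReference -Properties lastLogonTimestamp
        if ($computer.lastLogonTimestamp) {
            # lastLogonTimestamp is a replicated FILETIME; good enough to spot a DC silent for months.
            $lastLogon = [DateTime]::FromFileTime($computer.lastLogonTimestamp)
        }
    }

    $daysSilent = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }
    $reachable  = if ($server.dNSHostName) {
        Test-Connection -ComputerName $server.dNSHostName -Count 1 -Quiet
    } else { $false }

    $verdict = if ($reachable) {
        'online'
    } elseif ($null -eq $daysSilent) {
        'no computer account or logon stamp: orphaned, metadata cleanup candidate'
    } elseif ($daysSilent -gt $tombstoneDays) {
        "offline $daysSilent days (> tombstone lifetime): metadata cleanup candidate"
    } else {
        "offline $daysSilent days: demote gracefully (dcpromo) before the tombstone lifetime passes"
    }

    [pscustomobject]@{
        Server    = $server.Name
        Site      = $siteName
        LastLogon = $lastLogon
        Reachable = $reachable
        Verdict   = $verdict
    }
}

Write-Host "Forest tombstone lifetime: $tombstoneDays days"
$report | Sort-Object Server | Format-Table -AutoSize
```

Run it from one of the healthy DCs before touching anything; a server that is unreachable and has a computer account silent for longer than the tombstone lifetime is the case Mike describes, while one still inside that window is better demoted cleanly than deleted.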
 
LVL 1

Author Comment

by:cuiinc
ID: 39626130
when i'm running dcpromo, it gives me the error: "The operation failed because: Managing the network session with [ourprimaryDC.domain.com] failed.  'Logon failure: the target account name is incorrect.' "

I'm logged into this old DC as our primary administrator, which is a member of the domain admins group.  Further, while running dcpromo, I was never prompted to enter any user credentials.  The most I was prompted for was to specify a new administrator password.  I'm not sure what this is for, but it doesn't matter what I enter here, the AD install wizard still fails.  Any ideas?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39626139
Do you plan to wipe this box or do you want to still use it for something else? You could use dcpromo /forceremoval and then metadata cleanup, or try and fight through all the errors
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 2000 total points
ID: 39626174
You are getting the error "Logon Failure: target account name is incorrect"; this indicates that the secure channel between the DCs is broken.

Refer below link to fix the issue:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

Alternately, as you are planning to remove the old DC instead of fixing the error, you can forcefully demote the DC followed by metadata cleanup as Mike suggested. If the faulty DC is the FSMO role holder server then you need to seize the FSMO roles on the other DC.

Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Also don't forget to configure the authoritative time server role on the PDC role holder server. http://support.microsoft.com/kb/816042.

Once metadata cleanup is performed, verify the health of the online DC by dcdiag /q and repadmin /replsum. I would also recommend taking a backup of the old DC before you proceed with demotion.
 
Hope this helps
 
LVL 1

Author Comment

by:cuiinc
ID: 39628988
I'm trying to fix the secure channel between DCs, per your article (http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/).  Am I correct in assuming "Server1" is my current, working DC, and "Server2" is this old DC, which I'm trying to decommission, and which isn't recognizing or perhaps getting replica info from my PDC?

Also, I'm confused by Step #4:
"4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter."

Am I REQUIRED to reset the DC account password for the user "domain.com\administrator" or can this be any Domain Admin account within our organization?  We currently don't have or use domain.com\administrator...
 
LVL 24

Accepted Solution

by:Sandeshdubey
Sandeshdubey earned 2000 total points
ID: 39629143
Yes, you are correct: "Server1" is the working/healthy DC and "Server2" is the old DC whose secure channel is broken.

As the secure channel of Server2 is broken:

1. You need to stop the KDC service on server2, load kerbtray and purge the tickets on server2.

2. Then log on to server1 and execute the reset command: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password

3. Run repadmin /syncall /AdeP to sync on server2.

4. Start KDC on Server2, force replication by repadmin or AD Sites and Services, and check the health of the DC.

You can use a domain admin account to perform the same.