• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 798
  • Last Modified:

AD Sites/Servers Domain Controller deletion

Hi all,
Can someone help shed some light on the role of AD Sites and Services > Sites > Default-First-Site-Name > Servers?  I'm assuming these are records of domain controllers.  

When I log in to this path, I see 4 servers, 2 of which are my current DCs.  The other 2 servers are old DCs, one of which is long gone, and one of which is currently powered off.  Can I just delete these 2 old servers?  Should I at least power on the existing old DC and run dcpromo on it?  

domain functional level = server 2003
1 Primary DC (server 2008 R2)
1 backup DC (server 2008 R2)

Thanks in advance!
0
cuiinc
Asked:
cuiinc
  • 2
  • 2
  • 2
2 Solutions
 
Mike KlineCommented:
Yes delete the one that is long gone.   The one that is powered off if you haven't gracefully demoted it doing that is what I'd do.   How long has it been off?  If it longer than the Tombestone Lifetime you can delete it using metadata cleanup procedures

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
 
cuiincAuthor Commented:
when i'm running dcpromo, it gives me the error: "The operation failed because: Managing the network session with [ourprimaryDC.domain.com] failed.  'Logon failure: the target account name is incorrect.' "

I'm logged into this old DC as our primary administrator, which is a member of the domain admins group.  Further, while running dcpromo, i was never prompted to enter any user credentials.  The most i was prompted for was to specify a new administrator password.  I'm not sure what this is for, but it doesn't matter what i enter here, the AD install wizard still fails.  any ideas????
0
 
Mike KlineCommented:
Do you plan to wipe this box or do you want to still use it for something else?   You could use dcpromo /forceremoval  and then metadata cleanup or try and fight through all the errors
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
SandeshdubeySenior Server EngineerCommented:
You are getting error "Logon Failure: target account name is incorrect" this indicates that the secure channel between the DC's are broken.

Refer below link to fix the issue:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

Alternaltely as you are planning to remove old dc instead of fixing the error you can forcefully demote DC followed by metadata cleanup as Mike suggested.If faulty DC is fsmo role holder server the you need to seize the FSMO role on other DC.

Forcefull removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Also dont forget to configure authorative time server role on PDC role holder server. http://support.microsoft.com/kb/816042.

Once metadata cleanup is performed verify the health of online DC by dcdiag /q and repadmin /replsum.I will also recommend to take backup of old DC before you proceed with demotion.
 
Hope this helps
0
 
cuiincAuthor Commented:
I'm trying to fix the secure channel between DCs, per your article (http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/).  Am I correct in assuming "Server1" is my current, working DC, and "Server2" is this old DC, which I'm trying to decomission, and which isn't recognizing or perhaps getting replica info from my PDC?

Also, I'm confused by Step #4:
"4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter."

Am I REQUIRED to reset the DC acct pswrd for the user "domain.com\administrator" or can this be any Domain Admin acct within our organization?  We currently don't have or use domain.com\administrator...
0
 
SandeshdubeySenior Server EngineerCommented:
yes, you are correct "Server1" is working/healthy DC and "Server2" is old DC whose secure channel is broken.

As the secure channel of Server2 is broken.

1.You need to stop KDC service on server2,load kerbtray and purge the ticket on server2.

2.Then logon to server1 and execute the reset command.netdom /resetpwd /server:server2
 /userd:domain.com\administrator /passwordd:password.

3.Run repadmin /syncall /AdeP to sync on server2.

4.start kdc on Server2 and force replication by repadmin or AD sites and services and check the health of DC.

You can use domain admin account to perform the same.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now