Solved

AD Sites/Servers Domain Controller deletion

Posted on 2013-11-05
6
752 Views
Last Modified: 2013-11-07
Hi all,
Can someone help shed some light on the role of AD Sites and Services > Sites > Default-First-Site-Name > Servers?  I'm assuming these are records of domain controllers.  

When I log in to this path, I see 4 servers, 2 of which are my current DCs.  The other 2 servers are old DCs, one of which is long gone, and one of which is currently powered off.  Can I just delete these 2 old servers?  Should I at least power on the existing old DC and run dcpromo on it?  

domain functional level = server 2003
1 Primary DC (server 2008 R2)
1 backup DC (server 2008 R2)

Thanks in advance!
0
Comment
Question by:cuiinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39625728
Yes delete the one that is long gone.   The one that is powered off if you haven't gracefully demoted it doing that is what I'd do.   How long has it been off?  If it longer than the Tombestone Lifetime you can delete it using metadata cleanup procedures

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
 
LVL 1

Author Comment

by:cuiinc
ID: 39626130
when i'm running dcpromo, it gives me the error: "The operation failed because: Managing the network session with [ourprimaryDC.domain.com] failed.  'Logon failure: the target account name is incorrect.' "

I'm logged into this old DC as our primary administrator, which is a member of the domain admins group.  Further, while running dcpromo, i was never prompted to enter any user credentials.  The most i was prompted for was to specify a new administrator password.  I'm not sure what this is for, but it doesn't matter what i enter here, the AD install wizard still fails.  any ideas????
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39626139
Do you plan to wipe this box or do you want to still use it for something else?   You could use dcpromo /forceremoval  and then metadata cleanup or try and fight through all the errors
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
ID: 39626174
You are getting error "Logon Failure: target account name is incorrect" this indicates that the secure channel between the DC's are broken.

Refer below link to fix the issue:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

Alternaltely as you are planning to remove old dc instead of fixing the error you can forcefully demote DC followed by metadata cleanup as Mike suggested.If faulty DC is fsmo role holder server the you need to seize the FSMO role on other DC.

Forcefull removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Also dont forget to configure authorative time server role on PDC role holder server. http://support.microsoft.com/kb/816042.

Once metadata cleanup is performed verify the health of online DC by dcdiag /q and repadmin /replsum.I will also recommend to take backup of old DC before you proceed with demotion.
 
Hope this helps
0
 
LVL 1

Author Comment

by:cuiinc
ID: 39628988
I'm trying to fix the secure channel between DCs, per your article (http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/).  Am I correct in assuming "Server1" is my current, working DC, and "Server2" is this old DC, which I'm trying to decomission, and which isn't recognizing or perhaps getting replica info from my PDC?

Also, I'm confused by Step #4:
"4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter."

Am I REQUIRED to reset the DC acct pswrd for the user "domain.com\administrator" or can this be any Domain Admin acct within our organization?  We currently don't have or use domain.com\administrator...
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39629143
yes, you are correct "Server1" is working/healthy DC and "Server2" is old DC whose secure channel is broken.

As the secure channel of Server2 is broken.

1.You need to stop KDC service on server2,load kerbtray and purge the ticket on server2.

2.Then logon to server1 and execute the reset command.netdom /resetpwd /server:server2
 /userd:domain.com\administrator /passwordd:password.

3.Run repadmin /syncall /AdeP to sync on server2.

4.start kdc on Server2 and force replication by repadmin or AD sites and services and check the health of DC.

You can use domain admin account to perform the same.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question