[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775
  • Last Modified:

AD Sites/Servers Domain Controller deletion

Hi all,
Can someone help shed some light on the role of AD Sites and Services > Sites > Default-First-Site-Name > Servers?  I'm assuming these are records of domain controllers.  

When I log in to this path, I see 4 servers, 2 of which are my current DCs.  The other 2 servers are old DCs, one of which is long gone, and one of which is currently powered off.  Can I just delete these 2 old servers?  Should I at least power on the existing old DC and run dcpromo on it?  

domain functional level = server 2003
1 Primary DC (server 2008 R2)
1 backup DC (server 2008 R2)

Thanks in advance!
0
cuiinc
Asked:
cuiinc
  • 2
  • 2
  • 2
2 Solutions
 
Mike KlineCommented:
Yes delete the one that is long gone.   The one that is powered off if you haven't gracefully demoted it doing that is what I'd do.   How long has it been off?  If it longer than the Tombestone Lifetime you can delete it using metadata cleanup procedures

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
 
cuiincAuthor Commented:
when i'm running dcpromo, it gives me the error: "The operation failed because: Managing the network session with [ourprimaryDC.domain.com] failed.  'Logon failure: the target account name is incorrect.' "

I'm logged into this old DC as our primary administrator, which is a member of the domain admins group.  Further, while running dcpromo, i was never prompted to enter any user credentials.  The most i was prompted for was to specify a new administrator password.  I'm not sure what this is for, but it doesn't matter what i enter here, the AD install wizard still fails.  any ideas????
0
 
Mike KlineCommented:
Do you plan to wipe this box or do you want to still use it for something else?   You could use dcpromo /forceremoval  and then metadata cleanup or try and fight through all the errors
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
SandeshdubeyCommented:
You are getting error "Logon Failure: target account name is incorrect" this indicates that the secure channel between the DC's are broken.

Refer below link to fix the issue:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95

Alternaltely as you are planning to remove old dc instead of fixing the error you can forcefully demote DC followed by metadata cleanup as Mike suggested.If faulty DC is fsmo role holder server the you need to seize the FSMO role on other DC.

Forcefull removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Also dont forget to configure authorative time server role on PDC role holder server. http://support.microsoft.com/kb/816042.

Once metadata cleanup is performed verify the health of online DC by dcdiag /q and repadmin /replsum.I will also recommend to take backup of old DC before you proceed with demotion.
 
Hope this helps
0
 
cuiincAuthor Commented:
I'm trying to fix the secure channel between DCs, per your article (http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/).  Am I correct in assuming "Server1" is my current, working DC, and "Server2" is this old DC, which I'm trying to decomission, and which isn't recognizing or perhaps getting replica info from my PDC?

Also, I'm confused by Step #4:
"4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter."

Am I REQUIRED to reset the DC acct pswrd for the user "domain.com\administrator" or can this be any Domain Admin acct within our organization?  We currently don't have or use domain.com\administrator...
0
 
SandeshdubeyCommented:
yes, you are correct "Server1" is working/healthy DC and "Server2" is old DC whose secure channel is broken.

As the secure channel of Server2 is broken.

1.You need to stop KDC service on server2,load kerbtray and purge the ticket on server2.

2.Then logon to server1 and execute the reset command.netdom /resetpwd /server:server2
 /userd:domain.com\administrator /passwordd:password.

3.Run repadmin /syncall /AdeP to sync on server2.

4.start kdc on Server2 and force replication by repadmin or AD sites and services and check the health of DC.

You can use domain admin account to perform the same.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now