default-first-site-name points to orphaned dc

Posted on 2014-12-30
Last Modified: 2014-12-30
I had a dying dc (which also held all roles).
Was able to transfer roles before it died.
Could not run dcpromo before it died.
Cleared up metadata using Active Directory Users and Computers as per this article: http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx#bkmk_graphical
I want to promote another server using a different name, but same ip address.
To do that, I wanted to make sure that DNS was clean and found some instances of the original server in DNS.
Additionally, found that the original server is referenced as the only server in Default First Sites under Forward Lookup Zones, DomainDNSZones, and ForestDNSZones.
The domain has been divided into two sites as well, which we will call SITE-1 and SITE-2
Services look correct in them (except for the extra orphaned server entry in SITE-1)
All existing dc pass all tests in dcdiag.

Do I need to do anything to the Default First Sites entries?
Am I safe to delete the extra entries for the orphaned server under SITE-1?

Thoughts? Things I should look out for?

Thanks!
Question by:dustypenguin
Author Comment

by:dustypenguin
ID: 40523716
Note ... also noticed that the original server is the only entry in "Forward Lookup Zones ---> <DomainName> ---> _msdcs ....
Expert Comment

by:DrDave242
ID: 40523838
Deleting the records that refer to the defunct DC shouldn't cause a problem, but these statements are a little worrisome:

Additionally, found that the original server is referenced as the only server in Default First Sites under Forward Lookup Zones, DomainDNSZones, and ForestDNSZones.
Note ... also noticed that the original server is the only entry in "Forward Lookup Zones ---> <DomainName> ---> _msdcs ....
Would you mind posting screenshots of each of these locations?
Expert Comment

by:David Johnson, CD, MVP
ID: 40523878
I had a dying dc (which also held all roles).
Was able to transfer roles before it died.

The server that you transferred the roles to should be the one to replace the older server in those locations.
Author Comment

by:dustypenguin
ID: 40523880
Remember that the DNS is divided into two sites, and the Default First Site Name entries may be redundant (left over? Not sure of that, hence my question).

I'm getting that idea from this link https://social.technet.microsoft.com/Forums/windowsserver/en-US/9cdae960-f3e5-414b-87b3-40e3c6b0eafe/new-sites-and-services-setup-now-but-defaultfirstsitename-still-in-dns?forum=winserverDS

A little leery of posting a screenshot. Will see what I can do to clean one up.
Expert Comment

by:DrDave242
ID: 40524028
Sorry - the only reason I asked for a screenshot is so that I can be certain of the locations you're referring to. I'll do what I can without one, but I'll be making a couple of assumptions.

Additionally, found that the original server is referenced as the only server in Default First Sites under Forward Lookup Zones, DomainDNSZones, and ForestDNSZones.
DomainDnsZones\sites\Default-First-Site-Name\_tcp should contain _ldap SRV records for each domain controller in the domain that's located in the Default-First-Site-Name site and is also a DNS server.
ForestDnsZones\sites\Default-First-Site-Name\_tcp should contain _ldap SRV records for each domain controller in the forest that's located in the Default-First-Site-Name site and is also a DNS server.
If the forest contains a single domain, the records in these two locations will be identical.
If the forest was created back in the days of Windows 2000 (before the DomainDnsZones and ForestDnsZones partitions existed), your mileage may vary.

Note ... also noticed that the original server is the only entry in "Forward Lookup Zones ---> <DomainName> ---> _msdcs ....
Are you referring to the gray _msdcs folder within the DomainName zone? If so, that's the delegation that is supposed to contain name server (NS) records for each DNS server which hosts a copy of the _msdcs.DomainName zone. I have seen this delegation fail to update as new DNS servers are added, and it's simple to fix. Just right-click that gray folder and select Properties. In the Name Servers tab, click Add and add entries for each DNS server which hosts a copy of the _msdcs.DomainName forward lookup zone.
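As an added example (not code from the thread or from either participant), the following PowerShell audit implements the two checks DrDave242 describes: it compares the site-specific _ldap SRV records under DomainDnsZones and ForestDnsZones against the sites and DCs that actually exist in AD, and checks the _msdcs delegation (the NS records at the grey _msdcs folder) against the DCs that host the _msdcs zone. It assumes the RSAT DnsServer and ActiveDirectory modules; $Domain and $DnsServer are placeholders.

```powershell
# Added example, not code from the thread. Audits the two things discussed above:
# site-specific _ldap SRV records under DomainDnsZones/ForestDnsZones, and the
# _msdcs delegation (NS records). Needs the RSAT DnsServer/ActiveDirectory modules.
Import-Module DnsServer, ActiveDirectory

$Domain    = "corp.example"       # placeholder: your AD domain's DNS name
$DnsServer = "dc02.corp.example"  # placeholder: a surviving DC that hosts the zone

# Ground truth from AD: live DC host names and the sites that actually exist.
$liveDCs  = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() }
$sites    = Get-ADReplicationSite -Filter *  | ForEach-Object { $_.Name }
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($where, $target, $issue) {
    $findings.Add([pscustomobject]@{ Where = $where; Target = $target; Issue = $issue })
}

# 1. Site-specific _ldap SRV records. Relative to the domain zone they are named
#    _ldap._tcp.<Site>._sites.DomainDnsZones (and the same under ForestDnsZones).
$pattern = '^_ldap\._tcp\.(?<site>[^.]+)\._sites\.(?<part>DomainDnsZones|ForestDnsZones)$'
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -RRType Srv |
  Where-Object { $_.HostName -match $pattern } |
  ForEach-Object {
    $null   = $_.HostName -match $pattern       # repopulate $Matches in this scope
    $where  = "$($Matches['part'])\_sites\$($Matches['site'])"
    $target = $_.RecordData.DomainName.TrimEnd('.').ToLower()
    if ($sites -notcontains $Matches['site']) {
        Add-Finding $where $target "site no longer exists in AD Sites and Services"
    } elseif ($liveDCs -notcontains $target) {
        Add-Finding $where $target "SRV target is not a current DC (orphaned record)"
    }
  }

# 2. The _msdcs delegation: NS records stored at the name "_msdcs" inside the domain
#    zone. Every DC hosting _msdcs.<domain> belongs there; decommissioned DCs do not.
$delegated = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
               -Name "_msdcs" -RRType NS -ErrorAction SilentlyContinue |
             ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() }
foreach ($ns in $delegated) {
    if ($liveDCs -notcontains $ns) {
        Add-Finding "_msdcs delegation" $ns "NS record points at a DC that no longer exists"
    }
}
foreach ($dc in $liveDCs) {
    $hostsZone = Get-DnsServerZone -ComputerName $dc -Name "_msdcs.$Domain" -ErrorAction SilentlyContinue
    if ($hostsZone -and $delegated -notcontains $dc) {
        Add-Finding "_msdcs delegation" $dc "hosts the _msdcs zone but is missing from the delegation"
    }
}
$findings | Format-Table -AutoSize
```

Run it read-only first; it only reports, and each finding maps to one of the manual fixes described in the thread (delete the orphaned SRV record or site folder, or add the missing name server on the delegation's Name Servers tab).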

Author Comment

by:dustypenguin
ID: 40524088
   DomainDnsZones\sites\Default-First-Site-Name\_tcp should contain _ldap SRV records for each domain controller in the domain that's located in the Default-First-Site-Name site and is also a DNS server.

    ForestDnsZones\sites\Default-First-Site-Name\_tcp should contain _ldap SRV records for each domain controller in the forest that's located in the Default-First-Site-Name site and is also a DNS server.

This is where I am a little hazy. Under _sites there are three entries: Default-First-Site-Name, SITE1 and SITE2. The original site back in history was broken into SITE1 and SITE2. The _tcp entries for SITE1 and SITE2 correspond correctly to the servers in each location. There is, in reality, no site that corresponds to Default-First-Site-Name .... Does that make it either discardable, or ignorable?

Just above the _sites entry is the _msdcs entry (yes, it is grey), that only has the now defunct server listed.  I understand you to believe I should still add new servers there in that scenario, correct?

Thanks for your time.

I have not given up on doing a screen shot, and will get one up eventually.
Expert Comment

by:DrDave242
ID: 40524129
The _tcp entries for SITE1 and SITE2 correspond correctly to the servers in each location.  There is, in reality no site that corresponds to Default-First-Site-Name .... Does that make it either discardable, or ignorable?
Either one. It's not hurting anything by remaining in DNS, but since it doesn't refer to an actual site, it's not serving any purpose either. Personally, I'd get rid of it, in the interest of keeping DNS as clean as possible, but it's up to you.

Just above the _sites entry is the _msdcs entry (yes, it is grey), that only has the now defunct server listed.  I understand you to believe I should still add new servers there in that scenario, correct?
Correct. That delegation is serving a purpose - directing queries for records in the _msdcs zone to the servers that host a copy of that zone - so it should be updated with records corresponding to those servers.

Author Comment

by:dustypenguin
ID: 40524335
So here is the screenshot.
Red ovals are where there is a reference to (and only to) the orphaned DC. Note that the bottom one points to the last entry in ForestDnsZones\sites\Default-First-Site-Name\_tcp. I should delete the orphaned server from these folders, and leave them blank?

The pink oval is the aforementioned _msdcs zone, to which you suggest I add the now authoritative servers, and I assume delete the entry for the orphaned server.

I have already deleted other references to the orphaned server in the SITE2 folders.

Thanks for your help, it has been a learning experience.
Clipboard02.jpg
Accepted Solution

by: DrDave242 (earned 2000 total points)
ID: 40524360
Thanks! You can delete those Default-First-Site-Name folders entirely, since there's no longer an existing site with that name.

The pink oval is the aforementioned _msdcs zone that you suggest I add the now authoritative servers, and I assume delete the entry to the orphaned server.
Yep, that's exactly right.

Author Closing Comment

by:dustypenguin
ID: 40524373
Thanks DrDave!  Appreciated your patience while I got it all clear in my own mind as well.