Cannot Remove the cname record in the _msdcs.root domain of forest zone in DNS

I'm trying to finish cleanup after having to seize fsmo roles from the operations master which failed in our domain.  Seizure of the roles went well, Metadata cleanup (MS KB Article 216498) went perfectly up to item 17, where it says,

Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the DCs that exist to use the old cname record.

I can drill down to _msdcs.root and find the CNAME reference to the defunct server, but can't delete it.  When I click the CNAME to select it, the red X in the MMC turns black.  Here's a screenshot showing the MMC:  

[Screenshot: DNS MMC. Note the black X.]
Can anybody offer a possible solution to this?
dcmathis asked:

Will Szymkowski, Senior Solution Architect, commented:
To cleanup the SRV records all you should have to do is stop/start the netlogon service on the domain controllers.

Will.
dcmathis (author) commented:
Thanks Will, but that didn't work.  The dead server, teller, is still showing up in the _msdcs.gvnw.com area as well as elsewhere in the forward lookup zones area.  Can't delete it anywhere.  I thought that maybe some of the roles didn't get moved during the seize, but everything shows to be where it's supposed to be.
Will Szymkowski, Senior Solution Architect, commented:
What is the exact error message when you try to delete it?

Are you using an account that has the proper permissions?

Will.

dcmathis (author) commented:
Don't get an error.  The option just doesn't exist.  The X that is in the toolbar is black instead of red. Also, if I right-click on the CNAME entry, my only options are Properties and Help.
Will Szymkowski, Senior Solution Architect, commented:
Can you click on the entry and just press delete or backspace?
dcmathis (author) commented:
Oh, and yes, I'm using an account with the proper permissions.
dcmathis (author) commented:
No sir.  Backspace and Delete have no effect.
Will Szymkowski, Senior Solution Architect, commented:
What I would recommend you try is doing this from an elevated command prompt using the DnsCmd command.

See what error you get from there might provide more detail.

Will.
dcmathis (author) commented:
Interestingly, I can delete from the reverse lookup zones with no problem.
dcmathis (author) commented:
Which switch would you recommend?  Initially I thought /RecordDelete, but I'm not sure that's the one I need to use.
Will Szymkowski, Senior Solution Architect, commented:
Yes use RecordDelete switch. I have provided an example below...
dnscmd dc.example.com /RecordDelete example.com testdelete A /F

That should do it.

Will.
dcmathis (author) commented:
Thanks Will.  I've got a question on usage.  We have a single domain forest.  Four sites, one DC in each site (well except for the site where the dc died).  The DC that died was in the Colorado site (dc-colorado.domain.com with ip of 172.24.54.9).  The server that seized the fsmo is in the Texas site (dc-texas.domain.com).  

Given that the syntax and usage for the command is this:
Usage: DnsCmd <ServerName> /RecordDelete <Zone> <NodeName>
              <RRType> <RRData> [/f]

  NOTE: Deletion of RRSIG and NSEC records is not supported.
  <Zone>      -- FQDN of a zone of /RootHints or /Cache
  <NodeName>  -- name of node from which a record will be deleted
                   - "@" for zone root OR
                   - FQDN of a node (DNS name with a '.' at the end) OR
                   - single label for name relative to zone root ) OR
                   - service name for SRV only (e.g. _ftp._tcp)
  <RRType>:       <RRData>:
    A             <IP Address>
    SRV           <Priority> <Weight> <Port> <HostName>
    AAAA          <IPv6 Address>
    MX            <Preference> <ServerName>
    NS,CNAME,PTR  <HostName>
    For help on how to specify the <RRData> for other record
      types see "DnsCmd /RecordAdd /?"
    If <RRData> is not specified deletes all records with of specified type
  /f --  Execute without asking for confirmation

I'm thinking that my syntax should be something like this.

dnscmd dc-texas.domain.com /recorddelete domain.com dc-colorado.domain.com A:172.24.54.9/f

Am I even close to right?
Will Szymkowski, Senior Solution Architect, commented:
Yeah that looks good. You might want to put a space after 9 /F.

Will.
dcmathis (author) commented:
Hmm... I'm getting an error:

Command failed:  ERROR_INVALID_PARAMETER     87    0x57

Check the required arguments and format of your command.

Any thoughts?
Will Szymkowski, Senior Solution Architect, commented:
Try doing it exactly like I did in my example. This worked in my lab environment with no issues.  I have modified yours below...

dnscmd dc-texas.domain.com /recorddelete domain.com dc-colorado A /f

For the NodeName just type dc-colorado

Will.
dcmathis (author) commented:
Nope, that gives a different error:

Command failed:  DNS_ERROR_INVALID_ZONE_TYPE     9611    0x258B

dcmathis (author) commented:
Will, I think I know what's happening, although I don't know what to do about it.  The zone that I'm trying to remove the record from is a secondary zone.  The primary zone was housed on the DC that went down.  I successfully seized the FSMO roles, but apparently I'm not in charge of DNS at this time.  So I THINK that's why I'm getting the invalid zone type error.

Any thoughts?
Will Szymkowski, Senior Solution Architect, commented:
Secondary Zone? Why would you have one of those? Secondary Zones are read-only. If this is a DC then it should not have any Secondary Zones for the domain; they should all be primary and AD-integrated.

Will.
dcmathis (author) commented:
Well, the DC that died housed DNS originally and was also the PDC under Windows 2000.  At that time and until fairly recently, all internet traffic left our organization via our Colorado location, so having a primary DNS in each office wasn't that necessary.  As we moved forward, the roles were kept the same even until Server 2008 R2.  We have a DC in each of four different locations around the country.  As for why we have it that way, and never changed it, I suppose that the most likely answer is, "it seemed like a good idea at the time."

The question now is what can we do about it.  I know that I can configure a new primary zone in each location, but we really need some of the information from the existing secondary.
Will Szymkowski, Senior Solution Architect, commented:
So to answer your initial question, you cannot remove records from Secondary Zones because they are read-only. This is why those commands that I provided earlier will not work.

However, I would remove the secondary zone and just create a new Primary Zone. You can take a screenshot of the secondary zone and add these records after the Primary Zone is created.

Will.
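An added example (not code from the thread or from Will): a PowerShell script that checks the zone type first, so the read-only failure seen above is reported up front instead of as DNS_ERROR_INVALID_ZONE_TYPE, and then finds stale CNAMEs by the dead DC's FQDN rather than by guessing the NTDS Settings GUID. Server, zone and DC names are placeholders modelled on the thread's sanitized examples.

```powershell
# Added example, not code from the thread. Finds and removes CNAME records in a zone that
# still point at a decommissioned DC, but only after confirming the zone is writable here.
# All names below are assumptions/placeholders taken from the thread's sanitized examples.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DnsServer = 'dc-texas.domain.com',       # surviving DC to query (assumption)
    [string]$ZoneName  = '_msdcs.domain.com',         # zone holding the GUID CNAME (assumption)
    [string]$DeadDc    = 'dc-colorado.domain.com'     # FQDN of the DC that was removed (assumption)
)

Import-Module DnsServer -ErrorAction Stop

$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName -ErrorAction Stop

# Secondary and stub zones are read-only copies; deleting here fails with
# DNS_ERROR_INVALID_ZONE_TYPE (9611), exactly as seen in the thread.
if ($zone.ZoneType -ne 'Primary') {
    $masters = ($zone.MasterServers | ForEach-Object { $_.IPAddressToString }) -join ', '
    Write-Warning ("Zone '{0}' on {1} is {2} (master(s): {3})." -f $ZoneName, $DnsServer, $zone.ZoneType, $masters)
    Write-Warning 'Remove the record on the primary, or recreate this zone as a primary (AD-integrated) zone first.'
    return
}

# Match CNAMEs by their target, so the NTDS Settings GUID label need not be known in advance.
$target = ($DeadDc.TrimEnd('.') + '.').ToLower()
$stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias.ToLower() -eq $target }

if (-not $stale) {
    Write-Host "No CNAME records in $ZoneName point at $DeadDc."
    return
}

foreach ($rec in $stale) {
    # Running the script with -WhatIf lists what would be removed without touching DNS.
    $desc = "$($rec.HostName).$ZoneName -> $($rec.RecordData.HostNameAlias)"
    if ($PSCmdlet.ShouldProcess($desc, 'Remove CNAME')) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -InputObject $rec -Force
    }
}
```

Run it first with -WhatIf from an account that administers DNS; once the zone has been recreated as a primary, the same script performs the delete that dnscmd could not.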

dcmathis (author) commented:
Sounds like a plan.  Thanks for all of your help, Will.  Sorry to have led both of us on a wild goose chase.
dcmathis (author) commented:
Although my question wasn't answered in the manner that I was looking for, Will stuck with me until I figured out what the problem actually was and how to take care of it.