Is it proper/safe to remove dns role from a demoted DC server?
Hi,
I have demoted a number of DC's recently and I see that DNS server role is still installed on all of them. Also I see in the reverse lookup zones that all the old Name server records are still there. My dns is integrated with AD.
1. Once I demote the old DC, can remove dns server role from that machine safely? I dont want zones disappearing or anything of that nature.
2. Do I have to manually delete all old name server records?
I have demoted a number of DC's recently and I see that DNS server role is still installed on all of them. Also I see in the reverse lookup zones that all the old Name server records are still there. My dns is integrated with AD.
1. Once I demote the old DC, can remove dns server role from that machine safely? I dont want zones disappearing or anything of that nature.
2. Do I have to manually delete all old name server records?
ADDS and DNS role won't automatically get removed when you demote DC
You have to manually remove those roles
Any standard primary forward / reverse lookup zones exists on DC won't get removed when you demote DC, DC demotion only remove AD integrated DNS zones from that server
hence simply uninstall ADDS and DNS server role from decommissioned server
You have to manually remove those roles
Any standard primary forward / reverse lookup zones exists on DC won't get removed when you demote DC, DC demotion only remove AD integrated DNS zones from that server
hence simply uninstall ADDS and DNS server role from decommissioned server
ASKER
Thank you Mahesh.
I took a look at the reverse zone and it shows that they are ad integrated.
reverse-zone.PNG
I took a look at the reverse zone and it shows that they are ad integrated.
reverse-zone.PNG
Then Are you sure that active directory is decommissioned from server?
Check if DC object is still available in domain controllers OU etc or if netlogon and Sysvol shares are still available on DC
If you are sure DC is decommissioned, simply decommissioned DNS role along with ADDS role and you should be fine
After that from other healthy DC, check and ensure you remove decommission DC entries if any from NS record / SRV records etc under domain.com zone and _msdcs.domain.com zone
Check if DC object is still available in domain controllers OU etc or if netlogon and Sysvol shares are still available on DC
If you are sure DC is decommissioned, simply decommissioned DNS role along with ADDS role and you should be fine
After that from other healthy DC, check and ensure you remove decommission DC entries if any from NS record / SRV records etc under domain.com zone and _msdcs.domain.com zone
ASKER
Yes. Its for sure decommissioned. When I demote and it asks if I want to delete dns delegations I have been answering no. Would that be the reason?
If you could please clarify for me about dns, since I am using AD integrated zones, that means that dns is stored in AD, so as long as I dont delete the last domain controller in my network then I dont have to worry about disappearing zones. Is that true? As opposed to primary zones which I would have to worry about location of dns server?
If you could please clarify for me about dns, since I am using AD integrated zones, that means that dns is stored in AD, so as long as I dont delete the last domain controller in my network then I dont have to worry about disappearing zones. Is that true? As opposed to primary zones which I would have to worry about location of dns server?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your help.
When you decommission DC server, demoted DC must be automatically removed from ad integrated zone
what reverse zones you are viewing are must be non ad integrated zones (standard primary reverse zones) and hence they are still there as demoting DC won't remove them
Just ensure if your other DC's have those reverse lookup zones as AD integrated DNS zones