Complete Step by Step to Remove an Orphaned Domain Controller - AD and Exchange Quantum Singularity
Preface
I think at this time you're probably thinking, "What, another blog on how to remove an orphaned DC?" I know. There are many out there, and I commend all the ones I've read. I
thought to put together a complete step by step with all the little nuances that are involved, with links and explanations. If I've forgotten any, or made a mistake, I do hope
someone is kind enough to post a comment saying so. I would do the same.
In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question isn't usually asked
directly, because in some cases people may not have realized these steps are required. Rather, how to remove an orphaned DC is normally the answer after diagnosing a specific DC or
replication issue: not being able to introduce a new DC with the same name as a failed one, a DC that was lost and is now generating numerous Event log replication errors as well as
DCDIAG and other errors, or something as simple as having run the procedure but forgotten a step or two.
To point out, many of the steps were taken from the following link, but I've expanded on the steps and added additional information, links, and explanations.
How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846
1/9
10/8/13
Complete Step by Step to Remove an Orphaned Domain Controller - AD and Exchange Quantum Singularity
http://support.microsoft.com/kb/325473
How to migrate a DHCP database from Windows 2000 Server to Windows, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/howto-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008r2.aspx
Was WINS installed?
If you don't have a backup from which you can retrieve the WINS database, your best bet is to reinstall the WINS service and start from scratch. If the WINS server had a replication
partner, you can possibly use that to re-initialize the database. If you do have a backup and can restore the WINS files, follow this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419
Was DNS installed?
No worries, as long as the zones were AD Integrated. They'll replicate over from another DC automatically, so there is no need to manually create the zones. If you do
manually create zones that are AD Integrated, you'll introduce a duplicate zone issue in the AD database, and cleaning that up is another topic.
Any other applications or services installed?
Depending on the application or service installed, hopefully you'll have a backup from which you can retrieve the files; otherwise you'll have to reinstall. For any third party
application, refer to the documentation or contact the vendor for assistance.
2. Use the following knowledgebase article to run a Metadata Cleanup to remove the common Domain Controller objects and settings from Active Directory.
A. For Windows 2003
NTDSUTIL in 2003 and newer automatically removes the Computer Account and FRS objects from Active Directory, but if you like, you can still use these steps to
ensure the objects were removed.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
B. For Windows 2000, you must use ADSIEdit to remove the Computer Account and the FRS object from Active Directory.
Use ADSIEdit to delete the computer account. To do this, follow these steps:
msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain Name, DC=COM (or PRI, LOCAL, NET).
4. Expand OU=Domain Controllers.
5. Right-click CN=domain controller name, and then click Delete.
If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the
UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click
UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.
Note: The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain, DC=COM (or PRI, LOCAL, NET).
4. Expand CN=System.
5. Expand CN=File Replication Service.
6. Expand CN=Domain System Volume (SYSVOL share).
7. Right-click the domain controller you are removing, and then click Delete.
3. If the failed DC held any of the FSMO roles, you need to seize those roles on an alternative Domain Controller.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504
How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801
4. If the failed DC held the PDC Emulator role, you need to configure a new authoritative time server in the domain. The first link is my blog with complete steps. It was compiled
using the following two Microsoft KBs, among other links.
Configuring the Windows Time Service for Windows Server
Scroll down to the section "Transferring the PDC Emulator Role"
Published by acefekay on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
How to configure an authoritative time server in Windows 2000
http://support.microsoft.com/kb/216734
How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042
5. Remove the old computer account by using the "Active Directory Sites and Services" tool.
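A read-only audit of what steps 2 through 5 remove, added here as an example (it is not the author's code and not from the linked KBs). It assumes the ActiveDirectory PowerShell module from RSAT (Windows Server 2008 R2 or later management host, so not the Windows 2000/2003 boxes themselves), a surviving DC to query, and uses DC2 as a placeholder name for the failed DC:

```powershell
# Added example (not from the blog post): read-only audit of what steps 2 through 5 remove.
# It reports leftovers of a failed DC in AD; it deletes nothing. Assumes the ActiveDirectory
# module (RSAT, Windows Server 2008 R2 or later) and a surviving DC to query.
# The DC name below is a constructed placeholder.
Import-Module ActiveDirectory

$FailedDc = 'DC2'                                   # NetBIOS name of the orphaned DC
$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName
$ConfigDn = (Get-ADRootDSE).configurationNamingContext
$Findings = @()

# 1. Computer account under OU=Domain Controllers (the ADSIEdit steps in 2B delete this)
$computer = Get-ADObject -SearchBase "OU=Domain Controllers,$DomainDn" `
    -LDAPFilter "(&(objectClass=computer)(cn=$FailedDc))" -ErrorAction SilentlyContinue
if ($computer) { $Findings += "Computer account still present: $($computer.DistinguishedName)" }

# 2. Server object and its NTDS Settings in the Configuration partition (Sites and Services, step 5)
$server = Get-ADObject -SearchBase "CN=Sites,$ConfigDn" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -ErrorAction SilentlyContinue
if ($server) {
    $Findings += "Server object still present: $($server.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' `
        -ErrorAction SilentlyContinue
    if ($ntds) { $Findings += "NTDS Settings still present, so the DC is still a replication partner: $($ntds.DistinguishedName)" }
}

# 3. FRS member object under CN=Domain System Volume (SYSVOL share) (ADSIEdit steps in 2B)
$frsDn = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"
$frs = Get-ADObject -SearchBase $frsDn -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$FailedDc))" `
    -ErrorAction SilentlyContinue
if ($frs) { $Findings += "FRS member object still present: $($frs.DistinguishedName)" }

# 4. FSMO roles: any role still recorded on the failed DC must be seized (step 3)
$forest = Get-ADForest
$roles  = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
foreach ($role in $roles.Keys) {
    if ($roles[$role] -like "$FailedDc.*") { $Findings += "FSMO role $role still held by $($roles[$role]): seize it" }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No references to $FailedDc remain in AD; metadata cleanup looks complete." }
```

Run it against a healthy DC after the cleanup; every warning maps back to one of the steps above, and a lingering NTDS Settings object is the one that keeps producing replication errors until the metadata cleanup is redone.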
6. Remove any old WINS records of the orphaned Domain Controller from the WINS database. If there are WINS replication partners, choose the "Tombstone" option when
you delete them.
Deletion of WINS Database Records
If WINS records deleted this way have been replicated to other WINS servers, these additional records will not be removed fully. The records on other WINS ...
http://technet.microsoft.com/en-us/library/cc959263.aspx
Deleting and tombstoning records: Windows Internet Name Service (WINS)
Jan 21, 2005 ... If the WINS records deleted in this way exists in WINS data replicated to other WINS servers on your network, these additional records are ...
http://technet.microsoft.com/en-us/library/cc782886(WS.10).aspx
8. Go through DNS with a fine-toothed comb to delete all references to the old DC. You'll need to delete records such as SRV, host (A), LdapIpAddress, and GcIpAddress.
Drill down into every record under both domain.local and _msdcs.domain.local.
Under the domain.local zone:
Delete the A (host record) for the failed DC
Delete the LdapIpAddress: Under domain.local, you will see a record such as (same as parent) A 192.168.1.10 (using this IP as an example). Delete it.
Delete any reference in the DomainDnsZones. If the DomainDnsZones folder exists, expand it. Check and delete any reference to the failed DC's FQDN and IP
address.
Delete any reference in the ForestDnsZones. If the ForestDnsZones folder exists, expand it. Check and delete any reference to the old DC's FQDN and IP address.
To make sure all records are gone, fully expand each folder under the domain.local zone, and delete any references you see, such as the Kerberos and LDAP SRV
records. The subfolders are:
_sites
_tcp
_udp
domaindnszones
forestdnszones
Under the _msdcs.domain.local zone:
Delete the GcIpAddress: Click on the _gc._msdcs.domain.local folder. Delete the IP Address for the old DC.
Delete the DC's GUID alias: Click on _msdcs.domain.local. You will see an Alias (CNAME) record with a long GUID as its name pointing to the old DC's FQDN.
Delete it.
To make sure all records are gone, fully expand each subfolder under the _msdcs.domain.local zone. Make sure you do not see any references to the failed DC. If you
do, delete them. The subfolders are:
dc
domains
gc
pdc
9. Delete the NameServer reference in all DNS zones' properties, Nameserver tab.
Right-click DNS server name, properties
Nameserver Tab
Remove the old DC FQDN and/or IP
Repeat for every zone that exists
10. Run a DNSLINT report. Make sure the old DC is no longer listed anywhere in DNS. If it is still listed, go back to Steps #8 and #9.
Here are some links to understand how to use it.
Dnslint Overview: Domain Name System(DNS)
Prior to the development of DNSLint, the nslookup utility was frequently ...
http://technet.microsoft.com/en-us/library/cc736981(WS.10).aspx
Support WebCast: Microsoft Windows: Using the DNSLint Utility
http://support.microsoft.com/?id=329982
Description of the DNSLint utility
Dec 3, 2007 ... DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
http://support.microsoft.com/kb/321045
How to use DNSLint to troubleshoot Active Directory replication issues
This article describes how to use the DNSLint utility to troubleshoot Active ...
http://support.microsoft.com/kb/321046
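A scripted version of the check in steps 8 through 10, added here as an example (not the author's code and not DNSLINT): it walks every zone on a DNS server and lists records whose target is the failed DC's FQDN or IP, which covers the A, LdapIpAddress, GcIpAddress, SRV, GUID alias and Name Servers entries above. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), and the server name, DC name and IP are constructed placeholders:

```powershell
# Added example (not from the blog post): scan every zone on a DNS server for records that
# still point at a failed DC by FQDN or IP. Read-only; it reports, it does not delete.
# Assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and read rights on the
# server. The server name, failed DC name and IP are constructed placeholders.
Import-Module DnsServer

$DnsServer  = 'dc1.domain.local'    # surviving DC that hosts the zones
$FailedFqdn = 'dc2.domain.local'    # orphaned DC's FQDN
$FailedIp   = '192.168.1.10'        # orphaned DC's IP address

# The "target" of a record sits in a type-specific property of RecordData.
function Get-RecordTarget {
    param($Record)
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.ToString() }   # host records, LdapIpAddress/GcIpAddress
        'CNAME' { $d.HostNameAlias }            # the GUID alias under _msdcs
        'SRV'   { $d.DomainName }               # _ldap, _kerberos, _gc SRV records
        'NS'    { $d.NameServer }               # entries on the zone's Name Servers tab
        'PTR'   { $d.PtrDomainName }            # reverse lookup zones
        default { $null }
    }
}

function Find-StaleDcRecords {
    param($Server, $Fqdn, $Ip)
    $hits = @()
    # Primary zones hosted here: domain.local, _msdcs.domain.local, reverse zones, etc.
    $zones = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        foreach ($r in Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $zone.ZoneName) {
            $target = Get-RecordTarget $r
            if (-not $target) { continue }
            $target = $target.TrimEnd('.')      # DNS names come back with a trailing dot
            if ($target -eq $Fqdn -or $target -eq $Ip) {
                $hits += [pscustomobject]@{
                    Zone   = $zone.ZoneName
                    Name   = $r.HostName        # '@' means same as parent, e.g. the LdapIpAddress A record
                    Type   = $r.RecordType
                    Target = $target
                }
            }
        }
    }
    return $hits
}

$stale = Find-StaleDcRecords -Server $DnsServer -Fqdn $FailedFqdn -Ip $FailedIp
if ($stale) { $stale | Format-Table -AutoSize }   # each hit is a record for steps 8 and 9
else { Write-Output "No records referencing $FailedFqdn or $FailedIp remain on $DnsServer." }
```

On a Windows 2000-style layout where _msdcs is a subfolder of domain.local rather than its own zone, the records still show up, with the subfolder path in the Name column.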
posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.
This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
http://www.pcreview.co.uk/forums/manually-remove-ad-t1448839p2.html
Remove failed DC from AD manually Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.
http://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/
1) On another DC in the domain run NTDSUTIL to move the FSMO's, er seize them! DOH. (If this is the only DC, then don't worry about it)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don't worry about it for now, but configure it correctly before promoting it to a new DC).
3) Make sure working DC is also a GC. (If just one DC, don't worry about it).
4) Boot the corrupted DC into DSRM, edit the registry: under HKLM\SYSTEM\CCS\Control\ProductOptions, change the ProductType value from LanmanNT to ServerNT. This key
dictates if the machine is a DC or just a server. ServerNT means it's not a DC.
5) Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand alone, by joining a workgroup (My Computer Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand alone machine, set the Primary DNS Suffix to the new domain name that you want (My Computer, Properties, Network ID tab, Properties, More).
Reboot.
12) Make sure that DNS is configured with the new domain name and updates set to YES.
13) Run DCPROMO to create a new domain or join the domain/tree/forest again.
14) Reboot
Johnny, you'll need to manually rip out the failed DC from the AD database. That's what this article addresses. I know it's a bit late responding, but have you ever resolved
this?
Ace
# Ace Fekay's Active Directory, Exchange and Windows Infrastructure Services Blog said on Friday, January 06, 2012 9:27 AM
Active Directory Lingering Objects, Journal Wraps, Tombstone Lifetime, and Event IDs 13568, 13508, 1388
# Moneer said on Tuesday, March 13, 2012 8:31 AM
Great article. Dumb question: would this work for a server that has been physically removed from the domain but keeps showing up in Group Policy Management? I thought it
was correctly removed but it is causing us some problems, and it is now physically removed.
Thanks
# Neilrahc said on Monday, October 22, 2012 3:12 PM
Very helpful and satisfying that you took the time and care to create a great resource which comprehensively covers this task. Thanks!
# Yan Shtulberg said on Monday, March 25, 2013 8:34 AM
Perfect admin guide - thank you
# Wayne said on Thursday, June 20, 2013 9:52 AM
This is excellent, I only have one question for now, Is there any point during this process that I would have continued service issues on the existing DC's, potential slowdown
when running the forced replication maybe. I know I should do this off hours but didn't know if I needed to plan a maintenance window and alert the user population.
# Dave said on Tuesday, June 25, 2013 3:00 PM
Hi there, thanks for all the effort to detail this. Unfortunately I find it a bit confusing. I assume that most of the steps above are to be undertaken on another DC? If so what do I
need to do, if anything on the tombstoned DC? At the end there is a section about manually altering a DC, I take it these are things I should be doing on the broken DC to
make it not a DC, but they allude to a method (the "/forceremoval switch") as being easier than the manual one detailed, but if this easier method is something I can use, what is it?
dcpromo /forceremoval maybe? If so, do I run that on the dead DC before doing all the steps detailed above on the live DCs, and do I do that with it still attached to the
network? I have gleaned from the rest of the net that once it gets tombstoned to disconnect its network card quickly, so do I need to connect that again and do the "...
/forceremoval" thing and then run through the main steps in your article?