AD removal from Win2k Domain Controller

Guest

Am in the process of demoting some of our Win2k DCs and migrating to Win2k3 -
finally. Recently, did a DCPROMO on a Win2k box and all seemed to go well, as
far as the event log information. But when I started scouting around in DNS
and AD Sites and Services, I see the demoted DC referenced by name in
scattered places.

For example, it's listed in AD Sites and Services but has no connection
objects. When I run replmon on the other DCs I don't receive any replication
errors, and the event logs in the other DCs look clean. It’s also not listed
in the _msdcs container either, but in other places in DNS.

Can I just tidy up the references to the long gone DC or do I have to do the
full on metadata cleanup?
 
Ace Fekay [MVP]

In Cybersteve <[email protected]> stated, which I commented
> Am in the process of demoting some of our Win2k DCs and migrating to
> Win2k3 - finally. Recently, did a DCPROMO on a Win2k box and all
> seemed to go well, as far as the event log information. But when I
> started scouting around in DNS and AD Sites and Services, I see the
> demoted DC referenced by name in scattered places.
>
> For example, it's listed in AD Sites and Services but has no
> connection objects. When I run replmon on the other DCs I don't
> receive any replication errors, and the event logs in the other DCs
> look clean. It's also not listed in the _msdcs container either, but
> in other places in DNS.
>
> Can I just tidy up the references to the long gone DC or do I have to
> do the full on metadata cleanup?

Yep, just manually delete anything left over in those places you mentioned.
Also check ADUC to ensure it was moved out of the DC OU.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
 
Harj

Hi,

Make sure you perform a complete metadata cleanup of that domain
controller. You're going through such lengths to upgrade and to just not
do a full metadata with an unsuccessful domain controller would just not
do considering it only takes a few minutes.
Follow through doing a metadata, verify the DC was holding no FSMO
roles.
Using ADSIedit, make sure there are no instances of the old DC.
Like you noticed, after ADSIedit is clean, make sure there are no
connection objects or DC for that matter in Sites and Services.
If this was a DNS server, make sure its NameServer record is removed.
Take an extra two minutes to scour through DNS to remove any instances
of the old DC.
Verify replication through the remaining DCs to make sure this removal
was successful on all domain controllers.

How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/kb/216498


Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
 
Ace Fekay [MVP]

In Cybersteve <[email protected]> stated, which I commented

I assumed you had a clean demotion. When you demote it without errors, the
only places I need to look and check are in ADUC and Sites and have never
had any problems doing this. But of course, you can choose to use ADSI Edit
to take a look at the config container and the domain NC for any references,
as well as run thru the Metadata Cleanup process to see if the server is
still listed in the AD database.

But if you had a clean demotion, and you've checked ADUC and Sites &
Services, then I'll bet my paycheck that Metadata Cleanup will not show the
server any longer.

Ace
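
Added example, not part of any post in this thread: a Python sketch that scans an LDIF export of the directory (the format `ldifde` writes) for the leftovers the replies name, that is, the server object in Sites and Services, a computer account still in the Domain Controllers OU, and FSMO role ownership. The DC names, domain, sample data and finding labels are constructed for illustration.

```python
import base64

# Constructed sample in LDIF form (RFC 2849); every name below is made up.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
SAMPLE_LDIF = f"""\
dn: CN=OLDDC1,{SITE}

dn: CN=NEWDC1,{SITE}

dn: CN=NTDS Settings,CN=NEWDC1,{SITE}

dn: CN=OLDDC1,OU=Domain Controllers,DC=example,DC=com

dn: CN=RID Manager$,CN=System,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=NEWDC1,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
"""

def parse_ldif(text):
    """Parse LDIF into [{attr_lowercase: [values]}], unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                if value.startswith(":"):  # "attr:: <base64>" form
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                rec.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def find_leftovers(records, dc_name):
    """Return (finding, dn) pairs for objects that still reference dc_name."""
    rdn = f"cn={dc_name.lower()},"
    all_dns = {r["dn"][0].lower() for r in records}
    findings = []
    for rec in records:
        dn = rec["dn"][0]
        low = dn.lower()
        if low.startswith(rdn + "cn=servers,"):
            has_ntds = ("cn=ntds settings," + low) in all_dns  # child object still there?
            findings.append(("server-with-ntds-settings" if has_ntds else "empty-server-object", dn))
        elif low.startswith(rdn + "ou=domain controllers,"):
            findings.append(("computer-in-dc-ou", dn))
        if any(f",{rdn}cn=servers," in o.lower() for o in rec.get("fsmoroleowner", [])):
            findings.append(("fsmo-role-owner", dn))
    return findings
```

Calling `find_leftovers(parse_ldif(SAMPLE_LDIF), "OLDDC1")` on the sample reports a server object with no NTDS Settings child and a computer account still in the Domain Controllers OU; DNS records are not covered and need a separate check.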
 
