AD Server removed but not demoted.

Guest

The scenario is as follows:
Head office: 4 Win2k servers, including 1 Active Directory domain
controller, 192.168.0.xxx
Branch office: one Win2k server with AD, 192.16.10.11, connected via
VPN via external firewall

DNS shows this server and some printers at the branch office.
Due to the fact that no one was authenticating against the branch
office server and the fact that there was, for some unknown reason, an
intermittent excessive and expensive amount of traffic between the
sites, replication was disabled at head office as a "troubleshooting
measure" and never restored. 2 months later the branch office was
suddenly closed and all equipment shipped to head office.

Problem
Error messages due to missing site.

Proposed solutions

solution one

Bring the branch server up offline and change its IP address to the
192.168.0.xxx range.
Alter the DNS entry for the server in the head office accordingly and
delete the DNS entries for the branch office printer.
Connect the branch office server to the head office LAN.
Enable replication, wait a couple of hours and demote the branch
office server, then disconnect.


solution two

As above, but enable the currently disabled 2nd NIC in the head office AD
server. Connect without altering any DNS entries, enable replication,
wait and demote.

Comments gratefully received
 
Jimmy Andersson [MVP]

You need to do a metadata cleanup with NTDSUTIL, you can also use ADSIEdit
from the Win2K Support Tools or Ldp.exe to remove it, they are low-level AD
editors. Don't forget to clean up in Sites and Services, DNS and WINS.

Also see these KB articles:
Q216498 - How to remove data in the AD after an unsuccessful DC demotion:
http://support.microsoft.com/support/kb/articles/Q216/4/98.ASP

Deleting Objects from Active Directory Using Ldp.exe:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244344

Domain Controller Server Object Not Removed After Demotion:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216364

Error Deleting a Domain Controller Account in Active Directory Users and
Computers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247393

Regards,
/Jimmy
 
Guest

So are you saying that there is no point in reconnecting the old
machine and demoting it?
 
Jimmy Andersson [MVP]

Well, you can try it if you want. I don't say it won't be successful...

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
---------- www.qadvice.com ----------
 
Guest

The machine has been offline for more than 60 days. Is that an issue,
remembering that I only want to bring it up long enough to demote it?
 
Jimmy Andersson [MVP]

You'll probably get an issue with lingering objects due to the tombstone
lifetime value.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
---------- www.qadvice.com ----------
 
Kevin Bowersock

I am with Jimmy on this one.
Bringing the old box back online would probably be a lot more trouble than
it is worth.
The KB is pretty much a cookbook, and it works really well.
Unless you have data you need to get off of the old box,
I would just metadata cleanup the AD and flatten the old box.

(e-mail address removed)
This posting is provided "AS IS"
with no warranties, and confers no rights
 
Rick Rieser [MSFT]

If the DC is at SP4 you can demote it offline using the dcpromo
/forceremoval. This would save you from having to rebuild. Take a look at
kb:332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active
http://support.microsoft.com/?id=332199
This would allow you to demote the DC, then you'd still need to do a
metadata cleanup on AD per kb: 216498 HOW TO: Remove Data in Active
Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

Rick Rieser, (e-mail address removed)
This posting is provided "AS IS" with no warranties, and confers no rights.
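
After the metadata cleanup recommended in this thread, one way to confirm that nothing was left behind under Sites and Services is to scan an LDIF export of the Sites container for objects belonging to the removed DC. This is an added example, not code from any poster or from the KB articles; the sample LDIF, the names HQDC1, BRANCHDC and FILESRV and the domain example.local are constructed, and DNs are assumed to contain no escaped commas.

```python
import re

# Constructed sample in LDIF export shape (Sites container); all names are made up.
SAMPLE_LDIF = """\
dn: CN=HQDC1,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=example,DC=local
objectClass: server

dn: CN=NTDS Settings,CN=HQDC1,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=example,DC=local
objectClass: nTDSDSA

dn: CN=BRANCHDC,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=local
objectClass: server

dn: CN=NTDS Settings,CN=BRANCHDC,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,
 DC=example,DC=local
objectClass: nTDSDSA

dn: CN=FILESRV,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=example,DC=local
objectClass: server
"""

def parse_entries(ldif):
    """Map each DN to its lower-cased objectClass values (base64 'dn::' is skipped)."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with a leading space
    entries = {}
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = [line.partition(": ") for line in block.splitlines()]
        dn = next((v.strip() for k, _, v in attrs if k.lower() == "dn"), None)
        if dn:
            entries[dn] = {v.strip().lower() for k, _, v in attrs if k.lower() == "objectclass"}
    return entries

def audit(ldif, removed_dc):
    """Return (finding, dn) pairs for metadata the removed DC left behind."""
    entries = parse_entries(ldif)
    known = {dn.lower() for dn in entries}
    name = removed_dc.lower()
    findings = []
    for dn, classes in entries.items():
        low = dn.lower()
        if "ntdsdsa" in classes and f",cn={name}," in low:
            findings.append(("ntds-settings-present", dn))      # cleanup not done yet
        elif "server" in classes and low.startswith(f"cn={name},"):
            findings.append(("server-object-present", dn))      # remove in Sites and Services
        elif "server" in classes and f"cn=ntds settings,{low}" not in known:
            findings.append(("server-without-ntds-settings", dn))  # review: older leftover?
    return findings
if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF, "BRANCHDC"), sep="\n")
```

An empty result for the removed DC's name means the Sites container is clean; DNS and WINS still have to be checked separately, as the first reply notes.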
 
