Forcefully (manually) removing a domain

John Rosenlof

Hi,

As per the advice that I got here, I followed what KB 216498 said and I
successfully removed a domain from Active Directory. The domain that was
removed had a trust relationship with our current (surviving) domain and
consequently at the logon screen of the computers it was listed as an
available domain to log onto. My question has a couple of parts---1) Now
that I've removed the trust and the computer metadata from AD, will that
disappear on the workstations, or do I have to manually remove it as well?
and 2) We want to rejoin the computer that was removed and we want to keep
the same domain and computer name. Will this cause any problems if that
domain is still listed on the workstations before it is rejoined?

Thank you in advance for any help that can be given, and let me know if I
outlined our problem clearly.

-John
 
Herb Martin

John Rosenlof said:
Hi,

As per the advice that I got here, I followed what KB 216498 said and I
successfully removed a domain from Active Directory. The domain that was
removed had a trust relationship with our current (surviving) domain and
consequently at the logon screen of the computers it was listed as an
available domain to log onto. My question has a couple of parts---1) Now
that I've removed the trust and the computer metadata from AD, will that
disappear on the workstations, or do I have to manually remove it as well?
and 2) We want to rejoin the computer that was removed and we want to keep
the same domain and computer name. Will this cause any problems if that
domain is still listed on the workstations before it is rejoined?

It should disappear after the domain and its trust are gone,
replicated etc.

IF this was an external trust you should also delete this
from the machine domain.
Thank you in advance for any help that can be given, and let me know if I
outlined our problem clearly.
 
ptwilliams

1) Now that I've removed the trust and the computer metadata from AD, will
that disappear on the workstations, or do I have to manually remove it as
well?

There's no metadata on non-NT5.x DCs.

2) We want to rejoin the computer that was removed and we want to keep the
same domain and computer name. Will this cause any problems if that
domain is still listed on the workstations before it is rejoined?

Err...do you mean you wish to create a new domain with the same machine and
name, etc.?

If so, the fact that the NetBT Name is still showing will probably cause a
NetBT name conflict.

If you have a WINS server you will need to prune the database to remove the
now-stale registrations for this domain.

You may also need to remove this NetBT name from each workstation's NetBT
domain-list cache. This is a parameter underneath the Winlogon registry
key. However, once you prune it from WINS things will probably be OK.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
John Rosenlof

Thanks for the response. I appreciate the help.
A couple of questions--
How long should it take to remove itself from the list? It's been a few
days and it's still there?
What is an external trust?

Thank you
-John
 
John Rosenlof

Thanks for your response. I appreciate it.
We don't have a WINS server. We are just running Win2kServer with DNS. We
had a server in another root domain get its OS re-installed and the person
just gave it its old name again. In addition to the fact that the trust
was never cleanly broken, this caused problems. I went through the
procedure for metadata cleanup last week, as the KB article 216498 showed,
but the name of the old domain is still showing up at the logon screen of
all the computers in the domain. You mentioned that there was a key or a
value in the registry that I could delete to take that out. Is this the
only option now, or should I wait a little while longer? If that is the
case, will I have to manually do that on each computer in the domain, or is
there some sort of "refresh" that I could do to force all of the computers
to receive that change?

Thanks,
-John
 
Herb Martin

John Rosenlof said:
Thanks for the response. I appreciate the help.
A couple of questions--
How long should it take to remove itself from the list? It's been a few
days and it's still there?
What is an external trust?

Generally it should remove on the next boot after
replication of the DCs.

Once the DCs don't know about the trust (it is removed)
and the machine rebuilds (re-queries) from the DCs this
should go.

One must wonder if your DCs are replicating and if the
machines are properly authenticating with (a replicated)
DC.

PT mentioned WINS issues but that is generally only
an issue for domains and servers continuing to show
up in the BROWSE lists.

(The code in the GINA which builds the logon list of
domains does not use directly -- except maybe to find
its own DC. GINA==logon screen)

The machines do however remember that list (I believe)
between boots, in case they are offline, and so it can
survive reboots if the machine is not authenticating.

Most authentication problems are really DNS issues
in Win2000+ Domains:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
 
Guest

The registry value for the cache is:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache

This is on a per-machine basis.


However, as Herb said, this should disappear upon reboot of workstations
(and within a couple of hours from the browse list) when the domain and the
trust are gone. You mention kb216498 but you've not stated whether or not
you followed kb230306:
-- http://support.microsoft.com/?kbid=230306

kb216498 is for the unsuccessful removal of a DC within an existing domain;
kb230306 is for removing an 'orphaned' domain.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Guest

Very interesting indeed!!! So Winlogon doesn't pull the domain name(s) from
WINS? Where does it grab this info. from then? I noticed a forum post
stating that the reg key that I listed in my other post pulls this cache from
WINS -not that I doubt you over them, I'm just interested in all of this -I
like to understand ;-)

Could you explain how MSGINA builds the domain list please Herb?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Herb Martin

ptwilliams said:
Very interesting indeed!!! So Winlogon doesn't pull the domain name(s) from
WINS? Where does it grab this info. from then? I noticed a forum post
stating that the reg key that I listed in my other post pulls this cache from
WINS -not that I doubt you over them, I'm just interested in all of this -I
like to understand ;-)

Could you explain how MSGINA builds the domain list please Herb?

It gets the trusted list from its own (P or B or 2k)DC
-- the one the machine authenticates with and sets up
a secure channel.

The trust list is a fixed list with the domain database.
(NT SAM or Win2000+ AD.)

It has to be this way so that ONLY trusted domains
appear in the list.

Browsing is NOT controlled by trusts (as I am sure
pt knows) even though many people believe that so
the BROWSE domain list is retrieved from the
Helper Browser with the Master Browser providing
the list of Helper Browsers.

The Master Browser gets the (foreign) domain list
from the Domain Master Browser which gets the
list through any/all of broadcast, lmhosts, or WINS.

The reason for this is that a user might have multiple
domain accounts and not need the trust to access
resources.
 
John Rosenlof

Thanks again for the info. That helped out because just to check on the
authentication, I unplugged my PC from the ethernet port and attempted to
sign on to the domain. It signed on without a problem which tells me that
it is caching the info and not refreshing it. How do I fix this? Is it a
setting in GP? The DC's are both replicating properly and the DNS records
are cleaned of the old domain. I just can't get that stupid domain to not
be listed on the logon screen.

About the GINA--could you either explain that a little more or refer me to
an article that explains it? I've never heard about it, and I'm always open
to learning new stuff.
Thanks!
-John
 
Herb Martin

John Rosenlof said:
Thanks again for the info. That helped out because just to check on the
authentication, I unplugged my PC from the ethernet port and attempted to
sign on to the domain. It signed on without a problem which tells me that
it is caching the info and not refreshing it. How do I fix this?

That part is normal. It is so a machine can log you
onto (your own) machine when it travels or the net
is down (e.g., a laptop.)
Is it a
setting in GP? The DC's are both replicating properly and the DNS records
are cleaned of the old domain. I just can't get that stupid domain to not
be listed on the logon screen.

You can change the number of cached logons but let's
fix the real problem first.

It's probably a DNS issue:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
About the GINA--could you either explain that a little more or refer me to
an article that explains it? I've never heard about it, and I'm always open
to learning new stuff.

It's not usually important -- I just happen to have worked
with the signon source code, writing and advising on the
writing of a custom GINA: Graphical Identification 'n
Authentication.

You can search for something like this through Google:

[ msgina microsoft: ]
or
[ msgina site:microsoft.com ]
or
[ msgina site:msdn.microsoft.com ]
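The "DNS for AD" checklist above is easy to state and tedious to verify by hand, so here is an added example (not code from the thread) that checks its three points from a DC or a client and can finish with the nltest re-registration Herb mentions. It assumes a current Windows build with the DnsClient module (the zone check additionally needs the DnsServer module, i.e. it only runs on a DNS server), and the two server addresses in the parameters are constructed samples.

```powershell
# Added example, not code from the thread: a read-only check of the three
# "DNS for AD" points in Herb's list, with the optional nltest step at the end.
# Assumptions: Windows 8 / Server 2012 or later (DnsClient module); DnsServer
# module only where this runs on a DNS server; the two addresses below are
# constructed samples standing in for the internal, dynamic DNS servers.
param(
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),
    [string]$Domain = $env:USERDNSDOMAIN,
    [switch]$ReRegister          # also run "nltest /dsregdns" for this machine
)

$problems = 0

# Points 2 and 3: every configured NIC, on DCs and DNS servers included, must
# list SOLELY the internal DNS servers. An ISP or public resolver here is the
# classic cause of failed DC location and therefore failed authentication.
Write-Host "== DNS client settings on $env:COMPUTERNAME =="
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $nic.ServerAddresses) { continue }          # unconfigured interface
    $foreign = @($nic.ServerAddresses | Where-Object { $_ -notin $InternalDns })
    if ($foreign.Count -gt 0) {
        Write-Warning "$($nic.InterfaceAlias): non-internal DNS server(s): $($foreign -join ', ')"
        $problems++
    } else {
        Write-Host "$($nic.InterfaceAlias): OK ($($nic.ServerAddresses -join ', '))"
    }
}

# Point 1: the zone supporting AD must accept dynamic updates, otherwise the
# DCs' locator records never get registered. Only checkable where the
# DnsServer module is installed, i.e. on a DNS server.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
    if ($null -eq $zone) {
        Write-Warning "Zone $Domain is not hosted on this server"
        $problems++
    } elseif ($zone.DynamicUpdate -eq 'None') {
        Write-Warning "Zone $Domain does not allow dynamic updates"
        $problems++
    } else {
        Write-Host "Zone $Domain dynamic update: $($zone.DynamicUpdate)"
    }
}

# Replication check: each internal DNS server should answer with the same DC
# locator SRV records. A server that returns none is not receiving the zone.
Write-Host "== DC locator records for $Domain =="
foreach ($server in $InternalDns) {
    try {
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                    -Server $server -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' })
        Write-Host ("{0}: {1} record(s) -> {2}" -f $server, $srv.Count, ($srv.NameTarget -join ', '))
    } catch {
        Write-Warning "$server : no SRV answer ($($_.Exception.Message))"
        $problems++
    }
}

# Herb's last step: after changing any of the above on a DC, restart NetLogon
# or force the DC to re-register its records.
if ($ReRegister) {
    & nltest.exe /dsregdns "/server:$env:COMPUTERNAME"
}

Write-Host "Problems found: $problems"
exit ([int]($problems -gt 0))
```

The script exits non-zero when any point fails, so it can be run from a scheduled task or monitoring job against every DC after a change like John's.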
 
ptwilliams

Great stuff!!!

Thanks Herb!


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
John Rosenlof

I went in and changed the DNS settings to what you instructed. We have two
DC's doing DNS and the forward lookup zones for our domain were both doing
dynamic update. The reverse lookup zones were not doing it for our subnet
so I set it to do so. I made the setting to both DC's and it appears that
they both show the change as being made, although I'm not exactly sure on
how to verify that other than looking in the DNS mmc on each computer. I
then set the workstations and servers to use only those two DC's for DNS and
verified that they are set that way through ipconfig. I restarted netlogon
on the two DC's. The name of the removed domain is still listed at the
logon screen. Is there something else that I can do to remove it? Do I
just take the setting out of the registry, or is there something more?
Thanks for your patience and your help. And also, thanks for the info about
GINA.

-John
 
Herb Martin

John Rosenlof said:
I went in and changed the DNS settings to what you instructed. We have two
DC's doing DNS and the forward lookup zones for our domain were both doing
dynamic update. The reverse lookup zones were not doing it for our subnet
so I set it to do so.

Good, doing that for the reverse zones is fine but it
was not likely to have caused you any troubles --
reverse zones are nearly as important as many people
seem to think.
I made the setting to both DC's and it appears that
they both show the change as being made, although I'm not exactly sure on
how to verify that other than looking in the DNS mmc on each computer. I

Dynamic? Just watch to see if new records appear...or
get corrected or just make sure that nothing you need is
missing.
then set the workstations and servers to use only those two DC's for DNS and
verified that they are set that way through ipconfig. I restarted netlogon
on the two DC's. The name of the removed domain is still listed at the
logon screen.

Those domains may still be listed in the trusts.

The reason for fixing the DNS was to make sure the
DCs replicated AND to make sure the clients authenticate,
rather than to fix the problem directly.
Is there something else that I can do to remove it? Do I
just take the setting out of the registry, or is there something more?

What setting?

Have you removed the trust from Domains and Trusts
or however you created it...?
Thanks for your patience and your help. And also, thanks for the info about
GINA.

Sure.

--
Herb Martin

 
John Rosenlof

Is there something else that I can do to remove it? Do I
What setting?

I found a setting in the registry that contains the domains listed at the
logon screen. If I deleted that, I'm assuming that that would solve this.
The only problem that I see with that is that I would have to delete that
value on all of the computers in the network. I'm hoping to find a way to
get the DC's to tell all of the computers.
Have you removed the trust from Domains and Trusts
or however you created it...?

Yes and no. The trust is broken, but it is still listed. I cleaned up and
removed all of the stuff in AD, but in Domains and Trusts I can't delete the
icon for the formerly trusted domain. When I right-click it there is no
delete option. I'm not sure, after going through the whole removal process,
how to get that deleted. Any ideas would be greatly appreciated.

Thanks again. Merry Christmas.
-John


 
Herb Martin

John Rosenlof said:
I found a setting in the registry that contains the domains listed at the
logon screen. If I deleted that, I'm assuming that that would solve this.
The only problem that I see with that is that I would have to delete that
value on all of the computers in the network. I'm hoping to find a way to
get the DC's to tell all of the computers.

I don't think you can hurt anything by removing that
REMOVED domain -- but like all of the MS KBs
on the registry, I warn you to first backup (maybe
it's time for a System State backup anyway).

I would also just write down the key and value so
that I could type it back in.

Chances are it will just come back if the domain is
still known to the DCs.
Yes and no. The trust is broken, but it is still listed. I cleaned up and
removed all of the stuff in AD, but in Domains and Trusts I can't delete the
icon for the formerly trusted domain. When I right-click it there is no
delete option. I'm not sure, after going through the whole removal process,
how to get that deleted. Any ideas would be greatly appreciated.

You might look to see if there is a Trust delete procedure
for NTDSUtil (or ADSIEdit) -- I do not personally know
of one.
Thanks again. Merry Christmas.
-John


--
Herb Martin
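Paul's DomainCache key and Herb's "back it up and write the value down first" advice, combined into one added example (not code from the thread) for a single workstation. It assumes a current Windows client, where DomainCache is a subkey holding one REG_SZ value per cached domain (value name = NetBIOS name, data = DNS name), an elevated prompt, and OLDDOM as a constructed placeholder for the removed domain.

```powershell
# Added example, not code from the thread: list what Winlogon has cached under
# the DomainCache key Paul named, back the key up as Herb advises, then remove
# only the value for the domain that no longer exists.
# Assumption: a current Windows client, where DomainCache is a subkey holding
# one REG_SZ value per domain (value name = NetBIOS name, data = DNS name).
# Needs an elevated prompt. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$StaleDomain,                    # NetBIOS name of the removed domain, e.g. OLDDOM
    [string]$BackupDir = "$env:SystemRoot\Temp"
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache'
$regExport = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache'

if (-not (Test-Path $keyPath)) {
    Write-Warning "DomainCache key not present on $env:COMPUTERNAME; nothing to do."
    return
}

# Show the current list so the change is reviewable before anything is touched.
$key = Get-Item $keyPath
Write-Host "Cached logon domains on $($env:COMPUTERNAME):"
foreach ($name in $key.GetValueNames()) {
    Write-Host ('  {0,-16} -> {1}' -f $name, $key.GetValue($name))
}

if ($key.GetValueNames() -notcontains $StaleDomain) {
    Write-Host "'$StaleDomain' is not in the cache; no change made."
    return
}

if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME : $keyPath", "Remove value '$StaleDomain'")) {
    # Backup first: reg.exe export writes a .reg file that can be re-imported.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "DomainCache-$env:COMPUTERNAME-$stamp.reg"
    & reg.exe export $regExport $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export to $backup failed; aborting without changes." }
    Write-Host "Backup written to $backup"

    Remove-ItemProperty -Path $keyPath -Name $StaleDomain
    Write-Host "Removed '$StaleDomain'. Winlogon rebuilds the list from its DC at the next boot;"
    Write-Host "if the DCs still know the domain (a leftover trust), the entry will come back."
}
```

As Herb says, this treats the symptom: if the trustedDomain object is still in AD the entry returns after the next authenticated boot, so the directory cleanup has to come first.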

 
Dean Wells [MVP]

As Herb suggested, use ADSIEDIT (or equiv.) and delete the object (of
class trustedDomain) located beneath the System container within the
domain NC; it will be named after the domain you're trying to remove.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
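The cleanup Dean describes, as an added example (not code from the thread) done with the ActiveDirectory module instead of ADSIEdit: it lists the trustedDomain objects under CN=System, reports the matching interdomain trust account for review, and removes only the trustedDomain object for the orphaned domain. It assumes RSAT / the ActiveDirectory module and Domain Admin rights; OLDDOM in the comment is a constructed placeholder.

```powershell
# Added example, not code from the thread: the cleanup Dean describes, done with
# the ActiveDirectory module instead of ADSIEdit. Lists the trustedDomain
# objects under CN=System, reports the matching interdomain trust account, and
# removes only the trustedDomain object for the orphaned domain.
# Assumptions: RSAT / ActiveDirectory module and Domain Admin rights; OLDDOM is
# a constructed placeholder. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$RemovedDomain           # NetBIOS or DNS name of the orphaned domain, e.g. OLDDOM
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$systemDn = "CN=System,$domainDn"

# Every trust this domain knows about is a trustedDomain object directly under
# CN=System; its CN is the partner's DNS name (AD) or NetBIOS name (NT-style).
$trusts = @(Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
            -LDAPFilter '(objectClass=trustedDomain)' `
            -Properties flatName, trustPartner, trustDirection, trustType, whenChanged)

Write-Host "Trusts recorded under $($systemDn):"
$trusts | Format-Table Name, flatName, trustPartner, trustDirection, trustType, whenChanged -AutoSize | Out-Host

$stale = @($trusts | Where-Object {
    $_.Name -eq $RemovedDomain -or $_.flatName -eq $RemovedDomain -or $_.trustPartner -eq $RemovedDomain
})
if ($stale.Count -eq 0) {
    Write-Host "No trustedDomain object matches '$RemovedDomain'; nothing to remove."
    return
}

foreach ($t in $stale) {
    # Each trust also has an interdomain trust account: a user object named
    # FLATNAME$ with userAccountControl bit 0x0800 (INTERDOMAIN_TRUST_ACCOUNT).
    # It is reported here, not deleted, so it can be reviewed separately.
    $filter = "(&(objectClass=user)(sAMAccountName=$($t.flatName)$)(userAccountControl:1.2.840.113556.1.4.803:=2048))"
    $acct = Get-ADObject -LDAPFilter $filter -SearchBase $domainDn
    if ($acct) { Write-Host "Interdomain trust account still present: $($acct.DistinguishedName)" }

    if ($PSCmdlet.ShouldProcess($t.DistinguishedName, 'Remove-ADObject')) {
        Remove-ADObject -Identity $t -Confirm:$false
        Write-Host "Removed $($t.DistinguishedName)."
        Write-Host "Let replication finish, then reboot a workstation and check the logon domain list."
    }
}
```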

Herb said:
John Rosenlof said:
I found a setting in the registry that contains the domains listed
at the logon screen. If I deleted that, I'm assuming that that
would solve this. The only problem that I see with that is that I
would have to delete that value on all of the computers in the
network. I'm hoping to find a way to get the DC's to tell all of
the computers.

I don't think you can hurt anything by removing that
REMOVED domain -- but like all of the MS KBs
on the registry, I warn you to first backup (maybe
it's time for a System State backup anyway).

I would also just write down the key and value so
that I could type it back in.

Chances are it will just come back if the domain is
still known to the DCs.
Yes and no. The trust is broken, but it is still listed. I cleaned
up and removed all of the stuff in AD, but in Domains and Trusts I
can't delete the icon for the formerly trusted domain. When I
right-click it there is no delete option. I'm not sure, after going
through the whole removal process, how to get that deleted. Any
ideas would be greatly appreciated.

You might look to see if there is a Trust delete procedure
for NTDSUtil (or ADSIEdit) -- I do not personally know
of one.
Thanks again. Merry Christmas.
-John




Herb Martin said:
I went in and changed the DNS settings to what you instructed. We
have two DC's doing DNS and the forward lookup zones for our
domain were both doing dynamic update. The reverse lookup zones
were not doing it for our subnet so I set it to do so.

Good, doing that for the reverse zones is fine but it
was not likely to have causing you any troubles --
reverse zones are nearly as important as many people
seem to think.

I made the setting to both DC's and it appears that
they both show the change as being made, although I'm not exactly
sure on how to verify that other than looking in the DNS mmc on
each computer. I

Dynamic? Just watch to see if new records appear...or
get corrected or just make sure that nothing you need is
missing.

then set the workstations and servers to use only those two DC's
for DNS and verified that they are set that way through ipconfig.
I restarted netlogon on the two DC's. The name of the removed
domain is still listed at the logon screen.

Those domains may still be listed in the trusts.

The reason for fixing the DNS was to make sure the
DCs replicated AND to make sure the clients authenticate,
rather than to fix the problem directly.

Is there something else that I can do to remove it? Do I
just take the setting out of the registry, or is there something
more?

What setting?

Have you removed the trust from Domains and Trusts
or however you created it...?

Thanks for your patience and your help. And also, thanks for the
info about GINA.

Sure.

--
Herb Martin



-John
Thanks again for the info. That helped out because just to
check on the authentication, I unplugged my PC from the ethernet
port and attempted to sign on to the domain. It signed on
without a problem which tells me that it is caching the info and
not refreshing it. How do fix this?

That part is normal. It is so a machine can log you
onto (your own) machine when it travels or the net
is down (e.g., a laptop.)

Is it a setting in GP? The DC's are both replicating properly and the
DNS records are cleaned of the old domain. I just can't get that stupid
domain to not be listed on the logon screen.

You can change the number of cached logons but let's
fix the real problem first.

It's probably a DNS issue:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify
SOLELY that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

About the GINA--could you either explain that a little more or refer me
to an article that explains it? I've never heard about it, and I'm
always open to learning new stuff.

It's not usually important -- I just happen to have worked
with the signon source code, writing and advising on the
writing of a custom GINA: Graphical Identification 'n
Authentication.

You can search for something like this through Google:

[ msgina microsoft: ]
or
[ msgina site:microsoft.com ]
or
[ msgina site:msdn.microsoft.com ]


--
Herb Martin


Thanks!
-John
Thanks for the response. I appreciate the help.
A couple of questions--
How long should it take to remove itself from the list? It's been a few
days and it's still there?
What is an external trust?

Generally it should remove on the next boot after
replication of the DCs.

Once the DCs don't know about the trust (it is removed)
and the machine rebuilds (re-queries) from the DCs this
should go.

One must wonder if your DCs are replicating and if the
machines are properly authenticating with (a replicated)
DC.

PT mentioned WINS issues but that is generally only
an issue for domains and servers continuing to show
up in the BROWSE lists.

(The code in the GINA which builds the logon list of
domains does not use directly -- except maybe to find
its own DC. GINA==logon screen)

The machines do however remember that list (I believe)
between boots, in case they are offline, and so it can
survive reboots if the machine is not authenticating.

Most authentication problems are really DNS issues
in Win2000+ Domains:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify
SOLELY that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

--
Herb Martin



Thank you
-John
Hi,

As per the advice that I got here, I followed what KB 216498 said and I
successfully removed a domain from Active Directory. The domain that was
removed had a trust relationship with our current (surviving) domain and
consequently at the logon screen of the computers it was listed as an
available domain to log onto. My question has a couple of parts---1) Now
that I've removed the trust and the computer metadata from AD, will that
disappear on the workstations, or do I have to manually remove it as well?
and 2) We want to rejoin the computer that was removed and we want to keep
the same domain and computer name. Will this cause any problems if that
domain is still listed on the workstations before it is rejoined?

It should disappear after the domain and its trust are gone,
replicated etc.

IF this was an external trust you should also delete this
from the machine domain.

Thank you in advance for any help that can be given, and let me know if I
outlined our problem clearly.


--
Herb Martin



-John
 
R

rajiv juneja

You could also use the ADSI Edit tool to manually remove orphaned entries. It
worked for me at least, and even the entries in the logon list are gone after
the next bootup. After using this tool I could also remove the trust entries
manually.
 
J

John Rosenlof

Thanks guys,

It worked. I tried to use ADSIEDIT to remove the reference in the place
that was suggested in the Domain NC | System | object of class
trustedDomain, but I couldn't find it. So I used the metadata cleanup
function of ntdsutil and found the domain object and deleted it. As soon as
I did that, all of the computers automatically were updated. I appreciate
all of the help and suggestions.

-John
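As an added example (not from the thread or from any of the posters), here is a PowerShell script that audits Herb's "DNS for AD" checklist across the DCs and lists the trustedDomain objects under CN=System that John looked for in ADSI Edit, flagging any whose partner domain no longer resolves. Cmdlet names come from the ActiveDirectory, DnsServer and DnsClient RSAT modules; using an SRV-record lookup to decide whether a trust partner still exists is my assumption, not something the thread states.

```powershell
# Added example (not from the thread): audit the "DNS for AD" checklist and
# look for leftover trustedDomain objects after a domain has been removed.
# Assumes the ActiveDirectory, DnsServer and DnsClient modules are present and
# that it runs as a domain admin on a DC or a management host with RSAT.
Import-Module ActiveDirectory, DnsServer, DnsClient -ErrorAction Stop

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$dnsIPs = $dcs.IPv4Address   # the thread's "internal, dynamic DNS server (set)"

# 1) The AD zone must accept dynamic updates; DCs register their SRV records there.
foreach ($dc in $dcs) {
    $zone = Get-DnsServerZone -ComputerName $dc.HostName -Name $domain.DNSRoot
    $ok   = $zone.DynamicUpdate -ne 'None'
    "{0}: zone {1} DynamicUpdate={2} {3}" -f $dc.HostName, $zone.ZoneName,
        $zone.DynamicUpdate, $(if ($ok) { 'OK' } else { 'FIX: enable dynamic update' })
}

# 2/3) Every DC is a DNS client too: its NIC must point SOLELY at internal DNS.
foreach ($dc in $dcs) {
    $configured = (Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                   Where-Object ServerAddresses).ServerAddresses | Sort-Object -Unique
    $external = $configured | Where-Object { $_ -notin $dnsIPs }
    if ($external) {
        "{0}: resolver list includes non-DC servers {1} (FIX)" -f $dc.HostName, ($external -join ', ')
    } else {
        "{0}: resolvers {1} OK" -f $dc.HostName, ($configured -join ', ')
    }
}

# Orphaned trusts: trustedDomain objects live under CN=System in the domain NC.
# A trust whose partner no longer answers is stale data the DCs keep handing
# to clients, which is how a removed domain lingers on logon screens.
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
            -SearchBase "CN=System,$($domain.DistinguishedName)" `
            -Properties trustPartner, flatName, whenChanged
foreach ($t in $trusts) {
    # Assumption: a live partner domain still publishes its DC locator SRV record.
    $alive = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($t.trustPartner)" `
                                    -Type SRV -ErrorAction SilentlyContinue)
    "{0} (NetBIOS {1}) partner DNS {2}, last changed {3}" -f $t.trustPartner, $t.flatName,
        $(if ($alive) { 'resolves' } else { 'UNRESOLVABLE - candidate for metadata cleanup' }),
        $t.whenChanged
}
```

A trustedDomain entry flagged as unresolvable is the object that still needs removing with ntdsutil or ADSI Edit, and any DNS fix the script reports should be followed by the nltest /dsregdns step from the thread.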
 
