Trusts 'n' DNS

Steve W

I'm trying to do a couple of things. First, I have an orphaned child domain
I'm trying to get rid of. Yes, I've gone through ADSIEdit, no entries
relevant to the domain. I have used ntdsutil, found the domain, selected it
and tried to remove it. I get this error:

"DsRemoveDsDomainW error 0x2162 (The requested domain could not be deleted
because there exist domain controllers that still host this domain.)"

Where else could I find the domain controller reference besides those two
applications?

Secondly, and probably related, I can't create a trust relationship to
another domain. This domain is using the DC that was originally set up as
the child domain. Could active directory still be associating the DC with
the orphaned child domain? It won't let me create a trust relationship.

So, here is a quick diagram. My domain is a.com, I set up the other DC as
b.a.com. I relocated the DC at the sister company and realized I didn't want
it structured that way, so I demoted and re-promoted the DC to c.com. My
domain here still has an entry under 'Domains and Trusts' for b.a.com. I
need to eradicate it.

TIA
 
Herb Martin

Steve W said:
I'm trying to do a couple of things. First, I have an orphaned child domain
I'm trying to get rid of. Yes, I've gone through ADSIEdit, no entries
relevant to the domain. I have used ntdsutil, found the domain, selected it
and tried to remove it. I get this error:

It's better to use NTDSUtil FIRST, before even attempting ADSIEdit
which requires more knowledge and can easily remove only part of
the problem.

ADSIEdit should be reserved for those cases where you have done
the NTDSUtil, it seemed to succeed but even then left traces.
"DsRemoveDsDomainW error 0x2162 (The requested domain could not be deleted
because there exist domain controllers that still host this domain.)"

Remove each DC FIRST. Then the domain.
Where else could I find the domain controller reference besides those two
applications?

Did you use NTDSUtil to search for the DCs? (You don't mention that
above if you did it.)
Secondly, and probably related, I can't create a trust relationship to
another domain.

Usually this is due to DNS problems if you mean the same forest. If you
mean to an external NT domain or different forest that is usually a NetBIOS
problem -- and frequently a WINS Server (or WINS client on the DCs) issue.

Describe your DNS configuration AND make sure your DCs are all
proper DNS clients. (See below for DNS outline.)
This domain is using the DC that was originally set up as
the child domain.

In some sense that is not technically possible -- do you mean that you
had a DC, DCPromo it to non-DC, then DCPromo'd it to a new DC
in the other domain?

While it is possible that the old Domain still has the object for the DC
(same name too) but that would never happen if you were to always
do the DCPromo online and let it remove the DC from the domain it is
leaving.

This does however assume your DNS is correct -- which is NOT a good
bet due to your trust problems.
Could active directory still be associating the DC with
the orphaned child domain? It won't let me create a trust relationship.

Run DCDiag and ReplMon OR RepAdmin on each DC/domain.

Find out where you stand before you muck with it further. Also consider
a FULL + SYSTEM STATE backup -- but this might be too late if you
have mucked things up with ADSIEdit and don't have a prior backup.
So, here is a quick diagram. My domain is a.com, I set up the other DC as
b.a.com. I relocated the DC at the sister company and realized I didn't want
it structured that way, so I demoted and re-promoted the DC to c.com. My
domain here still has an entry under 'Domains and Trusts' for b.a.com. I
need to eradicate it.


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
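The checklist above, turned into a script that a DC admin can run on each DC (an added example, not code from the thread or from Herb): it checks that every NIC points solely at the internal DNS server set, that the DC locator SRV records resolve for every domain in play, then runs DCDiag to a text file and pulls out the FAIL/ERROR/WARN lines. It assumes a Windows Server 2012 or later DC (for the DnsClient cmdlets); the DNS server addresses are constructed placeholders and the domain names are the thread's a.com and c.com.

```powershell
# Added example (not from the thread): audits the "DNS for AD" checklist on the
# local DC, then runs DCDiag to a file and searches it for FAIL/ERROR/WARN.
# Assumes Windows Server 2012+ (Get-DnsClientServerAddress, Resolve-DnsName).
# Server addresses below are constructed placeholders; replace with your own set.

$InternalDns = @('10.0.0.10', '10.0.0.11')   # constructed: the internal, dynamic DNS servers
$Domains     = @('a.com', 'c.com')             # every AD domain this DC must be able to resolve
$Report      = "$env:TEMP\dcdiag-$env:COMPUTERNAME.txt"

# Rules #2 and #3: a DC is a DNS client too, and must point SOLELY at the internal set.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin $InternalDns }
        if ($foreign) {
            Write-Warning ("{0}: points at non-internal DNS {1}" -f $_.InterfaceAlias, ($foreign -join ', '))
        } else {
            Write-Host ("{0}: OK ({1})" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '))
        }
    }

# Rule #4: every domain must resolve, including the DC locator SRV records that
# trust creation and DCPromo depend on. A missing record here explains a failed trust.
foreach ($d in $Domains) {
    foreach ($name in @("_ldap._tcp.dc._msdcs.$d", "_kerberos._tcp.dc._msdcs.$d")) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
            Write-Host ("{0} -> {1}" -f $name, (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '))
        } catch {
            Write-Warning ("{0}: no SRV record ({1})" -f $name, $_.Exception.Message)
        }
    }
}

# The DCDiag tip: keep the full verbose output, show only the problem lines.
dcdiag /v | Out-File -FilePath $Report -Encoding utf8
Select-String -Path $Report -Pattern 'FAIL|ERROR|WARN' |
    ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
Write-Host "Full DCDiag output saved to $Report"
```

Run it on each DC in turn; a DC that lists itself as 127.0.0.1 will be flagged unless you add that address to the internal set.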
 
Steve W

Herb,

Thanks for your in-depth explanation, it helps a great deal. Below you asked
about me using the DC that was originally set up as the child domain. This
is a separate company owned by the same family, so originally I set it up on
our network and made it a child. I moved it to the other facility (connected
via VPN), decided I didn't like that scheme. Demoted it, re-promoted it as a
separate domain, and I am trying to create a trust relationship.

Thanks

Steve


Herb Martin said:
Steve W said:
I'm trying to do a couple of things. First, I have an orphaned child domain
I'm trying to get rid of. Yes, I've gone through ADSIEdit, no entries
relevant to the domain. I have used ntdsutil, found the domain, selected it
and tried to remove it. I get this error:

It's better to use NTDSUtil FIRST, before even attempting ADSIEdit
which requires more knowledge and can easily remove only part of
the problem.

ADSIEdit should be reserved for those cases where you have done
the NTDSUtil, it seemed to succeed but even then left traces.
"DsRemoveDsDomainW error 0x2162 (The requested domain could not be deleted
because there exist domain controllers that still host this domain.)"

Remove each DC FIRST. Then the domain.
Where else could I find the domain controller reference besides those two
applications?

Did you use NTDSUtil to search for the DCs? (You don't mention that
above if you did it.)
Secondly, and probably related, I can't create a trust relationship to
another domain.

Usually this is due to DNS problems if you mean the same forest. If you
mean to an external NT domain or different forest that is usually a NetBIOS
problem -- and frequently a WINS Server (or WINS client on the DCs) issue.

Describe your DNS configuration AND make sure your DCs are all
proper DNS clients. (See below for DNS outline.)
This domain is using the DC that was originally set up as
the child domain.

In some sense that is not technically possible -- do you mean that you
had a DC, DCPromo it to non-DC, then DCPromo'd it to a new DC
in the other domain?

While it is possible that the old Domain still has the object for the DC
(same name too) but that would never happen if you were to always
do the DCPromo online and let it remove the DC from the domain it is
leaving.

This does however assume your DNS is correct -- which is NOT a good
bet due to your trust problems.
Could active directory still be associating the DC with
the orphaned child domain? It won't let me create a trust relationship.

Run DCDiag and ReplMon OR RepAdmin on each DC/domain.

Find out where you stand before you muck with it further. Also consider
a FULL + SYSTEM STATE backup -- but this might be too late if you
have mucked things up with ADSIEdit and don't have a prior backup.
So, here is a quick diagram. My domain is a.com, I set up the other DC as
b.a.com. I relocated the DC at the sister company and realized I didn't want
it structured that way, so I demoted and re-promoted the DC to c.com. My
domain here still has an entry under 'Domains and Trusts' for b.a.com. I
need to eradicate it.


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Herb Martin

Steve W said:
Herb,

Thanks for your in-depth explanation, it helps a great deal. Below you asked
about me using the DC that was originally set up as the child domain.

That's what I try to do rather than giving ONLY context dependent
answers -- especially when the problem is a tough one.

Also, if you haven't read the relevant NTDSutil then see below.

This
is a separate company owned by the same family, so originally I set it up on
our network and made it a child. I moved it to the other facility (connected
via VPN), decided I didn't like that scheme. Demoted it, re-promoted it as a
separate domain, and I am trying to create a trust relationship.


Why are you "trying to create a trust" if these are Parent-Child? Within a
single Forest the trusts are AUTOMATIC.

Now if you did not use a single forest and merely a parent-child DNS name
then it is important that you point that out to us -- as this is NOT normally
what people mean when they say Parent-Child in the context of AD Domains
(it wouldn't be a domain parent child, merely DNS in fact.)

For cleaning up DCs and Domains you should at first follow one of the step-by-steps
you can find through Google:

NTDS metadata cleanup

Search Google for:

[ NTDS "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft:
since the NTDS and other terms make it Microsoft specific
by itself.

Unless you WISH to restrict answers to the site:microsoft.com
for some reason.

[ NTDS "metadata cleanup" remove DC Domain site:microsoft.com ]

Key points to NOTE when doing the metadata cleanup:

You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN

'Connect' and 'Select' are technical terms in this context.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks

Steve


Herb Martin said:
Steve W said:
I'm trying to do a couple of things. First, I have an orphaned child domain
I'm trying to get rid of. Yes, I've gone through ADSIEdit, no entries
relevant to the domain. I have used ntdsutil, found the domain, selected it
and tried to remove it. I get this error:

It's better to use NTDSUtil FIRST, before even attempting ADSIEdit
which requires more knowledge and can easily remove only part of
the problem.

ADSIEdit should be reserved for those cases where you have done
the NTDSUtil, it seemed to succeed but even then left traces.
"DsRemoveDsDomainW error 0x2162 (The requested domain could not be deleted
because there exist domain controllers that still host this domain.)"

Remove each DC FIRST. Then the domain.
Where else could I find the domain controller reference besides those two
applications?

Did you use NTDSUtil to search for the DCs? (You don't mention that
above if you did it.)
Secondly, and probably related, I can't create a trust relationship to
another domain.

Usually this is due to DNS problems if you mean the same forest. If you
mean to an external NT domain or different forest that is usually a NetBIOS
problem -- and frequently a WINS Server (or WINS client on the DCs) issue.

Describe your DNS configuration AND make sure your DCs are all
proper DNS clients. (See below for DNS outline.)
This domain is using the DC that was originally set up as
the child domain.

In some sense that is not technically possible -- do you mean that you
had a DC, DCPromo it to non-DC, then DCPromo'd it to a new DC
in the other domain?

While it is possible that the old Domain still has the object for the DC
(same name too) but that would never happen if you were to always
do the DCPromo online and let it remove the DC from the domain it is
leaving.

This does however assume your DNS is correct -- which is NOT a good
bet due to your trust problems.
Could active directory still be associating the DC with
the orphaned child domain? It won't let me create a trust
relationship.

Run DCDiag and ReplMon OR RepAdmin on each DC/domain.

Find out where you stand before you muck with it further. Also consider
a FULL + SYSTEM STATE backup -- but this might be too late if you
have mucked things up with ADSIEdit and don't have a prior backup.
So, here is a quick diagram. My domain is a.com, I set up the other DC as
b.a.com. I relocated the DC at the sister company and realized I didn't want
it structured that way, so I demoted and re-promoted the DC to c.com. My
domain here still has an entry under 'Domains and Trusts' for b.a.com. I
need to eradicate it.


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
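The metadata cleanup order Herb describes (connect to a WORKING DC, select the dead DC or the domain, remove the DC first and only then the domain), driven non-interactively through NTDSUtil. This is an added example, not from the thread or from Microsoft's documentation; it assumes Windows Server 2003 or later, and DC-ServerNameGoesHere and the index numbers are placeholders to be replaced with what the 'list' steps print.

```powershell
# Added example (not from the thread): walks NTDSUtil metadata cleanup in the
# order given above. Phases 1 and 2 are read-only listings; phase 3 is destructive.
# Assumes Windows Server 2003+ ntdsutil. Server name and indexes are placeholders.

$WorkingDc = 'DC-ServerNameGoesHere'   # placeholder: a live DC in the surviving forest

# Phase 1 (read-only): every domain and site the directory metadata still records.
# An orphaned child domain's DCs must show up in these listings before the domain
# can be removed; otherwise 'remove selected domain' fails with error 0x2162.
ntdsutil 'metadata cleanup' `
         'connections' "connect to server $WorkingDc" 'quit' `
         'select operation target' 'list domains' 'list sites' 'quit' `
         'quit' 'quit'

# Phase 2 (read-only): the servers recorded in one site (index from phase 1).
$SiteIndex = 0   # placeholder
ntdsutil 'metadata cleanup' `
         'connections' "connect to server $WorkingDc" 'quit' `
         'select operation target' 'list sites' "select site $SiteIndex" `
         'list servers in site' 'quit' `
         'quit' 'quit'

# Phase 3 (destructive): remove each dead DC FIRST, then the domain it hosted.
# ntdsutil asks for confirmation before each removal. Re-run phase 2 after every
# removal and confirm the server is gone before removing the domain.
$DomainIndex = 1  # placeholder: index of b.a.com from 'list domains'
$ServerIndex = 1  # placeholder: index of the dead DC from 'list servers in site'
ntdsutil 'metadata cleanup' `
         'connections' "connect to server $WorkingDc" 'quit' `
         'select operation target' 'list domains' "select domain $DomainIndex" `
         'list sites' "select site $SiteIndex" 'list servers in site' "select server $ServerIndex" 'quit' `
         'remove selected server' `
         'remove selected domain' `
         'quit' 'quit'
```

Take the FULL + SYSTEM STATE backup mentioned above before phase 3; the listings in phases 1 and 2 are what tell you whether the dead DC is still recorded at all.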
 
Steve W

The DC is no longer set up as a child. I understand child to be, if I have a
domain a.com, then I set up a domain as b.a.com, the b.a.com is a child of
a.com. Am I using the wrong terminology? Right now, the other DC is set up
under its own domain, not connected to our forest. I will search Google
because, although I understand the rote walkthrough of NTDSUtil, I probably
don't understand fully the context.

I do connect to the live DC, then select the domain I am trying to delete. I
get the error described below. What I think my problem is, is I don't know
how to 'find' the DC's that are associated with the orphaned domain. There
is only one DC in our small network, but previously I had an admin that set
up disaster servers, on the network, as a DC, for the purposes of moving
offsite to a storage facility in the event of an emergency. Those two
alternate, offline DCs still show up in Domain Controllers in MMC, and I
obviously can't delete the DSA objects. That's an aside, I'm saying that
only because when I run NTDSUtil, I would expect to see them under the Site
or Domain, but only the live DC shows up. Which is the source of my
confusion. What I assume I need to do is delete the old DC name that is
associated with the sister company, but it, too, does not show up. I know
I'm probably not being entirely clear.


Herb Martin said:
Steve W said:
Herb,

Thanks for your in-depth explanation, it helps a great deal. Below you asked
about me using the DC that was originally set up as the child domain.

That's what I try to do rather than giving ONLY context dependent
answers -- especially when the problem is a tough one.

Also, if you haven't read the relevant NTDSutil then see below.

This is a separate company owned by the same family, so originally I set it up on
our network and made it a child. I moved it to the other facility (connected
via VPN), decided I didn't like that scheme. Demoted it, re-promoted it as a
separate domain, and I am trying to create a trust relationship.


Why are you "trying to create a trust" if these are Parent-Child? Within a
single Forest the trusts are AUTOMATIC.

Now if you did not use a single forest and merely a parent-child DNS name
then it is important that you point that out to us -- as this is NOT normally
what people mean when they say Parent-Child in the context of AD Domains
(it wouldn't be a domain parent child, merely DNS in fact.)

For cleaning up DCs and Domains you should at first follow one of the step-by-steps
you can find through Google:

NTDS metadata cleanup

Search Google for:

[ NTDS "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft:
since the NTDS and other terms make it Microsoft specific
by itself.

Unless you WISH to restrict answers to the site:microsoft.com
for some reason.

[ NTDS "metadata cleanup" remove DC Domain site:microsoft.com ]

Key points to NOTE when doing the metadata cleanup:

You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN

'Connect' and 'Select' are technical terms in this context.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks

Steve

