I have deleted one of our DCs purposely through ntdsutil. Now I want to know
whether it is safer to delete all DNS records like gc, ldap, kerberos & others in
DNS for the deleted DC manually.
Is there another way? Please tell me.
Thanks in advance
Assuming that this DC is an additional DC for an existing domain:
- Disconnect the DC from the network and run dcpromo /forceremoval. If this
fails and you're running
- Windows 2000, make sure that you install SP4, then try again. If it fails
again, then:
Navigate to:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions]
Change "ProductType"="LanmanNT" to "ProductType"="ServerNT"
Follow
Domain controllers do not demote gracefully when you use the Active
Directory Installation Wizard to force demotion in Windows Server 2003 and
in Windows 2000 Server
http://support.microsoft.com/kb/332199/en-us
- Then remove all references to that DC in the AD database (metadata cleanup).
- Remove any DNS references to the DC: nltest /dsderegdns:<dns host name>
- Verify that FRS member objects (FRS and DFS) are removed, and remove them
if they are present.
- If necessary, seize any left Op Master roles that were hosted by that DC.
*Note: The domain controller that seizes the role must be fully up-to-date
with the updates performed on the previous role owner. Because of
replication latency, it is possible that the domain controller might not be
up-to-date. To check the status of updates for a domain controller, use the
Repadmin.exe /Showutdvec switch.
C:\> repadmin /showutdvec server2.mydomain.com dc=mydomain,dc=com
C:\> repadmin /showutdvec server3.mydomain.com dc=mydomain,dc=com
- If there are some discrepancies, use the Repadmin /Syncall switch to make the
replication happen immediately.
- If the domain controller that you are demoting is a DNS server or global
catalog server, you must create a new GC or DNS server to satisfy load
balancing, fault tolerance, and configuration settings in the forest. Don't
forget that you need at least one GC per forest.
- Don't forget to export the *EFS* certificate. If one of these two DCs is
the first DC that was installed in your domain, then the EFS certificate
resides locally on that DC. If you remove the DC before you export the
EFS certificate, you will lose it. Without this certificate you are not
able to recover EFS-encrypted files.
http://support.microsoft.com/?scid=kb%3Ben-us%3B241201&x=5&y=13
- When you use the remove selected server command in NTDSUTIL, the NTDSDSA
object, the parent object for incoming connections to the domain controller
that you forcibly demoted, is removed. The command does not remove the parent
server objects that appear in the Sites and Services snap-in. Use the Active
Directory Sites and Services MMC snap-in to remove the server object if the
domain controller will not be promoted into the forest with the same
computer name.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/
Overview of Active Directory Objects That Are Used by FRS
http://support.microsoft.com/kb/296183/
Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498
How To Remove Orphaned Domains from Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;230306
Clean up server metadata
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
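
A read-only check for the DNS cleanup step discussed in this thread, as an added example that is not part of either post: it queries the generic DC locator SRV names and reports any that still point at the removed DC. It assumes a system with the `Resolve-DnsName` cmdlet (Windows 8 / Windows Server 2012 or later); `server1.mydomain.com` is a constructed placeholder for the removed DC, and the domain, forest and DNS server names are placeholders as well.

```powershell
# Added example: read-only check for DC locator SRV records that still point
# at a removed DC. All names below are placeholders (assumptions).
$RemovedDc  = 'server1.mydomain.com'   # FQDN of the removed DC (constructed)
$Domain     = 'mydomain.com'           # AD domain DNS name
$ForestRoot = 'mydomain.com'           # forest root DNS name
$DnsServer  = 'server2.mydomain.com'   # DNS server hosting the AD zones

# Generic SRV names Netlogon registers for a DC, GC or PDC emulator.
# Site-specific copies (..._tcp.<site>._sites...) are not covered here.
$SrvNames = @(
    "_ldap._tcp.$Domain"
    "_ldap._tcp.dc._msdcs.$Domain"
    "_ldap._tcp.pdc._msdcs.$Domain"
    "_kerberos._tcp.$Domain"
    "_kerberos._udp.$Domain"
    "_kerberos._tcp.dc._msdcs.$Domain"
    "_kpasswd._tcp.$Domain"
    "_kpasswd._udp.$Domain"
    "_gc._tcp.$ForestRoot"
    "_ldap._tcp.gc._msdcs.$ForestRoot"
)

function Find-StaleDcSrvRecord {
    param([string[]]$Names, [string]$Target, [string]$Server)
    foreach ($name in $Names) {
        # -DnsOnly skips LLMNR/NetBIOS; a missing name is not an error here.
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $Server `
                       -DnsOnly -ErrorAction SilentlyContinue
        foreach ($rec in $answers) {
            # Additional-section A records have no NameTarget and are skipped.
            if ($rec.NameTarget -and
                $rec.NameTarget.TrimEnd('.') -ieq $Target.TrimEnd('.')) {
                [pscustomobject]@{ SrvName = $name; Target = $rec.NameTarget
                                   Port = $rec.Port; TTL = $rec.TTL }
            }
        }
    }
}

$stale = @(Find-StaleDcSrvRecord -Names $SrvNames -Target $RemovedDc -Server $DnsServer)
if ($stale.Count -eq 0) {
    "No generic SRV records on $DnsServer reference $RemovedDc."
} else {
    $stale | Format-Table -AutoSize
}
```

Run it against each DNS server that hosts the zones, since AD-integrated zones replicate with latency and one server can still hold a record another has already dropped.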
"neeraj kashyap" <neeraj...@discussions.microsoft.com> wrote in message
news:78E04881-2F31-4B85...@microsoft.com...