DNS cleanup after a DC demotion - is there a cleanup tool?


Mike Leone

Jul 23, 2024, 9:59:25 AM7/23/24
to NTSysAdmin
So I still have a couple Win 2012 R2 DCs (don't judge me LOL). Anyways, today I was finally able to demote one of them. That all went fine, I also told it to remove DNS delegation when I did it. And it's all mostly gone from my DNS.

Mostly.

I still have an "_ldap" record in the site under "DomainDnsZones", and under _tcp there. And a "_gc" record.

While it's easy enough to just manually delete these few records, is there some tool that will go through and identify these for me? Luckily, I don't have that many DCs, so finding them isn't too hard. But I'm not aware of a tool that might identify such missing servers, and perhaps offer to fix it (by removing the entries that point to non-DCs - the old DC is still in the domain, just as a member server).

I haven't heard of anything, except this manual way. Not that it's difficult to fix. (will it hurt anything to just leave the entries, and not clean them up? I don't know that, either)

Thanks
--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Michael B. Smith

Jul 23, 2024, 10:11:07 AM7/23/24
to ntsys...@googlegroups.com

Leaving them can potentially slow down the DCLocator service, which is used during the logon process. I’d clean them up.

I’m not aware of any tool for cleaning them up.


Kurt Buff

Jul 23, 2024, 10:18:12 AM7/23/24
to ntsys...@googlegroups.com
You can try this Trimarc tool, but I'd be wary of what it calls dangling SPNs.
https://github.com/Trimarc/BlueTuxedo

What it calls dangling SPNs are hosts for which there are SPNs, but no A (and probably no PTR) record, which, if you have a highly mobile workforce, or a lot of people who work from home and don't often connect, can get their A records deleted due to DNS scavenging.

It's an interesting tool, though it can take a long time to generate output.

Kurt

Charles F Sullivan

Jul 23, 2024, 11:31:42 AM7/23/24
to ntsys...@googlegroups.com
This command can make it easier to spot SRV records in order to remove them:

Get-DnsServerResourceRecord -ZoneName <AD_Zone> | where RecordType -like SRV

Also check the DomainDnsZones and ForestDnsZones subzones to confirm no unwanted IP addresses are listed.

--

Charlie Sullivan

Principal Windows Systems Administrator
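Building on the Get-DnsServerResourceRecord approach above, the following script is an added example (not posted by anyone in this thread and not a Trimarc or Microsoft tool) that does what the original question asks for: it walks the domain zone and the forest _msdcs zone, pulls out the DC locator SRV records, NS and CNAME records, and the handful of A records that belong to the DC set, and reports every one whose target is not a current domain controller. It assumes the RSAT ActiveDirectory and DnsServer modules, a single-domain forest, and rights to read the zones (and, with -Remove, to delete records). The function names and the -Remove switch are this example's own.

```powershell
<#
  Added example (not from the thread): list records in the AD-integrated zones that
  still point at a host or address which is not a current domain controller, which
  is what gets left behind after a demotion. Assumes the RSAT DnsServer and
  ActiveDirectory modules, a single-domain forest, and rights to read (and, with
  -Remove, delete) DNS records. Default is report only.
#>
Import-Module ActiveDirectory, DnsServer

function Find-StaleDcDnsRecord {
    [CmdletBinding()]
    param(
        # DNS server to query; the PDC emulator hosts the AD-integrated zones in every domain
        [string]$DnsServer = (Get-ADDomain).PDCEmulator,
        [switch]$Remove
    )

    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    $dcs     = Get-ADDomainController -Filter *
    $dcHosts = @($dcs | ForEach-Object { $_.HostName.ToLower() })
    $dcAddrs = @($dcs | ForEach-Object { $_.IPv4Address })

    # DomainDnsZones and ForestDnsZones are subdomains inside these zones (their SRV
    # names look like _ldap._tcp.<site>._sites.DomainDnsZones), so one pass per zone
    # also covers them.
    $zones = @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)") | Select-Object -Unique

    # Only the DC locator SRV set is DC-owned; other SRV records (e.g. for mail or
    # SIP services) legitimately point at non-DCs and must not be flagged.
    $locatorSrv = '^(_ldap|_kerberos|_gc|_kpasswd)\.'
    # A records that belong to the DC set: zone apex (same-as-parent), the two
    # application-partition names, and gc in _msdcs. Other A records are ordinary hosts.
    $dcOwnedA = @('@', 'DomainDnsZones', 'ForestDnsZones', 'gc')

    foreach ($zone in $zones) {
        if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $zone -ErrorAction SilentlyContinue)) {
            Write-Verbose "Zone $zone not present on $DnsServer, skipping"
            continue
        }
        foreach ($r in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone) {
            $target = switch ($r.RecordType) {
                'SRV'   { if ($r.HostName -match $locatorSrv) { $r.RecordData.DomainName } }
                'NS'    { $r.RecordData.NameServer }        # zone NS set and delegations
                'CNAME' { $r.RecordData.HostNameAlias }     # <dsa-guid>._msdcs replication aliases
                'A'     { if ($r.HostName -in $dcOwnedA) { $r.RecordData.IPv4Address.ToString() } }
                default { $null }
            }
            if (-not $target) { continue }

            $t = $target.TrimEnd('.').ToLower()
            $stale = if ($r.RecordType -eq 'A') { $t -notin $dcAddrs } else { $t -notin $dcHosts }
            if (-not $stale) { continue }

            [pscustomobject]@{
                Zone   = $zone
                Name   = $r.HostName
                Type   = $r.RecordType
                Target = $t
            }
            if ($Remove) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -InputObject $r -Force
            }
        }
    }
}

# Report first; re-run with -Remove only once the list contains nothing but the demoted DC.
Find-StaleDcDnsRecord | Format-Table -AutoSize
```

Run it read-only first and read the list: a DC that is temporarily unreachable, or one in another domain of a multi-domain forest, would also show up here, so the -Remove pass belongs after a human has confirmed that every listed target is the demoted server.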

Philip Elder

Jul 23, 2024, 12:28:10 PM7/23/24
to ntsys...@googlegroups.com

No. It’s like someone did a really crappy job, no pun intended, of cleaning up that mess and there’s no automagic way to remove them from what I know.

Sites
DNS
* All DNS integrated zones
* All FLZ and rDNS zones
ADUC

It’s a bit of a process to hunt and peck but once done there’s no more worries.

Before doing so, if the DC was a FSMO Role holder verify across the forest/domain by spot check that the FSMO Roles reside where they are supposed to:

# Check FSMO
Get-ADForest | FT SchemaMaster,DomainNamingMaster
Get-ADDomain | FT PDCEmulator,RIDMaster,InfrastructureMaster

We’ve seen “ghost” FSMO Role holders break things especially demotions.

There’s times where doing a metadata check would be good using NTDSUtil.

metadata cleanup
connections
connect to server NAME
quit
Select Operation Target
List Domains
Select Domain #
List Sites
Select Site #
List Servers in Site
Select Server #
quit
Remove Selected Server
quit

After running all of the above you’re golden.

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
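The FSMO spot check and the ntdsutil "List Servers in Site" walk in the post above can be done read-only from PowerShell. The script below is an added example (not Philip's code and not part of any Microsoft tool): it checks that each of the five FSMO holders is a DC that currently answers, then enumerates every NTDS Settings (nTDSDSA) object in the configuration partition, follows the parent server object's serverReference to its computer account, and reports any whose account no longer carries the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl, which is exactly the state a demoted-but-still-a-member DC ends up in. It assumes the RSAT ActiveDirectory module, a single-domain forest, and rights to read the configuration partition; the function name and output column names are this example's own. It only reports; the removal itself is the ntdsutil "Remove Selected Server" step from the post.

```powershell
<#
  Added example (not from the thread): read-only check that every FSMO role holder is a
  live DC and that the configuration partition holds no NTDS Settings object for a
  server whose computer account is no longer a domain controller. Assumes the RSAT
  ActiveDirectory module, a single-domain forest and read rights on the configuration
  partition.
#>
Import-Module ActiveDirectory

function Test-DcMetadata {
    [CmdletBinding()]
    param()

    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $liveDcs = @((Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() })

    # 1. FSMO roles: each holder must be one of the DCs that currently answers.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in @($roles.Keys)) {
        $holder = ([string]$roles[$role]).ToLower()
        $status = 'OK'
        if ($holder -notin $liveDcs) {
            $status = 'GHOST - holder is not a live DC; transfer or seize the role before any cleanup'
        }
        [pscustomobject]@{ Check = "FSMO:$role"; Object = $holder; Status = $status }
    }

    # 2. Replication metadata: an NTDS Settings (nTDSDSA) object means AD still treats
    #    the parent server object as a DC. Resolve the parent's computer account via
    #    serverReference and test the SERVER_TRUST_ACCOUNT bit (0x2000).
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $ntdsSettings = Get-ADObject -SearchBase "CN=Sites,$cfgNc" -LDAPFilter '(objectClass=nTDSDSA)'
    foreach ($ntds in $ntdsSettings) {
        # Parent DN: CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $serverDn = ($ntds.DistinguishedName -split ',', 2)[1]
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference
        $status   = 'OK'
        if (-not $server.serverReference) {
            $status = 'ORPHAN - no computer account linked; candidate for ntdsutil metadata cleanup'
        } else {
            $comp = Get-ADComputer -Identity $server.serverReference -Properties userAccountControl -ErrorAction SilentlyContinue
            if (-not $comp) {
                $status = 'ORPHAN - linked computer account is gone; candidate for ntdsutil metadata cleanup'
            } elseif (-not ($comp.userAccountControl -band 0x2000)) {
                $status = 'DEMOTED - account is now a member server but NTDS Settings remain; run ntdsutil metadata cleanup'
            }
        }
        [pscustomobject]@{ Check = 'NTDS Settings'; Object = $server.dNSHostName; Status = $status }
    }
}

Test-DcMetadata | Format-Table -AutoSize
```

A clean demotion leaves every row at OK; a DEMOTED or ORPHAN row is the same server you would otherwise find by stepping through "List Servers in Site" in ntdsutil, and a GHOST row is the case the post warns about, where a role is still recorded against a machine that is no longer a DC.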

Mike Leone

Jul 23, 2024, 12:44:02 PM7/23/24
to ntsys...@googlegroups.com
On Tue, Jul 23, 2024 at 12:28 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

> No. It’s like someone did a really crappy job, no pun intended, of cleaning up that mess and there’s no automagic way to remove them from what I know.
>
> Sites
> DNS
> * All DNS integrated zones
> * All FLZ and rDNS zones
> ADUC
>
> It’s a bit of a process to hunt and peck but once done there’s no more worries.
>
> Before doing so, if the DC was a FSMO Role holder verify across the forest/domain by spot check that the FSMO Roles reside where they are supposed to:
>
> # Check FSMO
> Get-ADForest | FT SchemaMaster,DomainNamingMaster
> Get-ADDomain | FT PDCEmulator,RIDMaster,InfrastructureMaster

All good, thanks for the tip!

> There’s times where doing a metadata check would be good using NTDSUtil.
>
> metadata cleanup
> connections
> connect to server NAME
> quit
> Select Operation Target
> List Domains
> Select Domain #
> List Sites
> Select Site #
> List Servers in Site
> Select Server #
> quit
> Remove Selected Server
> quit

Yep, all good, did not see the decommissioned server anywhere in the above ntdsutil output.

Doing another Win 2012 R2 DC decomm tomorrow, and the last one the day after - that one is a DHCP server, and so we're migrating the DHCP this afternoon to a new Win 2022 (non-DC) server, to prepare.

I did notice that if I did a "repadmin /replsummary" immediately after decommissioning, it showed it couldn't reach the decommed server. But that cleared up in a few minutes, I presume when the replication fully kicked in again.

Philip Elder

Jul 23, 2024, 12:49:45 PM7/23/24
to ntsys...@googlegroups.com

Sites can do that if there’s replication links with time delays.

The main thing is that there’s no references anywhere to previous DCs.
