Proper way to remove a DC and DFSR data from a crashed server

Discussion in 'Active Directory' started by Joshua Graham, Aug 20, 2007.

  1. I had an off-site server for disaster purposes, which was not being backed
    up, and it crashed. I am not able to recover it, so I need to remove all the
    data in AD relevant to that server. The server was a DC, DNS, and DFSR
    member. I have searched and have not found anything besides the MS article
    216498 on how to remove a DC after an unsuccessful demotion, which I can do,
    but I want to make sure all the DFSR data is also removed. How do I remove
    all the DFSR data in AD?

    Thanks,

    Josh
     
    Joshua Graham, Aug 20, 2007
    #1

  2. Mathieu CHATEAU, Aug 20, 2007
    #2

  3. Joshua Graham

    Jorge Silva Guest

    Hi
    Assuming that this DC is an additional DC for an existing domain:
    - Disconnect (unplug the network cable) the DC from the network and run
      dcpromo /forceremoval.
    - Restart the server.
    - Delete the NTDS folder.

    Follow:
    Domain controllers do not demote gracefully when you use the Active
    Directory Installation Wizard to force demotion in Windows Server 2003 and
    in Windows 2000 Server
    http://support.microsoft.com/kb/332199/en-us

    - Then remove all references to that DC in the AD database (metadata cleanup).
    - Remove any DNS references to the DC: nltest /dsderegdns:<dns host name>
    - If necessary, seize any remaining Operations Master roles that were hosted
      by that DC.
    *Note: The domain controller that seizes the role must be fully up-to-date
    with the updates performed on the previous role owner. Because of
    replication latency, it is possible that the domain controller might not be
    up-to-date. To check the status of updates for a domain controller, use the
    Repadmin.exe /showutdvec switch.
    C:\> repadmin /showutdvec server2.domain.com dc=mydomain,dc=com
    C:\> repadmin /showutdvec server3.domain.com dc=mydomain,dc=com
    - If there are discrepancies, use the repadmin /syncall switch to make the
      replication happen immediately.
    - If the domain controller that you are demoting is a DNS server or global
      catalog server, you must create a new GC or DNS server to satisfy load
      balancing, fault tolerance, and configuration settings in the forest; don't
      forget that you need at least one GC per forest.
    - Don't forget to export the EFS certificate. If one of these two DCs is the
      first DC that was installed in your domain, then the EFS certificate resides
      locally on that DC. When you remove the DC before you export the EFS
      certificate you will lose it. Without this certificate you are not able to
      recover EFS encrypted files.
    http://support.microsoft.com/?scid=kb;en-us;241201&x=5&y=13

    - When you use the remove selected server command in NTDSUTIL, the NTDSDSA
      object (the parent object for incoming connections to the domain controller
      that you forcibly demoted) is removed. The command does not remove the
      parent server object that appears in the Sites and Services snap-in.
    Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
    http://support.microsoft.com/kb/255504/
    How to remove data in Active Directory after an unsuccessful domain
    controller demotion
    http://support.microsoft.com/?kbid=216498
    Clean up server metadata
    http://technet2.microsoft.com/Windo...5e8c-4a5c-9f66-4a486a7114fd1033.mspx?mfr=true
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 20, 2007
    #3

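The reply above lists the AD objects that a dead DC leaves behind but, as the question notes, does not say where the DFSR data lives. The following PowerShell script is an added example, not code from the thread or from any of its participants. It audits, on a surviving DC, every leftover reference the reply mentions (the server and NTDS Settings objects under Sites, FSMO ownership) and additionally the DFSR objects in the domain partition: the crashed computer's msDFSR-Member object in each replication group's Topology container, the inbound connection objects on other members whose fromServer points at it, and the DFSR-LocalSettings subtree on the computer account. It is report-only unless -Remove is given, and it deliberately does not delete the server or NTDS Settings objects, because those belong to ntdsutil metadata cleanup. The computer name `DC02` and the "run as Domain Admin on a surviving DC" precondition are assumptions; it uses only System.DirectoryServices, so it does not need the later ActiveDirectory module.

```powershell
# Added example, not part of the thread. Audit (and optionally remove) the
# Active Directory objects a crashed DC leaves behind, including its DFSR
# membership. Run on a surviving DC as a Domain Admin (assumption).
param(
    [Parameter(Mandatory = $true)] [string] $DeadDc,   # e.g. "DC02" (short name, not FQDN) - placeholder
    [switch] $Remove                                   # report only unless given
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.Properties["defaultNamingContext"].Value
$configDN = $rootDse.Properties["configurationNamingContext"].Value

# LDAP subtree search under $baseDN; yields DirectoryEntry objects.
function Find-AdObjects([string] $baseDN, [string] $filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$baseDN"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) { $result.GetDirectoryEntry() }
}

function Get-Dn($entry) { $entry.Properties["distinguishedName"].Value }

# 1. Metadata cleanup targets: the server object under Sites and its NTDS
#    Settings (nTDSDSA) child. Only reported here; ntdsutil "metadata cleanup"
#    / "remove selected server" is the supported way to delete them.
foreach ($s in (Find-AdObjects $configDN "(&(objectClass=server)(cn=$DeadDc))")) {
    "Server object still present: $(Get-Dn $s)"
    foreach ($n in (Find-AdObjects (Get-Dn $s) "(objectClass=nTDSDSA)")) {
        "  NTDS Settings still present: $(Get-Dn $n) -> ntdsutil metadata cleanup"
    }
}

# 2. FSMO roles. Each fSMORoleOwner value is the DN of an NTDS Settings object,
#    so a value under the dead DC means that role still has to be seized.
$roleHolders = @{
    "PDC Emulator"   = [ADSI]"LDAP://$domainDN"
    "RID Master"     = [ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainDN"
    "Infrastructure" = [ADSI]"LDAP://CN=Infrastructure,$domainDN"
    "Domain Naming"  = [ADSI]"LDAP://CN=Partitions,$configDN"
    "Schema"         = [ADSI]"LDAP://CN=Schema,$configDN"
}
foreach ($role in $roleHolders.Keys) {
    $owner = $roleHolders[$role].Properties["fSMORoleOwner"].Value
    if ($owner -like "CN=NTDS Settings,CN=$DeadDc,*") {
        "FSMO role '$role' still owned by $DeadDc -> seize it with ntdsutil"
    }
}

# 3. DFSR. Replication groups live in the domain NC under
#    CN=DFSR-GlobalSettings,CN=System. Each group's Topology container holds one
#    msDFSR-Member per computer, linked by msDFSR-ComputerReference. Inbound
#    connections are children of the *receiving* member, so connections coming
#    from the dead member sit under other members (fromServer = dead member DN).
$computer = Find-AdObjects $domainDN "(&(objectClass=computer)(cn=$DeadDc))" |
            Select-Object -First 1
if ($null -eq $computer) {
    "No computer object named $DeadDc in $domainDN (already deleted?)"
} else {
    $computerDN = Get-Dn $computer
    $dfsrRoot   = "CN=DFSR-GlobalSettings,CN=System,$domainDN"
    $members = Find-AdObjects $dfsrRoot "(&(objectClass=msDFSR-Member)(msDFSR-ComputerReference=$computerDN))"
    foreach ($m in $members) {
        $memberDN = Get-Dn $m
        "DFSR member object: $memberDN"
        $inbound = Find-AdObjects $dfsrRoot "(&(objectClass=msDFSR-Connection)(fromServer=$memberDN))"
        foreach ($c in $inbound) {
            "  connection from dead member, stored on another member: $(Get-Dn $c)"
            if ($Remove) { $c.DeleteTree() }
        }
        if ($Remove) { $m.DeleteTree() }   # also drops the member's own inbound connections
    }
    # Per-computer subscription data (which replicated folders it hosted) sits
    # under the computer object and survives if the computer account is kept.
    foreach ($l in (Find-AdObjects $computerDN "(objectClass=msDFSR-LocalSettings)")) {
        "DFSR-LocalSettings subtree: $(Get-Dn $l)"
        if ($Remove) { $l.DeleteTree() }
    }
}
```

Run it first without -Remove, read the report, do the ntdsutil metadata cleanup, role seizure and nltest /dsderegdns steps from the reply above, and only then rerun with -Remove to delete the DFSR objects. The two-pass lookup in step 3 matters: deleting only the dead member's own object leaves dangling msDFSR-Connection objects on every partner that received from it, and those are the entries the DFS Management console keeps showing as a missing server.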