Removing a DNS Settings container under a demoted DC (2012)

Bud Spencer 21 Reputation points
2021-03-31T08:49:49.41+00:00

Hello,
Background:
We previously had a 2012 DC, server1, which held the FSMO roles PDC, RID and Infrastructure.
Those roles were transferred successfully from server1 to server2 with Active Directory Users and Computers -> Operations Masters, then checked with netdom query fsmo that they were on server2, and left to replicate.

After that I checked diagnostics
dcdiag /test:dns /e /v

replications
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose

None of them had errors, and after everything passed, server1 was demoted; the demotion was successful.

Then I checked Sites and Services: the server was still to be found, as it should be after demotion, but to our amazement it was not clean of the container DNS Settings.
[image: dns-settings.png]

The container has attribute distinguishedName CN=DNS Settings,CN=server1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=domain,DC=com

After that I cleaned up the zones from that demoted server and ran diagnostics
dcdiag /test:dns /e /v

replications
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose

None of them had errors either.

After googling around I found out that this server was in fact still the KeyMasterServer, and queried it with this command.

Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com

ZoneName : my.domain.com
IsKeyMasterServer : False
KeyMasterServer : server1.my.domain.com
KeyMasterStatus : Offline
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00

Because the server was already demoted, I decided to seize the role to another server, which was also now the holder of the FSMO roles.

Reset-DnsServerZoneKeyMasterRole -ZoneName my.domain.com -KeyMasterServer server2.my.domain.com -SeizeRole -Force

After that the role was found to be:
Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com

ZoneName : my.domain.com
IsKeyMasterServer : True
KeyMasterServer : server2.my.domain.com
KeyMasterStatus : Online
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00

The question now is: how can this container be removed from Sites and Services and from AD cleanly? We have no DNSSEC in use.

I already checked with ntdsutil that this DC is no longer found in any site or domain with the "list servers in site" command.

Can I just delete it under server1 in Sites and Services, since a similar DNS Settings container is now found under server2 in Sites and Services? Before the seize it was not there. Or should I do some trickery with ldifde perhaps?


Accepted answer
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2021-04-01T08:09:36.053+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Can I just delete it under server1 in sites and services since the similar DNS-Settings is now found from the server2 in sites and services.

    After discussing with our AD DS support engineer, you could delete it under server1 in sites and services manually.

    Best Regards,
    Sunny



3 additional answers
  1. Dave Patrick 426K Reputation points MVP
    2021-03-31T13:11:46.09+00:00

  2. Bud Spencer 21 Reputation points
    2021-03-31T13:17:20.21+00:00

I did a bit of digging:
    c:\Windows\System32>ldifde -f c:\temp\ldifde.txt -s server2.my.domain.com -d "dc=domain,dc=com" -r "(name=server1)" -p subtree
    Connecting to "server2.my.domain.com"
    Logging in as current user using SSPI
    Exporting directory to file c:\temp\ldifde.txt
    Searching for entries...
    Writing out entries...

    No Entries found

    The command has completed successfully

    but when I do an nslookup for the domain
    c:\Windows\System32>nslookup my.domain.com
    Server: server2.my.domain.com
    Address: add.res.sre.mvd <<< ip address is removed

    DNS request timed out.
    timeout was 2 seconds.

    Name: my.domain.com
    Addresses: add.res.sre.mvd. <<< ip address is removed
    add.res.sre.mvd. <<< ip address is removed

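As an added example (not code from the thread or from Microsoft), the check-then-delete sequence for the question above and for the ldifde search in this answer, in PowerShell. Two things it relies on: ldifde -d sets the search base, and dc=domain,dc=com does not contain CN=Configuration,DC=domain,DC=com, which is why a subtree search under the domain NC returns "No Entries found" for an object that lives under CN=Sites in the Configuration partition; and the DNS Settings container's object class is msDNS-ServerSettings (the class named in the Experts Exchange link below). The names server1, server2.my.domain.com and my.domain.com are taken from the thread; the msDNS-KeymasterZones attribute check and the assumption that the RSAT ActiveDirectory and DnsServer modules are installed on the machine you run this from are mine.

```powershell
# Added example for this thread, not Microsoft's or the poster's code.
# Assumes RSAT ActiveDirectory + DnsServer modules and Enterprise Admin rights.
Import-Module ActiveDirectory
Import-Module DnsServer

$DemotedServer = 'server1'                 # assumption: name from the thread
$NewKeyMaster  = 'server2.my.domain.com'   # assumption: FQDN from the thread
$Remove        = $false                    # set to $true only after the checks below pass

# 1. Search the Configuration NC, not the domain NC: the object's DN is
#    CN=DNS Settings,CN=server1,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DemotedServer))" `
                          -SearchBase "CN=Sites,$configNC" -SearchScope Subtree
if (-not $serverObj) { throw "No server object named $DemotedServer under CN=Sites,$configNC" }

$children = Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel `
                         -Filter * -Properties objectClass, 'msDNS-KeymasterZones'

# 2. A live DC has an nTDSDSA child ("NTDS Settings"); a cleanly demoted one does not.
#    Refuse to touch anything if it is still there.
if ($children | Where-Object { $_.ObjectClass -eq 'nTDSDSA' }) {
    throw "$DemotedServer still has an NTDS Settings object; it is not demoted. Stopping."
}

# 3. The leftover is the msDNS-ServerSettings child ("CN=DNS Settings").
$dnsSettings = $children | Where-Object { $_.ObjectClass -eq 'msDNS-ServerSettings' }
if (-not $dnsSettings) { Write-Host "No DNS Settings object under $DemotedServer; nothing to do."; return }

# 4. Before deleting, make sure no AD-integrated primary zone still names the demoted
#    server as key master (the thread shows KeyMasterServer set even with DNSSEC unused).
$zones = Get-DnsServerZone -ComputerName $NewKeyMaster |
         Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone }
$staleZones = foreach ($zone in $zones) {
    try {
        $s = Get-DnsServerDnsSecZoneSetting -ZoneName $zone.ZoneName -ComputerName $NewKeyMaster -ErrorAction Stop
        if ($s.KeyMasterServer -like "$DemotedServer.*") { $zone.ZoneName }
    } catch {
        Write-Warning "Could not read DNSSEC settings for $($zone.ZoneName): $_"   # e.g. TrustAnchors
    }
}
foreach ($z in $staleZones) {
    Write-Warning "$z still points at $DemotedServer as key master; seizing to $NewKeyMaster"
    Reset-DnsServerZoneKeyMasterRole -ZoneName $z -KeyMasterServer $NewKeyMaster `
                                     -ComputerName $NewKeyMaster -SeizeRole -Force
}

# 5. Delete the stale object. With $Remove = $false this only prints what would happen.
$dnsSettings | ForEach-Object {
    Write-Host "Stale object: $($_.DistinguishedName)"
    # Assumption: msDNS-KeymasterZones on the stale object lists zones that still think
    # server1 is key master. It should be empty after the seizes above.
    if ($_.'msDNS-KeymasterZones') {
        Write-Warning "Still lists key-master zones: $($_.'msDNS-KeymasterZones' -join ', ')"
    }
    Remove-ADObject -Identity $_.DistinguishedName -Recursive -WhatIf:(-not $Remove) -Confirm:$false
}

# 6. Push the change everywhere and confirm only live servers still carry the object.
repadmin /syncall /AdeP | Out-Null
repadmin /replsummary
Get-ADObject -LDAPFilter '(objectClass=msDNS-ServerSettings)' -SearchBase "CN=Sites,$configNC" `
             -SearchScope Subtree | Select-Object DistinguishedName
```

Run it once with $Remove left at $false and read the WhatIf line; only then flip the switch. Once the DNS Settings child is gone, the server1 server object under CN=Servers is empty and can be deleted the same way, which is what the dcpromo cleanup would have done had the child not been in the way. The final Get-ADObject is the same search the ldifde command above was trying to do, only scoped to the Configuration partition.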

  3. Bud Spencer 21 Reputation points
    2021-04-01T07:50:38.107+00:00

    If somebody could see the answer to this, I would so appreciate it.
    https://www.experts-exchange.com/questions/29088961/msDNS-ServerSettings-Object-Deletion.html
