0 Votes
BudSpencer-1696 asked, DSPatrick commented

Removing a DNS Settings container under a demoted DC (2012)

Hello,
Background:
We previously had a 2012 DC, server1, which held the FSMO roles PDC, RID and Infrastructure.
Those roles were transferred successfully from server1 to server2 with Active Directory Users and Computers (Operations Masters), then checked with netdom query fsmo that they were on server2, and left to replicate.

After that I checked diagnostics:
dcdiag /test:dns /e /v

replication:
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose

None of them had errors, and after everything passed, server1 was demoted successfully.

Then I checked Sites and Services; the server was still to be found, as it should be after a demote, but to our amazement it had not been cleaned of the DNS Settings container.
[attached screenshot: dns-settings.png]

The container has attribute distinguishedName CN=DNS Settings,CN=server1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=domain,DC=com

After that I cleaned up the zones from that demoted server and ran diagnostics:
dcdiag /test:dns /e /v

replication:
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose

None of them had errors either.

After googling around I found out that this server was in fact still the KeyMasterServer, and queried it with this command.

Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com

ZoneName : my.domain.com
IsKeyMasterServer : False
KeyMasterServer : server1.my.domain.com
KeyMasterStatus : Offline
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00

Because the server was already demoted, I decided to seize the role to another server, which was now also the holder of the FSMO roles.

Reset-DnsServerZoneKeyMasterRole -ZoneName my.domain.com -KeyMasterServer server2.my.domain.com -SeizeRole -Force

After that the role was found to be:
Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com

ZoneName : my.domain.com
IsKeyMasterServer : True
KeyMasterServer : server2.my.domain.com
KeyMasterStatus : Online
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00

The question now is: how can this container be removed from Sites and Services and AD cleanly? We have no DNSSEC in use.

I already checked with ntdsutil that this DC is no longer found in any site or domain with the "list servers in site" command.

Can I just delete it under server1 in Sites and Services, since the same DNS Settings container is now found under server2 in Sites and Services? Before the seize it was not there. Or should I do some trickery with ldifde perhaps?


Tags: windows-active-directory, windows-server-2012, windows-dhcp-dns, windows-server-migration, windows-server-management
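Added example, not code from the original post: a PowerShell check that does what the question did by hand for one zone (query Get-DnsServerDnsSecZoneSetting, seize with Reset-DnsServerZoneKeyMasterRole, query again to verify) across every primary zone on the server, and generalizes it to report any zone whose Key Master is not Online. It only seizes when -Seize is passed. The server names are the ones used in the thread; the function name Test-DnsKeyMaster and the report layout are my own.

```powershell
# Added example, not from the original thread. Audits every primary zone on a DNS
# server for a DNSSEC Key Master that is not Online (the state the question found
# after server1 was demoted) and seizes the role only when -Seize is given.
# Requires the DnsServer module (RSAT). Server names are the thread's; adjust them.
Import-Module DnsServer

function Test-DnsKeyMaster {
    param(
        [string]$DnsServer    = 'server2.my.domain.com',   # DNS server to query
        [string]$NewKeyMaster = 'server2.my.domain.com',   # server that should hold the role
        [switch]$Seize                                     # report only unless set
    )

    # Secondary, stub and forwarder zones cannot hold a Key Master; skip
    # auto-created and reverse zones as well.
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

    foreach ($zone in $zones) {
        $setting = Get-DnsServerDnsSecZoneSetting -ZoneName $zone.ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue
        # A zone with no Key Master recorded has nothing to move.
        if (-not $setting -or [string]::IsNullOrEmpty($setting.KeyMasterServer)) { continue }

        $result = [pscustomobject]@{
            ZoneName        = $zone.ZoneName
            KeyMasterServer = $setting.KeyMasterServer
            KeyMasterStatus = $setting.KeyMasterStatus
            IsSigned        = $zone.IsSigned
            Action          = 'None'
        }

        if ($setting.KeyMasterStatus -ne 'Online') {
            if ($Seize) {
                # Seizing is only appropriate when the old holder is gone for good
                # (demoted or decommissioned); a live holder should transfer instead.
                Reset-DnsServerZoneKeyMasterRole -ZoneName $zone.ZoneName -ComputerName $DnsServer `
                    -KeyMasterServer $NewKeyMaster -SeizeRole -Force

                # Re-read the setting so the report shows what the server now believes.
                $after = Get-DnsServerDnsSecZoneSetting -ZoneName $zone.ZoneName -ComputerName $DnsServer
                $result.KeyMasterServer = $after.KeyMasterServer
                $result.KeyMasterStatus = $after.KeyMasterStatus
                $result.Action = if ($after.KeyMasterStatus -eq 'Online') { 'Seized' } else { 'SeizeFailed' }
            }
            else {
                $result.Action = 'NeedsSeize'
            }
        }
        $result
    }
}

# Report only. Add -Seize once the offline holder is confirmed decommissioned.
Test-DnsKeyMaster | Format-Table -AutoSize
```

Run it without -Seize first: a row showing NeedsSeize with a KeyMasterServer that is a demoted DC is exactly the situation in the question. KeyMasterStatus reading Online on the new holder after the seize is the same check the post made with its second Get-DnsServerDnsSecZoneSetting call.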

0 Votes
SunnyQi-MSFT answered, BudSpencer-1696 commented

Hi,

Thanks for posting in Q&A platform.

"Can I just delete it under server1 in sites and services since the similar DNS-Settings is now found from the server2 in sites and services."

After discussing with our AD DS support engineer, you could delete it under server1 in sites and services manually.

Best Regards,
Sunny



Nice, thanks, I'll try it and post how it goes.

0 Votes

Will be waiting for your good news :)

0 Votes

Yes, everything seems OK.

0 Votes

0 Votes
DSPatrick answered, DSPatrick commented

Hi, thanks for the answer, but as mentioned there is no server1 when I list servers in site with ntdsutil.

0 Votes

0 Votes
BudSpencer-1696 answered

I did a bit of digging:
c:\Windows\System32>ldifde -f c:\temp\ldifde.txt -s server2.my.domain.com -d "dc=domain,dc=com" -r "(name=server1)" -p subtree
Connecting to "server2.my.domain.com"
Logging in as current user using SSPI
Exporting directory to file c:\temp\ldifde.txt
Searching for entries...
Writing out entries
ldap://domain.com/dc=domain,dc=com

No Entries found

The command has completed successfully

But when I do an nslookup for the domain:
c:\Windows\System32>nslookup my.domain.com
Server: server2.my.domain.com
Address: add.res.sre.mvd <<< ip address is removed

DNS request timed out.
timeout was 2 seconds.

Name: my.domain.com
Addresses: add.res.sre.mvd. <<< ip address is removed
add.res.sre.mvd. <<< ip address is removed



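Added example, not code from the original post. The ldifde run in the post searched only the domain partition (-d "dc=domain,dc=com"), while the distinguishedName quoted in the question sits under CN=Sites,CN=Configuration,DC=domain,DC=com, which is the configuration partition. This PowerShell function searches both partitions for the old server name and lists any child objects (such as "DNS Settings") still hanging under a match. It assumes the ActiveDirectory module; the names server1 and server2.my.domain.com come from the thread, and the function name Find-DemotedDcResidue is my own.

```powershell
# Added example, not from the original thread. Looks for leftover objects named
# after a demoted DC in both the domain and the configuration naming contexts and
# lists their direct children, so a lingering "DNS Settings" container is visible.
# Requires the ActiveDirectory module (RSAT). Names are the thread's; adjust them.
Import-Module ActiveDirectory

function Find-DemotedDcResidue {
    param(
        [string]$ServerName = 'server1',                 # name of the demoted DC
        [string]$Server     = 'server2.my.domain.com'    # DC to run the queries against
    )

    # rootDSE tells us the DN of each partition without hard-coding the domain.
    $rootDse = Get-ADRootDSE -Server $Server
    $partitions = [ordered]@{
        Domain        = $rootDse.defaultNamingContext
        Configuration = $rootDse.configurationNamingContext
    }

    foreach ($partitionName in $partitions.Keys) {
        $base = $partitions[$partitionName]

        $hits = Get-ADObject -Server $Server -SearchBase $base -SearchScope Subtree `
            -LDAPFilter "(name=$ServerName)" -Properties objectClass, whenChanged

        foreach ($hit in $hits) {
            [pscustomobject]@{
                Partition         = $partitionName
                DistinguishedName = $hit.DistinguishedName
                ObjectClass       = $hit.ObjectClass
                IsChild           = $false
            }

            # Containers such as "DNS Settings" sit directly under the server object,
            # so a one-level search of the match shows what still has to be cleaned up.
            Get-ADObject -Server $Server -SearchBase $hit.DistinguishedName -SearchScope OneLevel `
                -Filter * -Properties objectClass |
                ForEach-Object {
                    [pscustomobject]@{
                        Partition         = $partitionName
                        DistinguishedName = $_.DistinguishedName
                        ObjectClass       = $_.ObjectClass
                        IsChild           = $true
                    }
                }
        }
    }
}

Find-DemotedDcResidue | Format-Table -AutoSize
```

The same result with the post's own tool is the ldifde command from the post with -d pointed at the configuration partition (for the DN in the question, "CN=Configuration,DC=domain,DC=com") instead of the domain root; with -d on the domain root, "No Entries found" is the expected outcome even while the container still exists.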

0 Votes
BudSpencer-1696 answered

If somebody could see the answer to this I would be so appreciative.
https://www.experts-exchange.com/questions/29088961/msDNS-ServerSettings-Object-Deletion.html
