
techcoor-9538 asked techcoor-9538 answered

How to get the domain to forget an old domain controller.

When I run dcdiag I am still seeing the Windows Server 2008 that was replaced. Dcdiag recognizes the Windows Server 2008 as a DC. Dcdiag is also listing the Windows Server 2008 as a DNS server that is not working, and "LDAP search capability attribute search failed".

What I did is reuse the ip address that was used on the Windows Server 2008 on the Windows Server 2019.

If I power on the Windows Server 2008 instead of the Windows Server 2019 and then use the dcpromo /forceremoval command, Windows Server 2008 wants to install a domain controller, so Windows Server 2008 thinks there is no DC. I could not install the DC anyway because the level is Windows Server 2016.

windows-server-2019

techcoor-9538 answered

Found "this behavior is identical to what you'd experience if you had an incorrect name server entry for the _msdcs delegation. In the DNS Manager, are you actually looking at the delegation node (i.e. the grayed-out node labeled _msdcs under mbc.ca.gov)?
Note that this is different than the content of _msdcs.mbc.ca.gov - which would contain only the "valid" records
hth
Marcin"

https://social.technet.microsoft.com/Forums/windows/en-US/6232ce48-1566-476d-8f9f-4c5d2c417eb0/missing-glue-a-record-error-details-9714-type-win32-description-dns-name-does-not-exist

Found _VLMCS and _ldap records in DC1.
Found _ldap record in DC2.

That fixed finding the old Windows Server 2008.

In summary, I had to do a metadata cleanup.
DSPatrick had a link for the procedure but I missed where the deletion was done. I found graphic images easier to follow and did the deletion following
https://www.dtonias.com/forced-removal-domain-controller/#:~:text=Open%20the%20Active%20Directory%20Sites%20and%20Services%20console%2C,accepting%20the%20warnings%20by%20clicking%20the%20Delete%20button.

Daisy Zhou gave the same procedure as above with the order switched. Do not know if the order matters.

Had to reboot to remove the "The program lsass.exe, with the assigned process ID 864, could not authenticate locally by using the target name ldap/DC" error.

To remove the "TEST: Delegations (Del)
Delegation information for the zone: domain.
Delegated domain name: _msdcs.domain.
Error: DNS server: DC.domain.
IP:<Unavailable> [Missing glue A record]
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]"
Used https://social.technet.microsoft.com/Forums/windows/en-US/6232ce48-1566-476d-8f9f-4c5d2c417eb0/missing-glue-a-record-error-details-9714-type-win32-description-dns-name-does-not-exist as reference.

I had to go through every entry in Forward Lookup Zones, _msdcs.domain, and delete all entries for the Windows Server 2008.


DSPatrick answered

You can perform cleanup to remove the failed / non-existent domain controller.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

--please don't forget to Accept as answer if the reply is helpful--



DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @techcoor-9538,

Thank you for posting here.

Based on the description "What I did is reuse the ip address that was used on the Windows Server 2008 on the Windows Server 2019.", I am not sure how you reused the IP address that was used on the Windows Server 2008 on the Windows Server 2019.

In my opinion, either the IP address that was used on the Windows Server 2008 was reused incorrectly on the Windows Server 2019, or the information about the old Windows Server 2008 DC has not been removed from the domain completely.


How many DCs are there in your domain now? Please run nltest /dclist:domain.com on one DC to check.

If you have multiple DCs (also GCs and DNS servers) besides the Windows Server 2008 DC and the Windows Server 2019 DC,
you can transfer the FSMO roles to one DC other than the Windows Server 2008 DC and the Windows Server 2019 DC.

Then demote Windows Server 2008 DC.

1. Log on to the Windows Server 2008 DC as domain Administrator.
2. Remove the domain controller from your Active Directory domain by using Dcpromo.exe.

If you try to remove the domain controller from your Active Directory domain by using Dcpromo.exe and fail, please perform the metadata cleanup for the Windows Server 2008 DC as below.

1. Log on to one good DC as domain Administrator.
2. Open CMD (run as Administrator).
3. Run the following commands one by one.
[image: meta.png]


After that, we can check the following information (all information about the old Windows Server 2008 DC should be removed):

1. Remove the failed server object from the Domain Controllers container.
[image: meta1.png]

2. Remove the failed server object from the sites.
[image: meta2.png]

3. Remove the failed server object from DNS Manager.
Remove all the DNS records corresponding to this failed DC name.
[image: meta3.png]

For more information about failed domain controllers, we can refer to the link below.

Delete Failed DCs from Active Directory
https://petri.com/delete_failed_dcs_from_ad

After we clean up the DC, we can run the following commands on one good and running DC.

Dcdiag /v /a >c:\dcdiag.txt

repadmin /replsum >c:\repsum.txt

repadmin /showrepl * /csv >c:\repsum.csv

If there is no entry about the failed DC in the results after running the three commands above, then the failed DC has been removed completely.


Note:
Based on my knowledge, if you want to reuse one IP (I assume the IP is IP1) of a DC on another new DC, we can try the steps below:
1. Demote the DC with IP address IP1.
2. After demoting, disjoin the member server with IP address IP1 from the domain.
3. Set the IP of this old machine (which had IP1) to another idle IP address (such as IP2).
4. Set the IP of the new machine to IP1.
5. Join the new machine to the domain.
6. Promote the new machine as a DC.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



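The checks Daisy Zhou describes (DC list, the Domain Controllers container, Sites and Services, FSMO roles, and the repadmin output) can be run as one script instead of by eye. The following PowerShell is an added example written for this thread, not code from Microsoft or from any poster; it assumes the RSAT ActiveDirectory module on a healthy DC, and `$OldDc` is a placeholder for the demoted server's short hostname. It only reads and reports; the removal step itself is left to the documented metadata-cleanup procedure.

```powershell
# Added example (not from the thread): report any AD metadata that still
# refers to a demoted DC. Read-only. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OldDc = 'DCold'   # placeholder: short hostname of the demoted DC

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. Still returned as a DC? (equivalent to nltest /dclist or Get-ADDomainController -Filter *)
$dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
if ($dcNames -contains $OldDc) { $findings += "Still returned by Get-ADDomainController" }

# 2. Computer object left in the Domain Controllers container (what ADUC shows)
$comp = Get-ADObject -SearchBase $domain.DomainControllersContainer -Filter { name -eq $OldDc }
if ($comp) { $findings += "Computer object remains: $($comp.DistinguishedName)" }

# 3. Server object under CN=Sites (what Sites and Services shows). A child
#    NTDS Settings (nTDSDSA) object is the replication identity that
#    "ntdsutil metadata cleanup / remove selected server" deletes.
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
              -Filter { objectClass -eq 'server' -and name -eq $OldDc }
if ($server) {
    $findings += "Server object remains: $($server.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -Filter { objectClass -eq 'nTDSDSA' }
    if ($ntds) { $findings += "NTDS Settings object remains: $($ntds.DistinguishedName)" }
}

# 4. No FSMO role may still point at the old DC (holders are reported as FQDNs)
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
             $forest.SchemaMaster, $forest.DomainNamingMaster)
foreach ($h in $holders) {
    if ($h -like "$OldDc.*") { $findings += "FSMO role still held by $h" }
}

# 5. Replication topology: parse repadmin /showrepl * /csv instead of reading it
$repl  = repadmin /showrepl * /csv | ConvertFrom-Csv
$stale = $repl | Where-Object { $_.'Source DSA' -eq $OldDc -or $_.'Destination DSA' -eq $OldDc }
if ($stale) { $findings += "repadmin still lists $OldDc as a replication partner" }

if ($findings.Count -eq 0) {
    "No remaining AD metadata for $OldDc found."
} else {
    "Remaining references to $OldDc (metadata cleanup still needed):"
    $findings | ForEach-Object { " - $_" }
}
```

If step 3 reports a surviving NTDS Settings object, that is the case the metadata-cleanup documentation linked above addresses; a clean result from all five checks while dcdiag still names the old server (as later in this thread) points at DNS rather than AD metadata.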

DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--







techcoor-9538 answered

Walked through using NTDSUtil and could not find the problem server. Quit NTDSUtil.
Decided to try a reboot. That cleared the LDAP error.
Down to:
TEST: Delegations (Del)
Delegation information for the zone: domain.
Delegated domain name: _msdcs.domain.
Error: DNS server: DC.domain.
IP:<Unavailable> [Missing glue A record]
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]


I do not see the second link giving anything new.
DaisyZhou-MSFT
All I am saying is the Windows Server 2008 had a specific NIC IP address and I reused that IP address on the new server's NIC. I do not have both servers on the same network at the same time.
There are three DCs. I was not able to run the command you gave. I used Get-ADDomainController -Filter *
Not working on FSMO yet.
Windows Server 2008 is already demoted but I am still seeing references to it.
I used the Dtonias steps to remove the Windows Server 2008 from Users and Computers and Sites and Services.
Now the Windows Server 2008 does show in the reverse lookup zone, 1.168.192.in-addr.arpa. Deleted the record.
The reverse lookup zone still looks different compared to the other DCs. There are 0.in-addr.arpa, 127.in-addr.arpa and 255.in-addr.arpa. The other DCs do not have such entries.


DaisyZhou-MSFT answered

Hello @techcoor-9538,

Thank you for posting here.

Anyway, there must be metadata about the old Windows Server 2008 DC in the forest; you must find it and delete it completely.

Why can you not run those commands?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


techcoor-9538 answered techcoor-9538 edited

To summarize:
Using Dtonias I was able to delete the Windows Server 2008 server using Active Directory Sites and Services.
Using Dtonias I walked through using NTDSUtil and could not find the problem server. This is the same procedure Daisy Zhou gave. Maybe the problem was that ntdsutil should have been run first. I do not see the Windows Server 2008 in either Active Directory Users and Computers or Active Directory Sites and Services.

I am using dcdiag /v /c /d /e /s:dc3 >c:\dc3diag.log. I do not see a problem using that instead of Dcdiag /v /a >c:\dcdiag.txt.
However, just to match, I timed the command I use (1 min 43 seconds) and ran Dcdiag /v /a >c:\dcdiag.txt. But that command did not seem to complete and I stopped it after 3 minutes. I then went back to the original command. Looking for the Windows Server 2008, I find it under the DNS test:

TEST: Delegations (Del)
Delegation information for the zone: carousel.local.
Delegated domain name: _msdcs.carousel.local.
Error: DNS server: DCold.
IP:<Unavailable> [Missing glue A record]
[Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]

DCold is found during the DNS test of each of the domain servers.
The summary is that the metadata cleanup did not remove all references to the old server.

Daisy Zhou had a couple of other commands:
repadmin /replsum >c:\repsum.txt
repadmin /showrepl * /csv >c:\repsum.csv

I saw nothing there:

Replication Summary Start Time: 2021-05-21 08:43:15
Beginning data collection for replication summary, this may take awhile:

Source DSA largest delta fails/total %% error
DC1 12m:01s 0 / 10 0
DC2 12m:01s 0 / 10 0
DC3 12m:01s 0 / 10 0

The second output takes up more space but there is no reference to DCold.

I will have to take a second pass at https://petri.com/delete_failed_dcs_from_ad.

In regard to Daisy Zhou's notes: the Windows Server 2008 was demoted 3 years ago. I would not be able to promote the Windows Server 2008 as the forest level does not support that. I am a bit concerned that if I re-attach the Windows Server 2008 to the network it will cause me even more problems.






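The thread ends with the only surviving reference living in DNS: the NS record for DCold under the `_msdcs` delegation node of the parent zone, which dcdiag reports as a missing glue A record (error 9714), plus whatever SRV, CNAME and PTR records still name the old host. Walking every zone by hand in DNS Manager is what the poster did; the following PowerShell is an added example written for this thread (not from Microsoft or any poster) that does the same sweep on a Windows DNS server and, only when you opt in, removes the hits with `-WhatIf` so you see the list before anything is deleted. It assumes the RSAT DnsServer module; `$OldDc` and `$DnsServer` are placeholders. Because the old DC's IP was reused by the new one, matching is by name only; the auto-created `0`, `127` and `255.in-addr.arpa` zones a Windows DNS server always holds are skipped, since they are not leftovers from the old DC.

```powershell
# Added example (not from the thread): find every DNS record on a Windows DNS
# server that still refers to a removed DC by name, including the NS records
# of the _msdcs delegation that dcdiag's Delegations test flags (error 9714).
# Assumes RSAT DnsServer module. $OldDc and $DnsServer are placeholders.
Import-Module DnsServer

$OldDc     = 'DCold'    # placeholder: short hostname of the removed DC
$DnsServer = 'dc1'      # placeholder: any DNS server in the domain
$Remove    = $false     # $true to delete the hits (still gated by -WhatIf below)

# Match the short name or any FQDN form of it; stored FQDNs carry a trailing dot.
$pattern = '^' + [regex]::Escape($OldDc) + '(\.|$)'

function Get-RecordTarget {
    param($Record)
    # The field that names a host differs per record type.
    switch ($Record.RecordType) {
        'NS'    { $Record.RecordData.NameServer }      # delegation / zone NS records
        'SRV'   { $Record.RecordData.DomainName }      # _ldap._tcp, _kerberos._tcp, ...
        'CNAME' { $Record.RecordData.HostNameAlias }   # <dsa-guid>._msdcs alias
        'PTR'   { $Record.RecordData.PtrDomainName }   # reverse lookup zones
        default { $null }
    }
}

$hits = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer |
                          Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        ForEach-Object {
            $target = Get-RecordTarget $_
            # Owner-name match catches the old A record; target match catches
            # NS/SRV/CNAME/PTR records that point at the old host.
            $ownerMatches  = $_.HostName -match $pattern
            $targetMatches = $target -and ($target -match $pattern)
            if ($ownerMatches -or $targetMatches) {
                [pscustomobject]@{
                    Zone   = $zone.ZoneName
                    Name   = $_.HostName
                    Type   = $_.RecordType
                    Target = $target
                    Record = $_
                }
            }
        }
}

if (-not $hits) { "No DNS records referencing $OldDc on $DnsServer."; return }

$hits | Format-Table Zone, Name, Type, Target -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # Dry run first; remove -WhatIf once the table above is exactly the set you expect.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $h.Zone `
            -InputObject $h.Record -Force -WhatIf
    }
}
```

Run it against each DNS server that hosts the zones (or one, if the zones are AD-integrated and replicating), then re-run `dcdiag /test:DNS` on every DC: the Delegations test should stop naming the old host once the NS record under `_msdcs` in the parent zone is gone.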