Question

DaneBriggs-5625 asked:

Domain Controller SRV Records remain after DC Demotion

I have a client that has an issue with SRV records not being removed after a Domain Controller is demoted. I have to manually search through all sites, _tcp, _udp, etc. and manually delete the SRV records. Additionally, after I removed some unused sites in AD Sites and Services, they were only partially removed from DNS. There are no errors during demotion, no related errors in DCDIAG and no replication errors. The client's DNS is set up differently than I normally set them up, but it should be fine.

They have 2 zones (both Active Directory replicated zones):
- contoso.com (all host records, SRV records, sites, etc.) - SRV records are left after DC demotion. Removing sites using AD Sites and Services works here.
- _msdcs.contoso.com (only SRV records and sites, DC, GC, etc. - no host records) - SRV records are left after DC demotion. Removing sites using AD Sites and Services does not work here.


Has anyone seen this before? Feels like a permissions issue.

Tags: windows-active-directory, windows-dhcp-dns

Thameur-BOURBITA answered:

Hi,

If the DNS zone is an Active Directory integrated zone, the SRV DNS records should be removed automatically or created automatically during the demotion or promotion.
Do you have the same behavior when you promote a new DC or create a new site?

Please don't forget to mark helpful reply as answer


Nope, it adds it perfectly fine.

Something new I just observed: there are 2 SRV records for each type of SRV record for each DC (LDAP, Kerberos, etc.).

DC1.contoso.com
DC1.CONTOSO.COM

One record is removed when demoted but the other remains.


Yes, it's a known issue since Windows 2016. You should make sure the domain controllers are up to date to be able to use one of the solutions below:

dns-registers-duplicate-srv-records-for-dc
Please don't forget to mark helpful reply as answer

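The two symptoms discussed above (SRV records left behind after a demotion, and case-only duplicates such as DC1.contoso.com / DC1.CONTOSO.COM) can be audited from a DNS server rather than by clicking through every _tcp/_udp folder. The following PowerShell is an added example written for this thread, not code from the thread or from Microsoft's article. It assumes the DnsServer and ActiveDirectory RSAT modules, a DNS server reachable as $DnsServer, and the domain name in $Domain (both placeholders). It only reports; nothing is deleted.

```powershell
# Added example (not from the thread): audit SRV records in the _msdcs and domain zones
# for (a) case-only duplicates and (b) targets that are no longer current DCs.
# Assumes RSAT DnsServer + ActiveDirectory modules; $DnsServer and $Domain are placeholders.
param(
    [string]$DnsServer = 'dc1.contoso.com',   # assumed: a DNS server hosting the zones
    [string]$Domain    = 'contoso.com'        # assumed: the AD domain name
)
Import-Module DnsServer
Import-Module ActiveDirectory

$zones = @("_msdcs.$Domain", $Domain)

# Host names of the DCs that currently exist in AD, normalised for case-insensitive comparison
$currentDcs = (Get-ADDomainController -Filter * -Server $Domain).HostName |
    ForEach-Object { $_.ToLowerInvariant().TrimEnd('.') }

foreach ($zone in $zones) {
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv

    # (a) Duplicates: same owner name and same target when compared case-insensitively,
    #     but present more than once (the upper/lower case issue described in the thread)
    $srv |
        Group-Object { '{0}|{1}' -f $_.HostName.ToLowerInvariant(), $_.RecordData.DomainName.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $targets = ($_.Group | ForEach-Object { $_.RecordData.DomainName }) -join ', '
            "[$zone] DUPLICATE  $($_.Group[0].HostName) -> $targets"
        }

    # (b) Stale records: SRV targets that do not match any DC still present in AD
    $srv |
        Where-Object { $currentDcs -notcontains $_.RecordData.DomainName.ToLowerInvariant().TrimEnd('.') } |
        ForEach-Object { "[$zone] STALE      $($_.HostName) -> $($_.RecordData.DomainName)" }
}
```

Run it once before and once after a demotion: anything reported as STALE in the second run is what the demotion failed to clean up. Removal is deliberately left to the administrator, because a DC that is still running Netlogon re-registers its own records, so deleting records that belong to a live DC only makes them reappear on the next refresh.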
DSPatrick answered; DaneBriggs-5625 commented:

No residual metadata after demotion.

DSPatrick answered:

A possible work-around for the upper / lower case.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-registers-duplicate-srv-records-for-dc#workaround-1-prevent-duplicate-srv-records

--please don't forget to upvote and Accept as answer if the reply is helpful--


DaneBriggs-5625 answered:

Great information guys! I appreciate your help!

Any thoughts on why when I delete a Site in AD Sites and Services it deletes out of the contoso.com zone but not _msdcs.contoso.com?

My assumption is that it has something to do with the way the previous engineer set up the separate zones.


I think it can be due to a duplicate SRV record. When an SRV record is generated for an AD site, the site name will be created automatically in DNS:

SiteName._site.ldap._msdcs.Domain_Name

vinixwu answered:

I have a similar issue. I have a Windows Server 2012 R2 server as domain controller (named DC2), then I set up a QNAP TS-831X NAS (named NAS1) to be an "additional domain controller" and joined it to Active Directory. The NAS suddenly stopped being a domain controller after I changed the domain controller setting of NAS1.

Since I don't want to give it another try, I seized all FSMO roles to DC2, and manually deleted NAS1 from:
- Active Directory Sites & Services > Sites > Servers
- Active Directory Users & Computers > [Domain Name] > Domain Controllers

But when I remove NAS1 from:
- DNS Manager > Forward Lookup Zones > [Domain Name] > Name Servers tab
- DNS Manager > Forward Lookup Zones > _msdcs.[Domain Name] > Name Servers tab
it is added back automatically after I click refresh.

How to fix it?


Hi,

Please open a new thread for your issue.
