nikolska.ru

Remove active directory from this computer without updating forest metadata

As Brad pointed out, there are some static records in there that wouldn't get scavenged anyway.

You will want to drill down to more than just the _msdcs.container [email protected] No, it isn't "a bit aggressive." It is the out-of-the-box default. Allowing DNS to continue to hand out SRV records for a malfunctioning domain controller that is unable to refresh its own records is undesirable behavior and that's why scavenging should be on.

Just out of my own curiosity, I wanted to see what would happen in a mixed environment with four different Windows Server operating systems with each set as a domain controller. Lab DC1 running Windows Server 2003 R2 was installed first and the DFL and FFL were upgraded to Windows Server 2003.

I know my labs were very simple and it is rare to find a very simple AD environment or one that is perfectly healthy so it is possible there may be issues involved in the process.

My point in spending 25 hours building all these labs and writing this article is to prove that an automatic transfer of FSMO roles works all the way back to Windows Server 2003 and if AD is healthy, the process just works.

If I try to use ntdsutil to remove the orphaned domain controller's metadata I get the following error:

    metadata cleanup: remove selected server dc1
    Binding to localhost ...
    Connected to localhost using credentials of locally logged on user.
    Ldap extended error message is 0000208F: Name Err: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of: 'CN=Ntds Settings,dc1'
    Win32 error returned is 0x208f(The object name has bad syntax.)
    )
    Unable to determine the domain hosted by the Active Directory Domain Controller (5).
    select operation target: list servers in site
    No active site list
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=contoso, DC=com
    select operation target: 0
    select operation target: select domain 0
    No current site
    Domain - DC=contoso, DC=com
    No current server
    No current Naming Context
    select operation target: list sites
    Found 2 site(s)
    0 - CN=CONTOSO-JNU-HQ, CN=Sites, CN=Configuration, DC=contoso, DC=com
    1 - CN=CONTOSO-JNU-DEPO, CN=Sites, CN=Configuration, DC=contoso, DC=com
    select operation target: select site 0
    Site - CN=CONTOSO-JNU-HQ, CN=Sites, CN=Configuration, DC=contoso, DC=com
    Domain - DC=contoso, DC=com
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 2 server(s)
    0 - CN=DC3, CN=Servers, CN=CONTOSO-JNU-HQ, CN=Sites, CN=Configuration, DC=contoso, DC=com
    1 - CN=DC4, CN=Servers, CN=CONTOSO-JNU-HQ, CN=Sites, CN=Configuration, DC=contoso, DC=com

There is no reason why you shouldn't do it, and I was going to recommend it as the answer.

My answer to the person who asked the question at BriForum was that if everything works as it should, when a DC is demoted any FSMO roles it held should be transferred to another DC.

Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation.

Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

Gerald Steere (@Darkpawh) and I spoke about cloud …