  1. Member
    Join Date
    Apr 2005
    Posts
    49

    Certifications
    MCP 70-270,70-290,70-291
    #1

    Default Remove a Read only Domain Controller

    Hi All,

    I had a Windows server 2008 server go down that is not recoverable due to hard drives. I need to redo it all, my question is:

    The server has Active Directory, DNS and is a Global Catalog. I have read that I can delete the computer account and all will be good and it will do all the metadata cleanup in Active Directory. I have also read that I have to do metadata cleanup as well?

    Could anyone confirm this for me? It would be great if I can delete the computer account and that's it. I will be naming the computer the same name again, but will wait till all replication is completed first. There were 3 accounts in the PRP so that's not an issue. I just want to do it right and not have issues.

    Many thanks

    Flames

  3. Senior Member
    Join Date
    Nov 2005
    Location
    Birmingham, AL
    Posts
    1,088
    #2
    You need to do the metadata cleanup manually.

  4. Member
    Join Date
    Apr 2005
    Posts
    49

    Certifications
    MCP 70-270,70-290,70-291
    #3
    Thanks!

    Here is the portion of the tech article that says you don't have to:

    To remove an RODC computer account with Active Directory Users and Computers
    Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

    In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).

    In the details pane, right-click the RODC computer account, and then click Delete.

    When you are prompted, click Yes to continue with the removal of the RODC account. At this point, the Deleting Domain Controller dialog box appears. If the RODC was not compromised or stolen, you can clear all the check boxes in this dialog box and then click Delete. If the RODC was compromised or stolen, see Securing Accounts After an RODC Is Stolen.

    Next, another Delete Domain Controller dialog box appears, asking you to confirm metadata deletion. Click OK to continue with the RODC computer account removal.

    If the domain controller was also a global catalog server, you are asked again to confirm that you want to continue the deletion. Click Yes to continue.

    Note
    Unlike previous versions of Active Directory, Windows Server 2008 AD DS also removes metadata when a domain controller’s computer account is removed.


    RODC Removal and Reinstallation

    Gotta love it!


    Flames
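The Microsoft procedure quoted above describes the Deleting Domain Controller dialog and its check boxes for resetting accounts that were cached on the RODC. Drives that died are not a stolen RODC, but the platters still hold whatever secrets the RODC had cached, so before the computer account is deleted a practitioner would record which accounts those were: the msDS-RevealedUsers link on the RODC object, and the back links that make it searchable, disappear with the object. The following PowerShell is an added example, not code from the thread or from the Microsoft article; it reads the revealed list from a writable DC via the msDS-RevealedDSAs back link and optionally does the same random-password reset the dialog offers. The DC name, RODC name and export path are assumptions.

```powershell
# Added example; not code from the thread or from the Microsoft article it quotes.
# Run against a writable DC BEFORE the RODC's computer account is deleted: the
# msDS-RevealedUsers link on the RODC object and its back links go with the object,
# and with them the record of which secrets were cached on the lost drives.
# Assumed names: writable DC DC01, RODC BRANCH-RODC1, export folder C:\rodc-cleanup.
$writableDc = 'DC01'
$rodcName   = 'BRANCH-RODC1'
$exportPath = "C:\rodc-cleanup\$rodcName-revealed.csv"
$resetUsers = $false      # set to $true only after reviewing the export

$root     = [ADSI]"LDAP://$writableDc/RootDSE"
$domainDn = [string]$root.defaultNamingContext      # e.g. DC=contoso,DC=com

# Locate the RODC computer object (it lives in the Domain Controllers OU).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$writableDc/$domainDn"
$searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$rodcName`$))"
$rodc = $searcher.FindOne()
if (-not $rodc) { throw "Computer object for $rodcName not found; has it already been deleted?" }
$rodcDn = [string]$rodc.Properties['distinguishedname'][0]

# Every account whose secrets were replicated to the RODC carries a back link to it
# in msDS-RevealedDSAs; this is the "revealed" list the Deleting Domain Controller
# dialog offers to export and reset.
$searcher.Filter   = "(msDS-RevealedDSAs=$rodcDn)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','objectClass','distinguishedName'))
$revealed = @($searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    New-Object PSObject -Property @{
        SamAccountName    = [string]$p['samaccountname'][0]
        ObjectClass       = [string]$p['objectclass'][$p['objectclass'].Count - 1]   # most specific class
        DistinguishedName = [string]$p['distinguishedname'][0]
    }
})

if ($revealed.Count -eq 0) {
    "No account secrets were revealed to $rodcName; nothing to reset."
    return
}

# Keep the evidence before the object (and the list) disappears.
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
$revealed | Export-Csv -Path $exportPath -NoTypeInformation
$revealed | Format-Table SamAccountName, ObjectClass -AutoSize

# Optional: give each cached *user* account a new random password, which is what the
# dialog's "reset all passwords for user accounts" check box does. Skipped here: the RODC's
# own krbtgt_<id> account (removed with it) and cached computer accounts (a reset forces a rejoin).
if ($resetUsers) {
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    foreach ($acct in $revealed | Where-Object { $_.ObjectClass -eq 'user' -and $_.SamAccountName -notlike 'krbtgt*' }) {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $newPassword = [Convert]::ToBase64String($bytes)   # 32 chars, mixed classes; not recorded anywhere
        $user = [ADSI]"LDAP://$writableDc/$($acct.DistinguishedName)"
        $user.SetPassword($newPassword)
        "Reset password for $($acct.SamAccountName); the user must obtain a new one from the helpdesk."
    }
}
```

The export step is the part worth doing even when nothing will be reset: once the RODC object is gone there is no longer any way to ask AD which accounts had their hashes on those drives.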

  5. Senior Member
    Join Date
    Nov 2008
    Location
    Australia
    Posts
    160

    Certifications
    Navini Cert II, III, MCTS, MCITP:SA
    #4
    Quote Originally Posted by flames1000 View Post
    Hi All,

    I had a Windows server 2008 server go down that is not recoverable due to hard drives.
    Well there is your first problem! Where were your backups?

    RODC or full controller, you should not have got yourself into this situation in the first place.

    If you have any other like this in your organisation I suggest getting a backup strategy in place ASAP, cause as Murphy dictates, if one fails, the probability is that another will do it at the same time, just to really p*T()* you off.

    :P

  6. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #5
    Give it a shot and then go in with NTDSUTIL and see if there are any remains of it. I was under the impression that you had to do it manually as well, but I actually haven't had to do this with Win2k8 yet.

    In all honesty, while a backup image would allow the server to get back up and running quickly, an RODC isn't that critical since it can just replicate the data back over. Obviously, this would be inconvenient if you only had one across a slow WAN link, but it wouldn't be like losing an Exchange or SQL server with no backup.
    Last edited by dynamik; 08-14-2009 at 10:33 PM.

  7. Virtual Member undomiel
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #6
    Somehow in all my Server 2008 studies I missed this. Just tested it out and verified with repadmin and ntdsutil, yes you can delete a DC from AD and it will automatically take out the metadata if you let it.
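undomiel's check with repadmin and ntdsutil, done as a script: the following PowerShell is an added example (not the poster's code and not Microsoft's) that, from a writable DC, looks for the objects a successful cleanup removes and prints the ntdsutil command to run if the server object is still there. It covers the computer account, the server object and its NTDS Settings child in the Configuration partition, the SYSVOL replication member object, and an orphaned krbtgt_<id> account. The DC and RODC names are assumptions.

```powershell
# Added example; not the poster's or Microsoft's code. Run against a writable DC after the
# RODC computer account has been deleted in Active Directory Users and Computers and
# replication has converged. Assumed names: writable DC DC01, dead RODC BRANCH-RODC1.
$writableDc = 'DC01'
$rodcName   = 'BRANCH-RODC1'

$root     = [ADSI]"LDAP://$writableDc/RootDSE"
$domainDn = [string]$root.defaultNamingContext
$configDn = [string]$root.configurationNamingContext

# Returns the DNs of objects under $SearchBase that match an LDAP filter.
function Find-Dn {
    param([string]$SearchBase, [string]$Filter, [string]$Scope = 'Subtree')
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$writableDc/$SearchBase"
    $s.Filter      = $Filter
    $s.SearchScope = $Scope
    $s.PageSize    = 500
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $s.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

# The server object under CN=Sites is what ntdsutil's "remove selected server" targets.
$serverDns = @(Find-Dn $configDn "(&(objectClass=server)(cn=$rodcName))")

$leftovers = @(
    # 1. The computer account in the Domain Controllers OU.
    Find-Dn $domainDn "(&(objectCategory=computer)(sAMAccountName=$rodcName`$))"
    # 2. The server object and its NTDS Settings (nTDSDSA) child in the Configuration partition.
    $serverDns
    foreach ($dn in $serverDns) { Find-Dn $dn '(objectClass=nTDSDSA)' 'OneLevel' }
    # 3. SYSVOL replication membership: FRS in a 2008 domain, DFSR if SYSVOL was migrated.
    Find-Dn "CN=System,$domainDn" "(&(objectClass=nTFRSMember)(cn=$rodcName))"
    Find-Dn "CN=System,$domainDn" "(&(objectClass=msDFSR-Member)(cn=$rodcName))"
    # 4. Each RODC has its own krbtgt_<id> account, linked from the computer object; one
    #    without the msDS-KrbTgtLinkBl back link is an orphan left by an incomplete cleanup.
    Find-Dn $domainDn '(&(objectCategory=person)(sAMAccountName=krbtgt_*)(!(msDS-KrbTgtLinkBl=*)))'
)

if ($leftovers.Count -eq 0) {
    "No metadata for $rodcName remains in the domain or configuration partitions."
} else {
    "Objects still present:"
    $leftovers | ForEach-Object { "  $_" }
    foreach ($dn in $serverDns) {
        # The manual route discussed in the thread, as one ntdsutil invocation.
        "Run: ntdsutil `"metadata cleanup`" `"remove selected server $dn`" quit quit"
    }
    "Leftover FRS/DFSR member or krbtgt_ objects can be deleted with ADSI Edit once the server object is gone."
}
```

Run it before the replacement DC is promoted with the same name: once a new BRANCH-RODC1 exists, a search by name can no longer distinguish new objects from stale ones.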

  8. Senior Member
    Join Date
    Nov 2008
    Location
    Australia
    Posts
    160

    Certifications
    Navini Cert II, III, MCTS, MCITP:SA
    #7
    While that is true, a state backup does get around the fact that he lost the drives, regardless of whether it is an RODC or not, and the process of working out how to remove a dead DC.

    When I was studying for the 640 I crapped out one of my DCs to see what happens when this occurs. The NTDSUTIL command to remove the metadata from the system for that server seemed to work.

    That's the only way I knew how to get around it.

  9. Senior Member
    Join Date
    Nov 2005
    Location
    Birmingham, AL
    Posts
    1,088
    #8
    Quote Originally Posted by undomiel View Post
    Somehow in all my Server 2008 studies I missed this. Just tested it out and verified with repadmin and ntdsutil, yes you can delete a DC from AD and it will automatically take out the metadata if you let it.
    Interesting. Was it a 2008 native domain?

  10. Virtual Member undomiel
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #9
    Nope, I set it to 2003 just because I was curious if that would make the difference or not.

  11. Member
    Join Date
    Apr 2005
    Posts
    49

    Certifications
    MCP 70-270,70-290,70-291
    #10
    Hi,

    I agree with the backups that should have been done. There was nothing major that could be lost. It was more for a disaster recovery test. The problem was dead drives. Backup or not, it would not bring them back. The server was a few days old, so I don't have control over whether the drives fail.

    Thanks for the feed back

    Flames

  12. Senior Member
    Join Date
    Nov 2008
    Location
    Australia
    Posts
    160

    Certifications
    Navini Cert II, III, MCTS, MCITP:SA
    #11
    I hope they were old hard drives, mate, as if they were new it would have been a right shame to get all that work done only for it to fail!

  13. Junior Member
    Join Date
    Dec 2009
    Posts
    2
    #12

    Default Remove RODC completely

    This article does not fully cover the steps to fully remove an RODC. In my experience the claim that the RODC is removed from AD metadata is not entirely accurate. I have written a blog post which covers the additional steps required here:
    Branch Office: Removing an RODC from AD - Available Technology - For Professionals

  14. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #13
    Quote Originally Posted by JWRLMVP View Post
    This article does not fully cover the steps to fully remove an RODC. In my experience the claim that the RODC is removed from AD metadata is not entirely accurate. I have written a blog post which covers the additional steps required here:
    Branch Office: Removing an RODC from AD - Available Technology - For Professionals
    Why would the DNS records be of any consequence if you are going to bring up a new RODC with the same name? They might be a nuisance until it's back up, but that's likely not a long time period.

    DHCP seems also to be a moot point, especially since you shouldn't have a DC using DHCP to begin with.

  15. Junior Member
    Join Date
    Dec 2009
    Posts
    2
    #14
    Hyper-Me

    You ask why it is important to have a clean DNS. I suppose if you like having token records causing mysterious behavior at some point in the future that is not a problem. However the goal is to maintain a clean environment IMHO. That was the motivation for my article.
    Secondly, you raise questions about DHCP and DNS on the same server. I never specified where these roles were delegated. However, there is no rule about having DHCP and DNS on the same server. It is quite common, especially in a Branch Office with an RODC.
    Third, you mention why would the DNS records be of any consequence. This is a question one might ask, but since they will be recreated with any new information that is appropriate at the time, it would seem better not to leave them in.
    I think the best thing is to have a clean environment from which to expect normal behavior.

    Thanks for your questions. I like to see that you thought through the article!

  16. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #15
    The article was correct, except that it's only if you want to make sure you spend 2-3 minutes deleting DNS records that will just come right back when you promote the RODC (assuming you use the same name again, which is likely).

    I never said there was an issue with DNS and DHCP on the same server, I said that a DOMAIN CONTROLLER should never use DHCP to get its addresses. Even a DHCP reservation is a bad idea.

    While i agree that its probably best not to have old junk laying around in DNS, your article covers stuff that is more "optional" rather than mandatory to ensure the RODC is properly removed from AD.

  17. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #16
    Why are you ragging on a new member when nothing he wrote was incorrect?

    That looks like a great blog, Jeff. Thanks for sharing and welcome to TE

  18. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #17
    I'm not ragging on him, just clarifying that what he adds in his blog is relevant but not necessarily required, therefore the MS documentation isn't incorrect.

    There is nothing wrong with adding additional helpful information, and I applaud him for that contribution.

  19. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #18
    Hyper-Me,

    His suggestion for the KB article is completely valid, and it does point to something that probably should be included in it. After all, the article title is:

    How to remove data in Active Directory after an unsuccessful domain controller demotion


    NOT:
    How to remove data in Active Directory after an unsuccessful domain controller demotion when you're just gonna add it again with the same name, which we assume everyone will always do when forcefully demoting a domain controller because no one would demote one and not promote it again with the same name

    (This incidentally will also be the title for the sequel to Fiona Apple's second album.)

    Thanks JWRLMVP for the contribution!

  20. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #19
    Quote Originally Posted by Hyper-Me View Post
    Oh, and for the record, DNS isn't exactly data in Active Directory, so yet again it would be beyond the scope of the article.
    Well, if we're gonna split hairs...

    "DNS servers running on domain controllers can store their zones in Active Directory."

    Active Directory-Integrated Zones: Domain Name System (DNS); Active Directory

    So, wrong again. Technically speaking, DNS data in an integrated zone is data in Active Directory.

    But in all honesty the point of the KB article and this article that was posted was to help remove a DC the cleanest way possible. Cleaning up DNS records would also help avoid future problems, too, just like metadata. That was in fact the entire point of this discussion.

  21. Senior Member SysAdmin4066
    Join Date
    Feb 2009
    Location
    California
    Posts
    443

    Certifications
    CCNP, CCNA, MCITP EA, MCSE, MCSA, multiple MCTS, MCP, CISSP, CTP
    #20
    I concur, deleting the AD Object as microsoft says will remove metadata automatically.

    With scavenging set, you shouldn't have to "clean up" DNS, that is if you aren't going to just be rebuilding/repromoting the DC. I have only done these where there was a problem with the DC, so it needed to be rebuilt. Leaving the DNS records was of no consequence.
    Last edited by SysAdmin4066; 12-15-2009 at 06:45 PM.
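On the DNS question argued over the last several posts, which records still point at a dead DC is something to enumerate rather than argue about. The following PowerShell is an added example, not from the thread or from the blog it links to: it exports the domain zone and its _msdcs zone with dnscmd, parses the export, and lists every record that names the dead DC together with the dnscmd command that would delete it, without deleting anything. One record worth knowing about is the DSA-GUID CNAME under _msdcs: a DC promoted again with the same name gets a new NTDS Settings object and therefore a new GUID, so that CNAME is the one stale entry the re-promotion does not overwrite. The server, zone and DC names are assumptions, as is that the script runs on the DNS server itself (dnscmd writes the export file there) and that the export uses the owner/[AGE]/TTL/class/type/data layout this parser expects.

```powershell
# Added example; not from the thread or the blog it links to. Exports the domain zone and
# its _msdcs zone from the local DNS server, then lists every record that still names the
# dead DC together with the dnscmd command that would delete it. Nothing is deleted here.
# Assumed names: DNS server DC01 (the host this runs on), zone contoso.com, dead DC BRANCH-RODC1.
$dnsServer   = 'DC01'
$domain      = 'contoso.com'
$deadDc      = 'BRANCH-RODC1'
$zones       = @($domain, "_msdcs.$domain")    # _msdcs is its own zone in 2003+ forests
$rrTypes     = 'A','AAAA','CNAME','SRV','NS','PTR'
$deadPattern = '(^|\s)' + [regex]::Escape($deadDc) + '\.'   # host name as an RDATA target

# Parses one line of a dnscmd /ZoneExport file. The owner name may be omitted, meaning
# "same node as the previous record", so the caller carries it across lines.
function ConvertFrom-ZoneLine {
    param([string]$Line, [ref]$LastOwner)
    if ($Line -match '^\s*(;|$)') { return }                    # comment or blank
    $tokens = @($Line.Trim() -split '\s+')
    if ($Line -notmatch '^\s') {                                 # owner present
        $LastOwner.Value = $tokens[0]
        $tokens = @($tokens | Select-Object -Skip 1)
    }
    # Skip the aging stamp, TTL and class that may precede the record type.
    while ($tokens.Count -gt 0 -and ($tokens[0] -match '^\[AGE:\d+\]$' -or $tokens[0] -match '^\d+$' -or $tokens[0] -eq 'IN')) {
        $tokens = @($tokens | Select-Object -Skip 1)
    }
    if ($tokens.Count -lt 2 -or $rrTypes -notcontains $tokens[0]) { return }   # SOA continuation etc.
    New-Object PSObject -Property @{
        Node = $LastOwner.Value
        Type = $tokens[0]
        Data = (@($tokens | Select-Object -Skip 1) -join ' ')
    }
}

$stale = @(foreach ($zone in $zones) {
    $file = "$zone.export.txt"
    $path = Join-Path "$env:SystemRoot\System32\dns" $file   # where dnscmd writes the export
    Remove-Item -Path $path -ErrorAction SilentlyContinue
    & dnscmd $dnsServer /ZoneExport $zone $file | Out-Null
    $owner = ''
    foreach ($line in Get-Content -Path $path) {
        $rec = ConvertFrom-ZoneLine -Line $line -LastOwner ([ref]$owner)
        if ($rec -and ($rec.Node -ieq $deadDc -or $rec.Data -imatch $deadPattern)) {
            $rec | Add-Member -MemberType NoteProperty -Name Zone -Value $zone -PassThru
        }
    }
})

if ($stale.Count -eq 0) {
    "No records in $($zones -join ', ') reference $deadDc."
} else {
    $stale | Format-Table Zone, Node, Type, Data -AutoSize
    "Delete commands (review first; a re-promoted $deadDc re-registers its own records,"
    "but the old DSA-GUID CNAME under _msdcs is never re-created with that GUID):"
    foreach ($r in $stale) {
        "dnscmd $dnsServer /RecordDelete $($r.Zone) $($r.Node) $($r.Type) $($r.Data) /f"
    }
}
```

The matches fall into two groups: records owned by the dead host (its A record) and records whose data points at it (SRV, NS, CNAME). With aging enabled on the zone, the dynamic ones age out as SysAdmin4066 describes; the script is for the case where scavenging is off or you want them gone before the replacement is promoted.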
