RE: [ActiveDir] There must be an easier way...

2006-03-07 Thread Larry Wahlers
Thanks, everybody, for your helpful replies. Just to clarify:

We have an empty root domain.
We have several child domains, one of which is our main domain with most
of the objects. That main domain has 5 sites. One of those sites has one
DC in it. That physical site also has an administrator who talked me
into promoting one of his servers to a DC in the root domain, since only
I know the root domain administrator password.

The plan was that we would let things replicate, then ghost the two
DCs, bring the two DCs over to my location, cut the wire between us,
demote the two DCs and remove them from the domain, take them back over
to the site that's leaving, re-ghost the machines back so they're DCs
again in their copy of our domains, change the root domain
administrator password to something those guys know, and let them have
at it in their own copy of our domain. Then, their users continue to
log on to their copy of our domain in their own forest, while the IT
group gets stuff migrated over to what will be their real new forest.

Unfortunately, the very evening that I promoted their DC, this guy cut
the line. So, now I have to run ntdsutil to clean up.

But, fortunately, I just happened to be signed up for an intermediate AD
class in which we did that very thing today. So, I think I'm OK, along
with the great suggestions here.

As I see it, the steps are:

1. Run NTDSUTIL and remove the two DCs.
2. Wait until tomorrow - overnight should be plenty of time for
replication. (We only have about 800 users total.)
3. Go into Sites and Services and delete the computers from the site,
and then the site itself.
4. Probably have to delete the connections to either of the deleted
computers from the many other DCs.

Thanks again, all. If there's something I've missed, I'm all ears!

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] There must be an easier way...

2006-03-07 Thread deji
You will then need to look in DNS and delete every reference to any of the
DCs in any zone or sub-zone.
You will then go into ADUC, Domain Controller OU, and manually delete the DCs
from there.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Tue 3/7/2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...
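A post-cleanup check covering the steps Larry and Dèjì list (ntdsutil removal, Sites and Services, stale connection objects, the Domain Controllers OU, DNS) plus the FSMO roles Todd raises further down, as an added PowerShell example that is not code from the thread. It assumes the RSAT ActiveDirectory and DnsServer modules on a surviving DC; the names OLDDC1, corp.example.com and DC01 are placeholders.

```powershell
# Added example, not code from the thread. Audits a forest for leftover
# references to a DC removed by metadata cleanup. Requires the RSAT
# ActiveDirectory and DnsServer modules; the three names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$RemovedDc = 'OLDDC1'            # hypothetical name of the lost DC
$Domain    = 'corp.example.com'  # hypothetical domain it belonged to
$DnsHost   = 'DC01'              # a surviving DC hosting the AD-integrated zones
$configNc  = (Get-ADRootDSE).configurationNamingContext
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Server / NTDS Settings object under Sites and Services. ntdsutil's
#    "remove selected server" deletes it; if it is still here, the cleanup failed.
$server = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))"
if ($server) { $findings.Add("Sites and Services: $($server.DistinguishedName) still exists") }

# 2. Connection objects on surviving DCs that still pull from the removed DC
#    (Larry's step 4); the source is the DN of the now-missing NTDS Settings object.
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -match "CN=$RemovedDc," } |
    ForEach-Object { $findings.Add("Stale connection $($_.Name) on $($_.ReplicateToDirectoryServer)") }

# 3. Computer account left in the Domain Controllers OU (Dèjì's ADUC step).
$dcOu = "OU=Domain Controllers,$((Get-ADDomain -Identity $Domain).DistinguishedName)"
$acct = Get-ADComputer -Filter "Name -eq '$RemovedDc'" -SearchBase $dcOu
if ($acct) { $findings.Add("ADUC: computer account $($acct.DistinguishedName) still exists") }

# 4. FSMO roles. A role still pointing at the removed DC must be seized; the
#    Schema and Domain Naming roles exist only in the forest root (Todd's point).
$forest = Get-ADForest
$dom    = Get-ADDomain -Identity $Domain
$roles  = [ordered]@{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $dom.PDCEmulator;     RIDMaster = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$RemovedDc.*") { $findings.Add("FSMO: $($r.Key) still held by $($r.Value); seize it") }
}

# 5. DNS records naming the removed DC in any zone (Dèjì's DNS step): its own
#    A record plus SRV / NS / CNAME records whose target is that host.
foreach ($zone in (Get-DnsServerZone -ComputerName $DnsHost | Where-Object { -not $_.IsAutoCreated })) {
    foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone.ZoneName) {
        # a plain foreach (not ForEach-Object) so $_ is not shadowed by the switch below
        $target = switch ($rec.RecordType) {
            'SRV'   { $rec.RecordData.DomainName }
            'NS'    { $rec.RecordData.NameServer }
            'CNAME' { $rec.RecordData.HostNameAlias }
            default { $null }
        }
        if ($rec.HostName -ieq $RemovedDc -or ($target -and $target -like "$RemovedDc.*")) {
            $findings.Add("DNS $($zone.ZoneName): $($rec.RecordType) $($rec.HostName) -> $target")
        }
    }
}

if ($findings.Count -eq 0) { "No references to $RemovedDc remain." } else { $findings }
```

Run it only after replication has converged (the KB's caution), since a finding on one DC may simply be a change that has not arrived yet.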


[ActiveDir] There must be an easier way...

2006-03-06 Thread Larry Wahlers
Hello, colleagues,

A client that we had set up as a site within our domain with its own
pair of DCs has decided to break off from us, get their own ISP, and
cut the network cable between us. In fact, they did that last
weekend. Now, the Directory Service event log on one of our DCs is
spewing out 21 warning and error messages every 15 minutes, all related
to the fact that there are no available DCs in that site.
 
Doing a Google search, I found this article,
http://support.microsoft.com/?kbid=216498, which describes at least 20
steps that must be taken to remove a DC following an unsuccessful DC
demotion, which, I suppose, is what I would have done had I had the
opportunity to demote the DCs before this client cut the line. The
article also has this warning:

Caution: The administrator must also make sure that replication has
occurred since the demotion before manually removing the NTDS Settings
object for any server. Using the Ntdsutil utility incorrectly may result
in partial or complete loss of Active Directory functionality.

Being a relative newbie to Active Directory management (but, just
emerging from a pair of classes), I have to ask if there is an easier
way to do this? We have about 800 users and 4 corporations on this wire,
and they might get a bit testy if their computers stopped working all of
a sudden!

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
That is interesting. Who established the forest? 'Cause if it was them,
they have issues. If it was you all, then just do an AD clean-up operation and
remove the domain and domain controllers from your directory. Also be prepared
to hear from them soon... :)
 
Todd Myrick



From: Larry Wahlers [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] There must be an easier way...


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
Larry-

Just follow the steps and remove the two DCs that were offsite. Wait for
replication internally and delete the site/subnet. All done.

I suggest you reset all passwords for sensitive accounts or even better
expire every password in the domain. Your client can obtain these if
they're industrious and it sounds like you left on a bad note.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Monday, March 06, 2006 7:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] There must be an easier way...
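Brian's advice carried out in PowerShell, as an added example that is not code from the thread: the departed party holds a DC, and with it a copy of the directory database, so privileged accounts are reset at once and every other user is forced to change at next logon. It assumes the RSAT ActiveDirectory module and the default built-in group names; nothing is changed unless -Commit is given.

```powershell
# Added example, not code from the thread. Carries out Brian's advice once a
# DC (and so a copy of the directory database) has left your control.
# Requires the RSAT ActiveDirectory module. Dry run (-WhatIf) unless -Commit.
param([switch]$Commit)
Import-Module ActiveDirectory
$whatIf = -not $Commit

function New-RandomPassword([int]$Length = 24) {
    # CSPRNG-backed throwaway value; nobody keeps it, so account owners get a
    # fresh reset out of band. The tiny modulo bias does not matter for that use.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^*-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$report = New-Object System.Collections.Generic.List[object]

# 1. Sensitive accounts: every user reachable through the built-in admin
#    groups is reset immediately and must change again at next logon.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$privUsers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privUsers = @($privUsers | Sort-Object -Property SamAccountName -Unique)
foreach ($u in $privUsers) {
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure -WhatIf:$whatIf
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$whatIf
    $report.Add([pscustomobject]@{ Account = $u.SamAccountName; Action = 'reset now + change at logon' })
}

# 2. Everyone else: expire the current password, so the hashes in the copied
#    database stop being valid credentials as each user next signs in.
$privNames = @($privUsers | ForEach-Object SamAccountName)
foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires) {
    if ($privNames -contains $user.SamAccountName) { continue }
    if ($user.PasswordNeverExpires) {
        # typically service accounts: a forced change would break them, so reset by hand
        $report.Add([pscustomobject]@{ Account = $user.SamAccountName; Action = 'PasswordNeverExpires: reset manually' })
    } else {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf:$whatIf
        $report.Add([pscustomobject]@{ Account = $user.SamAccountName; Action = 'change at next logon' })
    }
}
$report | Format-Table -AutoSize
```

The krbtgt account's key is in that copied database too; resetting it (twice, letting replication finish in between) belongs in the same exercise.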


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Brian,

I never did this, but I guess I should try it. If one domain tree
established the forest, another domain tree is added, but then the initial tree
is removed, won't that cause problems for the other domain tree, even if
they clean up the forest and seize the FSMO roles? The schema and
configuration containers will reflect the naming context of the root forest.
Also that is where the enterprise roles will exist. I think the only thing the
non-root can do is reinstall the forest, while the forest root can just do the
clean-up.
 
Todd Myrick



From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 7:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] There must be an easier way...


Re: [ActiveDir] There must be an easier way...

2006-03-06 Thread Umer Y
Hello Larry,

Unfortunately there is no way around doing a metadata cleanup against
those 2 DCs that have been removed from your domain and are not going
to come back.

You would want to make sure that the machines in that particular subnet
where the 2 DCs were have connectivity to an existing and functional
DC to be able to log on to the domain.

Also, from your description, it seems that at least 1 DC, which is
giving the error, is part of that domain from which the 2 DCs were
yanked off. If there are more DCs that are set to replicate with
either of the 2, they will also give replication errors unless a
metadata cleanup has been performed.



On 3/6/06, Larry Wahlers [EMAIL PROTECTED] wrote:
--
Ambition is a dream with a V8 engine. ~ Elvis Presley


RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Brian Desmond
I didn't get the drift he had a multidomain forest.

If he does, and he doesn't have a forest root DC then he's SOL and will
have to ADMT to a new domain/forest.



Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
 Sent: Monday, March 06, 2006 8:37 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] There must be an easier way...