Remove a Read only Domain Controller

flames1000 Member Posts: 49
Hi All,

I had a Windows Server 2008 server go down that is not recoverable due to failed hard drives. I need to redo it all; my question is:

The server has Active Directory, DNS and is a Global Catalog. I have read that I can delete the computer account and all will be good and it will do all the metadata cleanup in Active Directory. I have also read that I have to do metadata cleanup as well?

Could anyone confirm this for me? It would be great if I can delete the computer account and that's it. I will be naming the computer the same name again, but will wait till all replication is completed first. There were 3 accounts in the PRP so that's not an issue. I just want to do it right and not have issues.

Many thanks

Flames

Comments

  • RTmarc Member Posts: 1,082
    You need to do the metadata cleanup manually.
  • flames1000 Member Posts: 49
    Thanks!

    Here is the portion of the tech article that says you don't have to:

    To remove an RODC computer account with Active Directory Users and Computers
    Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

    In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).

    In the details pane, right-click the RODC computer account, and then click Delete.

    When you are prompted, click Yes to continue with the removal of the RODC account. At this point, the Deleting Domain Controller dialog box appears. If the RODC was not compromised or stolen, you can clear all the check boxes in this dialog box and then click Delete. If the RODC was compromised or stolen, see Securing Accounts After an RODC Is Stolen.

    Next, another Delete Domain Controller dialog box appears, asking you to confirm metadata deletion. Click OK to continue with the RODC computer account removal.

    If the domain controller was also a global catalog server, you are asked again to confirm that you want to continue the deletion. Click Yes to continue.

    Note
    Unlike previous versions of Active Directory, Windows Server 2008 AD DS also removes metadata when a domain controller’s computer account is removed.


    RODC Removal and Reinstallation

    Gotta love it!


    Flames
  • BradH Member Posts: 160
    flames1000 wrote: »
    Hi All,

    I had a Windows server 2008 server go down that is not recoverable due to hard drives.

    Well there is your first problem! Where were your backups?

    RODC or full controller, you should not have got yourself into this situation in the first place.

    If you have any others like this in your organisation I suggest getting a backup strategy in place ASAP, because, as Murphy dictates, if one fails, the probability is that another will do it at the same time, just to really p*T()* you off.

    :P
    EA Path - 70-643 - Passed - 70-680 - Passed - 70-647 - To Complete
  • dynamik Banned Posts: 12,312
    Give it a shot and then go in with NTDSUTIL and see if there are any remains of it. I was under the impression that you had to do it manually as well, but I actually haven't had to do this with Win2k8 yet.

    In all honesty, while a backup image would allow the server to get back up and running quickly, an RODC isn't that critical since it can just replicate the data back over. Obviously, this would be inconvenient if you only had one across a slow WAN link, but it wouldn't be like losing an Exchange or SQL server with no backup.
  • undomiel Member Posts: 2,818
    Somehow in all my Server 2008 studies I missed this. Just tested it out and verified with repadmin and ntdsutil: yes, you can delete a DC from AD and it will automatically take out the metadata if you let it.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
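The check undomiel describes, written out as an added example (this is not code from any post in the thread). It assumes the dead DC was named RODC01 (a placeholder) and takes the domain from the RootDSE of the DC you are logged on to. It uses only ADSI, so it runs under the PowerShell 2.0 that ships with Server 2008 without the ActiveDirectory module, and it looks for every object a DC normally owns: the server object and its NTDS Settings in the configuration partition, the computer account, and the SYSVOL replication member.

```powershell
# Added example, not code from the thread. Placeholder: the dead DC's name
# (RODC01). The domain is taken from RootDSE of the DC you are logged on to,
# which must be a writeable DC or a member that can reach one.
param([string]$DcName = 'RODC01')

# Small ADSI wrapper: returns the DNs matching an LDAP filter under a base DN,
# always as an array so callers can safely concatenate the results.
function Search-Ad {
    param([string]$BaseDn, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    $out = @()
    foreach ($result in $searcher.FindAll()) {
        $out += [string]$result.Properties['distinguishedname'][0]
    }
    return ,$out
}

# Every object a domain controller normally owns in the directory. If any of
# these survive after the computer account was deleted, metadata cleanup was
# not complete and other DCs will keep building replication links to a ghost.
function Find-DcLeftovers {
    param([string]$Name)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.Get('defaultNamingContext')
    $configNc = $rootDse.Get('configurationNamingContext')
    $found = @()

    # 1. Server object under CN=Sites and its NTDS Settings (the DSA object).
    $servers = Search-Ad $configNc "(&(objectClass=server)(cn=$Name))"
    $found += $servers
    foreach ($serverDn in $servers) {
        $found += Search-Ad $serverDn '(objectClass=nTDSDSA)'
    }
    # 2. Computer account (normally in the Domain Controllers OU).
    $found += Search-Ad $domainNc "(&(objectClass=computer)(sAMAccountName=$Name`$))"
    # 3. SYSVOL replication membership: FRS by default on 2008, DFSR if migrated.
    $found += Search-Ad $domainNc "(&(objectClass=nTFRSMember)(cn=$Name))"
    $found += Search-Ad $domainNc "(&(objectClass=msDFSR-Member)(cn=$Name))"
    return ,$found
}

$leftovers = Find-DcLeftovers -Name $DcName
if ($leftovers.Count -eq 0) {
    "No directory objects for $DcName remain; metadata cleanup is complete."
} else {
    "Objects still referencing $DcName (remove with ntdsutil or ADSI Edit):"
    $leftovers
}

# Cross-check the replication topology and Netlogon's DC list: a clean removal
# shows the name in neither.
$domainFqdn = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext') -replace 'DC=', '' -replace ',', '.'
repadmin /showrepl | Select-String -SimpleMatch $DcName
nltest "/dclist:$domainFqdn" | Select-String -SimpleMatch $DcName
```

Run it after the deletion has replicated to the DC you query; an object that is still present on a lagging partner is not proof that the cleanup failed, so wait for replication or point the searcher at the DC where the deletion was made.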
  • BradH Member Posts: 160
    While that is true, a state backup does get around the fact that he lost the drives, regardless of whether it is an RODC or not, and having to go through the process of working out how to remove a dead DC.

    When I was studying for the 640 I crapped out one of my DCs to see what happens when this occurs. The NTDSUTIL command to remove the metadata from the system for that server seemed to work.

    That's the only way I knew how to get around it.
    EA Path - 70-643 - Passed - 70-680 - Passed - 70-647 - To Complete
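The manual NTDSUTIL route BradH refers to, as an added example (not code from the thread or from Microsoft's article). It assumes a writeable DC named DC01, a dead DC named RODC01 in a site named Branch, and the domain corp.example; all four are placeholders, and the server DN must match the site the RODC actually lived in. The `remove selected server <DN>` form deletes the server object together with its NTDS Settings child, which is the object the KCC uses to build replication links, so its removal is what stops the other DCs from trying to replicate with a machine that no longer exists. Two caveats a practitioner will want: ntdsutil does not reset the passwords an RODC had cached, so if the box may have been stolen use the Delete Domain Controller dialog quoted earlier in the thread, and an RODC never holds FSMO roles, so there is nothing to seize.

```powershell
# Added example, not code from the thread. Placeholders: DC01 (a writeable DC
# you are logged on to as a Domain Admin), RODC01 (the dead DC), site Branch,
# domain corp.example. Adjust the DN to the site the RODC actually lived in.
$WritableDc = 'DC01'
$DeadDc     = 'RODC01'
$ServerDn   = "CN=$DeadDc,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=corp,DC=example"

# Guard against a typo purging a live DC: a machine that still answers ping is
# not the one whose metadata you want to delete.
if (Test-Connection -ComputerName $DeadDc -Count 1 -Quiet) {
    throw "$DeadDc still responds; refusing to remove its metadata."
}

# ntdsutil takes its interactive commands as arguments, one quoted string per
# prompt line. "remove selected server <DN>" deletes the server object and its
# NTDS Settings child; ntdsutil pops a confirmation dialog before doing so.
$ntdsutilArgs = @(
    'metadata cleanup',
    'connections',
    "connect to server $WritableDc",
    'quit',
    "remove selected server $ServerDn",
    'quit',
    'quit'
)
& ntdsutil $ntdsutilArgs

# Verify: the server object must be gone from the configuration partition.
$serverGone = -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$WritableDc/$ServerDn")
"Server object removed: $serverGone"

# Objects worth checking by hand once the NTDS Settings are gone: the computer
# account and the FRS member object. Both are safe to delete from a writeable
# DC if they are still there.
$remaining = @(
    "CN=$DeadDc,OU=Domain Controllers,DC=corp,DC=example",
    "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=corp,DC=example"
) | Where-Object { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$WritableDc/$_") }
if ($remaining) { "Still present, delete from a writeable DC:"; $remaining }

# Push the deletions to every DC so no partner keeps a stale link to $DeadDc.
repadmin /syncall $WritableDc /AdeP
```

The ping guard is deliberately crude; it exists so that the DN you paste cannot silently wipe the metadata of a DC that is still serving the domain, which is the one mistake in this procedure that is painful to undo.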
  • RTmarc Member Posts: 1,082
    undomiel wrote: »
    Somehow in all my Server 2008 studies I missed this. Just tested it out and verified with repadmin and ntdsutil: yes, you can delete a DC from AD and it will automatically take out the metadata if you let it.

    Interesting. Was it a 2008 native domain?
  • undomiel Member Posts: 2,818
    Nope, I set it to 2003 just because I was curious if that would make the difference or not.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • flames1000 Member Posts: 49
    Hi,

    I agree with the backups that should have been done. There was nothing major that could be lost. It was more for a disaster recovery test. The problem was dead drives. Backup or not, that would not bring them back. The server was a few days old, so I don't have control over whether the drives fail.

    Thanks for the feed back

    Flames
  • BradH Member Posts: 160
    I hope they were old Hard Drives mate as if they were new it would have been a right shame to get all that work done only for it to fail!
    EA Path - 70-643 - Passed - 70-680 - Passed - 70-647 - To Complete
  • JWRLMVP Member Posts: 2
    This article does not fully cover the steps to fully remove an RODC. In my experience the claim that the RODC is removed from AD metadata is not entirely accurate. I have written a blog post which covers the additional steps required here:
    Branch Office: Removing an RODC from AD - Available Technology - For Professionals
  • Hyper-Me Banned Posts: 2,059
    JWRLMVP wrote: »
    This article does not fully cover the steps to fully remove an RODC. In my experience the claim that the RODC is removed from AD metadata is not entirely accurate. I have written a blog post which covers the additional steps required here:
    Branch Office: Removing an RODC from AD - Available Technology - For Professionals

    Why would the DNS records be of any consequence if you are going to bring up a new RODC with the same name? They might be a nuisance until it's back up, but that's likely not a long time period.

    DHCP seems also to be a moot point, especially since you shouldn't have a DC using DHCP to begin with.
  • JWRLMVP Member Posts: 2
    Hyper-Me

    You ask why it is important to have a clean DNS. I suppose if you like having token records causing mysterious behavior at some point in the future that is not a problem. However, the goal is to maintain a clean environment IMHO. That was the motivation for my article.
    Secondly, you raise questions about DHCP and DNS on the same server. I never specified where these roles were delegated. However, there is no rule about having DHCP and DNS on the same server. It is quite common, especially in a Branch Office with an RODC.
    Third, you mention why would the DNS records be of any consequence. This is a question one might ask, but since they will be recreated with any new information that is appropriate at the time, it would seem better not to leave them in.
    I think the best thing is to have a clean environment from which to expect normal behavior.

    Thanks for your questions. I like to see that you thought through the article!
  • Hyper-Me Banned Posts: 2,059
    The article was correct, except that it's only if you want to make sure you spend 2-3 minutes deleting DNS records that will just come right back when you promote the RODC (assuming you use the same name again, which is likely).

    I never said there was an issue with DNS and DHCP on the same server; I said that a DOMAIN CONTROLLER should never use DHCP to get its addresses. Even a DHCP reservation is a bad idea.

    While I agree that it's probably best not to have old junk lying around in DNS, your article covers stuff that is more "optional" rather than mandatory to ensure the RODC is properly removed from AD.
  • dynamik Banned Posts: 12,312
    Why are you ragging on a new member when nothing he wrote was incorrect?

    That looks like a great blog, Jeff. Thanks for sharing and welcome to TE :D
  • Hyper-Me Banned Posts: 2,059
    I'm not ragging on him, just clarifying that what he adds in his blog is relevant but not necessarily required, therefore the MS documentation isn't incorrect.

    There is nothing wrong with adding additional helpful information, and I applaud him for that contribution.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Hyper-Me,

    His suggestion for the KB article is completely valid, and it does point to something that probably should be included in it. After all, the article title is:

    How to remove data in Active Directory after an unsuccessful domain controller demotion


    NOT:
    How to remove data in Active Directory after an unsuccessful domain controller demotion when you're just gonna add it again with the same name, which we assume everyone will always do when forcefully demoting a domain controller because no one would demote one and not promote it again with the same name

    (This incidentally will also be the title for the sequel to Fiona Apple's second album.)

    Thanks JWRLMVP for the contribution!
    Good luck to all!
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Hyper-Me wrote: »
    Oh and for the record, DNS isn't exactly data in Active Directory, so yet again it would be beyond the scope of the article.

    Well, if we're gonna split hairs...

    "DNS servers running on domain controllers can store their zones in Active Directory."

    Active Directory-Integrated Zones: Domain Name System (DNS); Active Directory

    So, wrong again. Technically speaking, DNS data in an integrated zone is data in Active Directory.

    But in all honesty the point of the KB article and this article that was posted was to help remove a DC the cleanest way possible. Cleaning up DNS records would also help avoid future problems, too, just like metadata. That was in fact the entire point of this discussion.
    Good luck to all!
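The DNS side of the cleanup that JWRLMVP and HeroPsycho are arguing for, as an added example that is not code from either of them or from the linked blog post. It assumes a DNS server DC01 hosting the AD-integrated zones, a dead DC rodc01 that had the address 10.20.30.40, and the domain corp.example; all are placeholders. It requires the DnsServer PowerShell module, which came with Server 2012 and its RSAT, so on a pure 2008 estate the same record types are enumerated and deleted with dnscmd instead. The records that matter are the SRV records under _tcp and _msdcs that advertise LDAP, Kerberos and global catalog service, the CNAME in _msdcs that maps the DC's DSA GUID to its host name, the NS records the DNS server adds for itself on AD-integrated zones, and the host A record. The NS records are static and never age out, which is why scavenging alone does not clean up a dead DC. The security angle is that a stale A or SRV record is a dangling pointer: once the old address is reassigned, any client that follows the SRV record for LDAP or Kerberos talks to whatever now holds that IP.

```powershell
# Added example, not code from the thread. Needs the DnsServer PowerShell
# module (Server 2012 / RSAT or later); on 2008 use dnscmd for the same record
# types. Placeholders: DC01, rodc01, 10.20.30.40, corp.example.
param(
    [string]$DnsServer = 'DC01',          # any DNS server hosting the AD-integrated zones
    [string]$DeadHost  = 'rodc01',        # short name of the dead DC
    [string]$DeadIp    = '10.20.30.40',   # its old address, to catch A records by value
    [string]$Domain    = 'corp.example',
    [switch]$Apply                        # without -Apply this is a dry run
)
$deadFqdn = "$DeadHost.$Domain"

# Classify one record by type. SRV records (_ldap, _kerberos, _gc ...) and NS
# records name the DC in their data; the CNAME under _msdcs maps the DC's DSA
# GUID to its host name; A records are matched by owner name or by address.
function Test-RecordPointsToDeadDc([object]$Record) {
    $data = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { return ($Record.HostName -eq $DeadHost) -or ($data.IPv4Address.ToString() -eq $DeadIp) }
        'SRV'   { return $data.DomainName.TrimEnd('.') -eq $deadFqdn }
        'NS'    { return $data.NameServer.TrimEnd('.') -eq $deadFqdn }
        'CNAME' { return $data.HostNameAlias.TrimEnd('.') -eq $deadFqdn }
        default { return $false }
    }
}

# The forest root keeps a separate _msdcs zone by default; child domains keep
# _msdcs inside the domain zone, in which case drop the second entry.
$zones = @($Domain, "_msdcs.$Domain")
$stale = @()
foreach ($zone in $zones) {
    $hits = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
        Where-Object { Test-RecordPointsToDeadDc $_ }
    foreach ($r in $hits) {
        $stale += New-Object PSObject -Property @{ Zone = $zone; Record = $r }
    }
}

# Report every match; delete only when -Apply was given.
foreach ($item in $stale) {
    $r = $item.Record
    '{0,-24} {1,-6} {2}' -f $item.Zone, $r.RecordType, $r.HostName
    if ($Apply) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $item.Zone -InputObject $r -Force
    }
}
if (-not $Apply) { "Dry run: $($stale.Count) record(s) matched; re-run with -Apply to delete them." }
```

Run it once without `-Apply` and read the list before deleting anything: a second DC that happens to share the old address, or a CNAME someone created by hand, will show up here too. If the RODC is going to be re-promoted under the same name within minutes, Hyper-Me's point stands and the dynamic records simply come back; the static NS records and the old A record are the ones worth removing in either case.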
  • SysAdmin4066 Member Posts: 443
    I concur; deleting the AD object as Microsoft says will remove the metadata automatically.

    With scavenging set, you shouldn't have to "clean up" DNS, that is if you aren't going to just be rebuilding/repromoting the DC. I have only done these where there was a problem with the DC, so it needed to be rebuilt. Leaving the DNS records was of no consequence.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab