We have our DC1 in a sorry state, after unsuccessfully rolling back from an
attempt to upgrade it to W2k8 Ent. IT s a Win2k8 Std VM. We need to forcibly
remove it from the domain and seize roles to another DC as it is no longer
able to replicate to our other DCs. It holds all master roles.

My question is whether to seize roles first or forcibly demote first and
remove metadata first..
The http://support.microsoft.com/kb/255504 article denotes that the DC
should not be on the domain after FSMO roles are transferred.
NB. However as I say the DC is no longer replicating so I would imagine
there is no danger of creating security principals that have overlapping RID
pools, and other problems.

Can you confirm that I should seize roles to another DC, and them forcibly
demote and then and remove metadata..

Many Thanks.
JPSR.

Hello jprstokato,

If the machine is "dead", at least disconnect it from the domain, NEVER connect
it back, then seize the 5 FSMO roles to another DC and run metadata cleanup.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Thanks Meinholf,

So, to be absolutely clear...(as the DC 'is' still on the network (and
running DHCP) but no longer replicating AD)..so, do I force removal of the DC
from AD 'first'? i.e.

1. force removal of the DC from AD
2. disconnect it from the domain (after moving DHCP of course)
3. seize the 5 FSMO roles to another DC
4. run metadata cleanup.

Does this sound like the exact correct sequence?

Many thanks, JPSR

Show quoteHide quote

Hello jprstokato,

As mentioned before:
1. disconnect it from the domain FIRST (after moving DHCP of course) http://support.microsoft.com/kb/325473
2. seize the 5 FSMO roles to another DC
3. run metadata cleanup and some more http://support.microsoft.com/kb/555846/en-us


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Hello,

     First Forcebily demote the server if possible other wise better
to remove it entirely from the network  and then seize the roles to
some other server.


Thanks

Hi

I would disconnect the server from the network then seize the FMSO roles.
You can then clean up the schema to remove the dead DC. It may not appear to
be replicating but I would not recommend having it connected to the network.

Hope this helps.

Show quoteHide quote

Disconnect from domain and format the drive, unless you have something on
the disk that needs to be saved.  Once this is complete clean up your
metadata.

Show quoteHide quote

Paul Bergson [MVP-DS] wrote:

Here is a nice VBScript I got from Microsoft that will do the metadata
cleanup.  It WON'T do the cleanup in DNS, so you will need to do that
manually, but this can save you from using NTDSUTIL which is rather
daunting.  Sadly Clay left Microsoft before he added that functionality.


[code]

REM    ==========================================================
REM                GUI Metadata Cleanup Utility
REM             Written By Clay Perrine - cl***@microsoft.com
REM                          Version 2.5
REM    ==========================================================
REM     This tool is furnished "AS IS". NO warranty is expressed or
Implied.

on error resume next
dim
objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,
ODCPath,ckdcPath,myObj,comparename

rem =======This gets the name of the computer that the script is run on
======

Set sh = CreateObject("WScript.Shell")
key= "HKEY_LOCAL_MACHINE"
computerName = sh.RegRead(key &
"\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerNam
e")

rem === Get the default naming context of the domain====

set objRoot=GetObject("LDAP://RootDSE")
sPath = "LDAP://OU=Domain Controllers," &
objRoot.Get("defaultNamingContext")

rem === Get the list of domain controllers====

Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
outval = outval & vbtab &  objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")

rem ==Retrieve the name of the broken DC from the user and verify it's
not this DC.===

oDCSelect= InputBox (outval,"Type the Name of the Problem Domain
Controller","")
comparename = UCase(oDCSelect)



if comparename = computerName then
msgbox "The Domain Controller you entered is the machine that is
running this script." & vbcrlf & "You cannot clean up the metadata for
the machine that is running the script!",,"Metadata Cleanup Utility
Error."
wscript.quit
End If


sPath = "LDAP://OU=Domain Controllers," &
objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
Err.Clear
ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," &
objRoot.Get("defaultNamingContext")
set myObj=GetObject(ckdcPath)
If err.number <>0 Then
errval= 1
End If
Next
If errval = 1 then
msgbox "The Domain Controller you entered was not found in the Active
Directory",,"Metadata Cleanup Utility Error."
wscript.quit
End If
abort = msgbox ("You are about to remove all metadata for the server "
& oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
wscript.quit
end if
oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," &
objRoot.Get("defaultNamingContext")
sSitelist = "LDAP://CN=Sites,CN=Configuration," &
objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
Err.Clear
sitePath = "LDAP://" & oDCSelect & ",CN=Servers," &  objContainer.Name
& ",CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
set myObj=GetObject(sitePath)
If err.number = 0 Then
siteval = sitePath
End If   
Next
sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)
For Each objContainer in objConfiguration
Err.Clear
SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL
share),CN=File Replication Service,CN=System," &
objRoot.Get("defaultNamingContext")
set myObj=GetObject(SYSVOLPath)
If err.number = 0 Then
SYSVOLval = SYSVOLPath
End If
Next
SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," &
objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)

For Each SiteContainer in SiteConfiguration
Sitevar = SiteContainer.Name
VarPath ="LDAP://OU=Domain Controllers," &
objRoot.Get("defaultNamingContext")
Set DCConfiguration = GetObject(VarPath)
    For Each DomContainer in DCConfiguration
    DCVar = DomContainer.Name
    strFromServer = ""
    NTDSPATH =  DCVar & ",CN=Servers," & SiteVar & "," & SiteList
    GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH
    Set objCheck = GetObject(NTDSPATH)
        For Each CheckContainer in objCheck

rem ====check for valid site paths =======================
        ldapntdspath = "LDAP://" & NTDSPATH
        Err.Clear
        set exists=GetObject(ldapntdspath)
            If err.number = 0 Then
                Set oGuidGet = GetObject(GuidPath)

                For Each objContainer in oGuidGet
                oGuid = objContainer.Name
                oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," &
NTDSPATH
                Set objSitelink = GetObject(oGuidPath)
                objSiteLink.GetInfo
                strFromServer = objSiteLink.Get("fromServer")
                ispresent = Instr(1,strFromServer,oDCSelect,1)


                    if ispresent <> 0 then

                    Set objReplLinkVal = GetObject(oGuidPath)
                    objReplLinkVal.DeleteObject(0)
                    else
                    end if
                next

                sitedelval = "CN=" & comparename & ",CN=Servers," &
SiteVar & "," & SiteList
                if sitedelval = ntdspath then
                    Set objguidpath = GetObject(guidpath)
                    objguidpath.DeleteObject(0)
                    Set objntdspath = GetObject(ldapntdspath)
                    objntdspath.DeleteObject(0)
                    else
                end if
            End If
        next
    next
next


Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox  msgval,,"Notice."
wscript.quit

[/code]


Hope this helps,

Mark D. MacLachlan

Show quote Hide quote [snipped]

Nice script. However I would rather run it manually, because I like to see what other objects are out there in case there are other things that either may need to be removed or addressed. I guess if the script would show you the DCs/Sites/Domains, etc, and allow you to choose, such as if you were in an ntdsutil prompt, that may be cool.

Ace

Ace Fekay [Microsoft Certified Trainer] wrote:

Show quoteHide quoteThe script will show you all the DCs that are int eh metadata.  It then
lets you remove a DC fromt he metadata just by typing the name.

Oh, I see. I haven't run it yet, but from perusing through it, I thought you had to specifiy the DC you want to remove without it providing a list. Nice to know, and thanks for pointing that out!!

I will definitely share it out to others to make it easier, especially some folks are daunted by the ntdsutil.

Thanks!

Ace

Ace Fekay [Microsoft Certified Trainer] wrote:

Show quoteHide quoteYes, that is one of the features I like best about the script.  You can
run it to just get an enumeration of the DCs that are in the metadata
if need be, or you can remove what you want.  The script takes no
action until you tell it what to delete, so it can be a great way to
just verify if a DC demotion was successful or not.

JPRS,

How did you roll back the upgrade to W2K8?

Did you restore a previous vm image(s)?

Show quoteHide quote

Rolled back to VM snapshot - which didn't work!!
Any way many thanks to all for your help...

Cheers,
JPSR..

Show quoteHide quote

Hello jprstokato,

You should NEVER use snapshots for backup, this is not supported from MS
and will result in USN rollback.
http://support.microsoft.com/kb/875495

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Bad idea, as you found out, the snapshot is not AD aware.

Show quoteHide quote

Win 2003 ADS users get locked out
Backup of DC - windows 2003
ERROR event ID 3224 SERVER 2003 X64
Windows Security Log
Rejoining Computers to domain
Error on adding external smtp email to user
Issue with Dual NICS on DC;s
DCPROMO then change IP?
64 Bit
Active directory offline mode.