How to remove orphaned Domain Controller's DNS records?
Solution 1
There is no reason why you shouldn't do it, and I was going to recommend it as the answer. Running the metadata cleanup will do the same thing as cleaning ADUC and Sites & Services, but since you're getting an error it's not worth troubleshooting in my opinion, but rather just get down and dirty and do it manually. You will want to drill down to more than just the _msdcs.domain.com container though. Go through all folders for all zones to make sure there isn't any record hanging around pointing to the old servers. Since you've already checked ADUC and AD Sites and Services then you are good, but double check that one of these old DCs really isn't listed in Sites and Services. Since it's a small network it's probably just my paranoia kicking in, but I like to double check after I remove all DNS entries for old/decommissioned DCs that I didn't accidentally skip over it in Sites and Services.
Solution 2
It will be fine if you go through DNS Manager and just manually delete the records that correspond to the now defunct DC.
Scavenging should take care of this for you, but if you've turned scavenging off for this zone, feel free to delete the records by hand.
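Both answers come down to the same procedure: find every record, in every zone, that still names one of the old DCs, delete those, and double check that nothing for them survives in Sites and Services. The PowerShell below is an added example that does that audit, not code from either answerer or from the question. It assumes the DnsServer and ActiveDirectory RSAT modules on a DNS server that is also a DC; the DC names and domain are taken from the question, the old IP addresses (needed to catch the address-only records under gc._msdcs) are a placeholder you have to fill in, and `Get-RecordTarget` and `Test-StaleRecord` are helper names invented here.

```powershell
# Added example (not from the answers or the question). Lists records in every
# primary zone that still point at decommissioned DCs; deletes only with -Remove,
# and honours -WhatIf because of SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$OldDcNames = @('DC1', 'DC2'),   # from the question
    [string]  $Domain     = 'contoso.com',     # from the question
    [string[]]$OldDcIPs   = @(),               # PLACEHOLDER: old DC addresses, e.g. @('192.0.2.10')
    [string]  $DnsServer  = 'localhost',
    [switch]  $Remove                          # without it the script only reports
)
Import-Module DnsServer, ActiveDirectory

$oldNames = $OldDcNames | ForEach-Object { $_.ToLower() }
$oldFqdns = $OldDcNames | ForEach-Object { ("$_.$Domain").ToLower() }

# The host or address a record's data points at, for the record types that carry one.
function Get-RecordTarget($Record) {
    switch ($Record.RecordType) {
        'A'     { [string]$Record.RecordData.IPv4Address }
        'AAAA'  { [string]$Record.RecordData.IPv6Address }
        'NS'    { [string]$Record.RecordData.NameServer }      # NS records in _msdcs
        'SRV'   { [string]$Record.RecordData.DomainName }      # _ldap._tcp..., _kerberos...
        'CNAME' { [string]$Record.RecordData.HostNameAlias }   # <DSA GUID>._msdcs aliases
        'PTR'   { [string]$Record.RecordData.PtrDomainName }   # reverse zones
        default { $null }
    }
}

# Stale when the record's own name is an old DC, or its target is an old DC name/IP.
function Test-StaleRecord($Record) {
    $target = Get-RecordTarget $Record
    if ([string]::IsNullOrEmpty($target)) { return $false }
    $target = $target.ToLower().TrimEnd('.')
    $name   = $Record.HostName.ToLower()
    return ($oldNames -contains $name) -or
           ($oldFqdns -contains $target) -or
           ($OldDcIPs -contains $target)
}

# Walk every primary zone, not just _msdcs (Solution 1's point), and collect hits.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$stale = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object { Test-StaleRecord $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Zone   = $zone.ZoneName
                Name   = $_.HostName
                Type   = $_.RecordType
                Target = Get-RecordTarget $_
                Record = $_
            }
        }
}

$stale | Select-Object Zone, Name, Type, Target | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone `
            -InputObject $s.Record -Force
    }
}

# The double check both answers ask for: a surviving server object in Sites and
# Services means metadata cleanup is still outstanding, and DNS alone won't fix it.
$sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase $sitesDn |
    Where-Object { $oldNames -contains $_.Name.ToLower() } |
    ForEach-Object { Write-Warning "Server object still present: $($_.DistinguishedName)" }
```

Run it once without `-Remove` and read the table; then `-Remove -WhatIf` shows exactly which deletions would happen before you commit. Matching on the record's target rather than only its name is what catches the GUID-named CNAMEs and the SRV records under `_msdcs`, which do not contain the DC's name in their own label.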
Updated on September 18, 2022

Comments
- Admin almost 2 years: It looks like in the past there were some two improperly decommissioned Domain Controllers (DC1 and DC2) that belonged to this domain. I am concluding this based on some remaining records in the domain's _msdcs.contoso.com DNS zone, mostly NS records and an A records under the gc subdomain. There are no Active Directory objects for the old domain controllers that I can see, either in OU=Domain Controllers,DC=contoso,DC=com in Active Directory Users and Computers or NTDS settings in Active Directory Sites and Services that I can delete as suggested in Clean Up Server Metadata. If I try to use ntdsutil to remove the orphaned domain controller's metadata I get the following error:

    metadata cleanup: remove selected server dc1
    Binding to localhost ...
    Connected to localhost using credentials of locally logged on user.
    LDAP error 0x22(34 (Invalid DN Syntax).
    Ldap extended error message is 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:
        'CN=Ntds Settings,dc1'
    Win32 error returned is 0x208f(The object name has bad syntax.)
    )
    Unable to determine the domain hosted by the Active Directory Domain Controller (5). Please use the connection menu to specify it.

  If I try and manually select the server so I can remove it I find that it is not listed:

    select operation target: list servers in site
    No active site list
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=contoso,DC=com
    select operation target: select domain 0
    No current site
    Domain - DC=contoso,DC=com
    No current server
    No current Naming Context
    select operation target: list sites
    Found 2 site(s)
    0 - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1 - CN=CONTOSO-JNU-DEPO,CN=Sites,CN=Configuration,DC=contoso,DC=com
    select operation target: select site 0
    Site - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    Domain - DC=contoso,DC=com
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 2 server(s)
    0 - CN=DC3,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1 - CN=DC4,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com

  It is a pretty small domain - I can go through the _msdcs.contoso.com zone and manually identify the old DNS records and delete them. Is there any reason why I shouldn't do this?
- HopelessN00b about 10 years: "Is there any reason why I shouldn't do this?" Because it's more of a job for the intern? But other than being a task that wastes your talents when anyone with a keyboard and a pulse would do, there's no reason not to.
- Admin about 10 years: @HopelessN00b Genius of network - SME. Reset career to help desk. Gain different work environment. Question life decisions.
- Brad Bouchard about 10 years: Scavenging alone won't remove all related entries for the old DCs, but it will take care of some of them.
- joeqwerty about 10 years: I'm not aware that NTDSUTIL will clean up DNS and I can't find any documentation that states that it does. Are you sure that it does?
- Brad Bouchard about 10 years: @joeqwerty see my edited answer... I didn't make it clear that I was talking about the metadata cleanup handling Sites and Services and ADUC, and I can see how it would have looked like I was saying that NTDSUTIL would clean up DNS; it does not do that. Thank you for bringing my lack of clarity to attention.
- joeqwerty about 10 years: Gotcha. I wanted to make sure I didn't have a misunderstanding of NTDSUTIL.
- Admin about 10 years: Isn't having scavenging enabled on the msdcs.contoso.com a bit aggressive? I would hate to have a SRV record get eaten...
- Ryan Ries about 10 years: @kce No, it isn't "a bit aggressive." It is the out-of-the-box default. Allowing DNS to continue to hand out SRV records for a malfunctioning domain controller that is unable to refresh its own records is undesirable behavior and that's why scavenging should be on. As Brad pointed out, there are some static records in there that wouldn't get scavenged anyway.