How to remove orphaned Domain Controller's DNS records?


Solution 1

There is no reason why you shouldn't do it, and I was going to recommend it as the answer. Running the metadata cleanup will do the same thing as cleaning ADUC and Sites & Services, but since you're getting an error it's not worth troubleshooting in my opinion, but rather just get down and dirty and do it manually. You will want to drill down to more than just the _msdcs.domain.com container though. Go through all folders for all zones to make sure there isn't any record hanging around pointing to the old servers. Since you've already checked ADUC and AD Sites and Services then you are good, but double check that one of these old DCs really isn't listed in Sites and Services. Since it's a small network it's probably just my paranoia kicking in, but I like to double check after I remove all DNS entries for old/decommissioned DCs that I didn't accidentally skip over it in Sites and Services.

Solution 2

It will be fine if you go through DNS Manager and just manually delete the records that correspond to the now defunct DC.

Scavenging should take care of this for you, but if you've turned scavenging off for this zone, feel free to delete the records by hand.
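Solution 1 says to sweep every zone, not just _msdcs, for records still pointing at the old DCs, and Solution 2 notes that scavenging handles the dynamic ones. The following PowerShell script is an added example (it is not code from either answer) that does both checks in one pass with the DnsServer module: it walks every primary zone on a live DC, reports each A/AAAA, NS, CNAME, SRV and PTR record whose name or target refers to the decommissioned DCs, and flags which of those are static (null Timestamp), meaning scavenging would never remove them. `$DnsServer`, and the addresses in `$OldIPs`, are assumptions and placeholders; substitute your own. It only reports by default.

```powershell
# Added example (not from the answers above). Assumes the DnsServer PowerShell
# module (RSAT or the DNS Server role) and that $DnsServer is a reachable DC.
Import-Module DnsServer

$DnsServer = 'dc3.contoso.com'                          # assumed: a live DC hosting the zones
$OldDCs    = @('dc1.contoso.com', 'dc2.contoso.com')    # the decommissioned DCs from the question
$OldIPs    = @('192.0.2.11', '192.0.2.12')              # placeholder addresses; substitute the real ones
$Remove    = $false                                     # report only; set $true to delete what is found

# One regex that matches an old DC's FQDN or bare host label, with or without a trailing dot.
# (-match is case-insensitive by default, so no inline flag is needed.)
$alts = foreach ($dc in $OldDCs) {
    $fqdn = $dc.TrimEnd('.')
    [regex]::Escape($fqdn)
    [regex]::Escape($fqdn.Split('.')[0])
}
$pattern = '^(?:' + ($alts -join '|') + ')\.?$'

# Return the name or address a record points at, per record type.
function Get-RecordTarget {
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $Record.RecordData.IPv6Address.IPAddressToString }
        'NS'    { $Record.RecordData.NameServer }
        'CNAME' { $Record.RecordData.HostNameAlias }
        'SRV'   { $Record.RecordData.DomainName }
        'PTR'   { $Record.RecordData.PtrDomainName }
        default { $null }
    }
}

# Walk every primary zone (forward and reverse), not just _msdcs, as Solution 1 advises.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$hits = foreach ($zone in $zones) {
    foreach ($rr in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
        $target    = Get-RecordTarget $rr
        $nameHit   = $rr.HostName -match $pattern                       # e.g. the DC's own A record
        $targetHit = $target -and (($target -match $pattern) -or ($OldIPs -contains $target))
        if ($nameHit -or $targetHit) {
            [pscustomobject]@{
                Zone   = $zone.ZoneName
                Name   = $rr.HostName
                Type   = $rr.RecordType
                Target = $target
                # A null Timestamp marks a static record: aging/scavenging will never remove it.
                Static = ($null -eq $rr.Timestamp)
                Record = $rr
            }
        }
    }
}

$hits | Format-Table Zone, Name, Type, Target, Static -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $h.Zone `
            -InputObject $h.Record -Force
    }
}
```

The A records under gc._msdcs carry only an address, so they can only be matched through `$OldIPs`; if you do not know the old DCs' addresses, look at what the leftover NS and SRV records resolve to first. Review the table before setting `$Remove`, since any record whose name happens to equal an old DC's host label in an unrelated zone would also be listed; `Remove-DnsServerResourceRecord` also accepts `-WhatIf` for a final dry run.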

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    It looks like in the past there were some two improperly decommissioned Domain Controllers (DC1 and DC2) that belonged to this domain. I am concluding this based on some remaining records in the domain's _msdcs.contoso.com DNS zone, mostly NS records and an A records under the gc subdomain.

    There are no Active Directory objects for the old domain controllers that I can see, either in OU=Domain Controllers,DC=contoso,DC=com in Active Directory Users and Computers or NTDS settings in Active Directory Sites and Services that I can delete as suggested in Clean Up Server Metadata.

    If I try to use ntdsutil to remove the orphaned domain controller's metadata I get the following error:

    metadata cleanup: remove selected server dc1
    Binding to localhost ...
    Connected to localhost using credentials of locally logged on user.
    LDAP error 0x22(34 (Invalid DN Syntax).
    Ldap extended error message is 0000208F: NameErr: DSID-031001D1, problem 2006 (B
    AD_NAME), data 8350, best match of:
            'CN=Ntds Settings,dc1'
    
    Win32 error returned is 0x208f(The object name has bad syntax.)
    )
    Unable to determine the domain hosted by the Active Directory Domain Controller
    (5). Please use the connection menu to specify it.
    


    If I try and manually select the server so I can remove it I find that it is not listed:

    select operation target: list servers in site
    No active site list
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=contoso,DC=com
    select operation target: 0
    select operation target: select domain 0
    No current site
    Domain - DC=contoso,DC=com
    No current server
    No current Naming Context
    select operation target: list sites
    Found 2 site(s)
    0 - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1 - CN=CONTOSO-JNU-DEPO,CN=Sites,CN=Configuration,DC=contoso,DC=com
    select operation target: select site 0
    Site - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    Domain - DC=contoso,DC=com
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 2 server(s)
    0 - CN=DC3,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1 - CN=DC4,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
    


    It is a pretty small domain - I can go through the _msdcs.contoso.com zone and manually identify the old DNS records and delete them.

    Is there any reason why I shouldn't do this?

    • HopelessN00b
      HopelessN00b about 10 years
      Is there any reason why I shouldn't do this? Because it's more of a job for the intern? But other than being a task that wastes your talents when anyone with a keyboard and a pulse would do, there's no reason not to.
    • Admin
      Admin about 10 years
      @HopelessN00b Genius of network - SME. Reset career to help desk. Gain different work environment. Question life decisions.
  • Brad Bouchard
    Brad Bouchard about 10 years
    Scavenging alone won't remove all related entries for the old DCs, but it will take care of some of them.
  • joeqwerty
    joeqwerty about 10 years
    I'm not aware that NTDSUTIL will cleanup DNS and I can't find any documentation that states that it does. Are you sure that it does?
  • Brad Bouchard
    Brad Bouchard about 10 years
    @joeqwerty see my edited answer... I didn't make it clear that I was talking about the metadata cleanup handling Sites and Services and ADUC and I can see how it would have looked like I was saying that NTDSUTIL would clean up DNS; it does not do that. Thank you for bringing my lack of clarity to attention.
  • joeqwerty
    joeqwerty about 10 years
    Gotcha. I wanted to make sure I didn't have a misunderstanding of NTDSUTIL.
  • Admin
    Admin about 10 years
    Isn't having scavenging enabled on the _msdcs.contoso.com a bit aggressive? I would have to have a SRV record get eaten...
  • Ryan Ries
    Ryan Ries about 10 years
    @kce No, it isn't "a bit aggressive." It is the out-of-the-box default. Allowing DNS to continue to hand out SRV records for a malfunctioning domain controller that is unable to refresh its own records is undesirable behavior and that's why scavenging should be on. As Brad pointed out, there are some static records in there that wouldn't get scavenged anyway.