
It looks like in the past there were two improperly decommissioned Domain Controllers (DC1 and DC2) that belonged to this domain. I am concluding this based on some remaining records in the domain's _msdcs.contoso.com DNS zone, mostly NS records and A records under the gc subdomain.

There are no Active Directory objects for the old domain controllers that I can see, either in OU=Domain Controllers,DC=contoso,DC=com in Active Directory Users and Computers or NTDS settings in Active Directory Sites and Services that I can delete as suggested in Clean Up Server Metadata.

If I try to use ntdsutil to remove the orphaned domain controller's metadata I get the following error:

```
metadata cleanup: remove selected server dc1
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-031001D1, problem 2006 (B
AD_NAME), data 8350, best match of:
        'CN=Ntds Settings,dc1'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller
(5). Please use the connection menu to specify it.
```


If I try to manually select the server so I can remove it, I find that it is not listed:

```
select operation target: list servers in site
No active site list
select operation target: list domains
Found 1 domain(s)
0 - DC=contoso,DC=com
select operation target: 0
select operation target: select domain 0
No current site
Domain - DC=contoso,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
1 - CN=CONTOSO-JNU-DEPO,CN=Sites,CN=Configuration,DC=contoso,DC=com
select operation target: select site 0
Site - CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
Domain - DC=contoso,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=DC3,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
1 - CN=DC4,CN=Servers,CN=CONTOSO-JNU-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
```


It is a pretty small domain - I can go through the _msdcs.contoso.com zone and manually identify the old DNS records and delete them.

Is there any reason why I shouldn't do this?

  • `Is there any reason why I shouldn't do this?` Because it's more of a job for the intern? But other than being a task that wastes your talents when anyone with a keyboard and a pulse could do it, there's no reason not to. – HopelessN00b May 16 '14 at 13:44
  • @HopelessN00bGeniusofnetwork - SME. Reset career to help desk. Gain different work environment. Question life decisions. –  May 16 '14 at 18:34

2 Answers

There is no reason why you shouldn't do it, and I was going to recommend it as the answer. Running the metadata cleanup will do the same thing as cleaning ADUC and Sites & Services, but since you're getting an error it's not worth troubleshooting in my opinion, but rather just get down and dirty and do it manually. You will want to drill down to more than just the _msdcs.domain.com container though. Go through all folders for all zones to make sure there isn't any record hanging around pointing to the old servers. Since you've already checked ADUC and AD Sites and Services then you are good, but double check that one of these old DCs really isn't listed in Sites and Services. Since it's a small network it's probably just my paranoia kicking in, but I like to double check after I remove all DNS entries for old/decommissioned DCs that I didn't accidentally skip over it in Sites and Services.

Brad Bouchard
  • I'm not aware that NTDSUTIL will cleanup DNS and I can't find any documentation that states that it does. Are you sure that it does? – joeqwerty May 15 '14 at 22:02
  • @joeqwerty see my edited answer... I didn't make it clear that I was talking about the metadata cleanup handling Sites and Services and ADUC and I can see how it would have looked like I was saying that NTDSUTIL would clean up DNS; it does not do that. Thank you for bringing my lack of clarity to attention. – Brad Bouchard May 15 '14 at 22:06
  • Gotcha. I wanted to make sure I didn't have a misunderstanding of NTDSUTIL. – joeqwerty May 15 '14 at 22:20
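The sweep both answers describe (every zone, not just _msdcs, followed by a second look at Sites and Services) as an added PowerShell example; this is not code from the original post, and the DNS server name, old DC hostnames and addresses are constructed placeholders:

```powershell
#Requires -Modules DnsServer, ActiveDirectory
# Added example, not from the original post. Finds every record in every primary
# zone that still points at decommissioned DCs, then removes them with -WhatIf
# unless -Commit is given. Server, names and addresses below are constructed.
$DnsServer = 'DC3'                                  # assumed DNS server
$OldDcs    = 'dc1.contoso.com', 'dc2.contoso.com'   # constructed hostnames
$OldIps    = '10.0.0.11', '10.0.0.12'               # constructed addresses

function Get-StaleDcRecord {
    param([string[]]$Names, [string[]]$Ips, [string]$ComputerName)
    $wanted = ($Names + $Ips) | ForEach-Object { $_.ToLower() }
    $zones  = Get-DnsServerZone -ComputerName $ComputerName |
              Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rr = $_   # keep the record; $_ is rebound inside the switch below
            # Each record type stores its target in a differently named field.
            $target = switch ($rr.RecordType) {
                'A'     { $rr.RecordData.IPv4Address.ToString() }   # e.g. gc._msdcs A records
                'NS'    { $rr.RecordData.NameServer }
                'SRV'   { $rr.RecordData.DomainName }      # _ldap, _kerberos, _gc ...
                'CNAME' { $rr.RecordData.HostNameAlias }   # the GUID._msdcs alias
                'PTR'   { $rr.RecordData.PtrDomainName }
                default { $null }
            }
            if (-not $target) { return }
            if ($wanted -contains $target.TrimEnd('.').ToLower()) {
                [pscustomobject]@{ Zone = $zone.ZoneName; Name = $rr.HostName
                                   Type = $rr.RecordType; Target = $target; Record = $rr }
            }
        }
    }
}

function Remove-StaleDcRecord {
    param([Parameter(ValueFromPipeline)]$Hit, [string]$ComputerName, [switch]$Commit)
    process {
        # -WhatIf stays on until the operator explicitly passes -Commit.
        Remove-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $Hit.Zone `
            -InputObject $Hit.Record -Force -WhatIf:(-not $Commit)
    }
}

# 1) review the list, 2) re-run the removal with -Commit once satisfied
$hits = Get-StaleDcRecord -Names $OldDcs -Ips $OldIps -ComputerName $DnsServer
$hits | Format-Table Zone, Name, Type, Target -AutoSize
$hits | Remove-StaleDcRecord -ComputerName $DnsServer

# Double-check Sites and Services: any server object left for the old DCs? (expect none)
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    Where-Object { $OldDcs -contains "$($_.dNSHostName)".ToLower() }
```

Run it from a machine with the RSAT DNS and AD modules against a live DC; the A/SRV/NS/CNAME targets are compared case-insensitively with the trailing dot stripped, so hand-typed names match the stored form.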

It will be fine if you go through DNS Manager and just manually delete the records that correspond to the now defunct DC.

Scavenging should take care of this for you, but if you've turned scavenging off for this zone, feel free to delete the records by hand.

Ryan Ries
  • Scavenging alone won't remove all related entries for the old DCs, but it will take care of some of them. – Brad Bouchard May 15 '14 at 21:56
  • Isn't having scavenging enabled on the `_msdcs.contoso.com` zone a bit aggressive? I would hate to have an SRV record get eaten... –  May 16 '14 at 18:47
  • @kce No, it isn't "a bit aggressive." It is the out-of-the-box default. Allowing DNS to continue to hand out SRV records for a malfunctioning domain controller that is unable to refresh its own records is undesirable behavior and that's why scavenging should be on. As Brad pointed out, there are some static records in there that wouldn't get scavenged anyway. – Ryan Ries May 16 '14 at 19:16