Cleaning up DFS after forcibly removing DC

    I have been working for the last week or so cleaning up our Active Directory after the FSMO server corrupted itself and we lost our two remote sites. I have also been upgrading our DFS namespaces from 2000 Domain to 2008 Domain. Unfortunately, the servers that fell off our network had to be forcibly removed from AD, so I have been cleaning up broken links for DFS. I wanted to share what I had found that worked so far.

    First, I had deleted a couple of namespaces after the FSMO LDAP had corrupted itself. References to these were still in AD after the rebuild, so I had to remove the objects from AD manually. To do this, I loaded up the AD Users and Computers MMC and clicked on View->Advanced Features. Next, find the System OU (which appears after you activate the advanced features), open Dfs-Configuration, and look for fTDfs objects (2000 Domain DFS objects) or msDFS-NamespaceAnchor folders (2008 Domain DFS objects). Delete only what is not working, and AT YOUR OWN PERIL!

    Next, I was trying to recreate one of these deleted shares, but the domain controllers I had to forcibly remove and rebuild still thought they had that namespace. On each host, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFS\Roots\Domain in the registry, there were entries for the namespaces that they were no longer a part of. Again, delete only what is not working, and AT YOUR OWN PERIL!

    After this, I needed to delete the shares using the registry. I looked inside HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares and found the outdated shares there. I deleted the entries for the ones that were not *actively* hosted on the servers, and then deleted the corresponding entries under the Security key. After restarting the Server service, the shares were gone. Again, delete only what is not working, and AT YOUR OWN PERIL! Don't accidentally delete the NETLOGON share off your DC like I did.

    Finally, I was able to add these servers as namespace servers for the DFS Namespaces I had been working on. Since they physically had folders present where the DFS share was going to be, I received a warning when re-adding the servers. You may want to delete the old folder first to ensure a clean addition.

    I hope this helps out someone else, as I spent about 3 days of time trying to cope with getting DFS fixed and I couldn't find any resources to help with this one. The only other solution I had was to completely wipe and rebuild my DCs, which was not an option for me.
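
A read-only inventory of the two registry locations described in the post, taken before any deletion. This is an added example, not part of the original post; the backup folder name and the SYSVOL entry in the protected list are assumptions added here.

```powershell
# Added example: lists stale candidates only, deletes nothing.
# Run elevated on each affected host and review the output by hand.
$dfsRoots  = 'HKLM:\SOFTWARE\Microsoft\DFS\Roots\Domain'
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares'

# Assumed backup location; change to suit.
$backupDir = Join-Path $env:TEMP ("dfs-cleanup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Export both keys first so a wrong deletion can be re-imported with 'reg import'.
# The Shares export includes the Security subkey mentioned in the post.
if (Test-Path $dfsRoots) {
    reg.exe export 'HKLM\SOFTWARE\Microsoft\DFS\Roots\Domain' (Join-Path $backupDir 'dfs-roots.reg') /y | Out-Null
}
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares' (Join-Path $backupDir 'shares.reg') /y | Out-Null

# Namespaces this host still believes it serves (one subkey per namespace).
if (Test-Path $dfsRoots) {
    Get-ChildItem $dfsRoots | ForEach-Object { "DFS root entry: $($_.PSChildName)" }
} else {
    "No entries under $dfsRoots"
}

# Each share is a REG_MULTI_SZ value whose strings include 'Path=<local folder>'.
# NETLOGON is the share the post warns about; SYSVOL is added here as an assumption.
$protected = 'NETLOGON', 'SYSVOL'
$key = Get-Item $sharesKey
foreach ($name in $key.GetValueNames()) {
    $data = $key.GetValue($name)
    $path = ($data | Where-Object { $_ -like 'Path=*' }) -replace '^Path=', ''
    if ($protected -contains $name) {
        $status = 'protected, leave alone'
    } elseif ($path -and (Test-Path -LiteralPath $path)) {
        $status = 'folder present'
    } else {
        $status = 'folder missing, review'
    }
    [pscustomobject]@{ Share = $name; Path = $path; Status = $status }
}
"Registry backups written to $backupDir"
```

A share flagged "folder missing, review" is only a candidate; confirm it is not actively hosted before removing its value and the matching value under the Security key.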