  • Domain Issues/Metadata Cleanup

    Hi,

    I don't know if this is what is causing recent issues with my network, but about a month ago, an admin (without my consent) took down a handful of DCs from the domain without properly demoting them. Recently we've had a number of member servers and PCs being distrusted on the domain, and you couldn't log onto the domain from that server/PC until I unjoined and rejoined those machines to the domain.

    Now, after running:

    dcdiag /a /q /v /c

    I've found the DCs he had taken off still showing up in the results of this test, with one of them giving a DNS broken delegation error.

    Can all this be fixed with the ntdsutil.exe utility and metadata cleanup?

  • #2
    Re: Domain Issues/Metadata Cleanup

    Yup, you have to clean up the metadata if the other DCs aren't coming online again.
    Also, you might check the FSMO roles and seize them if needed.

    For cleaning up, please review: http://www.petri.com/delete_failed_dcs_from_ad.htm
    For FSMO roles, please review: http://www.petri.com/seizing_fsmo_roles.htm
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: Domain Issues/Metadata Cleanup

      Ok thanks,

      Now that you mentioned roles, I know an admin gave all the roles to one DC. Is this good practice? I heard it was not but not totally sure.

      Thanks again Dumber.


      • #4
        Re: Domain Issues/Metadata Cleanup

        Well, what's good practice?
        It depends a bit on how many DCs you have, how many domains you have, etc.
        Marcel


        • #5
          Re: Domain Issues/Metadata Cleanup

          Hmmm,

          As I stated in my original post, I received errors for other DCs that are no longer available, but when I run ntdsutil to clean up those objects, it only finds the DCs I currently have running. I don't want to remove those DCs, for sure.

          What is going on with this, or am I doing something wrong, Dumber?


          • #6
            Re: Domain Issues/Metadata Cleanup

            Originally posted by Dumber:
            "Well, what's good practice?
            It depends a bit on how many DCs you have, how many domains you have, etc."

            At the time the roles were placed on one DC, we had about 6 DCs for our domain (only 1 domain). I just thought I read somewhere that one DC should never hold all the roles. Currently we have only 2 DCs. I guess if a company had one DC then they would have no other choice but to give that DC all the roles, so I guess that answers that question.


            • #7
              Re: Domain Issues/Metadata Cleanup

              Can you post the output of the dcdiag?
              Marcel


              • #8
                Re: Domain Issues/Metadata Cleanup

                Originally posted by Dumber:
                "Can you post the output of the dcdiag?"

                Too damn huge!

                Any other way to do this?


                • #9
                  Re: Domain Issues/Metadata Cleanup

                  Paste it into a text file and attach it?
                  Marcel


                  • #10
                    Re: Domain Issues/Metadata Cleanup

                    Here you go:

                    The only valid DCs are 1controller and 2controller.
                    Attached Files
                    Last edited by Mudd; 4th May 2009, 22:58.


                    • #11
                      Re: Domain Issues/Metadata Cleanup

                      A couple of things to check:
                      Clean out DNS.
                      Clean out Sites and Services.

                      And follow this: http://support.microsoft.com/default.aspx/kb/312862
                      because of this:
                      [8] Problem: Missing Expected Value
                      Base Object:
                      CN=CONTROLLER5,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=01,DC=add,DC=com
                      Base Object Description: "SYSVOL FRS Member Object"
                      Value Object Attribute Name: serverReference
                      Value Object Description: "DSA Object"
                      Recommended Action: Check if this server is deleted, and if so
                      clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
                      Base Article Q312862
                      Marcel


                      • #12
                        Re: Domain Issues/Metadata Cleanup

                        Originally posted by Dumber:
                        "A couple of things to check:
                        Clean out DNS.
                        Clean out Sites and Services.

                        And follow this: http://support.microsoft.com/default.aspx/kb/312862
                        because of this:"

                        I hope I'm not sounding like a complete idiot, but how do you clean out DNS and Sites and Services?

                        I don't see any other DCs in Sites and Services other than the two valid existing ones I should have. I also don't see any others after having deleted them with ADSIedit.

                        I tried using ADSIedit to delete the other invalid servers, and ntdsutil, but can't see any other server. After following the directions from the link you provided, I also didn't see any of these containers:

                        CN=NTDS Settings, CN=Computer name,CN=Site name, CN=Sites, CN=Configuration, DC=Root domain of forest,DC=COM

                        I can't demote any of the other servers because they were decommissioned a while back and I don't have access to them anymore. I've tried using ntdsutil but couldn't find any other servers through there as well.


                        • #13
                          Re: Domain Issues/Metadata Cleanup

                          Well, alrighty then...!


                          • #14
                            Re: Domain Issues/Metadata Cleanup

                            If they aren't showing in ntdsutil, then have a look in there and see if there are any incorrect entries. Demoting a DC can leave an entry for the name within the site. If you open it, then there won't be any NTDS Settings, etc.

                            Also, have a read through the DNS to see if any are still listed for LDAP, etc.
                            Cheers,
                            Andy

                            Please read this before you post:


                            Quis custodiet ipsos custodes?

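A read-only audit of the three places the replies above point at (server objects in Sites and Services that have no NTDS Settings child, SYSVOL FRS member objects with a dangling serverReference like the one in the dcdiag excerpt, and _ldap SRV records in DNS naming a host that is not a live DC), written here as an added example and not code from anyone in the thread. It assumes the ActiveDirectory and DnsServer PowerShell modules (Server 2012+ RSAT, newer than the 2009 setup discussed) and a DC that also runs the DNS Server role; it reports and deletes nothing.

```powershell
# Added example: find leftover references to decommissioned domain controllers.
# Assumes ActiveDirectory and DnsServer modules; run as a domain admin, read-only.
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest

# DCs that AD currently knows as live; anything else referenced below is suspect.
$liveDCs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

function Find-StaleDCReferences {
    $findings = @()

    # 1. Server objects under CN=Sites with no NTDS Settings (nTDSDSA) child:
    #    the "entry for the name within the site" Andy describes.
    $servers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)'
    foreach ($srv in $servers) {
        $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        if (-not $ntds) {
            $findings += [pscustomobject]@{ Kind='ServerWithoutNTDSSettings'; Name=$srv.Name; Where=$srv.DistinguishedName }
        }
    }

    # 2. SYSVOL FRS member objects whose serverReference is missing or points at a
    #    deleted DSA object (the dcdiag "Missing Expected Value" finding, KB312862).
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"
    $members = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel -LDAPFilter '(objectClass=nTFRSMember)' `
                   -Properties serverReference -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $ref = $m.serverReference
        $ok  = $ref -and (Get-ADObject -Identity $ref -ErrorAction SilentlyContinue)
        if (-not $ok) {
            $findings += [pscustomobject]@{ Kind='FRSMemberDanglingServerReference'; Name=$m.Name; Where=$m.DistinguishedName }
        }
    }

    # 3. _ldap SRV records (domain zone and _msdcs zone) whose target is not a live DC.
    foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
        $records = Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
                       Where-Object { $_.HostName -like '_ldap.*' }
        foreach ($r in $records) {
            $target = $r.RecordData.DomainName.TrimEnd('.').ToLower()
            if ($liveDCs -notcontains $target) {
                $findings += [pscustomobject]@{ Kind='LdapSrvToUnknownHost'; Name="$($r.HostName).$zone"; Where=$target }
            }
        }
    }
    return $findings
}

Find-StaleDCReferences | Format-Table -AutoSize
```

On a domain whose SYSVOL already replicates with DFSR the FRS container is absent, so section 2 reports nothing; review each finding against KB312862 before removing anything.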

                            • #15
                              Re: Domain Issues/Metadata Cleanup

                              The only DCs I've seen in ntdsutil are the ones currently in use. In ADSIedit, I did find some in there and have deleted those, but I know there are old DCs that didn't show up in that as well. I also deleted a lot of entries in DNS as well, and probably the LDAP entries as well, along with other entries. After running dcdiag, I do see a lot of old DCs in the results from dcdiag, along with the ones I deleted in DNS, but I just don't know what else I can do to try and clean them out of AD for good.
