Active Directory 2016 problem with demoted domain controller

Lotfi BOUCHERIT 91 Reputation points
2021-04-02T07:54:18.483+00:00

Hello,
We had a failing domain controller which was holding the PDC FSMO role, and lots of services (firewall, proxy, application authentication...) depend on its DNS name or IP address.
We cleaned up its metadata from NTDSUTIL, DNS and every possible location. But we were not able to promote a newly created VM as a new domain controller with the same name and the same IP address.
We also find that in repadmin /replsum we still see a trace of this failed domain controller: (1722) The RPC server is unavailable.
We tried to promote the new VM with another VM and the same IP address, and it didn't work. As if the metadata cleanup is not completely successful.
On the internet, I found that there might be some stale objects in ADSI, configuration partition, LostAndFound folder; I cleared that folder, but still the same thing.

I'd appreciate it if anyone could give me a hint or steps that might help to bring things up and running again.

Thank you in advance,


4 answers

  1. Daisy Zhou 18,626 Reputation points Microsoft Vendor
    2021-04-02T09:20:34.94+00:00

    Hello @LotfiBOUCHERIT-4930,

    Thank you for posting here.

    As I understand, you have transferred or seized the FSMO roles from the failed domain controller you mentioned.

    And now you want to demote the failed domain controller and perform the metadata cleanup for the failed domain controller completely, but it seems there are still stale objects for this failed DC.

    We can try the following method.

    On one good and running DC, we can run the following command to perform the metadata cleanup for this failed DC.

    After that, we can check the following information:

    1. Remove the failed server object from the Domain Controllers container.

    2. Remove the failed server object from the sites.

    3. Remove the failed server object from DNS Manager.
    Remove all the DNS records corresponding to this failed DC name.

    For more information about failed domain controllers, we can refer to the link below.

    Delete Failed DCs from Active Directory
    https://petri.com/delete_failed_dcs_from_ad

    Also, consider the following information before deleting one DC in the domain:

    1.If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
    2.If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
    3.If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

    After we clean up the DC, we can run the following commands on one good and running DC.

    Dcdiag /v /a >c:\dcdiag.txt

    repadmin /replsum >c:\repsum.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    If there is no entry about the failed DC in the results after running the three commands above, then the failed DC is removed completely.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Lotfi BOUCHERIT 91 Reputation points
    2021-04-02T11:20:56.607+00:00

    Hello @Daisy Zhou
    And thank you for this relevant explanation. Just want to let you know that we did the cleaning using NTDSUTIL, and cleaned AD Sites and Services, AD Users and Computers, DNS...
    But the server still appears in the repadmin /replsum command.
    We fail to add a new server using the same name, and we fail to assign its IP address to another domain controller.

    For results of the commands you requested, see the attached files:
    83949-showrepl.txt
    83950-replsum.txt
    83955-dcdiag-v.txt

    Thank you in advance


  3. Lotfi BOUCHERIT 91 Reputation points
    2021-04-02T12:01:27.093+00:00

    Even if I run dsquery computer -name ***, I don't find the domain controller that is failing in repadmin...

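The checks listed in the first answer (configuration partition, Domain Controllers container, DNS records, repadmin output) can be run as one read-only audit, which also shows why dsquery computer can come back empty while repadmin still names the server: repadmin reads the server and NTDS Settings objects in the configuration partition, not the computer object in the domain partition. This is an added example, not code from the thread; the DC name, IP address and DNS server are placeholders, and it assumes the ActiveDirectory and DnsServer RSAT modules on a healthy DC.

```powershell
# Added example (not from the thread): read-only audit of where a demoted DC
# can leave traces. Placeholders below must be replaced with real values.
param(
    [string]$DcName    = 'FAILEDDC01',   # placeholder: hostname of the failed DC
    [string]$DcIp      = '192.0.2.10',   # placeholder: its former IP address
    [string]$DnsServer = 'GOODDC01'      # placeholder: a healthy DC that hosts DNS
)
Import-Module ActiveDirectory
Import-Module DnsServer
$root = Get-ADRootDSE
$hits = @()
function Add-Hit([string]$Where, [string]$Object) {
    $script:hits += [pscustomobject]@{ Where = $Where; Object = $Object }
}

# 1. Configuration partition: the server object (and its NTDS Settings child)
#    under CN=Sites. repadmin works from these, so they can survive after the
#    computer object in the domain partition is already gone.
$sites = "CN=Sites,$($root.configurationNamingContext)"
Get-ADObject -SearchBase $sites -SearchScope Subtree -LDAPFilter "(|(cn=$DcName)(dNSHostName=$DcName*))" |
    ForEach-Object { Add-Hit 'Configuration partition' $_.DistinguishedName }

# 2. Domain partition: the computer object (what dsquery computer searches) and
#    any other object, such as an FRS/DFSR member, that still carries the DC name.
Get-ADObject -SearchBase $root.defaultNamingContext -SearchScope Subtree -LDAPFilter "(cn=$DcName)" |
    ForEach-Object { Add-Hit 'Domain partition' $_.DistinguishedName }

# 3. DNS: every record in every non-automatic zone whose name or data mentions
#    the old hostname or IP (A, CNAME, NS and SRV records alike).
Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
    $zone = $_.ZoneName
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone | ForEach-Object {
        $data = ($_.RecordData.PSObject.Properties | ForEach-Object { "$($_.Value)" }) -join ' '
        if ($_.HostName -like "$DcName*" -or $data -like "*$DcName*" -or $data -like "*$DcIp*") {
            Add-Hit "DNS zone $zone" "$($_.HostName) $($_.RecordType) $data"
        }
    }
}

# 4. Replication links as each DC sees them; this is what repadmin /replsum summarises.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Source DSA' -like "*$DcName*" -or $_.'Destination DSA' -like "*$DcName*" } |
    ForEach-Object { Add-Hit "Replication link on $($_.'Destination DSA')" "$($_.'Naming Context') from $($_.'Source DSA')" }

if ($hits.Count -eq 0) { Write-Host "No trace of $DcName / $DcIp found." }
else { $hits | Sort-Object Where | Format-Table -AutoSize }
```

The script only reports; anything listed under "Configuration partition" or "Replication link" is what keeps the name alive in repadmin /replsum and blocks re-promotion under the same name, and is removed with the ntdsutil metadata cleanup and ADSI Edit steps from the first answer.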

  4. Daisy Zhou 18,626 Reputation points Microsoft Vendor
    2021-04-06T01:25:00.323+00:00

    Hello @LotfiBOUCHERIT-4930,

    Thank you for your update.

    Anyway, if you can still see the name of the failed domain controller from the command result, it indicates that it has not been deleted from the AD domain environment. You need to carefully find and delete it according to the method I mentioned above.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
