nltest /dclist and nltest /dnsgetdc showing different results

RawatP 61 Reputation points
2020-10-23T19:48:51.017+00:00

Different results show when one queries for the list of domain controllers.

These commands do not return the ghost DCs (recently demoted DC):

  1. nltest /dclist:DomainFQDNHere
  2. Get-ADDomainController -Filter * | select name,operatingsystem,HostName,site,IsGlobalCatalog,IsReadOnly,IPv4Address
  3. netdom query dc

The command below does return the ghost DCs (recently demoted DC):

nltest /dnsgetdc:DomainFQDNHere


Accepted answer
  1. Anonymous
    2020-10-30T02:29:18.147+00:00

    Hello @RawatP ,

    Thank you for your update.

    According to our experience, we have encountered such a situation (SRV records cannot be deleted, or they reappear after being deleted) on 2012 R2 domain controllers.

    1. What is the operating system version of the DC on which we perform the deletion operation? Is it a 2012 R2 DC?
    2. How many DCs are in your domain?
    3. What are the operating system versions of all DCs in your domain?

    If you have multiple DCs with different OS versions in this domain (such as 2012, 2012 R2 and 2016 or 2019), we can try to delete the SRV records for this demoted server on other DCs, except the 2012 R2 DC. If we can delete these SRV records for the demoted server on the other DCs and AD replication works fine, the deletion changes will be updated on all DCs in the domain.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


6 additional answers

  1. Anonymous
    2020-10-23T19:55:24.223+00:00

    The second one queries DNS so there may be some lingering stale records.

    --please don't forget to Accept as answer if the reply is helpful--

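To see the discrepancy the answer above describes, the following added example (not code from the thread) compares the AD-side DC list, which is what nltest /dclist, netdom query dc and Get-ADDomainController report, with the SRV targets in DNS that nltest /dnsgetdc relies on, and reports hosts present only on one side. It assumes the ActiveDirectory RSAT module is installed; $DomainFqdn is a placeholder you supply.

```powershell
# Added example, not from the original thread.
# Assumes the ActiveDirectory RSAT module; $DomainFqdn is a placeholder you supply.
param([string]$DomainFqdn)

Import-Module ActiveDirectory
if (-not $DomainFqdn) { $DomainFqdn = (Get-ADDomain).DNSRoot }

# Source 1: domain controller objects as AD knows them
$adDcs = Get-ADDomainController -Filter * -Server $DomainFqdn |
         ForEach-Object { $_.HostName.ToLower().TrimEnd('.') } |
         Sort-Object -Unique

# Source 2: SRV targets that the DC locator (and nltest /dnsgetdc) reads from DNS
$srvNames = "_ldap._tcp.dc._msdcs.$DomainFqdn",
            "_kerberos._tcp.dc._msdcs.$DomainFqdn",
            "_ldap._tcp.gc._msdcs.$DomainFqdn"
$dnsDcs = foreach ($n in $srvNames) {
    # Resolve-DnsName also returns additional-section A records; keep only the SRV rows
    $answers = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
    $answers | Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
}
$dnsDcs = $dnsDcs | Sort-Object -Unique

# A host advertised in DNS but absent from AD is a stale record left by a demoted DC;
# a host in AD but absent from DNS has not registered its SRV records (nltest /dsregdns).
[pscustomobject]@{
    Domain       = $DomainFqdn
    InAD         = $adDcs
    InDNS        = $dnsDcs
    GhostDnsOnly = @($dnsDcs | Where-Object { $_ -notin $adDcs })
    AdOnly       = @($adDcs  | Where-Object { $_ -notin $dnsDcs })
}
```

Run it from a domain-joined machine whose resolver points at a domain DNS server; names listed under GhostDnsOnly are the ones /dnsgetdc can still hand out.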

  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-10-23T22:56:04.26+00:00

    Hi,

    It seems that there are some incorrect DNS records for domain controllers. You should perform a cleanup of the incorrect DNS records and run the following commands on each DC to generate the right DNS records:

    ipconfig /registerdns

    nltest /dsregdns

    Sometimes, when we promote or demote a domain controller, the DNS records may not be updated automatically.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


  3. Anonymous
    2020-10-26T02:05:47.41+00:00

    Hello @RawatP

    Thank you for posting here.

    Based on the description above, I understand the recently demoted DC should be a DNS server, and we have demoted it, but it seems the metadata of this demoted DC is not removed completely (it seems the DNS record of this demoted DC is not removed completely).

    We can try to clean up all the metadata for this demoted DC as below:
    1. On one good and running DC in the same domain, run the following commands.
    [image: 34690-nltest1.png]

    2. After the commands in step 1, to remove the failed server object from the sites in Active Directory Sites and Services, expand the appropriate site and delete the server object associated with the failed domain controller.

    3. To remove the failed server object from the Domain Controllers container in Active Directory Users and Computers, expand the Domain Controllers container and delete the computer object associated with the failed domain controller.

    4. If the removed DC was a DNS server, to remove the failed server object from DNS:

    4-1 In the DNS snap-in, expand the zone that is related to the domain from which the server has been removed. Remove the CNAME record in the _msdcs.root domain of forest zone in DNS.

    4-2 You should also delete the HOSTNAME and other DNS records.

    4-3 If you have reverse lookup zones, also remove the server from these zones.

    4-4 Update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.

    4-5 Update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

    After completing all the above, we can check whether it still returns the demoted DC by running nltest /dnsgetdc:DomainFQDNHere or the following commands.

    Dcdiag /V

    repadmin /replsum

    Repadmin /showrepl * /csv >showrepl.csv

    For more information, we can refer to the link below.

    Delete Failed DCs from Active Directory
    https://petri.com/delete_failed_dcs_from_ad

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  4. Anonymous
    2020-10-29T02:26:10.233+00:00

    Hello @RawatP ,

    So based on my understanding, the removed DC used to be a DC (and also a DNS server). However, you have now removed the AD DS and DNS server roles and demoted it to a member server, and you use this member server, with the same host name and IP address, as your terminal licensing server. Is that right?

    If this demoted DC is no longer a DC but is still a DNS server:

    we should do as below:

    1. We need to keep the computer object (as a domain computer rather than a domain controller) in ADUC.
    2. Remove all the SRV records (Kerberos, LDAP and GC) and the CNAME record for this server; only a DC has SRV records, a member server has none.
    3. Keep the A record and NS record for this server on the DNS server.

    For example:
    [image: 35826-aa3.png]

    Or if this demoted DC is no longer a DC and is not a DNS server either:

    we should do as below:

    1. We need to keep the computer object (as a domain computer rather than a domain controller) in ADUC.
    2. Remove all the SRV records (Kerberos, LDAP and GC), the CNAME record and the NS record (if you have all these records) for this server; only a DC has SRV records, a member server has none.
    3. Keep only the A record for this server on the DNS server.

    For example:
    [image: 35885-aa2.png]

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

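The DNS part of the cleanup in the two answers above (step 4 of the metadata cleanup, and the "remove SRV and CNAME, keep A, keep NS only if it still serves DNS" split for a demoted host) can be done in one pass. The following is an added example, not code from the thread; it assumes the DnsServer RSAT module on the machine you run it from, that the _msdcs zone is separate from the domain zone (the usual layout), and placeholder values for the demoted host, the domain and the DNS server to query.

```powershell
# Added example, not from the original thread. Assumes the DnsServer RSAT module.
# Lists every record in the domain and _msdcs zones that still points at a demoted DC,
# removes the stale ones (SRV, CNAME, and NS unless the host still serves DNS) and
# reports the records that stay. Supports -WhatIf so you can review before deleting.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$DemotedHost,  # placeholder, e.g. dc03.corp.example
    [Parameter(Mandatory)][string]$DomainFqdn,   # placeholder, e.g. corp.example
    [string]$DnsServer = 'localhost',            # a healthy DC/DNS server to query
    [switch]$StillDnsServer                      # demoted box still hosts DNS: keep NS
)
Import-Module DnsServer

$target = $DemotedHost.ToLower().TrimEnd('.')
$short  = $target.Split('.')[0]
$zones  = $DomainFqdn, "_msdcs.$DomainFqdn"

# Walk both zones once and keep only records whose data names the demoted host.
$refs = foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = switch ($_.RecordType) {
            'SRV'   { $_.RecordData.DomainName }
            'CNAME' { $_.RecordData.HostNameAlias }
            'NS'    { $_.RecordData.NameServer }
            'A'     { if ($_.HostName -eq $short) { $target } }
            default { $null }
        }
        if ($data -and $data.ToLower().TrimEnd('.') -eq $target) {
            [pscustomobject]@{ Zone = $z; Name = $_.HostName; Type = $_.RecordType; Record = $_ }
        }
      }
}

# SRV and CNAME always go; NS goes unless the host still serves DNS; A stays.
function Test-Stale($r) { $r.Type -in 'SRV','CNAME' -or ($r.Type -eq 'NS' -and -not $StillDnsServer) }

foreach ($r in $refs) {
    if (-not (Test-Stale $r)) { continue }
    if ($PSCmdlet.ShouldProcess("$($r.Type) $($r.Name) in zone $($r.Zone)", 'Remove stale DC record')) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $r.Zone -InputObject $r.Record -Force
    }
}

# What remains for the host after cleanup (A, plus NS when -StillDnsServer was given)
$refs | Where-Object { -not (Test-Stale $_) } | Select-Object Zone, Name, Type
```

Run it first with -WhatIf against a healthy DC; afterwards, run nltest /dsregdns on the remaining DCs and re-check nltest /dnsgetdc as the answers describe.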
