Clean up Domain Controller DNS Records with Powershell

Nabeel 26 Reputation points
2020-12-14T10:32:15.53+00:00

Hello,

I was going through this page:

https://devblogs.microsoft.com/scripting/clean-up-domain-controller-dns-records-with-powershell/

However, it only mentions the zone _msdcs.contoso.com. What about the zone contoso.com and reverse lookup zones? Don't we have to delete that too after a DC is forcefully removed? It is not in the script.

Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,021 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,344 questions
0 comments No comments
{count} vote

7 answers

Sort by: Most helpful
  1. Rich Matheisen 44,541 Reputation points
    2020-12-14T15:38:39.55+00:00

    Treat them the same way you'd treat any A, AAAA, CNAME, etc. DNS records for any machine you remove from your organization.

    0 comments No comments

  2. Gloria Gu 3,891 Reputation points
    2020-12-15T08:36:18.48+00:00

    @Nabeel Hi,

    Thank you for posting in Q&A!

    Do you want to perform metadata cleanup on a domain controller? If you want to achieve this, I would suggest you to use the GUI tools. Procedures should be done in Active Directory Users and Computers, Active Directory Sites and Services& DNS Entries.
    Using this method, it wold be a thoroughly clean up of the remain metadata of the old DC including DNS record.

    For more details, please refer to:
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

    Hope you have a nice day : )
    Gloria

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
    https://learn.microsoft.com/en-us/answers/articles/67444/email-notifications.html

    0 comments No comments

  3. Nabeel 26 Reputation points
    2020-12-16T07:11:33.38+00:00

    @Rich Matheisen So it means yes we have to delete dns records from both zones: _msdcs.contoso.com & contoso.com.

    In this case, how can we modify the powershell command to run for zone contoso.com after running for zone _msdcs.contoso.com.


  4. Nabeel 26 Reputation points
    2020-12-16T10:20:09.44+00:00

    @Gloria Gu Hi,

    So it means if I use Active Directory Users and Computers to delete the DC as per https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup, then all DNS records of the DC will be automatically removed also? No need to manually clean/remove DNS records of this DC?


  5. Nabeel 26 Reputation points
    2020-12-17T13:10:07.387+00:00

    @Gloria Gu

    The microsoft link https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup mentions:

    When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.

    You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.

    So it means we can EITHER use Active Directory Sites and Services or Active Directory Sites and Services to delete metadata of dead DC? We don't have to use BOTH?