Treat them the same way you'd treat any A, AAAA, CNAME, etc. DNS records for any machine you remove from your organization.
Clean up Domain Controller DNS Records with Powershell
Hello,
I was going through this page:
https://devblogs.microsoft.com/scripting/clean-up-domain-controller-dns-records-with-powershell/
However, it only mentions the zone _msdcs.contoso.com. What about the zone contoso.com and reverse lookup zones? Don't we have to delete that too after a DC is forcefully removed? It is not in the script.
7 answers
Gloria Gu 3,901 Reputation points
2020-12-15T08:36:18.48+00:00 @Nabeel Hi,
Thank you for posting in Q&A!
Do you want to perform metadata cleanup on a domain controller? If you want to achieve this, I would suggest you use the GUI tools. Procedures should be done in Active Directory Users and Computers, Active Directory Sites and Services, and DNS entries.
Using this method, it would be a thorough cleanup of the remaining metadata of the old DC, including DNS records. For more details, please refer to:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
Hope you have a nice day : )
Gloria
Nabeel 26 Reputation points
2020-12-16T07:11:33.38+00:00 @Rich Matheisen So it means yes, we have to delete DNS records from both zones: _msdcs.contoso.com & contoso.com.
In this case, how can we modify the PowerShell command to run for zone contoso.com after running for zone _msdcs.contoso.com?
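One way to extend the linked script's idea to the domain zone and the reverse lookup zones, as an added example that is not part of any answer here or of the linked blog post. The server name, the old DC's name and its IP address are placeholders to replace; the DnsServer cmdlets come with the DNS Server RSAT tools.

```powershell
# Added example, not the script from the linked blog post. Edit the four
# values below to match your environment; they are placeholders.
$DnsServer = 'dc01.contoso.com'   # surviving DNS server to query (assumed)
$Domain    = 'contoso.com'        # forward zone from the question
$OldDc     = 'olddc'              # short name of the forcibly removed DC (assumed)
$OldIp     = '10.0.0.5'           # its former IPv4 address (assumed)
$OldFqdn   = "$OldDc.$Domain."    # record data carries the trailing dot

# Zones to inspect: the domain zone, its _msdcs child zone, and every reverse zone.
$zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
    $_.ZoneName -in @($Domain, "_msdcs.$Domain") -or $_.IsReverseLookupZone
}

# Any record that is named after the old DC, or whose data points at it.
$stale = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object {
            $d = $_.RecordData
            ($_.HostName -eq $OldDc) -or
            ($d.IPv4Address.IPAddressToString -eq $OldIp) -or  # A: host, '@' (same-as-parent), gc._msdcs
            ($d.NameServer    -eq $OldFqdn) -or                # NS: zone apex and _msdcs delegation
            ($d.DomainName    -eq $OldFqdn) -or                # SRV: _ldap, _kerberos, _gc, ...
            ($d.HostNameAlias -eq $OldFqdn) -or                # CNAME: <DSA GUID>._msdcs alias
            ($d.PtrDomainName -eq $OldFqdn)                    # PTR: reverse lookup zones
        } | ForEach-Object { [pscustomobject]@{ Zone = $zone.ZoneName; Record = $_ } }
}

# Review the hit list first. -WhatIf only reports; remove it once the list looks right.
$stale | Select-Object Zone, @{n='Name';e={$_.Record.HostName}},
                       @{n='Type';e={$_.Record.RecordType}} | Format-Table -AutoSize
foreach ($hit in $stale) {
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $hit.Zone `
        -InputObject $hit.Record -Force -WhatIf
}
```

In an AD-integrated zone the deletions replicate to every other DNS server that hosts the zone, so the script only needs to run against one server.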
Nabeel 26 Reputation points
2020-12-16T10:20:09.44+00:00 @Gloria Gu Hi,
So it means if I use Active Directory Users and Computers to delete the DC as per https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup, then all DNS records of the DC will be automatically removed also? No need to manually clean/remove DNS records of this DC?
Nabeel 26 Reputation points
2020-12-17T13:10:07.387+00:00 The Microsoft link https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup mentions:
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.
You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.
So it means we can EITHER use Active Directory Sites and Services or Active Directory Sites and Services to delete metadata of dead DC? We don't have to use BOTH?