Hello,
Background:
We previously had a 2012 DC, server1, which held the FSMO roles PDC, RID and Infrastructure.
Those roles were transferred successfully from server1 to server2 with Active Directory Users and Computers (Operations Masters), then checked with netdom query fsmo to confirm they were on server2, and left to replicate.
After that I checked diagnostics:
dcdiag /test:dns /e /v
replications
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose
None of them had errors, and after everything passed, server1 was demoted; that was successful.
Then I checked Sites and Services, and the server was still to be found, as it should be after a demote, but to our amazement it had not been cleaned of the DNS Settings container.
The container has attribute distinguishedName CN=DNS Settings,CN=server1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=domain,DC=com
After that I cleaned up the zones from that demoted server and ran diagnostics:
dcdiag /test:dns /e /v
replications
repadmin /replsummary
repadmin /showrepl
repadmin /showrepl /errorsonly
repadmin /istg * /verbose
None of them had errors either.
After googling around I found out that this server was in fact still the KeyMasterServer, and queried it with this command:
Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com
ZoneName : my.domain.com
IsKeyMasterServer : False
KeyMasterServer : server1.my.domain.com
KeyMasterStatus : Offline
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00
Because the server was already demoted I decided to seize the role to another server, which was now also the holder of the FSMO roles:
Reset-DnsServerZoneKeyMasterRole -ZoneName my.domain.com -KeyMasterServer server2.my.domain.com -SeizeRole -Force
After that the role was found to be:
Get-DnsServerDnsSecZoneSetting -ZoneName my.domain.com
ZoneName : my.domain.com
IsKeyMasterServer : True
KeyMasterServer : server2.my.domain.com
KeyMasterStatus : Online
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 00:00:00
DSRecordSetTTL : 00:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00
The question now is: how can this container be removed from Sites and Services and AD cleanly? We have no DNSSEC in use.
I already checked with ntdsutil that this DC is no longer found in any sites or domains with the "list servers in site" command.
Can I just delete it under server1 in Sites and Services, since a similar DNS Settings object is now found under server2 in Sites and Services? Before the seize it was not there. Or should I do some trickery with ldifde perhaps?
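The checks and the seize described in the post above, generalised to every AD-integrated zone, as an added example that is not part of the original post: it lists each zone's recorded DNSSEC key master, flags those whose key master is no longer a registered domain controller (the demoted-server case), seizes the role for those zones, and then looks up the stale DNS Settings object in the Configuration partition. The new key master name, the site and server names in the DN, and the assumption that it is run elevated on server2 with the DnsServer and ActiveDirectory modules (RSAT) installed are all assumptions, not facts from the post.

```powershell
# Added example, not from the original post. Run elevated on the DC/DNS server that
# should become key master (server2 in the post). Assumes the DnsServer and
# ActiveDirectory modules are available.
Import-Module DnsServer
Import-Module ActiveDirectory

$NewKeyMaster = "server2.my.domain.com"   # assumed: the DC that should hold the role

# FQDNs of the DCs that are still registered in the domain. A demoted server
# (server1 in the post) will not be in this list.
$liveDCs = (Get-ADDomainController -Filter *).HostName

# Collect the DNSSEC key master state of every AD-integrated, non-auto-created zone.
$zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }
$report = foreach ($zone in $zones) {
    $dnssec = Get-DnsServerDnsSecZoneSetting -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
    if ($null -eq $dnssec -or [string]::IsNullOrEmpty($dnssec.KeyMasterServer)) { continue }

    [pscustomobject]@{
        ZoneName        = $zone.ZoneName
        IsSigned        = $zone.IsSigned
        KeyMasterServer = $dnssec.KeyMasterServer
        KeyMasterStatus = $dnssec.KeyMasterStatus
        KeyMasterIsDC   = ($liveDCs -contains $dnssec.KeyMasterServer)
    }
}

$report | Format-Table -AutoSize

# Seize only where the recorded key master is not a current DC and the role is not
# already on the intended server. -SeizeRole is the forced path for an offline holder;
# Set-DnsServerZoneKeyMasterRole would be the graceful transfer when both are online.
$stale = $report | Where-Object { -not $_.KeyMasterIsDC -and $_.KeyMasterServer -ne $NewKeyMaster }
foreach ($z in $stale) {
    Write-Host "Seizing key master for $($z.ZoneName) from $($z.KeyMasterServer) to $NewKeyMaster"
    Reset-DnsServerZoneKeyMasterRole -ZoneName $z.ZoneName -KeyMasterServer $NewKeyMaster -SeizeRole -Force
}

# Re-read the settings for the seized zones to confirm the new holder is Online.
foreach ($z in $stale) {
    Get-DnsServerDnsSecZoneSetting -ZoneName $z.ZoneName |
        Select-Object ZoneName, IsKeyMasterServer, KeyMasterServer, KeyMasterStatus
}

# Finally, look for the leftover DNS Settings object under the old server in the
# Configuration partition. Site and server names below are taken from the post's DN
# and are assumptions for any other environment.
$configNC = (Get-ADRootDSE).configurationNamingContext
$staleDn  = "CN=DNS Settings,CN=server1,CN=Servers,CN=Site1,CN=Sites,$configNC"
$obj = Get-ADObject -Identity $staleDn -Properties whenChanged, objectClass -ErrorAction SilentlyContinue
if ($null -eq $obj) {
    Write-Host "No DNS Settings object remains at $staleDn"
} else {
    $obj | Select-Object DistinguishedName, objectClass, whenChanged
}
```

The Where-Object filter deliberately keys on "not a registered DC" rather than on KeyMasterStatus alone, because Offline is also what a reachable-but-stopped DNS service reports; seizing from a holder that merely has its service stopped would leave two servers believing they own the keys. Running the script a second time should produce an empty $stale list, which is the quick way to confirm nothing else still points at the demoted server.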