LotfiBOUCHERIT asked DaisyZhou-MSFT commented

Active Directory 2016: problem with demoted domain controller

Hello,
We had a failing domain controller which held the PDC FSMO role, and lots of services (firewall, proxy, application authentication...) depend on its DNS name or IP address.
We cleaned up its metadata from NTDSUTIL, DNS and every possible location. But we were not able to promote a newly created VM as a new domain controller with the same name and the same IP address.
We also find that in repadmin /replsum we still see a trace of this failed domain controller: (1722) The RPC server is unavailable.
We tried to promote the new VM with another VM and the same IP address, and it didn't work, as if the metadata cleanup was not completely successful.
On the internet, I found that there might be some stale objects in ADSI, in the configuration partition or the LostAndFound folder; I cleared that folder, but still the same thing.

I'd appreciate it if anyone can give me a hint or steps that might help to bring things up and running again.

Thank you in advance,

Tags: windows-active-directory, windows-server-2016, windows-dhcp-dns

Hello @LotfiBOUCHERIT-4930,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou


Hello @LotfiBOUCHERIT-4930,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @LotfiBOUCHERIT-4930,

Thank you for posting here.

As I understand, you have transferred or seized the FSMO roles from the failed domain controller you mentioned.

And now you want to demote the failed domain controller and perform the metadata cleanup for the failed domain controller completely, but it seems there are still stale objects for this failed DC.

We can try the following method.

On one good and running DC, we can run the following command to perform the metadata cleanup for this failed DC.

[image: meta.png]

After that, we can check the following information:

1. To remove the failed server object from the Domain Controllers container.
[image: dc1.png]

2. To remove the failed server object from Sites.
[image: dc2.png]

3. To remove the failed server object from DNS Manager.
Remove all the DNS records corresponding to this failed DC's name.
[image: dc3.png]

For more information about failed domain controllers, we can refer to the link below.

Delete Failed DCs from Active Directory
https://petri.com/delete_failed_dcs_from_ad


Also, consider the following information before deleting one DC in the domain:

1.If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
2.If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
3.If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.


After we clean up the DC, we can run the following commands on one good and running DC.

Dcdiag /v /a >c:\dcdiag.txt

repadmin /replsum >c:\repsum.txt

repadmin /showrepl * /csv >c:\repsum.csv

If there is no entry about the failed DC in the results after running the three commands above, then the failed DC has been removed completely.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.




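The checks in the answer above, scripted so they can be repeated on every DC and DNS server. This is an added example, not code from the original thread or from Microsoft: it assumes a healthy DC with the RSAT ActiveDirectory and DnsServer modules, a placeholder DC name DC-OLD and address 10.0.0.5, and a script file name Find-StaleDc.ps1 of my choosing. It goes a step beyond the answer by also looking in two places that are easy to miss after NTDSUTIL and the GUI views have been cleaned: the SYSVOL replication member objects under CN=System and the DSA-GUID CNAME record in the _msdcs zone, and by listing the replication links on the remaining DCs that keep the old name in repadmin /replsum.

```powershell
<#
 Added example, not part of the original thread: find, and optionally delete,
 every place a failed DC's name can linger after "ntdsutil metadata cleanup".
 Run on a healthy DC as a Domain Admin with the RSAT ActiveDirectory and
 DnsServer modules installed. DC-OLD and 10.0.0.5 below are placeholder values.
   .\Find-StaleDc.ps1 -FailedDcName DC-OLD -FailedDcIp 10.0.0.5           # report only
   .\Find-StaleDc.ps1 -FailedDcName DC-OLD -FailedDcIp 10.0.0.5 -Remove   # delete findings
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$FailedDcName,
    [string]$FailedDcIp,   # optional: also flag A records still holding the old address
    [switch]$Remove        # without it the script only reports
)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
$config = (Get-ADRootDSE).configurationNamingContext
$fqdn   = "$FailedDcName.$($domain.DNSRoot)"
$stale  = [System.Collections.Generic.List[object]]::new()
function Add-Stale([string]$Kind, [string]$Where, [scriptblock]$Delete) {
    $stale.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Delete = $Delete })
}

# 0. Refuse to continue while the dead DC still holds a FSMO role: seize it first
#    (ntdsutil "roles", or Move-ADDirectoryServerOperationMasterRole ... -Force).
$roles = @($forest.SchemaMaster, $forest.DomainNamingMaster,
           $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
if ($roles -like "$FailedDcName.*") { throw "$FailedDcName is still a FSMO role holder; seize the roles before cleaning up." }

# 1-3. Directory objects carrying the DC's name: the server object (with its
#    NTDS Settings child) under CN=Sites in the Configuration partition, the
#    computer object in OU=Domain Controllers, and the SYSVOL replication member
#    objects (FRS nTFRSMember / DFSR msDFSR-Member) under CN=System. While an
#    NTDS Settings object survives, the other DCs keep trying to replicate from
#    the dead DC, which typically shows up in repadmin /replsum as RPC error 1722.
$searches = @(
    @{ Base = "CN=Sites,$config";                       Filter = "(&(objectClass=server)(cn=$FailedDcName))" }
    @{ Base = $domain.DomainControllersContainer;       Filter = "(&(objectClass=computer)(cn=$FailedDcName))" }
    @{ Base = "CN=System,$($domain.DistinguishedName)"; Filter = "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$FailedDcName))" }
)
foreach ($s in $searches) {
    Get-ADObject -SearchBase $s.Base -LDAPFilter $s.Filter | ForEach-Object {
        $dn  = $_.DistinguishedName
        $del = { Remove-ADObject -Identity $dn -Recursive -Confirm:$false }.GetNewClosure()
        Add-Stale "AD $($_.ObjectClass)" $dn $del
    }
}

# 4. DNS: records named after the DC, records whose target is its FQDN (NS, the
#    DSA-GUID CNAME in _msdcs, SRV, PTR) and, if -FailedDcIp was given, A records
#    still holding its address. Every primary zone on this server is scanned,
#    so the _msdcs zone and any reverse zones are covered.
foreach ($zone in Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue | ForEach-Object {
        $d = $_.RecordData
        $targets = @($d.NameServer, $d.HostNameAlias, $d.DomainName, $d.PtrDomainName) |
                   Where-Object { $_ } | ForEach-Object { $_.TrimEnd('.') }
        if (($_.HostName -ieq $FailedDcName) -or ($targets -icontains $fqdn) -or
            ($FailedDcIp -and $d.IPv4Address -and "$($d.IPv4Address)" -eq $FailedDcIp)) {
            $rr = $_; $z = $zone.ZoneName
            $del = { Remove-DnsServerResourceRecord -ZoneName $z -InputObject $rr -Force }.GetNewClosure()
            Add-Stale "DNS $($rr.RecordType)" "$z : $($rr.HostName)" $del
        }
    }
}

# 5. Replication links on the remaining DCs that still name the dead DC. These
#    are reported, not deleted: once the NTDS Settings object is gone the KCC
#    drops them on its next run (force it with "repadmin /kcc").
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -Partition * -PartnerType Both -ErrorAction SilentlyContinue |
        Where-Object { $_.Partner -like "*CN=$FailedDcName,CN=Servers,*" } |
        ForEach-Object {
            $where = "$($dc.HostName): $($_.Partition), last result $($_.LastReplicationResult)"
            Add-Stale "repl link ($($_.PartnerType))" $where { Write-Warning "replication links are removed by the KCC, run: repadmin /kcc" }
        }
}

if ($stale.Count -eq 0) { Write-Host "No trace of $FailedDcName found from $env:COMPUTERNAME."; return }
$stale | Format-Table Kind, Where -AutoSize -Wrap
if ($Remove) {
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess($s.Where, "Delete stale $($s.Kind)")) { & $s.Delete }
    }
    # Afterwards re-run the checks from the answer: repadmin /kcc, repadmin /replsum, dcdiag /v /a
}
```

Run it without -Remove first and read the list; with -Remove, -WhatIf is honoured so the deletions can be previewed. Because DNS records live on each DNS server (and Active Directory-integrated zones replicate), run the DNS part on every DNS server that hosted the zones, not just the one DC. Entries reported as "repl link" are not deleted by the script: they are what repadmin /replsum keeps showing for the old name and are cleared by the KCC once the NTDS Settings object no longer exists.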

LotfiBOUCHERIT answered

Hello @DaisyZhou-MSFT
And thank you for this relevant explanation. Just want to let you know that we did the cleaning using NTDSUTIL, cleaned AD Sites and Services, AD Users and Computers, DNS...
But the server still appears in the repadmin /replsum command output.
We fail to add a new server using the same name, and we fail to assign its IP address to another domain controller.

For the results of the commands you requested:
[attachments: showrepl.txt, replsum.txt, dcdiag-v.txt]



Thank you in advance



LotfiBOUCHERIT answered

Even if I run dsquery computer -name ***, I don't find the domain controller that is failing in repadmin...
[image: image.png]




DaisyZhou-MSFT answered

Hello @LotfiBOUCHERIT-4930,

Thank you for your update.

Anyway, if you can still see the name of the failed domain controller in the command results, it indicates that it has not been deleted from the AD domain environment. You need to carefully find and delete it according to the method I mentioned above.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

