How to get the domain to forget an old domain controller.

techcoor 1,266 Reputation points
2021-05-19T00:11:15.913+00:00

When I run dcdiag I am still seeing the Windows Server 2008 that was replaced. Dcdiag recognizes the Windows Server 2008 as a DC. Dcdiag is also listing the Windows Server 2008 as a DNS server that is not working, and the "LDAP search capability attribute search failed" error.

What I did is reuse the ip address that was used on the Windows Server 2008 on the Windows Server 2019.

If I power on the Windows Server 2008 instead of the Windows Server 2019 and then use the dcpromo /forceremoval command, Windows Server 2008 wants to install a domain controller, so Windows Server 2008 thinks there is no DC. I could not install the DC anyway because the level is Windows Server 2016.


Accepted answer
  1. techcoor 1,266 Reputation points
    2021-05-23T03:51:10.467+00:00

    Found "this behavior is identical to what you'd experience if you had an incorrect name server entry for the _msdcs delegation. In the DNS Manager, are you actually looking at the delegation node (i.e. the grayed-out node labeled _msdcs under mbc.ca.gov)?
    Note that this is different than the content of _msdcs.mbc.ca.gov - which would contain only the "valid" records
    hth
    Marcin"

    https://social.technet.microsoft.com/Forums/windows/en-US/6232ce48-1566-476d-8f9f-4c5d2c417eb0/missing-glue-a-record-error-details-9714-type-win32-description-dns-name-does-not-exist

    Found _VLMCS and _ldap records in DC1.
    Found _ldap record in DC2.

    That fixed finding the old Windows Server 2008.

    In summary, I had to do a metadata cleanup.
    DSPatrick had a link for the procedure but I missed where the deletion was done. I found graphic images easier to follow and did the deletion following
    https://www.dtonias.com/forced-removal-domain-controller/#:~:text=Open%20the%20Active%20Directory%20Sites%20and%20Services%20console%2C,accepting%20the%20warnings%20by%20clicking%20the%20Delete%20button.

    Daisy Zhou gave the same procedure as above with the order switched. Do not know if the order matters.

    Had to reboot to remove the "The program lsass.exe, with the assigned process ID 864, could not authenticate locally by using the target name ldap/DC"

    To remove the "TEST: Delegations (Del)
    Delegation information for the zone: domain.
    Delegated domain name: _msdcs.domain.
    Error: DNS server: DC.domain.
    IP:<Unavailable> [Missing glue A record]
    [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]"
    Used https://social.technet.microsoft.com/Forums/windows/en-US/6232ce48-1566-476d-8f9f-4c5d2c417eb0/missing-glue-a-record-error-details-9714-type-win32-description-dns-name-does-not-exist as reference.

    I had to go through every entry in Forward Lookup Zones, _msdcs.domain and delete all entries for the Windows Server 2008.

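The accepted answer fixes the dcdiag Delegations error by hand: look at the grayed-out _msdcs delegation node under the parent zone rather than the _msdcs.domain zone itself, then walk every zone and delete the records that still name the old server. The PowerShell below is an added example written for this page, not code posted in the thread or shipped by Microsoft. It automates that audit with the DnsServer module (RSAT-DNS-Server): it checks each NS record at the _msdcs delegation node for a glue A record in the parent zone (the 9714 "Missing glue A record" condition), then lists records in the forward zones and the real reverse zones that still reference the old DC. It matches by host name only, never by IP, because in this thread the old DC's IP was reused by the replacement. The domain name and host name are placeholders; without -Remove it only reports.

```powershell
#Requires -Modules DnsServer
# Added example, not from the original thread: audit (and optionally delete) DNS
# records that still point at a decommissioned DC. Run on a DNS server or with RSAT.
# Assumptions: $Domain and $OldDc are placeholders for the real parent zone and the
# old DC's host name. Records are matched by NAME, never by IP, because the IP was
# reused by the replacement DC.
param(
    [string]$Domain    = 'domain.example',   # assumption: AD DNS domain / parent zone
    [string]$OldDc     = 'OLDDC2008',        # assumption: host name of the demoted DC
    [string]$DnsServer = $env:COMPUTERNAME,
    [switch]$Remove                          # without this switch the script only reports
)

$oldFqdn = "$OldDc.$Domain."   # DnsServer cmdlets return targets with a trailing dot

# 1. The delegation itself: NS records at the "_msdcs" node of the PARENT zone.
#    dcdiag's Delegations test reports 9714 "Missing glue A record" when one of these
#    NS targets has no matching A record in the parent zone.
Write-Host "== Delegation _msdcs.$Domain (NS records in zone $Domain) =="
$nsRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
                 -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
foreach ($ns in $nsRecords) {
    $target = $ns.RecordData.NameServer
    # relative label of the name server inside the parent zone (glue lives there)
    $label  = $target.TrimEnd('.') -replace ('\.' + [regex]::Escape($Domain) + '$'), ''
    $glue   = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
                  -Name $label -RRType A -ErrorAction SilentlyContinue
    if ($glue) {
        Write-Host ("  OK       {0} -> {1}" -f $target, ($glue.RecordData.IPv4Address -join ','))
    } else {
        Write-Host "  MISSING  $target has no glue A record in $Domain"
        # only delete the delegation entry that belongs to the old DC
        if ($Remove -and $target -eq $oldFqdn) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -InputObject $ns -Force
        }
    }
}

# 2. Records INSIDE the zones that reference the old DC by name: its own A record,
#    SRV records (_ldap, _kerberos, _gc, _kpasswd, _VLMCS ...), the GUID CNAME under
#    _msdcs, NS records on the zone apex, and PTR records in the reverse zones.
function Find-StaleDcRecord {
    param([string]$ZoneName)
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName |
        Where-Object {
            $d = $_.RecordData
            ($_.RecordType -eq 'A'     -and $_.HostName       -eq $OldDc)   -or
            ($_.RecordType -eq 'SRV'   -and $d.DomainName     -eq $oldFqdn) -or
            ($_.RecordType -eq 'CNAME' -and $d.HostNameAlias  -eq $oldFqdn) -or
            ($_.RecordType -eq 'NS'    -and $d.NameServer     -eq $oldFqdn) -or
            ($_.RecordType -eq 'PTR'   -and $d.PtrDomainName  -eq $oldFqdn)
        }
}

# The domain zone, the _msdcs zone, and every real reverse zone. The 0., 127. and
# 255.in-addr.arpa zones are auto-created by the DNS server and never hold DC records.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Where-Object { $_.ZoneName -eq $Domain -or $_.ZoneName -eq "_msdcs.$Domain" -or $_.IsReverseLookupZone }

foreach ($zone in $zones) {
    $stale = @(Find-StaleDcRecord -ZoneName $zone.ZoneName)
    Write-Host ("== {0}: {1} record(s) referencing {2} ==" -f $zone.ZoneName, $stale.Count, $OldDc)
    foreach ($r in $stale) {
        Write-Host ("  {0,-5} {1}" -f $r.RecordType, $r.HostName)
        if ($Remove) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -InputObject $r -Force
        }
    }
}
```

Run it once without -Remove and read the list; if a record shows up that does not belong to the old DC, the host name filter is wrong for your naming scheme. Deletions in AD-integrated zones replicate to the other DCs, so do this on one server only. If the old machine is ever powered on again while still believing it is a DC, its Netlogon service will re-register every one of these records within minutes, which is why the thread's advice to keep the old and new servers off the network at the same time matters.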

6 additional answers

  1. Anonymous
    2021-05-19T01:11:38.587+00:00

    You can perform cleanup to remove the failed / non-existent domain controller.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    --please don't forget to Accept as answer if the reply is helpful--


  2. Anonymous
    2021-05-19T02:09:19.06+00:00

    Hello @techcoor ,

    Thank you for posting here.

    Based on the description "What I did is reuse the ip address that was used on the Windows Server 2008 on the Windows Server 2019.", I am not sure how you reused the IP address that was used on the Windows Server 2008 on the Windows Server 2019.

    In my opinion, it may be that the IP address that was used on the Windows Server 2008 was reused incorrectly on the Windows Server 2019, or that the information about the old Windows Server 2008 DC was not removed from the domain completely.

    How many DCs are there in your domain now? Please run nltest /dclist:domain.com on one DC to check.

    If you have multiple DCs (also acting as GCs and DNS servers) besides the Windows Server 2008 DC and the Windows Server 2019 DC,
    you can transfer the FSMO roles to one DC other than the Windows Server 2008 DC and the Windows Server 2019 DC.

    Then demote Windows Server 2008 DC.

    1.Logon the Windows Server 2008 DC with domain Administrator.
    2.Remove a domain controller from your Active Directory domain by using Dcpromo.exe.

    If you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, please perform the metadata cleanup for the Windows Server 2008 DC as below.

    1.Logon one good DC with domain Administrator.
    2.Open CMD (run as Administrator).
    3.Run the following commands one by one.
    [image: 97686-meta.png]

    After that, we can check the following information (all information about old Windows Server 2008 DC should be removed):

    1.To remove the failed server object from the domain controllers container.
    [image: 97687-meta1.png]

    2.To remove the failed server object from the sites.
    [image: 97706-meta2.png]

    3.To remove the failed server object from DNS manager.
    Remove all the DNS records corresponding to this failed DC name.
    [image: 97688-meta3.png]

    For more information about the failed domain controller, we can refer to the link below.

    Delete Failed DCs from Active Directory
    https://petri.com/delete_failed_dcs_from_ad

    After we clean up the DC, we can run the following commands on one good and running dc.

    Dcdiag /v /a >c:\dcdiag.txt

    repadmin /replsum >c:\repsum.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    If there is no entry about the failed DC in the results after running the three commands above, then the failed DC is removed completely.

    Note:
    Based on my knowledge, if you want to reuse one IP (I assume IP is IP1) of the DC on another new DC, we can try the steps below:
    1.Demote the DC with IP address IP1.
    2.After demoting, disjoin the member server with IP address IP1.
    3.Change the IP of this old machine (which had IP1) to another idle IP address (such as IP2).
    4.Set the IP of new machine using IP1.
    5.Join the new machine to domain.
    6.Promote the new machine as DC.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

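Daisy Zhou's answer lists the places a dead DC leaves traces in the directory: the Domain Controllers container, the server object in Sites and Services, and DNS. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft. It uses the ActiveDirectory module (RSAT-AD-PowerShell) to report everything the directory still holds for a given DC name, including the FSMO roles and the SYSVOL replication member object that a manual walk-through easily misses, and can delete those objects with -Remove. The host name is a placeholder; run it as a Domain Admin from a healthy DC. The DNS side is left to the DNS cmdlets, since the ActiveDirectory module does not see DNS records.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread: enumerate what Active Directory still
# holds for a DC that has been demoted or has died, and optionally delete it.
# Assumption: $OldDc is a placeholder for the demoted DC's NetBIOS host name.
# Deleting the NTDS Settings object under CN=Sites is what ntdsutil
# "metadata cleanup / remove selected server" does, so treat -Remove with the
# same caution: never point this at a DC that is still alive and replicating.
param(
    [string]$OldDc = 'OLDDC2008',   # assumption: NetBIOS host name of the demoted DC
    [switch]$Remove                 # without this switch the script only reports
)

$rootDse  = Get-ADRootDSE
$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = $rootDse.configurationNamingContext     # CN=Configuration,DC=...
$domainDN = $domain.DistinguishedName
$oldFqdn  = "$OldDc.$($domain.DNSRoot)"
$found    = @()

# 1. FSMO roles. If the dead DC still holds one, seize it first with
#    Move-ADDirectoryServerOperationMasterRole -Force, or the cleanup leaves the
#    domain without that master.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.Keys) {
    if ($roles[$role] -ieq $oldFqdn) {
        Write-Warning "$OldDc still holds the $role role; seize it before removing its metadata"
    }
}

# 2. Is it still advertised as a DC? Get-ADDomainController reads the NTDS Settings
#    objects, so a hit here means the metadata cleanup has not happened yet.
$stillDc = Get-ADDomainController -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue
if ($stillDc) { Write-Host "Still listed as a DC: $($stillDc.HostName) in site $($stillDc.Site)" }

# 3. Server object under CN=Sites (its child CN=NTDS Settings is the DC identity
#    that dcdiag and replication topology use).
$found += Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"

# 4. Computer account in the Domain Controllers container.
$found += Get-ADObject -SearchBase "OU=Domain Controllers,$domainDN" -SearchScope OneLevel `
              -LDAPFilter "(&(objectClass=computer)(cn=$OldDc))"

# 5. SYSVOL replication membership: DFSR member on migrated domains, FRS member on
#    domains that still replicate SYSVOL the 2008-era way.
$found += Get-ADObject -SearchBase "CN=System,$domainDN" `
              -LDAPFilter "(&(|(objectClass=msDFSR-Member)(objectClass=nTFRSMember))(cn=$OldDc))"

$found = @($found | Where-Object { $_ })
Write-Host ("{0} residual object(s) for {1}:" -f $found.Count, $OldDc)
$found | ForEach-Object { Write-Host "  $($_.DistinguishedName)" }

if ($Remove) {
    foreach ($obj in $found) {
        # -Recursive: the server object and the computer account carry child objects
        Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false
        Write-Host "  removed $($obj.DistinguishedName)"
    }
}

# 6. Replication view: after cleanup no partner line should mention the old DC.
Write-Host "== repadmin /showrepl lines mentioning $OldDc =="
repadmin /showrepl * /csv | Select-String -SimpleMatch $OldDc
```

If the old server was demoted cleanly with dcpromo (as in this thread), steps 2 and 3 will come back empty and ntdsutil will likewise show nothing to remove; what remains is usually only DNS, which is why the checks in Daisy's answer end with dcdiag and repadmin rather than with ntdsutil. The order of the Users and Computers and Sites and Services deletions does not matter for the end result, but deleting the NTDS Settings object is the step that actually triggers the directory's own metadata cleanup, so do that one rather than only the computer account.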

  3. Anonymous
    2021-05-19T02:15:27.257+00:00

    Just checking if there's any progress or updates?

    --please don't forget to Accept as answer if the reply is helpful--


  4. techcoor 1,266 Reputation points
    2021-05-19T19:02:54.587+00:00

    Walked through using NTDSUtil and could not find the problem server. Quit NTDSUtil.
    Decided to try a reboot. That cleared the ldap error.
    Down to
    TEST: Delegations (Del)
    Delegation information for the zone: domain.
    Delegated domain name: _msdcs.domain.
    Error: DNS server: DC.domain.
    IP:<Unavailable> [Missing glue A record]
    [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]

    I do not see the second link giving anything new.
    DaisyZhou-MSFT
    All I am saying is the Windows Server 2008 had a specific NIC IP address and I reused that ip address on the new server NIC. I do not have both servers on the same network at the same time.
    There are three DCs. I was not able to run the command you gave. Used Get-ADDomainController -Filter *
    Not working on FSMO yet
    Windows Server 2008 is already demoted but still seeing references to it.
    I used the Dtonias steps to remove the Windows Server 2008 from Users and Computers and Sites and Services.
    Now the Windows Server 2008 does show in the reverse lookup zones, 1.168.192.in-addr.arpa. Deleted the record.
    The reverse lookup zone still looks different compared to the other DCs. There is 0.in-addr.arpa, 127.in-addr.arpa and 255.in-addr.arpa. The other DCs do not have such entries.

