SRV Records listing old DC in ACL

MISAdmin 386 Reputation points
2021-08-26T11:05:15.973+00:00

Hello. I finally replaced my 2012 DCs with 2019. One of the 2012 DCs was a VM. I'm seeing this VM's account listed in the ACL of many SRV records. These are the records in DNS-Forward Lookup Zones-[our domain name]... in the _tcp and _udp folders. How do I clean up the ACL on all these records?


Accepted answer
  1. Anonymous
    2021-08-27T15:54:33.107+00:00

    Ok, I don't have any machine accounts listed here so they may have been manually added. I'd probably look for and delete from the parent level.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


18 additional answers

  1. Anonymous
    2021-08-26T12:44:04.497+00:00

  2. MISAdmin 386 Reputation points
    2021-08-26T12:53:19.077+00:00

    Thanks. I saw these methods but they show how to remove the old server if left behind in Active Directory Users & Computers or Sites & Services. Mine is cleared from these locations. The only place I see a reference now is in the ACL of the DNS domain SRV Records. One of the servers has permissions in a bunch of these records. I can see by the timestamp of these records that they are being updated. Whatever is updating them is not removing that server from the ACL.


  3. Anonymous
    2021-08-26T12:56:08.977+00:00

    I'd work through the steps anyway. This tool may also help to locate remnants.
    https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Limitless Technology 39,931 Reputation points
    2021-08-26T16:33:04.14+00:00

    Hello @MISAdmin

    If you had an old Domain Controller you needed to get rid of, cleaning up all the DNS records of a now dead DC left behind can be tedious. Here is an easy way to delete all DNS records related to a Domain Controller with a single PowerShell command.

    First, let’s create an array of all the records in the zone _msdcs.something.com:

    $dnsrecords = Get-DnsServerResourceRecord -ZoneName "_msdcs.something.com"

    This outputs everything in your zone.

    The data you need to filter on is part of the “RecordData” data column which in and of itself is an array of data. And to isolate the DC you want to clean up, you will need to filter the resulting data. For that, you will filter on some of the attributes available in the RecordData record set, specifically, IPv4Address, NameServer and DomainName.

    $deadDC = $dnsrecords | Where-Object {$_.RecordData.IPv4Address -eq "192.168.50.15" -or $_.RecordData.NameServer -eq "DC02.something.com." -or $_.RecordData.DomainName -eq "DC02.something.com."}

    Now you have all the DNS records for your dead Domain Controller in one array!

    From here, it is super easy to delete them all, simply by calling the Remove-DnsServerResourceRecord cmdlet against the array and the zone! Now run that as a “What if” to confirm:

    $deadDC | Remove-DnsServerResourceRecord -ZoneName "_msdcs.something.com" -WhatIf

    And now simply remove the what if and the records are gone! No manual clean up.

    So, if I were to bring all those components into one command, the result is:

    Get-DnsServerResourceRecord -ZoneName "_msdcs.something.com" | `
    Where-Object {$_.RecordData.IPv4Address -eq "192.168.50.15" `
    -or $_.RecordData.NameServer -eq "DC02.something.com." -or `
    $_.RecordData.DomainName -eq "DC02.something.com."} | Remove-DnsServerResourceRecord -ZoneName "_msdcs.something.com" -Force

    Simple really.

    Regards,

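The answers above cover deleting the dead DC's own records, but the question is about the ACLs on SRV records that other DCs keep refreshing. The script below is an added example, not code from this thread or from Microsoft: it walks the dnsNode objects of an AD-integrated zone, reports every ACE that still names the retired DC's account (by name, or as an unresolvable SID once the account is gone), and removes the explicit ones. Inherited ACEs are reported but left alone, because they come from the zone container, the "parent level" the accepted answer points at. The zone DN, domain and account name are assumptions and must be changed for your environment.

```powershell
# Added example, not code from the thread or from Microsoft: report (and, when run without
# -WhatIf, remove) ACEs on AD-integrated SRV record objects (class dnsNode) that still name
# a decommissioned DC's computer account.
# Assumptions to adjust: the zone lives in the DomainDnsZones partition of contoso.com and
# the old DC's account was CONTOSO\OLDDC2012$ (both hypothetical).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZoneDn = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com',
    [string]$StaleAccount = 'CONTOSO\OLDDC2012$'
)

Import-Module ActiveDirectory   # Get-ADObject plus the AD: drive that Get-Acl/Set-Acl use

function Test-StaleIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Once the computer account is deleted its ACEs show up as bare, unresolvable SIDs;
    # if the account still exists the ACE resolves to DOMAIN\NAME$.
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return $true }
    return ($Identity.Value -ieq $StaleAccount)
}

# dnsNode objects are direct children of the zone container; keep only the _tcp/_udp SRV nodes.
$nodes = Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
    Where-Object { $_.Name -match '\._(tcp|udp)' }

$report = foreach ($node in $nodes) {
    $path  = "AD:\$($node.DistinguishedName)"
    $acl   = Get-Acl -Path $path
    $stale = @($acl.Access | Where-Object { Test-StaleIdentity $_.IdentityReference })
    if ($stale.Count -eq 0) { continue }

    $changed = $false
    foreach ($ace in $stale) {
        # One report row per stale ACE, emitted before any change is made
        [pscustomobject]@{
            Node      = $node.Name
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
        # An inherited ACE cannot be removed on the record itself; it flows down from the
        # zone container (the "parent level") and has to be removed there instead.
        if ($ace.IsInherited) { continue }
        if ($PSCmdlet.ShouldProcess($node.Name, "Remove ACE for $($ace.IdentityReference.Value)")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    # Write the modified DACL back once per record, not once per ACE
    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}

$report | Format-Table -AutoSize
```

Run it first as `.\Clean-SrvAcl.ps1 -WhatIf` (any file name works) and read the report: the unresolved-SID check flags every orphaned SID on those records, not only the old DC's, so confirm each row before running without -WhatIf. Rows with Inherited = True are the signal that the stale entry sits on the zone container; fixing it there, with the same Get-Acl/Set-Acl pattern on the zone's DN, clears it from every record at once. The account running the script needs WriteDACL on the zone, which in practice means a Domain Admin or DnsAdmins member.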
