MISAdmin-6413 asked

SRV Records listing old DC in ACL

Hello. I finally replaced my 2012 DCs with 2019. One of the 2012 DCs was a VM. I'm seeing this VM's account listed in the ACL of many SRV records. These are the records in DNS-Forward Lookup Zones-[our domain name]... in the _tcp and _udp folders. How do I clean up the ACL on all these records?

Tags: windows-active-directory, windows-server-2019, windows-dhcp-dns

DSPatrick answered

OK, I don't have any machine accounts listed here so they may have been manually added. I'd probably look for and delete from the parent level.

--please don't forget to upvote and Accept as answer if the reply is helpful--


Just checking if there's any progress or updates?


MISAdmin-6413 answered

Thanks. I saw these methods but they show how to remove the old server if left behind in Active Directory Users & Computers or Sites & Services. Mine is cleared from these locations. The only place I see a reference now is in the ACL of the DNS domain SRV Records. One of the servers has permissions in a bunch of these records. I can see by the timestamp of these records that they are being updated. Whatever is updating them is not removing that server from the ACL.


DSPatrick answered

I'd work through the steps anyway. This tool may also help to locate remnants.
https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer


LimitlessTechnology-2700 answered

Hello @MISAdmin-6413

If you had an old Domain Controller you needed to get rid of, cleaning up all the DNS records of a now dead DC left behind can be tedious. Here is an easy way to delete all DNS records related to a Domain Controller with a single PowerShell command.

First, let’s create an array of all the records in the zone _msdcs.something.com:

 $dnsrecords = Get-DnsServerResourceRecord -ZoneName "_msdcs.something.com"

This outputs everything in your zone.

The data you need to filter on is part of the “RecordData” data column which in and of itself is an array of data. And to isolate the DC you want to clean up, you will need to filter the resulting data. For that, you will filter on some of the attributes available in the RecordData record set, specifically, IPv4Address, NameServer and DomainName.

 $deadDC = $dnsrecords | Where-Object {$_.RecordData.IPv4Address -eq "192.168.50.15" -or $_.RecordData.NameServer -eq "DC02.something.com." -or $_.RecordData.DomainName -eq "DC02.something.com."}

Now you have all the DNS records for your dead Domain Controller in one array!

From here, it is super easy to delete them all, simply by calling the Remove-DnsServerResourceRecord cmdlet against the array and the zone! Now run that as a “What if” to confirm:

 $deadDC | Remove-DnsServerResourceRecord -ZoneName "_msdcs.something.com" -WhatIf

And now simply remove the what if and the records are gone! No manual clean up.

So, if I were to bring all those components into one command, the result is:

 Get-DnsServerResourceRecord -ZoneName "_msdcs.something.com" |
     Where-Object {$_.RecordData.IPv4Address -eq "192.168.50.15" -or
                   $_.RecordData.NameServer -eq "DC02.something.com." -or
                   $_.RecordData.DomainName -eq "DC02.something.com."} |
     Remove-DnsServerResourceRecord -ZoneName "_msdcs.something.com" -Force

Simple really.

Regards,


DSPatrick answered

Just checking if there's any progress or updates?


MISAdmin-6413 answered

Hello LimitlessTechnology. Thanks for this PowerShell method. These commands do not find anything because I don't have any records of the old DNS server. What I have is records of the new DNS servers, but within those records, in the ACL, is the machine account of one of the retired DCs. It is listed (under the Security tab) as RetiredDCName$ with Write and Special permissions ticked.


DSPatrick answered

Do you have a screenshot?

MISAdmin-6413 answered

Here is an example. This is just the _ldap properties, but this DC is in the ACL of all the SRV records under the domain. The machine account crossed off in red is one of the old DCs, a DC that was removed successfully with Remove Roles & Features.

[Attachment: capture.jpg (screenshot)]

MISAdmin-6413 answered

Do you mean just highlight the machine account in the ACL and click on the remove button?
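Doing that by hand for every SRV record is the tedious part of this thread, so here is an added example (not from the thread or from any of its participants) that does the same thing in bulk: it walks the SRV dnsNode objects of an AD-integrated zone, reports every explicit ACE that still names the retired DC's computer account (or, optionally, a SID that no longer resolves, which is what a deleted account looks like), and purges them. The zone name, the account name and the DomainDnsZones partition are placeholders and assumptions; run it with -WhatIf first and keep the emitted audit records.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a zone that
# replicates to DomainDnsZones (pass -PartitionDN for ForestDnsZones or CN=System zones).
function Remove-StaleDnsNodeAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,   # e.g. 'contoso.com' (placeholder)
        [string]$RetiredAccount,                   # 'CONTOSO\RETIREDDC$' form (placeholder)
        [switch]$IncludeOrphanedSids,              # also purge ACEs whose SID no longer resolves
        [string]$PartitionDN
    )
    Import-Module ActiveDirectory
    if (-not $PartitionDN) { $PartitionDN = 'DC=DomainDnsZones,' + (Get-ADDomain).DistinguishedName }
    # Every owner name is a dnsNode directly under the zone object; SRV owner names
    # (_ldap._tcp, _kerberos._udp, ..._sites) all start with an underscore.
    $zoneDN = "DC=$ZoneName,CN=MicrosoftDNS,$PartitionDN"
    $nodes  = Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
                           -LDAPFilter '(&(objectClass=dnsNode)(name=_*))'
    foreach ($node in $nodes) {
        $path = 'AD:\' + $node.DistinguishedName
        $acl  = Get-Acl -Path $path
        # Explicit ACEs only (inherited ones are fixed at the zone, not per record).
        # A deleted account appears as an unresolved SecurityIdentifier, not as DOMAIN\NAME$.
        $stale = $acl.Access | Where-Object {
            -not $_.IsInherited -and (
                ($RetiredAccount -and $_.IdentityReference.Value -eq $RetiredAccount) -or
                ($IncludeOrphanedSids -and
                 $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier])
            )
        }
        if (-not $stale) { continue }
        # Audit record per stale ACE before touching anything (pipe the function to Export-Csv).
        foreach ($ace in $stale) {
            [pscustomobject]@{ Node = $node.Name; Identity = $ace.IdentityReference.Value
                               Rights = $ace.ActiveDirectoryRights; Type = $ace.AccessControlType }
        }
        $changed = $false
        foreach ($id in ($stale.IdentityReference | Sort-Object -Property Value -Unique)) {
            if ($PSCmdlet.ShouldProcess("$($node.Name) in $ZoneName", "Remove ACEs for $($id.Value)")) {
                $acl.PurgeAccessRules($id)   # drops every ACE held by that identity
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -Path $path -AclObject $acl }
    }
}
# Dry run first; re-run without -WhatIf to apply.
Remove-StaleDnsNodeAce -ZoneName 'contoso.com' -RetiredAccount 'CONTOSO\RETIREDDC$' -WhatIf
```

The records keep being re-registered by the live DCs' Netlogon dynamic updates, which is why their timestamps move while the leftover ACE stays; removing that ACE does not affect those updates, since each current DC writes under its own account.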
