7,023 questions
The LDAP Browser option in NetTools will decode the dnsrecord attribute, these will be displayed in the same order as adsiedit, then you can use adsiedit to delete the same entry in attribute.
Gary.
Delete SRV DNS Records for Orphaned DC
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 42%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Broonster
51
Reputation points
Hi There,
I'm having the issue where I can't delete the SRV DNS records for a DC that wasn't properly demoted. Using ADSIedit I have manged to properly delete nearly all of them but I can't work out how to delete the one in _ldap._tcp.dc._msdcs.
When I go into ADSIedit the value I need to delete is one of the 150 hex values stored in the dnsRecord attribute but I haven't a clue which one to delete as I forgot to keep a copy of the hex value before I removed it from the other attributes as part of this cleanup process.
Any idea how I can find the correct value to delete?
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Accepted answer
-
Gary Reynolds 9,621 Reputation points2022-06-19T02:32:01.957+00:00 -
Broonster 51 Reputation points
2022-06-21T02:31:27.747+00:00 I I downloaded the tool but it doesn't display the attribute values in the same order as ADSIedit. However when I look at the values using the tool I don't actually see the problematic DC listed so I'm wondering if I'm looking the wrong place for the to get this record removed.
I also noticed that the name of the DC is in uppercase and there are records for 4 other previously demoted DCs, all also in upper case, still under _ldap._tcp.dc._msdcs. I know there was this issue https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-registers-duplicate-srv-records-for-dc issue with 2016 and 2019 DCs and while I have a mix of 2012 R2 and 2019 DCs in my domain the fix of demoting the DC, renaming it, and then promoting it again doesn't apply since these DCs have all been demoted permanently and won't be coming back with the same name.
How I get rid of these records?
-
Gary Reynolds 9,621 Reputation points
2022-06-21T07:04:05.963+00:00 I can't see the command you ran for the powershell command above but the srv record will be under _msdcs.<domain> with the record called _ldap._tcp.dc and the value stored in the dnsrecord attribute.
You need to check which AD integration you have used for the _msdcs zone to confirm you are looking the correct application/domain partition.
Windows 2000 = domain partition _ system, microsoftDns
All dcs in domain = domainDnsZones app partition
All dcs in forest = forestDnsZones app partitionGary.
-
Broonster 51 Reputation points
2022-06-21T07:36:02.437+00:00 Apologies, i was looking in the wrong place, I was originally looking under _ldap._tcp. but I found the problem attribute value under _ldap._tcp.dc._msdcs where I should have been looking. But the problem still stands that the values returned by the ldap browser are not in the same order as they are returned by ADSIedit.
-
Gary Reynolds 9,621 Reputation points
2022-06-21T07:48:32.22+00:00 Use the hex dump option from the context menu in ldap browser, this will give you both the hex values in order and use this to locate the value that you need to delete in adsiedit.
Gary.
-
Broonster 51 Reputation points
2022-06-21T20:47:22.353+00:00 Ah, that did it, thank you so much for your help.
Sign in to comment -
6 additional answers
Sort by: Most helpful
-
Riaan-VS 386 Reputation points2022-06-17T06:17:04.163+00:00 Is your DC still listed in Sites & Services?
-
Broonster 51 Reputation points
2022-06-17T06:29:46.037+00:00 No, all that metadata has been deleted, it's just these last couple of DNS that are left.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 96%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Agarwal, Mayank 6 Reputation points2023-01-12T06:31:20.85+00:00 Please check this powershell script to find and delete all dns entries for an orphaned DC
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-06-17T12:53:51.83+00:00 Read on here.
https://devblogs.microsoft.com/scripting/clean-up-domain-controller-dns-records-with-powershell/--please don't forget to
upvoteandAccept as answerif the reply is helpful---
Anonymous
2022-06-18T13:01:49.247+00:00 Just checking if there's any progress or updates?
--please don't forget to
upvoteandAccept as answerif the reply is helpful-- -
Broonster 51 Reputation points
2022-06-18T22:20:14.247+00:00 Yeah, i've been through that and it doesn't work, when you delete the records using the Powershell commands they just come back. The only way to get rid of them is to go into ADSIedit and delete them from the application partition but the problem is identifying the correct one delete when you have 150 domain controllers in your forest.
Sign in to comment -
-
Anonymous
2022-06-18T22:34:42.697+00:00 Maybe this tool helps.
https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer--please don't forget to
upvoteandAccept as answerif the reply is helpful--