Hello everyone, I would appreciate your advice on how to remove traces of a recently demoted 2012 Std server.
Although the demotion appeared to go fine, there are still traces that are preventing the demotion of our last 2008 server.
-------------------------------------------------------------------------------
The Forest and Domain DNS infrastructure values are pointing to the retired server DC02, via ADSIEdit, DSQuery and LDP:
Value of: ForestDNS\DC=ForestDNSZones,DC=Mydomain,DC=com \ CN=Infrastructure:
CN=NTDS Settings\0ADEL:9677ee9c-e0e5-4682-9774-b25a26956851,CN=DC02\0ADEL:b306569a-59c2-4f6e-9153-3a2dbfb2875f,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Mydomain,DC=com
Value of: Domain DNS\DC=DomainDNSZones,DC=Mydomain,DC=com \ CN=Infrastructure:
CN=NTDS Settings\0ADEL:9677ee9c-e0e5-4682-9774-b25a26956851,CN=DC02\0ADEL:b306569a-59c2-4f6e-9153-3a2dbfb2875f,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Mydomain,DC=com
-------------------------------------------------------------------------------
Attempts to update the value manually error out and the vbs script in the below article fails on line 11 char 5 when run in an elevated cmd prompt:
ForestDNSZones or DomainDNSZones FSMO says “The role owner attribute could not be read”
https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/
What has happened is the DC who held the FSMO Role Holder for your DomainDNSZones or your ForestDNSZones (or both) application partition isn’t there anymore.
Someone deleted it, decommissioned it, basically it failed somewhere along the line but the DC owned one or more of your AD Integrated DNS Zones.
The deleted DC can be seen in the mess above after cn=___ and in most cases this means someone had to do metadata cleanup and forcibly removed the server from AD.
-------------------------------------------------------------------------------
The standard FSMO roles are fine:
C:\Windows\system32>netdom /query fsmo
Schema master GLDC01.Mydomain.com
Domain naming master GLDC01.Mydomain.com
PDC GLDC01.Mydomain.com
RID pool manager GLDC01.Mydomain.com
Infrastructure master GLDC01.Mydomain.com
The command completed successfully.
-------------------------------------------------------------------------------
The server is not seen in ADSIEdit to delete when searching by site:
How to remove data in Active Directory after an unsuccessful domain controller demotion
https://support.microsoft.com/en-us/help/216498/how-to-remove-data-in-active-directory-after-an-unsuccessful-domain-co
Example:
select operation target: list sites
...returns 7 sites correctly
select operation target: select site 0
select operation target: list servers in site
Found 2 server(s) - DC01 not there
select operation target: select site 1
select operation target: list servers in site
Found 1 server(s) - DC01 not there...just the 2008 R2 server I wish to demote
-------------------------------------------------------------------------------
Dssite.msc
The retired 2012 server was seen with no NTDS settings attached.
Manually deleted and confirmed the replication to other DCs...it is removed.
Clean Up Server Metadata
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816907(v=ws.10)
-------------------------------------------------------------------------------
ADSIEdit and LDP confirm the incorrect value is still seen for the Forest and Domain DNS application partition roles:
-------------------------------------------------------------------------------
FixFsmo.vbs script again fails at line 11 char 5
-------------------------------------------------------------------------------
Suggestions on how to clean up the metadata are greatly appreciated.
Goal: retire the 2008 R2 DC
Thank you!
Andy
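The repair fixfsmo.vbs performs, written as an added PowerShell example for the situation in the post (this is not code from the post, the linked articles, or Microsoft). It reads the fSMORoleOwner attribute of CN=Infrastructure in each DNS application partition, and if the value still points at a deleted object (the DN contains \0ADEL:) it replaces it with the NTDS Settings DN of a live DC. The names GLDC01.Mydomain.com, Mydomain.com and Site1 are taken from the post; that GLDC01 hosts both partitions and that the account running it is an Enterprise Admin are assumptions. Two points a practitioner should know: the new owner's NTDS Settings DN is read from that DC's own RootDSE (dsServiceName), which is what the vbs script does too, and the write is directed at that same DC, because a DC only accepts a fSMORoleOwner write whose value is its own NTDS Settings object; writing from a console connected to some other DC is the usual reason a manual ADSIEdit edit errors out.

```powershell
# Added example, not from the original post.
# Repairs a stale fSMORoleOwner on the Infrastructure object of the
# DomainDNSZones / ForestDNSZones application partitions.
# Assumptions: ActiveDirectory module available, run as Enterprise Admin,
# GLDC01.Mydomain.com is a live DC that hosts both partitions.
Import-Module ActiveDirectory

# The DC that will take over the role. All reads and the write go to this
# server, because a DC rejects a fSMORoleOwner value that is not itself.
$NewOwnerDc = 'GLDC01.Mydomain.com'

# Application partitions named in the post.
$Partitions = @(
    'DC=DomainDNSZones,DC=Mydomain,DC=com',
    'DC=ForestDNSZones,DC=Mydomain,DC=com'
)

# dsServiceName on RootDSE is the DC's own NTDS Settings DN, e.g.
# CN=NTDS Settings,CN=GLDC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Mydomain,DC=com
$rootDse      = Get-ADRootDSE -Server $NewOwnerDc
$NewOwnerNtds = $rootDse.dsServiceName
Write-Host "New role owner will be: $NewOwnerNtds"

foreach ($partition in $Partitions) {
    $infraDn = "CN=Infrastructure,$partition"
    $infra   = Get-ADObject -Identity $infraDn -Server $NewOwnerDc -Properties fSMORoleOwner
    Write-Host "$infraDn"
    Write-Host "  current fSMORoleOwner: $($infra.fSMORoleOwner)"

    # "\0ADEL:" in the DN means the owner is a deleted (tombstoned) object,
    # i.e. a DC that was removed with metadata cleanup or a failed demotion.
    if ($infra.fSMORoleOwner -like '*\0ADEL:*') {
        Set-ADObject -Identity $infraDn -Server $NewOwnerDc `
                     -Replace @{ fSMORoleOwner = $NewOwnerNtds }

        # Read it back from the same DC to confirm the write was accepted.
        $after = Get-ADObject -Identity $infraDn -Server $NewOwnerDc -Properties fSMORoleOwner
        Write-Host "  fixed  fSMORoleOwner: $($after.fSMORoleOwner)"
    }
    else {
        Write-Host "  owner is not a deleted object, nothing changed"
    }
}
```

After the write, let replication converge (or force it with repadmin /syncall) and re-check the attribute from another DC before attempting the 2008 R2 demotion again; the demotion checks that it is not the owner of these application partition roles, so the value must be visible on the DC being demoted, not only on GLDC01.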