Question : Why do I need to remove metadata from domain controller?
There were only two Windows 2003 server domain controllers (dc1 and dc3). AD works fine. dc1 has the RID master role. dc3 has the PDC and Infrastructure master roles. dc3 unexpectedly shut down due to a power supply issue. I thought dc1 also had the PDC and Infrastructure master roles (unfortunately wrong in this case), so I totally ignored dc3 (because its hardware is old) and installed dc2 from dc1, making dc2 the second DC with DNS on the network.

Problem: Unable to open security group policy. So I turned on dc3 (hardware issue resolved) and connected it to the network. dc1 took over the PDC master role successfully; dc2 failed to take over the Infrastructure master role from dc3, so dc2 forced the role and it shows successful. dc3 is disconnected from the network now. Able to open group security object. dc1 and dc2 now can see each other's role correctly.

Now:
Forward Lookup Zones\_msdcs\dc\_tcp shows SRV dc1, dc2, dc3
Forward Lookup Zones\_msdcs.myCorp.com\domains\xxx\_tcp shows SRV dc1, dc2, dc3
Forward Lookup Zones\_msdcs.myCorp.com\gc\_sites\Default-First-Site-Name\_tcp shows SRV dc1, dc3
Forward Lookup Zones\_msdcs.myCorp.com\PDC\_tcp shows SRV dc1
Forward Lookup Zones\myCorp.com\_msdcs shows NS dc1
Forward Lookup Zones\myCorp.com\_sites\Default-First-Site-Name\_tcp shows _gc dc1, dc3
Forward Lookup Zones\myCorp.com\_tcp shows _gc dc1, dc3

Q#1 Is such inconsistency an issue?
Q#2 how to remove dc3 nicely?
Q#3 how to replace dc3 with dc2?
Q#4. can retiring dc3 make the above information consistent?
Q#5. How to verify if any other roles left in dc3 and need to transfer to dc1/dc2?
Thanks.
Answer : Why do I need to remove metadata from domain controller?
You seized the infrastructure role? Keep DC03 off the network and remove the metadata; seizing the role should be reason enough not to bring the old DC back online.
Q#1 Is such inconsistency an issue? Initially the replication ring may still contain this server, eventually this will right itself.
Q#2 how to remove dc3 nicely? Run the metadata cleanup, it is not clean, but you will remove the replication objects and the item from AD.
Q#3 how to replace dc3 with dc2? Run the metadata cleaning, and seize the roles (if not already located somewhere) or transfer the roles to the new server if they are located on a machine at the moment.
Q#4. can retiring dc3 make the above information consistent? Well you have some manual work to carry out, but eventually the object will be removed. Manually remove the DNS entries as per the petri article.
Q#5. How to verify if any other roles left in dc3 and need to transfer to dc1/dc2? You can determine if the FSMOs are located on operation servers by issuing the following command sequence:
NTDSUTIL → roles → connections → connect to server LIVESERVER → Quit → select operation target → list roles for connected server
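
The manual DNS cleanup mentioned under Q#4 starts with knowing which containers still list the retired DC. The following is an added example, not part of the original answer: it parses the listing from the question and reports, per container, the dc3 entries to delete and which hosts remain afterwards. The function names are hypothetical, and it assumes dc1 and dc2 stay while dc3 is retired.

```python
import re

# Listing transcribed from the question (DNS console after dc3 was unplugged).
LISTING = r"""
Forward Lookup Zones\_msdcs\dc\_tcp shows SRV dc1, dc2, dc3
Forward Lookup Zones\_msdcs.myCorp.com\domains\xxx\_tcp shows SRV dc1, dc2, dc3
Forward Lookup Zones\_msdcs.myCorp.com\gc\_sites\Default-First-Site-Name\_tcp shows SRV dc1, dc3
Forward Lookup Zones\_msdcs.myCorp.com\PDC\_tcp shows SRV dc1
Forward Lookup Zones\myCorp.com\_msdcs shows NS dc1
Forward Lookup Zones\myCorp.com\_sites\Default-First-Site-Name\_tcp shows _gc dc1, dc3
Forward Lookup Zones\myCorp.com\_tcp shows _gc dc1, dc3
"""

LINE = re.compile(r"^(?P<path>.+?) shows (?P<rtype>\S+) (?P<hosts>.+)$")

def parse_listing(text):
    """Return [(container_path, record_type, [hosts])], one tuple per line."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        hosts = [h.strip().lower() for h in m["hosts"].split(",")]
        rows.append((m["path"], m["rtype"], hosts))
    return rows

def audit(rows, live_dcs, retired_dcs):
    """Per container: retired hosts to delete, hosts in neither set, what remains."""
    stale, unknown, remaining = {}, {}, {}
    for path, _rtype, hosts in rows:
        for h in hosts:
            if h in retired_dcs:
                stale.setdefault(path, []).append(h)
            elif h in live_dcs:
                remaining.setdefault(path, []).append(h)
            else:
                unknown.setdefault(path, []).append(h)
    return stale, unknown, remaining

if __name__ == "__main__":
    # Assumption from the thread: dc1 and dc2 stay, dc3 is being retired.
    stale, unknown, remaining = audit(parse_listing(LISTING), {"dc1", "dc2"}, {"dc3"})
    for path, hosts in stale.items():
        left = ", ".join(remaining.get(path, [])) or "nothing"
        print(f"delete {', '.join(hosts)} from {path} (leaves {left})")
    for path, hosts in unknown.items():
        print(f"unexpected {', '.join(hosts)} in {path}")
```

On the question's listing, five containers still reference dc3, and the `_gc` containers are left with dc1 only once those entries are removed.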