Sunday, 23 March 2014

Windows Server 2012: Remove a corrupt/failed domain controller from Active Directory + FSMO seizing


My test lab consists of three Domain Controllers (DCs): DC01, DC02, and DC03.

The scenario is as follows:

DC01 hosts the five Flexible Single Master Operations (FSMO) roles.

The DNS zone is Active Directory-integrated and is therefore stored in an application partition of our Active Directory database.

DC02 and DC03 are two Read/Write Domain Controllers (RWDCs).

DC01 failed and we can't recover it. No backup exists (:-/).

We will have to:

1) Seize the five FSMO roles.
2) Remove the failed DC from our Active Directory database.

1) Seizing FSMO roles

We connect to DC02 (this DC works properly, and we’ll seize the FSMO roles on it).

Once connected to DC02, launch a command prompt and enter the "ntdsutil" command.

Now, enter the "roles" command. The prompt now displays "fsmo maintenance:". At this point, you can type "?" and press Enter to list all available options.

First come the seize operations, then the transfer operations. There is also the "Connections" command, which lets us connect to DC02.

Let’s go, enter the "Connections" command.

The prompt waits for us to indicate which DC to connect to. It says "server connections: _". We have to enter "connect to server DC02".

Ntdsutil is now connected to DC02. Enter "q" to quit the connection utility.

At this point, we can begin the seizing of the FSMO roles. Here are the commands to enter:

seize naming master
seize PDC
seize RID master
seize schema master
seize infrastructure master

Let's begin by seizing the domain naming master role: "seize naming master". A dialog box opens to confirm the command you entered. Click "Yes".

Here's what you will see at the prompt. Ntdsutil first attempts to transfer the role. It encounters an error (DC01 doesn't exist anymore) and then begins seizing the role. Nice.

Repeat this step for the other four FSMO roles until all five are seized.

For the more paranoid among us, you can verify that DC02 holds the roles you just seized by entering the following command:

netdom query /domain:labo fsmo

Replace labo with your domain name.

Ok, that’s good. We can go further.

2) Remove the DC from our Active Directory database

According to TechNet, there is no need to perform a separate metadata cleanup after the forced removal of a DC:
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server 2008 or Windows Server 2008 R2 to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.

We will check this to see if the DNS records are purged.

Before deleting DC01, we can test the waters by checking some DNS records (SRV resource records). We can see the records for DC01.

I do not have a screenshot of all the records, but you get the idea ;-)

The DNS A and NS records are also present.

According to TechNet, the failed DC can be deleted with RSAT, ADUC (Active Directory Users and Computers), ADSS (Active Directory Sites and Services) or ntdsutil. We chose ADUC. Find your failed DC in the Domain Controllers OU, then right-click > "Delete".

A first warning pops up. Click the "Yes" button; that's what we came here for ;-)

A second warning pops up, reminding us that a DC should normally be removed with dcpromo. Tick the checkbox "This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO)".

Click the "Delete" button.

Since DC01 is also a global catalog server, another confirmation request appears; click "Yes".

Let's check the DNS again. Good news! Everything seems to be purged.

Here an NS record has not been removed, but let's let scavenging do its job.

The same here.

A check in the ADSS console reveals that DC01 is still present. I chose to remove it via the "Delete" option. A dialog box appears.

Answer by clicking "Yes".

Now, we have to check replication (do it on DC03 too):

repadmin /showrepl

dcdiag /test:replications

dcdiag /test:netlogons

To complete the checks, I created an Organizational Unit (OU) on DC02; after replication, the OU appeared on DC03.
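As an added example (not the post's own commands), the following PowerShell script automates the verification the post does by hand after the seizure and the deletion: it checks that every FSMO role holder is DC02, that DC01 is no longer registered as a DC, that no SRV/NS/A records still reference it, and then runs the same repadmin/dcdiag checks. The DC names follow the lab above; the script assumes the RSAT ActiveDirectory and DnsServer modules are installed on the DC it runs on.

```powershell
# Added example, not from the original post: verify the state the post reaches by hand.
# Requires the RSAT ActiveDirectory and DnsServer modules; run on a surviving DC (DC02).
# (The ntdsutil seizure itself has a cmdlet equivalent:
#  Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole <roles> -Force)
param(
    [string]$ExpectedHolder = 'DC02',   # DC that seized the five roles
    [string]$FailedDc       = 'DC01'    # DC that was removed
)
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# 1) Each FSMO role holder (returned as an FQDN) must be the surviving DC.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $ok = ($r.Value -split '\.')[0] -ieq $ExpectedHolder
    '{0,-22} {1,-30} {2}' -f $r.Key, $r.Value, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 2) The failed DC must no longer be registered (its NTDS Settings object is
#    removed by the metadata cleanup that ADUC performs on deletion).
if (Get-ADDomainController -Filter "Name -eq '$FailedDc'") {
    Write-Warning "$FailedDc is still registered as a DC: metadata cleanup did not complete."
} else {
    "$FailedDc is no longer registered as a domain controller."
}

# 3) SRV, NS or A records still pointing at the dead DC send clients to a server that
#    will never answer; list them so they can be deleted rather than waiting on scavenging.
$zone  = $domain.DNSRoot
$stale = Get-DnsServerResourceRecord -ZoneName $zone | Where-Object {
    ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$FailedDc.*") -or
    ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$FailedDc.*") -or
    ($_.RecordType -eq 'A'   -and $_.HostName -ieq $FailedDc)
}
if ($stale) { "Stale DNS records for ${FailedDc}:"; $stale | Format-Table HostName, RecordType, RecordData -AutoSize }
else        { "No DNS records referencing $FailedDc remain in $zone." }

# 4) Replication health, the same checks the post runs by hand.
repadmin /showrepl
dcdiag /test:replications /test:netlogons
```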

2 comments:

  1. Thanks! I was very nervous about deleting my dead domain controller with all the warnings; it was very comforting to see you show all the possible messages and outcomes. Thanks for sharing in such detail.