Good, now we learn how to clean the Active Directory objects orphans. A common case is when a domain controller fails, or when trying to remove it but it is not possible. So it is in those moments where we remove objects manually. I emphasize that this procedure applies to domain controllers on Windows Server 2003 SP1 onwards. You can perform this procedure on Windows 2000/2003, but I recommend you review the following Microsoft article: http://support.microsoft.com/kb/216498/en-us .
Steps:
- First we must ensure that FSMO roles are hosted on domain controllers working in production. Something very common is that domain controllers have roles suffer from HW or SW failures. We must therefore seize the FSMO roles. Remember that a domain needs to have 3 and a forest FSMO roles have 2 FSMO roles. Eg A single domain has 05 FSMO roles, it is a forest. Ie the parent domain peru.local has 5 FSMO roles but only 03 lima.peru.local child domain roles. You can see the procedure or seize Seize FSMO roles: http://exchangepro.blogspot.com/2007/12/transferencia-y-apoderamiento-de-roles.html . Using
- utility netdom query fsmo can see which domain controller holds the FSMO roles.
- Start, Run, type cmd or command line .
- ntdsutil write.
- ntdsutil: metadata cleanup
- metadata cleanup: connections
- server connections: connect to server xxxxxx (where xx is the domain controller where you'll switch to clean the AD).
- server connections: q
- metadata cleanup: select operation target
- select operation target: list domains (List domains).
- select operation target: select domain% , where% is the number that identifies the domain where the domain controller to be removed.
- select operation target: list sites (List of sites).
- select operation target: select site% where % Is the number that identifies the site where the domain controller to be removed.
- select operation target: list servers in site (List of domain controllers in the site previously selected.)
- select operation target: select server% , where% is the number that identifies the domain controller to remove
- select operation target: q
- metadata cleanup: remove selected server . We must accept the message that informs us that will remove a DC.
- Login to Active Directory Sites and Services and expand servers and remove the domain controller manually. Using the server right click and select Delete .
- We entered the adsiedit.msc (We have installed the Support Tools), and stir the following records:
- * OU = Domain Controllers, DC = exchangePro, DC = local
* CN = Default-First-Site-Name, CN = Sites, CN = Configuration, DC = exchangePro, DC = local
* CN = Domain System Volume (SYSVOL share), CN = File Replication Service, CN = System, DC = exchangePro, DC = local
- We enter the DNS console housing management. Eliminate all records associated with that server, type NS and A (Host). EYE : We consider that within the DNS zones are registered other servers to resolve DNS queries. Otherwise there will be problems with name resolution service.
We access
If we are removing the last domain controller or the last domain controller of a child, we must do the following: We entered the
- Adsiedit.msc and found that there is no record of the domain controller manually removed . Expand
- container: CN Domain, expand DC = yourdomain , DC = local , Expand System , select Domain Trust right click and Delete .
http://support.microsoft.com/kb/555846/en-us http://support.microsoft.com/kb/216498/en-us
Greetings!
Video:
0 comments:
Post a Comment