After Removing DNS ---> It's still in the Event Viewer !

[Marvin Miller]

Hi Folks;

I recently ran dcpromo on this machine and removed AD and DNS. Thing is, I
still have these entries in the event viewer;

DNS Server
Directory Service
File Replication Service

I can't seem to figure out where in the registry a person can get rid of
these things or if there's another trick to it.

Can anyone help with this?

 

[Kevin D. Goodknecht Sr. [MVP]]

Hi Folks;

I recently ran dcpromo on this machine and removed AD and DNS. Thing
is, I still have these entries in the event viewer;

DNS Server
Directory Service
File Replication Service

I can't seem to figure out where in the registry a person can get rid
of these things or if there's another trick to it.

Can anyone help with this?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Delete the subkeys for the logs you want to delete.

 

[Marvin Miller]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Delete the subkeys for the logs you want to delete.

Hi Kevin - thanks for the reply

I tried that but what happens is that when I open up event viewer after
deleting the appropriate subkeys I still get them listed there but now they
have a dred circle with an X through them. So they are not really gone fom
the display.

I wonder what the scoop is?

 

[Ace Fekay [MVP]]

In

Hi Kevin - thanks for the reply

I tried that but what happens is that when I open up event viewer
after deleting the appropriate subkeys I still get them listed there
but now they have a dred circle with an X through them. So they are
not really gone fom the display.

I wonder what the scoop is?

Do you see a dnsevent.evt file in the System32\Config folder?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

 

[Marvin Miller]

Hi Ace;

I sure do! I also see one for the file replication service that's also still
stuck in the event viewer after removing Active Directory

What's that mean? Do I need to delete them as well as the registry keys?

Thank You!
Marvin

In

Hi Kevin - thanks for the reply

I tried that but what happens is that when I open up event viewer
after deleting the appropriate subkeys I still get them listed there
but now they have a dred circle with an X through them. So they are
not really gone fom the display.

I wonder what the scoop is?

Do you see a dnsevent.evt file in the System32\Config folder?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

 

[Ace Fekay [MVP]]

In

Hi Ace;

I sure do! I also see one for the file replication service that's
also still stuck in the event viewer after removing Active Directory


What's that mean? Do I need to delete them as well as the registry
keys?

Thank You!
Marvin

You could delete them, but for best practice, rename them something like
..old and see what happens.

Ace

 

[Marvin Miller]

Hi Ace;

Same deal :-(

I started up Event Viewer and right clicked on the DNS category and chose
delete. I then renamed the files in teh registry .old and then deleted off
the registry entries - same thing. They are still listed in the left window
of Event Viewer but with a circle and a red X through them.

This is wierd. The computer was a DC and DCPROMO was run on it and Active
Directory was removed. The procedure worked well except for the Event
Viewer.

Best;
Marvin

 

[Kevin D. Goodknecht Sr. [MVP]]

Hi Ace;

Same deal :-(

I started up Event Viewer and right clicked on the DNS category and
chose delete. I then renamed the files in teh registry .old and then
deleted off the registry entries - same thing. They are still listed
in the left window of Event Viewer but with a circle and a red X
through them.

This is wierd. The computer was a DC and DCPROMO was run on it and
Active Directory was removed. The procedure worked well except for
the Event Viewer.

Did you actually uninstall the DNS service in Add/remove Programs?
If you didn't DNS is still installed and it needs the event log.

 

[Marvin Miller]

Did you actually uninstall the DNS service in Add/remove Programs?
If you didn't DNS is still installed and it needs the event log.

Hi Kevin;

I just checked and DNS is not installed. That gave me an idea though - I
re-installed and then un-installed it - but it's still there in the Event
Viewer along with Directory Service and File Replication Service.

I don't understand - running DCPROMO went well and the machine was demoted
back to a server but I guess it left pieces of itself behind.

Any other ideas on how to remove these puppies?

Thanks!
Marvin

 

[Ace Fekay [MVP]]

In

Hi Kevin;

I just checked and DNS is not installed. That gave me an idea though
- I re-installed and then un-installed it - but it's still there in
the Event Viewer along with Directory Service and File Replication
Service.

I don't understand - running DCPROMO went well and the machine was
demoted back to a server but I guess it left pieces of itself behind.

Any other ideas on how to remove these puppies?

Thanks!
Marvin

Dumb assumption on my part: I'm assuming you are selecting the correct spot
in the reg to do this, (such as CurrentControlSet, and not
CurrentControlSet001), etc ?

Ace

 

[Marvin Miller]

Hi Ace;

There's no dumb questions - At this point I can't understand why this isn't
working. The machine is solid, it's never been butchered or had goofy apps
installed on it etc - it's a quality machine.

I'm deleting the entire DNS Key located here;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server

In addition I tried renaming the dns related files in the config directory
earlier to .old and even re-booted the server after going in to event viewer
and right clicking on the DNS entry in the left pane and selecting delete.

It's worth noting that when I do that it does get deleted but it comes right
back the next time I open Event Viewer.

I'm just guessing - but it must be related to this machine having been a DC.
When I ran DCPROMO it worked properly and another machine became the
controller. The DNS Service is not installed and I've even tried
re-installing DNS and then removing it through Add/Remove Programs thinking
that would get rid of it - no dice.

Is there anything else I can do to get rid of it? I have the same problem
with Directory Service and File Replication Service being in the event
viewer too so it's not just the DNS entry.

Thanks!
Marvin

 

[Ace Fekay [MVP]]

In

Hi Ace;

There's no dumb questions - At this point I can't understand why this
isn't working. The machine is solid, it's never been butchered or had
goofy apps installed on it etc - it's a quality machine.

I'm deleting the entire DNS Key located here;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\DNS
Server

In addition I tried renaming the dns related files in the config
directory earlier to .old and even re-booted the server after going
in to event viewer and right clicking on the DNS entry in the left
pane and selecting delete.

It's worth noting that when I do that it does get deleted but it
comes right back the next time I open Event Viewer.

I'm just guessing - but it must be related to this machine having
been a DC. When I ran DCPROMO it worked properly and another machine
became the controller. The DNS Service is not installed and I've even
tried re-installing DNS and then removing it through Add/Remove
Programs thinking that would get rid of it - no dice.

Is there anything else I can do to get rid of it? I have the same
problem with Directory Service and File Replication Service being in
the event viewer too so it's not just the DNS entry.

Thanks!
Marvin

Those steps usually take care of it. I haven't come across any problems such
as this as of yet.

I posted to our private MVP group to see if anyone has any suggestions. I'll
post back either way.

Ace

 

[Marvin Miller]

Thanks Ace - I appreciate that as I'd love to keep these servers spotless

It may be worth noting that the event viewer entries (in the left pane) show
a red X through them when I manually delete the registry keys ~ but I'm just
guessing

 

[Ace Fekay [MVP]]

In

Thanks Ace - I appreciate that as I'd love to keep these servers
spotless
It may be worth noting that the event viewer entries (in the left
pane) show a red X through them when I manually delete the registry
keys ~ but I'm just guessing

Normally I would suggest a fresh install (format/install) whenever we make a
major role change. It cleans out all the old, and allows room for the new!


Anyway, here was the response. Part of it was the reg key, and belkeive
we've already discussed the .evt files, etc, but also check the article out
and follow the steps closely to make sure nothing was missed:

http://support.microsoft.com/?id=172156
In addition, delete:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server

Ace

 

[Herb Martin]

Anyway, here was the response. Part of it was the reg key, and belkeive

we've already discussed the .evt files, etc, but also check the article
out and follow the steps closely to make sure nothing was missed:

http://support.microsoft.com/?id=172156
In addition, delete:
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server

(I practically never suggest "fresh installs" so how
about a different approach?)

Install a copy of Windows Server in a test environment.

While watching (or checkpointing) both the file system
and the registry make it a DNS server, and then a DC.

Remove these, and determine the difference.

There is a programmers API for adding event logs; and
although I do not remember specifically (from the time
I wrote some test code to exercise this feature) my
belief is there must be a "remove an event log" API
call.

It might be trivial to write a program to do just that --
but one would THINK that either a file system or
registry change would contain the difference that
causes this.

[Actually, an empty event log is no big deal for
that matter.]

 

[Marvin Miller]

Hi Ace;

Doing a fresh install on this solid server is not really a solution I like

I did try the KB article but it's no dice. There must be another place in
the O/S that is storing the
DNS Server entry, the File Replication Service Entry and the Directory
Service Entry.

There has to be another place where that information is being stored because
it will still display the entry
just with a red stop sign through it.

Anyway, I guess there's not much I can do at this point. I do appreciate
everyone's help on this one - we tried!

Best & Thanks;
marvin

 

[Ace Fekay [MVP]]

In

Hi Ace;

Doing a fresh install on this solid server is not really a solution I
like
I did try the KB article but it's no dice. There must be another
place in the O/S that is storing the
DNS Server entry, the File Replication Service Entry and the Directory
Service Entry.

There has to be another place where that information is being stored
because it will still display the entry
just with a red stop sign through it.

Anyway, I guess there's not much I can do at this point. I do
appreciate everyone's help on this one - we tried!

Best & Thanks;
marvin

Well, sometimes I like to do a fresh install to remove all the old crap and
start fresh, but I know it is not always possible in many cases.

I posted back that it didn't help. Let's see if something else comes up.

In the meantime, if you would like to try something different, rename the
eventvw.msc and the *evt file (following the proc in that article), and copy
over one from another server that never had AD or DNS installed on it.

Ace

 

[Guest]

Hey Marvin,

might be a bit bone(!) but have you tried logged on as a different user? I
know the user profile will store settings related to mmc. I'm not sure if
this will help as you are using eventvwr.msc that I guess always just opens a
default view.

If I were you, I would delete the userprofile from the local machine and
also the roaming profile (if set).

Might be just worth a try?
Tom

 

[Ace Fekay [MVP]]

In

Hey Marvin,

might be a bit bone(!) but have you tried logged on as a different
user? I know the user profile will store settings related to mmc. I'm
not sure if this will help as you are using eventvwr.msc that I guess
always just opens a default view.

If I were you, I would delete the userprofile from the local machine
and also the roaming profile (if set).

Might be just worth a try?
Tom

That's a good idea. Hope it works because my thread in the private groups
about this just went silent. Not a good sign...

Ace

 

[Marvin Miller]

In

That's a good idea. Hope it works because my thread in the private groups
about this just went silent. Not a good sign...

Ace

Hi guys;

I did try that recently (because I changed the machine name) and it gave me
a new profile. The first thing I did was check the event viewer - and same
thing.

The only conclusion I can come down to is that that information is also
stored somewhere else on the system and that it probably has something to do
with this machine previsouly being an active directory domain controller.

The more I go along the more I think that Ace is right, a format is probably
going to be the only way to resolve this issue. I'm going to consider that
in the future but the server is solid - always has been and had never had
any junk installed on it.

Anyway - thanks guys. I appreciate the length of time you all spent on this
issue and your efforts to help with a solution.

Best;
Marvin