Cleaning up AD


vickyg

I had built a Windows 2000 server as a test box and installed Active
Directory on it to make it its own domain, inadvertently making it a
part of an already existing Forest. Realizing this is not what I
wanted to do as I wanted to create a test environment in its own Forest
and not part of the existing Forest or Primary Domain, I just went
ahead and rebuilt the server, and reinstalled AD and made it a part of
its own Forest. After finishing with the test environment, I demoted
the server to uninstall AD and made it a stand-alone server - no AD,
nothing, which has been almost a month now.

Well, in the main server, which is the primary Domain, in the event
viewer there are references to the old test domain. Also, under AD
Domains and Trusts of the primary Domain, there is a reference to the
old domain. What's the best way to clean up references to the
nonexistent domain?
 
vickyg said:
I had built a Windows 2000 server as a test box and installed Active
Directory on it to make it its own domain, inadvertently making it a
part of an already existing Forest. Realizing this is not what I
wanted to do as I wanted to create a test environment in its own Forest
and not part of the existing Forest or Primary Domain, I just went
ahead and rebuilt the server, and reinstalled AD and made it a part of
its own Forest. After finishing with the test environment, I demoted
the server to uninstall AD and made it a stand-alone server - no AD,
nothing, which has been almost a month now.

Well, in the main server, which is the primary Domain, in the event
viewer there are references to the old test domain. Also, under AD
Domains and Trusts of the primary Domain, there is a reference to the
old domain. What's the best way to clean up references to the
nonexistent domain?

You have already discovered the BEST way is (was) to do the
DCPromo's of the departing the forest while it is still online but
it is not a tragedy if you omitted that. (Just tedious and irritating.)

The key is "NTDSutil metadata cleanup":

Search Google for:

[ NTDSutil "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft:
since the NTDSutil and other terms make it Microsoft specific
by itself.

Unless you WISH to restrict answers to the site:microsoft.com
for some reason.

[ NTDSutil "metadata cleanup" remove DC Domain site:microsoft.com ]

Key points to NOTE when doing the metadata cleanup:

You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN.

'Connect' and 'Select' are technical terms in this context.

216498 - HOW TO Remove Data in Active Directory After an
Unsuccessful Domain Controller Demotion (2000 & 2003):
http://support.microsoft.com/?id=216498
 
Will the removed DC eventually get cleared or "go away" given enough
time?
My main concern is that I don't want to mess up the primary DC by
running a utility that I'm not familiar with....
 
vickyg said:
Will the removed DC eventually get cleared or "go away" given enough
time?

No, never. Neither will the removed domain even if you
delete the last DC object from that domain.

You must (eventually*) perform the (tedious but not difficult)
NTDS metadata cleanup procedure.

vickyg said:
My main concern is that I don't want to mess up the primary DC by
running a utility that I'm not familiar with....

Reasonable attitude, but you must eventually* learn this and it might
as well be now to stop the replication error messages and increase
efficiency.

It is NOT particularly dangerous due to the extreme TEDIOUSNESS
of the procedure -- it's a bunch of steps you must get right before
anything will go away and you are going to need to be CONNECTED
to the existing DC which will somewhat protect IT.

The final step is that you must explicitly issue the delete command.

When you do, it will pop up and ask if you are sure -- one last
chance to confirm.

Do each "missing" DC from the missing domain; then do the domain
itself to "cleanup" your existing forest.

*Eventually actually means before you can install anything that
changes the schema (e.g., Win2003 upgrade of the domain, Exchange,
Enterprise level ISA-Proxy server.)

But you really ought to do it now. I have never heard of anyone
screwing up their existing domain by following the procedures --
the only way would be to SELECT the WRONG DCs for deletion.

Remember, you CONNECT to the RUNNING DC, and
you SELECT the lost DCs and then the lost Domain.

If you just keep those two words straight, the instructions in the
included article are perfectly clear.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
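
The CONNECT/SELECT sequence described in the reply above, as an added example that is not part of the original thread or of KB 216498: a batch wrapper that passes ntdsutil's metadata cleanup commands as command-line arguments, with read-only listing passes kept separate from the removal passes. The DC name `dc01.corp.example` is a placeholder and the subcommand names (`list`, `servers`, `remove-server`, `remove-domain`) are hypothetical names chosen for this example.

```bat
@echo off
setlocal
REM Added example, not from the thread. WORKING_DC is a placeholder (assumption).
REM CONNECT target: a healthy, running DC in the forest being cleaned up.
set WORKING_DC=dc01.corp.example

if /i "%~1"=="list"          goto :list
if /i "%~1"=="servers"       goto :servers
if /i "%~1"=="remove-server" goto :remove_server
if /i "%~1"=="remove-domain" goto :remove_domain
:usage
echo usage: %~nx0 list ^| servers D S ^| remove-server D S N ^| remove-domain D
echo        D, S, N are the index numbers printed by the list passes
exit /b 1

:list
REM Read-only: print the index numbers of the domains and sites in the forest.
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "list domains" "list sites" quit quit quit
exit /b

:servers
REM Read-only: print the servers in site S after selecting domain D.
if "%~3"=="" goto :usage
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "select domain %~2" "select site %~3" ^
  "list servers in site" quit quit quit
exit /b

:remove_server
REM SELECT target: the dead DC. Re-run the list passes first and check that
REM the name ntdsutil echoes for the selection is the dead DC, not a live one.
if "%~4"=="" goto :usage
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "select domain %~2" "select site %~3" ^
  "select server %~4" quit "remove selected server" quit quit
exit /b

:remove_domain
REM Run only after every dead DC of that domain has been removed.
if "%~2"=="" goto :usage
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "select domain %~2" quit ^
  "remove selected domain" quit quit
exit /b
```

The removal passes still stop at ntdsutil's own confirmation prompt, which is the last chance to verify the selected object.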