Removing old records

Ron

About 3 weeks ago I replaced a Win2003 DC with a newer/faster machine.
The old/slow one was shut down after transferring FSMO roles, DNS etc.
The new server has run fine for about 3 weeks without the old one being
online, so I thought it is time to get rid of ALL entries in the DNS that
point to the old/slow server.

What exactly does the _msdcs folder do? I am NOT talking about the following
folder:

Forward Lookup Zones
  _msdcs.my-domain.com

... but I'm talking about this one:

Forward Lookup Zones
  my-domain.com
    _msdcs

When I look at the properties, there was an entry
"WS2003TEMP.my-domain.com" with IP address 192.168.1.236.

I deleted that entry and manually added New2003SRVR.my-domain.com at IP
192.168.1.20.

Now I can't see the Security tab entries. It shows "Unable to display
security information." Why is that? Is it normal?
 
Ron said:
> About 3 weeks ago I replaced a Win2003 DC with a newer/faster machine.
> [...]
> Now I can't see the Security tab entries. It shows "Unable to display
> security information." Why is that? Is it normal?

I take it that you just transferred the roles and turned the old DC off?

Did you run dcpromo on it to demote it out of the domain as a Domain
Controller?
If not, reconnect it, turn it on and run dcpromo; that will remove it from
Active Directory and it should de-register its records.

As far as the _msdcs subdomain goes, that is a delegation that has NS records
for all DNS servers that host the full _msdcs.my-domain.com zone; again, once
you demote it out of AD as a DC it should remove its NS record from the
delegation, too.

Also, did you make the new server a Global Catalog in AD Sites & Services?

All of these things must be done, or the old DC will haunt you from now on
until it is removed from Active Directory, because the new DC will try to
replicate to it.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
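Kevin's checklist above (demote, let Netlogon de-register, fix the _msdcs delegation, confirm the GC) is the procedure; what the thread does not show is how to find everything in DNS that still names the old machine, and why it matters. Stale A, NS, CNAME and SRV records for a decommissioned DC keep sending LDAP, Kerberos and delegated DNS traffic to 192.168.1.236, so whatever next answers on that address (a reissued DHCP lease, or a host an attacker places there) receives requests that clients believe are going to a domain controller. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and a DNS admin account, and it uses the thread's names and addresses as defaults. It reports every record in my-domain.com and _msdcs.my-domain.com whose target is the old host name or IP, including the _msdcs delegation NS entry Ron edited, and deletes them only when run with -Remove. One caveat that bears on Ron's manual edit: under secure dynamic update the account that creates a record owns it, so a record an administrator adds by hand is not owned by the new DC's computer account; the cleaner path is to delete the stale entries and let Netlogon on the new DC re-register its own.

```powershell
<#
  Added example (not from the original thread): find, and optionally remove,
  every DNS record that still points at a decommissioned DC.

  Assumptions: the DnsServer module is available (Windows Server 2012+ or
  RSAT); the script runs as a DNS admin against the surviving DC; zone,
  host names and addresses default to the ones in the thread.
  On Windows Server 2003 the equivalents are
  "dnscmd /EnumRecords <zone> @" and "dnscmd /RecordDelete <zone> <node> <type> <data> /f".
#>
param(
    [string]$DnsServer = 'New2003SRVR.my-domain.com',  # assumption: the new DC hosts DNS
    [string]$Domain    = 'my-domain.com',
    [string]$OldHost   = 'WS2003TEMP.my-domain.com',
    [string]$OldIp     = '192.168.1.236',
    [switch]$Remove                                     # without -Remove: report only
)

Import-Module DnsServer -ErrorAction Stop

# The domain zone holds the "_msdcs" delegation Ron edited; the separate
# _msdcs.<domain> zone holds the DC locator records.
$zones   = @($Domain, "_msdcs.$Domain")
$oldFqdn = $OldHost.TrimEnd('.').ToLower()
$stale   = @()

# Record types a DC registers, and where each one carries its target.
function Get-RecordTarget($rr) {
    switch ($rr.RecordType) {
        'A'     { return $rr.RecordData.IPv4Address.IPAddressToString }
        'NS'    { return $rr.RecordData.NameServer }        # zone NS and delegation NS
        'CNAME' { return $rr.RecordData.HostNameAlias }     # the DSA-GUID alias under _msdcs
        'SRV'   { return $rr.RecordData.DomainName }        # _ldap, _kerberos, _gc ... targets
        default { return $null }
    }
}

foreach ($zone in $zones) {
    foreach ($rr in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone) {
        $target = Get-RecordTarget $rr
        if (-not $target) { continue }
        $t = "$target".TrimEnd('.').ToLower()
        if ($t -eq $OldIp -or $t -eq $oldFqdn) {
            $stale += [pscustomobject]@{
                Zone = $zone; Name = $rr.HostName; Type = $rr.RecordType; Target = $t; Record = $rr
            }
        }
    }
}

if (-not $stale) {
    Write-Host "No records in $($zones -join ', ') reference $OldHost or $OldIp"
    return
}

$stale | Format-Table Zone, Name, Type, Target -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        # Deletes only the matching record, not the whole node, so the new DC's
        # records at the same name (e.g. the _msdcs NS delegation) survive.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone `
            -InputObject $s.Record -Force
        Write-Host "Removed $($s.Zone) $($s.Name) $($s.Type) -> $($s.Target)"
    }
    # Do not add the new DC's records by hand: under secure dynamic update the
    # creating account owns the record. Let Netlogon on the new DC re-register
    # so that its computer account is the owner.
    Write-Host "Now run on the new DC:  nltest /dsregdns   and   ipconfig /registerdns"
}
```

Run it once without -Remove and compare the list against what the new DC should own, then rerun with -Remove. The same enumeration and deletion are available on Windows Server 2003 through dnscmd, as noted in the header comment.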
 
Kevin said:
> I take it that you just transferred the Roles, and turned the old DC off?

No. I transferred FSMO roles and demoted the old DC. Then turned it off.

> Did you run Dcpromo on it to demote it out of the domain as a Domain
> Controller?

Yes, I did run dcpromo on the old server after transferring FSMO roles to
the new server and making the new server a GC server.

> If not reconnect it, turn it on and run DCpromo, that will remove it from
> Active Directory and it should de-register its records.

That's the problem. After demoting the old server, the old server's
records are still intact in the DNS. That is why I manually deleted the
records.

> As far the _msdcs sub domain, that is a delegation that has NS records for
> all DNS servers that have the full _msdcs.my-domain.com zone, again, once
> you demote it out of AD as a DC it should remove its NS record from the
> delegation, too.

I would think so too, but the old server's record is intact in that folder.
It shows:

Name: (same as parent folder)
Type: Name Server (NS)
Data: WS2003TEMP.my-domain.com

WS2003TEMP is the old server. I manually removed WS2003TEMP and added
the new server to the list of Name Servers.

> Also, did you make the new server a Global Catalog in AD Sites & Services?

Yes, I did make it a GC when the old DC was still online.

> All of these things must be done or the old DC will haunt you from now on
> until it is removed from Active Directory because the new DC will try to
> replicate to it.

I don't see any errors or warnings in the event logs. I'm just curious
why I can't see the security information under the Security tab, as I
mentioned earlier.
 
Ron said:
> I don't see any errors or warnings in the event logs. I'm just curious
> why I can't see the security information under the Security tab, as I
> mentioned earlier.

It is typically a DNS issue, like incorrectly using an external DNS in TCP/IP
properties.
Do the dcdiag and netdiag tests all pass?

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
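Kevin's two pointers, the DC's own TCP/IP DNS setting and the dcdiag/netdiag tests, can be turned into a repeatable check. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes it runs on the surviving DC/DNS server with the DnsClient, DnsServer and ActiveDirectory modules (Windows Server 2012 or later, or RSAT); the two ISP resolver addresses are RFC 5737 stand-ins, because the thread does not give them. It verifies that no external resolver appears in the interface's DNS server list (Kevin's point), that the ISP servers are where Ron put them, in Forwarders, and that the locator records domain members actually use (_ldap._tcp.dc._msdcs, _kerberos._tcp.dc._msdcs, _gc._tcp and the _msdcs NS delegation) name only DCs that AD still knows about. That last comparison is only as good as AD's own list: a DC that was never demoted, or whose metadata was never cleaned up, still counts as live here, which is Kevin's "it will haunt you" warning in another form; ntdsutil's metadata cleanup is the fix for that case.

```powershell
<#
  Added example (not from the original thread): the DNS-side checks behind
  Kevin's "external DNS in TCP/IP properties" and "dcdiag/netdiag" advice.
    1. The DC's own resolver list must contain internal DNS servers only.
    2. The ISP resolvers belong in Forwarders (where Ron has them) and nowhere else.
    3. The locator records clients use must resolve only to DCs AD still knows.
  Assumptions: run on the DC/DNS server with the DnsClient, DnsServer and
  ActiveDirectory modules (Windows Server 2012+ / RSAT). The ISP addresses
  are RFC 5737 stand-ins; the thread does not give the real ones.
#>
param(
    [string]$Domain   = 'my-domain.com',
    [string[]]$IspDns = @('203.0.113.53', '203.0.113.54')   # assumption: placeholders
)

$problems = @()

# 1. Resolver list on every IPv4 interface (TCP/IP properties).
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
if (-not $resolvers) { $problems += 'no DNS server configured in TCP/IP properties' }
foreach ($ip in $resolvers) {
    if ($IspDns -contains $ip) {
        $problems += "TCP/IP properties list ISP resolver $ip; it belongs in Forwarders"
    }
}

# 2. Forwarders: external resolvers are expected here, and only here.
$forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
foreach ($ip in $IspDns) {
    if ($forwarders -notcontains $ip) { $problems += "ISP resolver $ip is not configured as a forwarder" }
}

# 3. Locator records versus the DCs AD still knows about. A DC that was never
#    demoted, or never cleaned out of AD metadata, still appears in this list.
$liveDcs = (Get-ADDomainController -Filter * -Server $Domain).HostName |
    ForEach-Object { $_.TrimEnd('.').ToLower() }

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # "find me a DC"
    "_kerberos._tcp.dc._msdcs.$Domain",  # "find me a KDC"
    "_gc._tcp.$Domain"                   # "find me a global catalog"
)
foreach ($name in $srvNames) {
    $answers = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $answers) { $problems += "$name does not resolve"; continue }
    foreach ($a in $answers) {
        $target = $a.NameTarget.TrimEnd('.').ToLower()
        if ($liveDcs -notcontains $target) { $problems += "$name -> $target is not a current DC" }
    }
}

# The _msdcs delegation Ron edited by hand: its NS set must name only servers
# that still exist and host _msdcs.<domain>.
$nsAnswers = Resolve-DnsName -Name "_msdcs.$Domain" -Type NS -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'NS' }
if (-not $nsAnswers) { $problems += "_msdcs.$Domain has no NS records" }
foreach ($a in $nsAnswers) {
    $target = $a.NameHost.TrimEnd('.').ToLower()
    if ($liveDcs -notcontains $target) { $problems += "_msdcs.$Domain NS -> $target is not a current DC" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Resolver, forwarder and DC locator records are consistent; finish with 'dcdiag /test:dns /v'."
```

A non-zero exit means at least one of Kevin's conditions is not met; the warnings say which. Because the resolver queries go through the local DNS server, run it after the stale records have been removed and the new DC has re-registered (nltest /dsregdns), otherwise cached answers can still show the old host.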
 
Kevin said:
> It is typically a DNS issue, like incorrectly using an external DNS in TCP/IP
> properties.
> Do the dcdiag and netdiag tests all pass?

2 external DNS IP addresses (our ISP's DNS) are set in the Win2003 DNS
Forwarders tab.

I did a dcdiag /v and dcdiag /test:dns; both passed.
Netdiag /v also passed. No indication of errors, warnings, failures etc.

I haven't restarted the server since I removed the old DNS records. If
things work normally after rebooting the server, I guess I'll just
ignore it.
 