Caro said:
Desmond,
Thanks for your prompt and accurate reply. I have reviewed these and related
articles and they seem to address the situation we are currently
experiencing. One remaining question: does the offending server need to be
connected to the domain in order to force removal from AD?
No, that is what "forceremoval" is about.
In other words,
can I simply have it not connected to the network and still force a
removal?
Yes, but it is better to do it online IF that
is practical.
Usually failure to demote is a DNS issue,
just like other authentication and replication
issues.
Now it may not matter but if you have other
DNS problems then fixing them now can put
you ahead so....
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
....or maybe:
dcdiag /fix
(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
--
Herb Martin
Thanks,
Brad
Desmond Lee said:
Try
http://support.microsoft.com/default.aspx?scid=KB;EN-US;332199
http://support.microsoft.com/default.aspx?scid=KB;[LN];216498
and let us know if they help. Thanks!
Caro said:
Herb,
Good threads but I have one question for you. We are having a problem
demoting a W2K3 DC to member for ultimate removal from the domain. Although
all FSMO roles have been transferred in addition to the GC, it still will not
go through the DCPromo process, failing because replication of the FSMO roles
had failed. Yet it has had three weeks to complete the replication, no Evt
Vwr messages relate any replication problems, and both DCs list the new DC
with all the FSMO roles and GC as well. We may have to simply yank the
offending DC off the domain and rebuild it. If this is the case, I need to
know what needs to be done to "tidy up" the domain.
Thanks,
Brad
:
I have two servers that I would like to remove from our network. We are
running Windows 2003 Active Directory in a mixed environment. Windows 2000
and Windows 2003 servers.
1 - Windows 2000 and a Windows 2003 servers. They both are member servers
in our network. They both run applications that are not needed anymore. Can I
just delete the servers from AD?
If they are not DCs, you can do that.
(DCs really need to be removed by DCPromo
while the DCs are still online with the remaining
DCs -- or else there is a tedious process to clean
up the left over mess.)
Also note, this just covers AD -- if those servers
are hard coded on any clients or other locations
those need cleaning up too: file server, profile
server (AD user properties), home directory
server, DNS/WINS (by IP), etc.
--
Herb Martin
TIA
Michael
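
The DCDiag check suggested in the thread (run it against each DC, send the output to a text file, search for FAIL, ERROR, WARN) can be scripted as below. This is an added example, not code from any poster in the thread; the DC names and output folder are placeholders, and it assumes dcdiag.exe is on the PATH of the machine running it.

```powershell
# Added example. DC names and the report folder are hypothetical placeholders.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),
    [string]$OutDir = (Join-Path $env:TEMP 'dcdiag-reports')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$findings = foreach ($dc in $DomainControllers) {
    $report = Join-Path $OutDir "$dc-dcdiag.txt"

    # /s: points dcdiag at one DC; stdout and stderr both go to a per-DC text file.
    & dcdiag.exe "/s:$dc" 2>&1 | Out-File -FilePath $report -Encoding ascii

    # An empty report means dcdiag produced nothing at all; flag it rather than
    # letting the DC silently look clean.
    if ((Get-Item $report).Length -eq 0) {
        [pscustomobject]@{ DC = $dc; Line = 0; Text = 'No dcdiag output captured' }
        continue
    }

    # Select-String is case-insensitive by default, so this also matches
    # "failed test ...", "Warning:" and "error" lines.
    Select-String -Path $report -Pattern 'FAIL|ERROR|WARN' | ForEach-Object {
        [pscustomobject]@{
            DC   = $dc
            Line = $_.LineNumber
            Text = $_.Line.Trim()
        }
    }
}

if ($findings) {
    # One row per suspicious line, with the DC and the line number in its report.
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No FAIL/ERROR/WARN lines in $($DomainControllers.Count) report(s) under $OutDir."
}
```

The full per-DC reports stay in the output folder, so a flagged line can be read in context by opening the file at the reported line number.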