Deleting a failed Domain Controller object from Active Directory

When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you began to promote a member server to be a Domain Controller and failed (the reasons for your failure are not important for the scope of this article), you will be left with remains of the DCs object in the Active Directory. As part of a successful demotion process, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects in place.

The effects of leaving such remains inside the Active Directory may vary, but one thing is sure: Whenever you'll try to re-install the server with the same computername and try to promote it to become a Domain Controller, you will fail because the Dcpromo process will still find the old object and therefore will refuse to re-create the objects for the new-old server.

In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.

If you give the new domain controller the same name as the failed computer, then you need perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the domain controllers container.

You will need the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.

Also, make sure that you use an account that is a member of the Enterprise Admins universal group.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata

1.    At the command line, type Ntdsutil and press ENTER.

C:\WINDOWS>ntdsutil ntdsutil:

2.    At the Ntdsutil: prompt, type metadata cleanup and press Enter.

ntdsutil: metadata cleanup metadata cleanup:

3.    At the metadata cleanup: prompt, type connections and press Enter.

metadata cleanup: connections server connections:

4.    At the server connections: prompt, type connect to server , where is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.

server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

5.    Type quit and press Enter to return you to the metadata cleanup: prompt.

server connections: q metadata cleanup:

6.    Type select operation target and press Enter.

metadata cleanup: Select operation target select operation target:

7.    Type list domains and press Enter. This lists all domains in the forest with a number associated with each.

select operation target: list domains Found 1 domain(s) 0 - DC=dpetri,DC=net select operation target:

8.    Type select domain , where is the number corresponding to the domain in which the failed server was located. Press Enter.

select operation target: Select domain 0 No current site Domain - DC=dpetri,DC=net No current server No current Naming Context select operation target:

9.    Type list sites and press Enter.

select operation target: List sites Found 1 site(s) 0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net select operation target:

10. Type select site , where refers to the number of the site in which the domain controller was a member. Press Enter.

select operation target: Select site 0 Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net Domain - DC=dpetri,DC=net No current server No current Naming Context select operation target:

11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.

select operation target: List servers in site Found 2 server(s) 0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net 1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net select operation target:

12. Type select server and press Enter, where refers to the domain controller to be removed.

select operation target: Select server 0 Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net Domain - DC=dpetri,DC=net Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net DNS host name - server200.dpetri.net Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net No current Naming Context select operation target:

13. Type quit and press Enter. The Metadata cleanup menu is displayed.

select operation target: q metadata cleanup:

14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.

metadata cleanup: Remove selected server "CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net" removed from server "server100" metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed from the domain controller.

15. Type quit, and press Enter until you return to the command prompt.

To remove the failed server object from the sites

1.    In Active Directory Sites and Services, expand the appropriate site.

2.    Delete the server object associated with the failed domain controller.

To remove the failed server object from the domain controllers container

1.    In Active Directory Users and Computers, expand the domain controllers container.

2.    Delete the computer object associated with the failed domain controller.

3.    Windows Server 2003 AD might display a new type of question window, asking you if you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform, otherwise you wouldn't be reading this article, would you...) Select "This DC is permanently offline..." and click on the Delete button.

4.    AD will display another confirmation window. If you're sure that you want to delete the failed object, click Yes.

To remove the failed server object from DNS

1.    In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.

2.    Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records.

3.    If you have reverse lookup zones, also remove the server from these zones.

Other considerations

Also, consider the following:

·         If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.

·         If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to the address site, the domain, or the forest global catalog load.

·         If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.

·         If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.

If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

Configure a Windows 2000 or 2003 Server as a Global Catalog

The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise wide forest search only on the properties in the GC, whereas you can search for any property in a user’s domain tree. Only Directory Services (DS) or Domain Controller (DC) can hold a copy of the GC.

Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don’t need to configure additional GCs unless you notice slow query response times.

Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.

By default, the first DC in the First Domain in the First Tree in the AD Forest (the root domain) will be configured as the GC.

You can configure another DC to become the GC, or even add it as another GC while keeping the first default one.

Reasons for such an action might be the need to place a GC in each AD Site.

To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps:

1.    Start the Microsoft Management Console (MMC) Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager).

2.    Select the Sites branch.

3.    Select the site that owns the server, and expand the Servers branch.

4.    Select the server you want to configure.

5.    Right-click NTDS Settings, and select Properties.

6.    Select or clear the Global Catalog Server checkbox, which the Screen shows.

7.    Click Apply, OK.

You must allow for the GC to replicate itself throughout the forest. This process might take anywhere between 10-15 minutes to even several days, all depending on your AD infrastructure.

Fix an Unsuccessful Domain Controller Demotion

How can I manually delete a server object from the Active Directory database in case of a bad DCPROMO procedure?

MS KB 216498 has more info:
The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain controller and demoting a domain controller to a member server (or to a standalone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager.
The information is in the following location in the Active Directory:CN=NTDS Settings,CN=, CN=Servers,CN=,CN=Sites, CN=Configuration,DC=...
The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether or not the domain controller is a Global Catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate within the environment, but is retired upon demotion.In the event that the NTDS Settings object is not removed properly (for example, the NTDS Settings object is not properly removed from a demotion attempt), the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in the Active Directory for a given domain controller. At each NTDSUTIL menu, the administrator can type help for more information about the available options.
Caution: The administrator should also check that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the NTDSUTIL utility improperly can result in partial or complete loss of Active Directory functionality.

Procedure

1.      Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type

ntdsutil

and then press ENTER.

2.      Type

metadata cleanup

and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters need to be specified before the removal can occur.

3.      Type

connections

and press ENTER. This menu is used to connect to the specific server on which the changes occur. If the currently logged on user does not have administrative permissions, alternate credentials can be supplied by specifying the credentials to use before making the connection.

To do so, type

set creds domain nameusernamepassword

and press ENTER. For a null password, type null for the password parameter.

4.      Type

connect to server servername

and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.

Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message:

Error 2094. The DSA Object cannot be deleted0x2094

Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.

5.      Type

quit

and then press ENTER. The Metadata Cleanup menu appears.

6.      Type

select operation target

and press ENTER.

7.      Type

list domains

and press ENTER. A list of domains in the forest is displayed, each with an associated number.

8.      Type

select domain number

and press ENTER, where number is the number associated with the domain to which the server you are removing is a member. The domain you select is used to determine if the server being removed is the last domain controller of that domain.

9.      Type

list sites

and press ENTER. A list of sites, each with an associated number, is displayed.

10.  Type

select site number

and press ENTER, where number is the number associated with the site to which the server you are removing is a member. You should receive a confirmation listing the site and domain you chose.

11.  Type

list servers in site

and press ENTER. A list of servers in the site, each with an associated number, is displayed.

12.  Type

select server number

where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove.

13.  Type

quit

and press ENTER. The Metadata Cleanup menu appears.

14.  Type

remove selected server

and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message:

Error 8419 (0x20E3) The DSA object could not be found

the NTDS Settings object may already be removed from the Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after running the DCPROMO utility.

Note: You may also see this error when you attempt to bind to the domain controller that is going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is going to be removed with metadata cleanup.

15.  Type

quit

at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.

16.  Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC is going to be reinstalled and re-promoted, a new NTDS settings object is created with a new globally unique identifier (GUID) and a matching cname record in DNS. You do not want the DC's that exist to use the old cname record.

As best practice you should delete the hostname and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC.

Now that the NTDS setting object has been deleted we can now delete the following objects:

1.      Use ADSIEdit to delete the computer account in the OU=Domain Controllers,DC=domain...

Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a child of the computer account.

2.      Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=file replication service,CN=system....

3.      In the DNS console, use the DNS MMC to delete the cname (also known as the Alias) record in the _msdcs container.

4.      In the DNS console, use the DNS MMC to delete the A (also known as the Host) record in DNS.

5.      If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child in CN=System, DC=domain, DC=domain, Domain NC.

Add custom field to ADUC- Employee ID

How to add Employee ID to Active Directory Users and Computers

1. Open ADSI Edit
2. Expand the CN=Configuration node and go to CN=DisplaySpecifiers, CN=409. Select the 409 node in the left hand pane.
3. In the right-hand pane, select the CN=user-Display object. Right click and select Properties.
4. Select the adminContextMenu attribute and click Edit.
5. We now need to add the value that will be used to create the additional menu item and direct it to the employeeID.vbs script. The syntax is very important. Be sure to include the comma at the beginning and after the menu name (Employee-ID). Add the following syntax to the Value to Add: line:
   ,&Employee-ID,\\servername\sharename\employeeID.vbs
   (your VBS file must be stored on shared location in order to allow all domain controllers to access it)
6. Change the servername and sharename items to reflect your current environment and then click Add.
7. Click OK to accept the changes and close ADSI Edit.
8. Allow some time for replication to populate the changes throughout the directory.
9. Open ADUC and select a user. Right click on the user and notice the new menu item now available.
10. Select Employee-ID to launch the script from within the ADUC. From here we can either enter a new value for the employeeID attribute for the user or hit Cancel to leave the current value intact.
    (Note: If no value is present in the field, then the attribute value is empty for that user.)
    VBSscript – just copy and paste in notepad, than save as employeeID.vbs and copy to shared folder.

Dim objEmployeeID
Dim objSelectedUser
Dim strNewEmployeeID
Set objEmployeeID = Wscript.Arguments
Set objSelectedUser = GetObject(objEmployeeID(0))
strNewEmployeeID = InputBox(”Employee ID: ” & objSelectedUser.employeeID & vbCRLF _
& vbCRLF _
& “To enter a new Employee ID number,” _
& ” type it into the text box” _
& ” below and click OK.”)
if strNewEmployeeID <> “” Then
objSelectedUser.Put “employeeID”,strNewEmployeeID
end if
objSelectedUser.SetInfo
WScript.Quit

When you right click on user in ADUC you will see new field (EmployeeID)

forcibly transfer (seize) FSMO Roles

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

The five FSMO roles are:

· Schema master - Forest-wide and one per forest.

· Domain naming master - Forest-wide and one per forest.

· RID master - Domain-specific and one for each domain.

· PDC - PDC Emulator is domain-specific and one for each domain.

· Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role	Loss implications
Schema	The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming	Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID	Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer object per week.
PDC Emulator	Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure	Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:

FSMO Role	Restrictions
Schema	Original must be reinstalled
Domain Naming
RID
PDC Emulator	Can transfer back to original
Infrastructure

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role	Administrator must be a member of
Schema	Schema Admins
Domain Naming	Enterprise Admins
RID	Domain Admins
PDC Emulator
Infrastructure

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS>ntdsutil ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections server connections:

4. Type connect to server , where is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q fsmo maintenance:

6. Type seize , where is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master Seize infrastructure master Seize PDC Seize RID master Seize schema master

7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master Attempting safe transfer of infrastructure FSMO before seizure. ldap_modify_sW error 0x34(52 (Unavailable). Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) , data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde r could not be contacted.) ) Depending on the error code this may indicate a connection, ldap, or role transfer error. Transfer of infrastructure FSMO failed, proceeding with seizure ... Server "server100" knows about 5 roles Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.