Can't remove old DC from Sites and Services

TSG

I have introduced 2 new Win2019 DCs into my domain, and removed the old ones properly (demoted, then removed from the domain). I confirmed from the Users and Computers app that my old DCs are no longer present. For some reason one of my old DCs still shows under Sites and Services. I tried to delete it, but Windows says I don't have the necessary privileges or the object is protected. I am logged in as a domain admin.

I assumed I need to cleanup the metadata per these instructions: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc736378(v=ws.10)?redirectedfrom=MSDN

However, the instructions are vague at steps J and L. In particular:

  • Step J - am I supposed to pick the server I wish to remove? It is not in the list (only the new DC is in the list).
  • Step L - am I supposed to append the name of the server to delete to this command? This is dangerous, because I don't want to delete my new DC, and the instructions suggest I will be deleting the server selected in step J (and my old DC is not in the list).

Am I approaching this the wrong way? Should I use ADSI Edit to get rid of it? I found the old DC in:

Configuration > CN=Configuration... > CN=Sites > CN=Site1 > CN=OLDDC

I could change permissions to allow deletion, but I hate messing with ADSI Edit, since it's easy to destroy a domain.

In case the link dies some day, the steps from the above link are:

1. Open a command prompt.

2. Type the following command, and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type:

metadata cleanup

4. Perform metadata cleanup as follows:

If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the metadata cleanup: prompt, type:

remove selected server ServerName

Or

remove selected server ServerName1 on ServerName2

TABLE 1

Value                      Definition
ServerName, ServerName1    The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain
ServerName2                The DNS name of the domain controller to which you want to connect and from which you want to remove server metadata

If you are performing metadata cleanup by using the version of Ntdsutil.exe that is included with Windows Server 2003 with no service pack, perform metadata cleanup as follows:

A. At the metadata cleanup: prompt, type:

connection

B. At the server connections: prompt, type:

connect to server Server

C. At the server connections: prompt, type:

quit

D. At the metadata cleanup: prompt, type:

select operation target

E. At the select operation target: prompt, type:

list sites

A numbered list of sites appears.

F. At the select operation target: prompt, type:

select site SiteNumber

G. At the select operation target: prompt, type:

list domains in site

A numbered list of domains in the selected site appears.

H. At the select operation target: prompt, type:

select domain DomainNumber

I. At the select operation target: prompt, type:

list servers in site

A numbered list of servers in a domain and site appears.

J. At the select operation target: prompt, type:

select server ServerNumber

K. At the select operation target: prompt, type:

quit

L. At the metadata cleanup: prompt, type:

remove selected server

TABLE 2

Value         Description
Server        The DNS name of a domain controller that you want to connect to
SiteNumber    The number associated with the site of the server that you want to clean up, as it appears in the list
DomainNumber  The number associated with the domain of the server that you want to clean up, as it appears in the list
ServerNumber  The number associated with the server that you want to clean up, as it appears in the list

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, Active Directory might have already removed the domain controller.

5. To verify that the server was removed, type list servers in site, and then press ENTER. Ensure that the domain controller that you wanted to be removed is no longer displayed in the command output.

6. At the metadata cleanup: and ntdsutil: prompts, type quit.
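As an added example (not part of the question or of the Microsoft article), this is what the distinguished-name form from step 4 looks like when typed into PowerShell on a surviving DC. With the DN form you name the object to delete explicitly, so the number-based selection in steps J and L never happens and the live DC is never "selected". The object path is the one from the question (CN=OLDDC under site Site1); the forest root corp.example.com and the surviving DC name NEWDC01 are placeholders and must be replaced.

```powershell
# Added example, not from the question or the Microsoft article.
# Placeholders (assumptions): site Site1, stale server object OLDDC,
# forest root corp.example.com (DC=corp,DC=example,DC=com), live DC NEWDC01.
Import-Module ActiveDirectory

$stale  = 'CN=OLDDC,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'
$target = 'NEWDC01.corp.example.com'

# Preflight: the name you are about to remove must NOT appear among the live DCs.
$liveDCs = Get-ADDomainController -Filter * | Select-Object Name, HostName, Site
$liveDCs | Format-Table -AutoSize
if ($liveDCs.Name -contains 'OLDDC') {
    throw 'OLDDC is still a live domain controller; do not run metadata cleanup against it.'
}

# Step 4 of the article, "remove selected server ServerName1 on ServerName2", run
# non-interactively: ntdsutil accepts its commands as quoted arguments. The two
# trailing "quit"s leave the "metadata cleanup:" and "ntdsutil:" prompts.
ntdsutil "metadata cleanup" "remove selected server $stale on $target" quit quit

# Verify with the same "list servers in site" check the article uses in step 5;
# only the live DC(s) for Site1 should remain.
ntdsutil "metadata cleanup" "select operation target" "list sites" quit quit quit
```

ntdsutil shows a Yes/No confirmation dialog before it deletes anything, so check the DN it echoes back before accepting. If it instead reports that the object cannot be found, the NTDS Settings metadata was already removed by the demotion (the case the article mentions at the end of step 4); what is left in Sites and Services is then only the empty server container, which is the protected-object situation the comments address.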
Metadata cleanup hasn't been needed for 12 years. And yes, the permissions would need to be changed to allow it to be deleted in AD Sites and Services.

joeqwerty: Right-click the server in Sites and Services, open the properties pages, switch to the Object properties tab, and check to see if "Protect object from accidental deletion" is checked. If it is, uncheck it and delete the server.

TSG: joeqwerty - that was it, and it allowed proper deletion from Sites and Services without using ADSI Edit. (If you post as an answer I'll accept that one.)
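The fix from the comments, done from PowerShell rather than the Sites and Services GUI, as an added example that is not part of the thread. It uses the same CN=OLDDC object in site Site1 as the question; the forest root corp.example.com is a placeholder. The two checks at the top are there so the script refuses to delete anything that still looks like a working domain controller.

```powershell
# Added example, not from the thread. Placeholder assumptions: site Site1,
# leftover server object OLDDC, forest root DC=corp,DC=example,DC=com.
Import-Module ActiveDirectory

$stale = 'CN=OLDDC,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'

# Safety check 1: never touch an object that is still a live DC.
if ((Get-ADDomainController -Filter *).Name -contains 'OLDDC') {
    throw 'OLDDC is still a live domain controller; stop.'
}

# Fetch the object; this also fails loudly if the DN is wrong.
$obj = Get-ADObject -Identity $stale -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop

# Safety check 2: if an NTDS Settings (nTDSDSA) child still exists, the demotion did
# not finish and real metadata cleanup is needed instead of deleting the container.
$ntds = Get-ADObject -SearchBase $stale -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
if ($ntds) {
    throw "$stale still has an NTDS Settings object; run metadata cleanup first."
}

# This attribute is the "Protect object from accidental deletion" checkbox on the
# Object tab. It is implemented as an explicit Deny for Everyone on Delete and
# Delete Subtree, which is why a Domain Admin still gets "insufficient privileges /
# object is protected" in Sites and Services.
if ($obj.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $stale -ProtectedFromAccidentalDeletion $false
}

# -Recursive removes any remaining child objects under the server container
# (for example a DNS Settings or DFSR object); -Confirm prompts before deleting.
Remove-ADObject -Identity $stale -Recursive -Confirm:$true

# Confirm it is gone from the site's Servers container.
Get-ADObject -SearchBase ($stale -replace '^CN=OLDDC,', '') -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass
```

Run this on a DC or a machine with RSAT, as an account that can write the Configuration partition (Domain Admins in the forest root or Enterprise Admins). Clearing the flag is the same thing the GUI checkbox does, so there is no need to hand-edit ACLs in ADSI Edit.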