Why? Because a DC won't become a DC if it cannot replicate with other DCs. In 
our disaster recovery testing, we only recover one DC from each domain. I have 
to remove the other DCs from AD, or the one DC will not start acting as a DC.

As a side note, I found a fairly easy solution to my problem. I remembered that 
NTDSUtil prompts before actually removing the DC from AD. I simply wrote a text 
file with all the required incantations for deleting server number 1 from site 
number 1, and duplicated for the other 20 sites. I just answered "no" to the 
prompt for the one DC I wanted to keep. 



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Saturday, April 30, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?



Thoughts on metadata cleanup, from many points on this thread, in importance 
order ...


from Ken Cornetet:

> recover one of those during the test. This means I have to perform the 
> ntdsutil dance outlined in KB216498 23 times to remove the phantom

Why?!?

This made me suspicious ... BTW ... and this is probably the most important 
thing I'll say all day ... so I'll indent it:

  I hope it is clear you should NOT NOT NOT be cleaning up metadata of
  DCs for live DCs.  Demote the DC.  Try not to use force removal
  ... you'll just get it wrong.

When you delete meta-data for a live DC (obviously on some 2nd DC, b/c a DC 
will not voluntarily commit seppuku), the live DC actually decides you didn't 
really know what you're doing, and when it replicates in the delete of its own 
DSA object, it resurrects it.  I wonder if this is what you're experiencing?  
This was a dubious design choice back pre-Win2k RTM, when some beta customer 
hosed their environment by cleaning up meta-data for DCs.  I hope we retract 
this behavior at some future point, myself.



from Marcus:

> Hmm... 2003 dsa seems to remove the metadata when you delete the 
> domain controller reference from the domain controller container.
> Anyone else notice this?

Not sure what you mean by this ... what _exactly_ are you doing?  "2003 dsa" 
isn't an action.  Also are you talking 2k3 or 2k3 SP1?



from joe:

> I would recommend watching your AD to see exactly what NTDSUTIL is 
> doing, you can actually just get away from using it and deleting the 
> appropriate objects directly (hint look at the objects under the 
> server containers of sites...) . In fact you can make a solution that

I wouldn't do this, this is bad layering, the logic here is complicated, and 
the checks that we're making may not be obvious, this kind of logic should be 
pushed into one logical mechanism, and that mechanism should be usable (it 
wasn't usable in Win2k/Win2k3-RTM, but we tried to make it usable in SP1) ... 
further I wouldn't do this, b/c IIRC, we actually changed ntdsutil in SP1 to do 
more ...

> is better than ntdsutil because last I looked, it didn't get rid of 
> FRS references, etc. I recall a tool written by a friend of mine at 
> the widget factory I used to work at that would do this quite well and 
> quite fast and was called Whack-A-DC. It was used to clean up the test 
> environment sucked off of the real environment after it was isolated 
> from the "real" network.

... in fact I think we fixed it to do something very like that.  In addition to 
several other things.



from Dean Wells:

> ... and yet no new (even very small) features will be added within a 
> Service Pack :)

Please stop talking.
(see MG again, it's when they go to Regina's house)



Cheers,
BrettSh [msft]

Posting "as is", confers no rights. 


On Sat, 30 Apr 2005 [EMAIL PROTECTED] wrote:

> Hmm... 2003 dsa seems to remove the metadata when you delete the 
> domain controller reference from the domain controller container.
> Anyone else notice this?
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Wednesday, April 27, 2005 5:01 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
>  
> 
> yeah right ;-)  however, I'm quite happy about the additions in SP1 - 
> even though this should have been called R2 and the planned R2 would 
> then be R3... ;-)
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Tuesday, 22 March 2005 02:55
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
> ... and yet no new (even very small) features will be added within a 
> Service Pack :)
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com <http://msetechnology.com/>
> 
>  
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
> Sent: Monday, March 21, 2005 7:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
> If you're talking about W2K3 then after installing SP1 you don't need 
> to select the site, domain, etc. Just select the server and kill it!
> 
> QUOTE
> 
> The Ntdsutil.exe command-line tool for managing the Active Directory 
> database has new commands that make it easier to remove domain 
> controller metadata. Preliminary steps, such as connecting to a 
> server, domain, and site, are no longer required. You simply specify 
> the server to remove. You can also specify the server on which to make 
> the deletion.
> 
>  
> 
> Cheers
> 
> Jorge
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, March 18, 2005 18:00
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
> I would recommend watching your AD to see exactly what NTDSUTIL is 
> doing, you can actually just get away from using it and deleting the 
> appropriate objects directly (hint look at the objects under the 
> server containers of sites...) . In fact you can make a solution that 
> is better than ntdsutil because last I looked, it didn't get rid of 
> FRS references, etc. I recall a tool written by a friend of mine at 
> the widget factory I used to work at that would do this quite well and 
> quite fast and was called Whack-A-DC. It was used to clean up the test 
> environment sucked off of the real environment after it was isolated 
> from the "real" network.
> 
>  
> 
> I have been slow to duplicate anything like this as a joeware tool 
> because quite frankly, it is pretty dangerous stuff and would prefer 
> to not have my tools used in script kiddies attack tool boxes. oldcmp 
> specifically and very purposely avoids DCs.
> 
>  
> 
>   joe
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Friday, March 18, 2005 10:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
> I guess I should have elaborated. NTDSUtil references domains, sites, 
> and servers by sequential numbers. In order to write a simple command 
> file for DC cleanup, I'd have to know what these numbers would be 
> beforehand, and I'm not at all sure they won't change.
> 
>  
> 
> What I'd like to do is write a perl script that will figure out what 
> these numbers will be and write a script that I can feed into ntdsutil 
> to do the dirty work.
> 
>  
> 
>       -----Original Message-----
>       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian 
> Desmond
>       Sent: Friday, March 18, 2005 9:40 AM
>       To: ActiveDir@mail.activedir.org
>       Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
>       You can make ntdsutil work in a script. Just make a batch file. The 
> syntax is to put a space between each command and put them in
> quotes:
> 
>        
> 
>       ntdsutil "connect to domain 1" "do something cool" "build an arc"
> 
>       ntdsutil "connect to domain 2" "do something cool" "build an arc"
> 
>        
> 
>       etc etc
> 
>        
> 
>       --Brian Desmond
>       [EMAIL PROTECTED]
>       Payton on the web! www.wpcp.org
>        
>       v - 773.534.0034 x135
>       f - 773.534.8101
> 
>       c - 312.731.3132
> 
>        
> 
>       
> ________________________________
> 
> 
>       From: [EMAIL PROTECTED] on behalf of Ken Cornetet
>       Sent: Fri 3/18/2005 7:33 AM
>       To: ActiveDir@mail.activedir.org
>       Subject: [ActiveDir] Scripting DC cleanup?
> 
>       It's getting close to time for our annual off-site disaster recovery 
> test, and I'd like to automate a dreaded chore that this testing 
> entails. Our main domain has about two dozen DCs. We only recover one 
> of those during the test. This means I have to perform the ntdsutil 
> dance outlined in KB216498 23 times to remove the phantom DCs.
> 
>        
> 
>       Is there any way I can script this, or at least script creation of a 
> text file that would be piped into ntdsutil?
> 
>        
> 
>       I stumbled across a script called "metacleaner.vbs" written by a 
> gentleman at microsoft, but it did not appear to work.
> 
> 
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
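An added example, not code from anyone on the thread: a small generator for the ntdsutil input file Ken describes. It uses the Windows Server 2003 SP1 form Jorge quotes (name the server to remove, optionally the DC to delete it on) so the sequential site/server numbers that change between DR tests never appear, and it refuses to emit a command for the DC that was actually restored. The inventory, configuration DN, hostnames and the exact `remove selected server ... on ...` wording are assumptions for the example; the output is meant to be reviewed before it is fed to ntdsutil in the isolated recovery lab.

```python
"""Build a reviewable ntdsutil batch for DR-lab metadata cleanup.

One ntdsutil invocation per phantom DC, quoted the way Brian describes
(each command is a separate quoted argument), using the SP1-style
"remove selected server <DN> on <DC>" command instead of numbered
"select site N" / "select server N" steps.
"""

# Constructed inventory for the example: site name -> DC hostnames.
# The forest configuration DN is an assumption, not from the thread.
CONFIG_DN = "CN=Configuration,DC=corp,DC=example"
SITES = {
    "HQ": ["DC01", "DC02"],
    "Branch-01": ["DC03"],
    "Branch-02": ["DC04"],
}


def server_dn(dc, site, config_dn=CONFIG_DN):
    """DN of the DC's server object under CN=Sites in the configuration NC."""
    return f"CN={dc},CN=Servers,CN={site},CN=Sites,{config_dn}"


def phantom_dcs(sites, keep):
    """Every inventoried DC except the ones restored in the lab.

    Raises if a DC to keep is unknown, so a typo cannot silently turn the
    restored DC into a cleanup target.
    """
    keep = {k.upper() for k in keep}
    known = {dc.upper() for dcs in sites.values() for dc in dcs}
    missing = keep - known
    if missing:
        raise ValueError(f"DC(s) to keep not in inventory: {sorted(missing)}")
    return [(dc, site) for site, dcs in sites.items()
            for dc in dcs if dc.upper() not in keep]


def ntdsutil_lines(sites, keep, cleanup_server, config_dn=CONFIG_DN):
    """One batch-file line per phantom DC; deletions are issued on cleanup_server."""
    lines = []
    for dc, site in phantom_dcs(sites, keep):
        dn = server_dn(dc, site, config_dn)
        lines.append(f'ntdsutil "metadata cleanup" '
                     f'"remove selected server {dn} on {cleanup_server}" quit quit')
    return lines


if __name__ == "__main__":
    # Recovered only DC01 in the test; it is both the survivor and the target.
    print("\n".join(ntdsutil_lines(SITES, ["DC01"], "DC01")))
```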
