As I read it, he added a new machine to the domain with the same name as an existing (and presumably running) DC. This should have been denied from the start. Did I misunderstand?
On Tue, Feb 23, 2010 at 1:08 PM, Sherry Abercrombie <[email protected]> wrote:
> No, it was an admin (new guy) that caused the initial problem.
>
> On Tue, Feb 23, 2010 at 12:05 PM, Jeff Bunting <[email protected]> wrote:
>
>> Good to hear it is fixed but, unless I misunderstood the problem, isn't
>> the fact that this was able to happen in the first place indicative of
>> something else being wrong? (AD replication?)
>>
>> Jeff
>>
>> On Tue, Feb 23, 2010 at 12:39 PM, Michael Leone <[email protected]> wrote:
>>
>>> On Tue, Feb 23, 2010 at 11:07 AM, Michael Leone <[email protected]> wrote:
>>> > On Tue, Feb 23, 2010 at 11:00 AM, Michael B. Smith
>>> > <[email protected]> wrote:
>>> >> Then your plan seems reasonable, as I don't believe dcpromo in Windows
>>> >> 2000 supported the "forceremoval" flag.
>>> >
>>> > Great! I was worried about the order of steps. I guess we'll get
>>> > started now ....
>>> >
>>> > Thanks. I'll report back, when it's done.
>>>
>>> This all worked. I followed the steps below, which worked as
>>> advertised. Had only 2 small issues - when removing the server from
>>> Sites and Services, I had to delete all the connections first (pretty
>>> obvious ...), but then I had to delete the "NTDS Settings" entry - I
>>> couldn't delete the server name itself. Then, when cleaning up DNS, I
>>> had to remove the server name as "Name Server" on the properties of
>>> every Reverse Lookup Zone .. and I have like 90 of those, one for
>>> every subnet ... :-)
>>>
>>> But it all seemed to go OK. No sign of the server in AD anywhere, and
>>> I ran "repadmin" to force the other DC in this domain to pull the
>>> changes from the DC I performed the cleanup on.
>>>
>>> (just some notes, in case anyone searches for a similar issue)
>>>
>>> Thanks
>>>
>>> >> Regards,
>>> >>
>>> >> Michael B. Smith
>>> >> Consultant and Exchange MVP
>>> >> http://TheEssentialExchange.com
>>> >>
>>> >> -----Original Message-----
>>> >> From: Michael Leone [mailto:[email protected]]
>>> >> Sent: Tuesday, February 23, 2010 10:59 AM
>>> >> To: NT System Admin Issues
>>> >> Subject: Re: Win2000 - DC seems to have been renamed
>>> >>
>>> >> On Tue, Feb 23, 2010 at 10:51 AM, Michael B. Smith <[email protected]> wrote:
>>> >>> Just to make sure - you DO have ANOTHER DC/GC, right?
>>> >>
>>> >> I have 2 others, yes.
>>> >>
>>> >> The renamed DC is in a child domain. The parent domain has 4 DCs; the
>>> >> child has 3. Of those 3, only this one is fubarred, from what I can see.
>>> >>
>>> >>> Regards,
>>> >>>
>>> >>> Michael B. Smith
>>> >>> Consultant and Exchange MVP
>>> >>> http://TheEssentialExchange.com
>>> >>>
>>> >>> -----Original Message-----
>>> >>> From: Michael Leone [mailto:[email protected]]
>>> >>> Sent: Tuesday, February 23, 2010 10:37 AM
>>> >>> To: NT System Admin Issues
>>> >>> Subject: Win2000 - DC seems to have been renamed
>>> >>>
>>> >>> Got a bit of an emergency. We run a Win2000 domain (yes, we realize
>>> >>> it's not supported any longer; that's why we were planning on upgrading
>>> >>> it to Win2003 this weekend ...)
>>> >>>
>>> >>> Anyway, this morning, we saw something strange. One of my DCs -
>>> >>> ADMNWDC003 - seems to have been renamed in AD to ADMNWDC003TEMP.
>>> >>> Turns out, the new guy was making a new DC for one of our other sites, and
>>> >>> inadvertently called this new DC he was building the existing name of
>>> >>> ADMNWDC003. He tried to rename the computer account, but the damage was
>>> >>> done.
>>> >>>
>>> >>> It shows up in AD U&C, Domain Controllers as "ADMNWDC003TEMP". The
>>> >>> actual computer, however, still has the name of ADMNWDC003. Sites and
>>> >>> Services still lists it as ADMNWDC003. So what I've got are entries for a DC
>>> >>> that no longer has a valid computer account ...
>>> >>>
>>> >>> So now we're more than slightly stuck in it. :-(
>>> >>>
>>> >>> I can't DCPROMO the physical computer back down from not being a DC,
>>> >>> since there's no corresponding computer account. Luckily, it holds no FSMO
>>> >>> roles.
>>> >>>
>>> >>> Here's what we think we should do -
>>> >>>
>>> >>> Power down ADMNWDC003.
>>> >>> Delete the ADMNWDC003TEMP computer account in AD U&C.
>>> >>> Use ADSIEDIT to remove the ADMNWDC003 entries, *and* ADMNWDC003TEMP
>>> >>> entries, as per KB 555846 ("How to remove completely orphaned Domain
>>> >>> Controller").
>>> >>> Then clean up AD, by using KB 216498 ("How to remove data in AD
>>> >>> after an unsuccessful domain controller demotion").
>>> >>>
>>> >>> Any and every help greatly appreciated. Will this work? I want to fix
>>> >>> my AD, so we can upgrade to a supported version ASAP.
>>> >>>
>>> >>> Thanks
>>> >>>
>>> >>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> >>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
> Sent from Keller, TX, United States
