Removing Stale Domain Controller

Nash joined his new job as an Active Directory specialist, and as part of that job he has to manage the Active Directory infrastructure for his company. At first Nash performed the following tasks:

  • Noted the operating system versions
  • Gathered the subnet information
  • Understood the Active Directory namespace assignment
  • Reviewed the DNS infrastructure
  • Understood the DNS namespace assignment
  • Understood the Active Directory sites
  • Understood the Group Policy assignment

Operating System Versions: This is the primary task; one has to note down the server versions along with their service pack levels. (The company is running Windows 2003 SP2 Enterprise Edition and has plans to migrate to Windows Server 2008.)

Subnet Information: This is an important aspect of any organization. Nash wrote down all the necessary information about the network and the placement of the servers.

Active Directory Namespace: This is always the first step for an Active Directory engineer: one has to analyze the existing Active Directory namespace. The Active Directory engineer should understand

a) Forest root domain
b) Number of domains
c) Number of child domains under each domain
d) Number of global catalogue servers
e) FSMO role assignment
f) AD replication configuration

Forest Root Domain: The forest root domain is

Number of Domains: Telexx has configured a single forest with the following domain structure. ( Forest root domain ): This domain holds only the Schema Admins and Enterprise Admins.

Tip: It is always advisable to have a dedicated forest root domain and keep that environment isolated; configure all the users, groups and delegations under child domains.

( Primary child domain ) and ( Additional child domain ): The administrator has configured these two child domains with several OUs for delegation.

Number of child domains under each domain: Nil

Number of global catalogue servers: 3

FSMO role assignment: All the FSMO roles are hosted on the primary child domain's domain controller.

Monitoring Active Directory:

After analyzing the network infrastructure, Nash took on the major task of monitoring Active Directory. He wanted a clean and error-free Active Directory infrastructure, for which he performed the following:

  • Understood the groups created under Active Directory
  • Monitored the Security, Directory Service, DNS Server and Application event logs (ideally, review at least two months of logs)
  • Ran scripts to flush stale computer accounts, invalid user accounts and groups (administrators can use the built-in query option under ADUC, a PowerShell script or a custom LDAP query to do the same)
  • Ran netdiag and dcdiag to check for any ongoing errors and resolved them
  • Ran the replmon and repadmin utilities to identify replication errors
  • Followed the Microsoft Operations Framework manual for managing Active Directory
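One way to run the stale-account sweep from the third bullet as a custom LDAP query in PowerShell, given here as an added example rather than the post's own script: it assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later, so not the Windows 2003 tooling of the post) and a constructed 90-day threshold. It goes one step beyond the bullet by flagging stale computer accounts that are domain controllers, because those must go through metadata cleanup rather than a plain delete.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        # Constructed threshold. lastLogonTimestamp is replicated (unlike lastLogon) but is
        # only refreshed about every 14 days, so keep this well above that interval.
        [int]$InactiveDays = 90,
        [string]$Domain = (Get-ADDomain).DNSRoot   # defaults to the current domain
    )
    $cutoffDate = (Get-Date).AddDays(-$InactiveDays)
    $cutoffFt   = $cutoffDate.ToFileTime()

    # Custom LDAP query: computers whose replicated logon stamp is older than the cutoff,
    # or that never logged on at all.
    $ldap = "(|(lastLogonTimestamp<=$cutoffFt)(!(lastLogonTimestamp=*)))"

    Get-ADComputer -Server $Domain -LDAPFilter $ldap `
        -Properties lastLogonTimestamp, primaryGroupID, operatingSystem, whenCreated |
      Where-Object { $_.whenCreated -lt $cutoffDate } |    # ignore freshly joined machines
      ForEach-Object {
        # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers
        $isDc = $_.primaryGroupID -in @(516, 521)
        [pscustomobject]@{
            Name      = $_.Name
            OS        = $_.operatingSystem
            LastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            IsDC      = $isDc
            Action    = if ($isDc) { 'Do NOT delete here: run metadata cleanup' } else { 'Candidate for disable/delete' }
        }
      }
}

# Usage: review the report before touching anything.
Get-StaleComputerReport -InactiveDays 90 | Sort-Object IsDC -Descending | Format-Table -AutoSize

# The same idea for user accounts, using the built-in inactive-account search.
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays(90)) |
    Select-Object Name, LastLogonDate, Enabled
```

Disable first and delete later: a machine that has simply been powered off for a quarter looks identical to a decommissioned one in this report, and a disabled account is reversible.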

Nash identified replication errors in the dcdiag output; he then ran repadmin and found that the existing domain controllers had replication issues. Looking in Active Directory Users and Computers → Domain Controllers, he quickly found three domain controllers that were stale. The most likely reason is that the previous administrator had not successfully removed those domain controllers.

Nash had to remove the server objects and computer objects and clean up the NTDS objects; to do this he followed the procedure below.

Step 1: Perform the metadata cleanup, following the Microsoft article.

Step 2: Delete the server object by going to AD Sites and Services → Sites → Default-First-Site → Servers → <dc>.

Step 3: Delete the computer object from Active Directory Users and Computers → Domain Controllers → <computer object>. During deletion you will see a prompt where you have to select "This domain controller is permanently offline ..." and click Delete.

Step 4: Delete the DNS A record and the _msdcs.<forest root> record for the stale DC from the DNS servers, then run ipconfig /flushdns and ipconfig /registerdns on the server hosting the DNS service.
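The four steps above collected into one PowerShell script, given here as an added example; it is neither the post's procedure nor the Microsoft article's. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later, or RSAT) and relies on the fact that on Windows Server 2008 and later deleting the NTDS Settings object performs the same metadata cleanup that ntdsutil does on Windows 2003 (Step 1). All server, site, domain and zone names are constructed placeholders, and the script stays a dry run until $WhatIf is set to $false. It adds a pre-flight check the post does not spell out: refuse to clean up a DC that still holds a FSMO role or is the last global catalogue in its domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$StaleDc   = 'STALEDC01'                # placeholder: the DC that was never demoted
$SiteName  = 'Default-First-Site-Name'  # placeholder: site holding its server object
$DomainDns = 'child.corp.example'       # placeholder: domain the stale DC belonged to
$ForestDns = 'corp.example'             # placeholder: forest root (owner of the _msdcs zone)
$DnsHost   = 'DC01'                     # placeholder: a live DC/DNS server to edit zones on
$WhatIf    = $true                      # dry run; set to $false to actually delete

$cfgNc    = (Get-ADRootDSE -Server $DomainDns).configurationNamingContext
$serverDn = "CN=$StaleDc,CN=Servers,CN=$SiteName,CN=Sites,$cfgNc"
$ntdsDn   = "CN=NTDS Settings,$serverDn"

# Pre-flight: never clean up a DC that still holds a FSMO role or is the only GC in its domain.
$dom   = Get-ADDomain -Identity $DomainDns
$for   = Get-ADForest -Identity $ForestDns
$roles = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
           $for.SchemaMaster, $for.DomainNamingMaster)
if ($roles | Where-Object { $_ -like "$StaleDc.*" }) {
    throw "$StaleDc still holds a FSMO role; seize it to a live DC before cleanup."
}
$otherGcs = $for.GlobalCatalogs | Where-Object { $_ -like "*.$DomainDns" -and $_ -notlike "$StaleDc.*" }
if (-not $otherGcs) { throw "No other global catalogue in $DomainDns; promote one first." }

# Step 1: metadata cleanup. Capture the DSA GUID first; it names the CNAME in _msdcs (Step 4).
$ntds    = Get-ADObject -Identity $ntdsDn -Server $DomainDns -Properties objectGUID
$dsaGuid = $ntds.objectGUID.Guid
Remove-ADObject -Identity $ntdsDn -Server $DomainDns -Recursive -Confirm:$false -WhatIf:$WhatIf

# Step 2: the server object under Sites and Services (children are connection objects).
Remove-ADObject -Identity $serverDn -Server $DomainDns -Recursive -Confirm:$false -WhatIf:$WhatIf

# Step 3: the computer object. DC accounts carry child objects (FRS/DFSR subscriptions),
# so Remove-ADComputer fails on them; Remove-ADObject -Recursive is the equivalent of the
# "permanently offline" delete in ADUC.
$comp = Get-ADComputer -Identity $StaleDc -Server $DomainDns
Remove-ADObject -Identity $comp.DistinguishedName -Server $DomainDns -Recursive -Confirm:$false -WhatIf:$WhatIf

# Step 4: DNS. The A record in the domain zone ...
Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $DomainDns -Name $StaleDc -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $DomainDns -Force -WhatIf:$WhatIf
# ... the GUID CNAME in _msdcs.<forest root> (assumed to be its own zone, the default since 2003) ...
$msdcs = "_msdcs.$ForestDns"
Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $msdcs -Name $dsaGuid -RRType CName -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $msdcs -Force -WhatIf:$WhatIf
# ... and any SRV record in either zone that still advertises the stale host.
foreach ($zone in @($DomainDns, $msdcs)) {
    Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -like "$StaleDc.*" } |
        Remove-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone -Force -WhatIf:$WhatIf
}

# Finally, flush and re-register on the DNS host, as in the post's Step 4.
if (-not $WhatIf) {
    Invoke-Command -ComputerName $DnsHost -ScriptBlock { ipconfig /flushdns | Out-Null; ipconfig /registerdns | Out-Null }
}
```

Run it once with $WhatIf left at $true and read the "What if:" lines; every object it would delete should be one you expect. After the real run, repadmin /showrepl and dcdiag on the remaining DCs should no longer report the removed server.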

In our scenario Nash had a working Active Directory environment, which tells us that the stale domain controllers were neither hosting DNS nor configured as global catalogue servers.
