Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do I seize FSMO roles or forcefully remove a DC?

Active Directory: DC and FSMO

How do I seize FSMO roles or forcefully remove a DC?

by  markdmac  Posted    (Edited  )
This document details steps to be taken to correct replication problems between Domain Controllers and also serves as a point of reference for forcefully removing a DC from the domain.


It is important to identify which DC holds the most recent updates of AD. Check for recently created objects such as users or groups or machine accounts. When removing the DC from the domain, any objects that only exist on this server will be lost.

As a naming convention this document will refer to ServerGood and ServerBad where ServerGood is the DC that will remain in the domain and ServerBad is the DC to be removed.

1. Identify the bad server (ServerBad)
2. On ServerBad stop the NTFRS service and KDC Service.
3. On ServerBad run KerbTray resource kit utility and delete the Kerberos Certificates.
4. On ServerGood, run Netdom Query FSMO and check for FSMO ownership. Attempt to transfer all roles to ServerGood using AD Users and Computers
5. If you are unable to transfer roles, seize all 5 FSMO roles.
Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2. Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

Note If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by the earlier steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion
If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalog.

To check if a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, locate the Global Catalog check box to see if it is selected.
6. Reboot ServerBad and verify that you can successfully log in under Active Directory Restore Mode.
7. On ServerBad run DCPROMO /FORCEREMOVAL
Refer to MSKB 332199 for additional details if needed.
8. ServerBad should now be in a workgroup.
9. On ServerGood, execute the MetaCleaner.vbs script and select the ServerBad computer name to delete it from the metabase.
Note: if MetaCleaner.vbs is unavailable you can follow MSKB 216498.
10. Launch the MMC and add the ADSIEdit snap-in.
Remove ServerBad from everything
Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller.
1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
a. Start ADSIEdit.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand OU=Domain Controllers.
e. Right-click CN=domain controller name, and then click Delete.
Note: you may need to expand the object and manually delete child objects to delete the computer account if you receive a message that you have insufficient rights to delete the computer account..
If you receive the "DSA object cannot be deleted" error when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
a. Start ADSIEdit.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Expand CN=File Replication Service.
f. Expand CN=Domain System Volume (SYSVOL share).
g. Right-click the domain controller you are removing, and then click Delete.
3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.

Important If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

Note If you have reverse lookup zones, also remove the server from these zones.
4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
a. Start ADSIEdit.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.
5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Server.
e. Right-click the domain controller, and then click Delete.
11. Remove all references to ServerBad in DNS forward and reverse lookup zones.
12. Verify that ServerBad does not exist in AD Users and Computers.
13. It is now safe to have ServerBad rejoin the domain and use DCPROMO to make it a DC again if needed.

Copy all of the following text to a text file. Name the file MetaCleaner.vbs.

Code:
REM    ==========================================================
REM                GUI Metadata Cleanup Utility
REM             Written By Clay Perrine - clayp@microsoft.com
REM                          Version 2.5
REM    ==========================================================
REM     This tool is furnished "AS IS". NO warranty is expressed or Implied.

on error resume next
dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj,comparename

rem =======This gets the name of the computer that the script is run on ======

Set sh = CreateObject("WScript.Shell")
key= "HKEY_LOCAL_MACHINE"
computerName = sh.RegRead(key & "\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")

rem === Get the default naming context of the domain====

set objRoot=GetObject("LDAP://RootDSE")
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")

rem === Get the list of domain controllers====

Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
outval = outval & vbtab &  objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")

rem ==Retrieve the name of the broken DC from the user and verify it's not this DC.===

oDCSelect= InputBox (outval,"Type the Name of the Problem Domain Controller","")
comparename = UCase(oDCSelect)



if comparename = computerName then
msgbox "The Domain Controller you entered is the machine that is running this script." & vbcrlf & "You cannot clean up the metadata for the machine that is running the script!",,"Metadata Cleanup Utility Error."
wscript.quit
End If


sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
Err.Clear
ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
set myObj=GetObject(ckdcPath)
If err.number <>0 Then
errval= 1
End If
Next
If errval = 1 then
msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
wscript.quit
End If
abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
wscript.quit
end if
oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
Err.Clear
sitePath = "LDAP://" & oDCSelect & ",CN=Servers," &  objContainer.Name & ",CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
set myObj=GetObject(sitePath)
If err.number = 0 Then
siteval = sitePath
End If	
Next
sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)
For Each objContainer in objConfiguration
Err.Clear
SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
set myObj=GetObject(SYSVOLPath)
If err.number = 0 Then
SYSVOLval = SYSVOLPath
End If
Next
SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)

For Each SiteContainer in SiteConfiguration
Sitevar = SiteContainer.Name
VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set DCConfiguration = GetObject(VarPath)
	For Each DomContainer in DCConfiguration
	DCVar = DomContainer.Name
	strFromServer = ""
	NTDSPATH =  DCVar & ",CN=Servers," & SiteVar & "," & SiteList
	GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH 
	Set objCheck = GetObject(NTDSPATH)
		For Each CheckContainer in objCheck

rem ====check for valid site paths =======================
		ldapntdspath = "LDAP://" & NTDSPATH
		Err.Clear
		set exists=GetObject(ldapntdspath)
			If err.number = 0 Then
				Set oGuidGet = GetObject(GuidPath)

				For Each objContainer in oGuidGet
				oGuid = objContainer.Name
				oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH  
				Set objSitelink = GetObject(oGuidPath)
				objSiteLink.GetInfo
				strFromServer = objSiteLink.Get("fromServer")
				ispresent = Instr(1,strFromServer,oDCSelect,1)


					if ispresent <> 0 then

					Set objReplLinkVal = GetObject(oGuidPath)
					objReplLinkVal.DeleteObject(0)
					else
					end if
				next

				sitedelval = "CN=" & comparename & ",CN=Servers," & SiteVar & "," & SiteList
				if sitedelval = ntdspath then
					Set objguidpath = GetObject(guidpath)
					objguidpath.DeleteObject(0)
					Set objntdspath = GetObject(ldapntdspath)
					objntdspath.DeleteObject(0)
					else
				end if
			End If
		next
	next
next


Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox  msgval,,"Notice."
wscript.quit
Register to rate this FAQ  : BAD 1 2 3 4 5 6 7 8 9 10 GOOD
Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

Back
Top