Rogue DC in AD Sites & Services

Sep 16, 2003
I have 2 Windows 2000 DCs, server-a and server-b. server-a has all of the FSMO roles. I am getting a lot of NTFRS errors in the event log because in AD Sites & Services, there are three NTDS entries for server-b, so two of them are obviously out of date and should be deleted. I have had to restore AD a couple of times, so maybe this is why the rogue NTDS entries are there.

My first question is, how do I know which two to remove?

The first one under server-b says NTDS Settings. The second one says NTDS Settings[]CNF:56e9du9-d0u-dud etc. Same with the third one.

I have tried to remove one, but it won't let me. Using ntdsutil and the metadata cleanup doesn't work either. Any ideas?
 
The second and third entries sound like they are the most likely candidates to be removed. But if you actually have the server present, you may be having trouble removing entries that it thinks are related to that server. I suppose it might be possible that the second or third entry is the active one. Are you getting an error message related to NTFRS which indicates which ones it is having trouble with?

Also, have you tried removing both entries, or just the same one? It could be that you have the valid one.

Not sure if it's possible in your config, but you might try demoting the second DC (since it has no FSMO roles), then using NTDSUTIL to clean things up from the remaining DC, then promoting the second server back to DC.
 
Thanks for your ideas. I have tried to delete all of them actually; none of them can be deleted. Note I have a backup of my AD, just in case I did manage to remove an active one.

This has been happening for a few months. I have two new Windows 2003 DCs ready to go which will replace server-a and b, and I am going to run adprep on server-a; I just wanted to clear up any errors before replacing these two DCs. Perhaps I should wait until the old servers are gone, and remove them then?

I know FRS is running fine. Here is the error message.

The File Replication Service is having trouble enabling replication from SERVER-A to SERVER-B for c:\winnt\sysvol\domain using the DNS name SERVER-A.wattscanada.ca. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name server-a.wattscanada.ca from this computer.
[2] FRS is not running on server-a.wattscanada.ca.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
 