You've installed a new domain controller -- now what?

Once you've installed a new domain controller, you need to clean up references to the old one so that other computers in the domain don't try to connect to it anymore.

Sometimes you won't be able to or won't want to repair a failed domain controller, and will instead elect to install a new one. You can install a new domain controller either by promoting an existing member server so that it is a domain controller, or by installing a new computer and then promoting it. Either way, the domain controller will get its directory information from another domain controller.

Installing a new domain controller is the easy part. Once you've done that, you need to clean up references to the old domain controller so that other computers in the domain don't try to connect to it anymore. You need to remove references to the server in DNS, and you need to examine any roles that the failed server played.

If the failed server was a global catalog server, you should designate another domain controller as a global catalog server. If the failed server held an operations master role, you will need to seize the role and give it to another domain controller.

Let's start with DNS and roles. To clean up DNS, you need to remove all records for the server in DNS. This includes the SRV records that designate the computer as a domain controller and any additional records that designate the computer as a global catalog server or PDC emulator, if applicable.

To clean up references to the failed domain controller in Active Directory, you'll need to use Ntdsutil. You must use an account with Administrator privileges in the domain. However, you can run Ntdsutil from any computer running Windows 2000 or later. The cleanup process is as follows:

  • Click Start, click Run, type cmd in the Open field, and then click OK.
  • At the command prompt, type ntdsutil. This starts the Directory Services Management Tool.
  • At the Ntdsutil prompt, type metadata cleanup. You should now be at the Metadata Cleanup prompt.
  • Access the Server Connections prompt so that you can connect to a domain controller. To do this, type connections and then type connect to server DCName, where DCName is the name of a working domain controller in the same domain as the failed domain controller.
  • Exit the Server Connections prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
  • Access the Select Operation Target prompt so that you can work your way through Active Directory from a target domain to a target site to the actual domain controller you want to remove. Type select operation target.
  • List all the sites in the forest by typing list sites and then type select site Number, where Number is the number of the site containing the failed domain controller.
  • List all the domains in the site by typing list domains in site and then type select domain Number, where Number is the number of the domain containing the failed domain controller.
  • List all the domain controllers in the selected domain and site by typing list servers in site and then type select server Number, where Number is the number of the server that failed.
  • Exit the Select Operation Target prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
  • Remove the selected server from the directory by typing remove selected server. When prompted, confirm that you want to remove the selected server.
  • Type quit twice to exit Ntdsutil. Next, remove the related computer object from the Domain Controllers OU in Active Directory Users And Computers. Finally, remove the computer object from the Servers container for the site in which the domain controller was located, using Active Directory Sites And Services.
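After the steps above, it is worth verifying that nothing in DNS or the directory still points at the failed domain controller, since clients and replication partners will keep trying to reach any reference that survives. The following PowerShell script is an added example, not part of the original article; it assumes the ActiveDirectory and DnsServer RSAT modules, a domain-admin session, that the PDC emulator hosts the DNS zones, and uses the constructed placeholder name DC-OLD for the failed server.

```powershell
# Added example: audit lingering references to a removed domain controller.
# Assumptions: ActiveDirectory + DnsServer modules, domain-admin rights,
# PDC emulator hosts DNS. 'DC-OLD' is a constructed placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$FailedDc = 'DC-OLD'                       # placeholder: short name of the failed DC
$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$Zone     = $Domain.DNSRoot                # e.g. corp.example.com (constructed)
$Fqdn     = "$FailedDc.$Zone"
$DnsHost  = $Domain.PDCEmulator            # assumption: this DC runs the DNS service
$findings = @()

# 1. Operations master roles: none may still be held by the failed DC (seize them if so).
$roles = @{
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ieq $Fqdn) { $findings += "Operations master role $($r.Key) still held by $Fqdn" }
}

# 2. Global catalog list published by the forest.
if ($Forest.GlobalCatalogs -icontains $Fqdn) { $findings += "$Fqdn is still listed as a global catalog" }

# 3. DNS: SRV records (LDAP, Kerberos, GC) in the domain zone and the _msdcs zone
#    whose target host is the failed DC, plus its A record.
foreach ($z in @($Zone, "_msdcs.$Zone")) {
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $z -RRType Srv -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DomainName -ieq "$Fqdn." }   # SRV targets carry a trailing dot
    foreach ($rec in $srv) { $findings += "SRV record $($rec.HostName) in zone $z still targets $Fqdn" }
}
$a = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $Zone -RRType A -Name $FailedDc -ErrorAction SilentlyContinue
if ($a) { $findings += "A record for $Fqdn is still present" }

# 4. Directory objects: the server object under Sites (Sites And Services) and the
#    computer account (Domain Controllers OU) that the final step removes by hand.
$cfg    = (Get-ADRootDSE).configurationNamingContext
$srvObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -SearchBase "CN=Sites,$cfg"
if ($srvObj) { $findings += "Server object still present: $($srvObj.DistinguishedName)" }
$comp = Get-ADComputer -Filter "Name -eq '$FailedDc'" -ErrorAction SilentlyContinue
if ($comp) { $findings += "Computer object still present: $($comp.DistinguishedName)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "No lingering references to $Fqdn found" }
```

Every warning the script prints maps to one of the cleanup steps above (seize the role, demote the GC entry, delete the DNS record, or remove the directory object); a clean run after the ntdsutil session confirms the cleanup took effect.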

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.

This was first published in June 2006
