Friday, April 23, 2010

Remove a Child Domain from AD 2008

So, had multiple issues with this. The real problem was that my original OS install (Server 2008 x64 Standard) had several NetBIOS/File Sharing/General Networking issues. Issues = Wouldn't work worth a crap. Kept getting "network path not found" or "network path does not exist" or "no network provider responded to the given path" errors. Very frustrating. All the other servers could get to my shares, but I couldn't get to theirs. So, I solved this by reinstalling. This time I installed Server 2008 x64 Enterprise R2. Immediately upon finishing the install, I was able to browse all network shares, so, props there. Don't know if Standard just didn't play with the other servers (all other servers are R2) or if it was just a hosed install, but the reinstall fixed that.

Then the new issue: Active Directory. The server in question was the DC for a child domain. I'd tried to demote it, i.e. ran dcpromo again, told it "this is the last DC in the domain" so it would delete the child domain. BUT, this didn't work BECAUSE of the stupid network problem. It errored out and said it couldn't contact the forest root DC. So, it couldn't demote. Now I had to figure out how to strip the info out manually.

I went into AD on the forest controller, and deleted the record for the server. However, when I tried to re-dcpromo the newly installed server, I got an error. I tried to set it back up to the same child domain, etc., and the wizard told me it would replace the old data with new data using the new server install. GREAT! NOT...... I clicked Next, it failed, and said it couldn't delete the old info. Why? Not sure. Found several great articles on how to manually remove info from AD using ntdsutil.exe. Props to Isaac Oben, whose blog had the BEST walkthroughs on doing this that I've seen lately. Links below:

http://www.isaacoben.com/2009/06/26/remove-a-demoted-or-failed-dc-from-active-directory-using-ntdsutil-exe/#more-188
http://www.isaacoben.com/2009/07/04/how-to-remove-child-domain-and-other-naming-context-from-forest-root-domain/

A couple other links I found were:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/9532a55f-7483-4d5d-a409-910993cff07c
http://support.microsoft.com/kb/230306

So, back to the issue. When I tried to follow along with these to remove the domain, I got the same error, but in a different wording. Exactly what I got was this:

"DsRemoveDsDomainW error 0x2015"

Hmm... So, what is that? Not sure -> back to Google. I finally found a solution, but here, I suppose, was the root problem. When I manually deleted the server record, it did not delete anything else. In other words, the server record was gone, but the "domain" and "naming context" for the old child domain were still there. You couldn't remove them, because SOMETHING essentially had them locked. That "something" was an "application data partition" for the old domain.

The way to remove this (which also removes the domain and naming contexts) was found in the following link:
http://support.microsoft.com/kb/887424

You follow its instructions exactly, except for one big change. Instead of "domain management" you use "partition management". The rest works the same. Just delete all references to the old child domain. There will most likely be 2: one for "DC=DomainDnsZones", which keeps the DNS records for the child domain, and then "DC=child_domain", which is the AD metadata record for the actual child domain itself.
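As an added example (not from the original post or the KB article), here's a PowerShell check you can run on the forest root DC before and after the ntdsutil cleanup. It lists every crossRef object in CN=Partitions that still points at the child domain, and flags which of them are application partitions (like DomainDnsZones), so you know exactly what "partition management" still has to remove. The child domain DN is a placeholder; swap in your own.

```powershell
# Added example: find crossRef objects still referencing a removed child domain.
# Assumes the child domain DN is DC=child,DC=example,DC=com (constructed placeholder).
param(
    [string]$ChildDomainDN = 'DC=child,DC=example,DC=com'
)

# Bind to CN=Partitions in the Configuration NC of the forest this box is joined to.
$rootDse    = [ADSI]'LDAP://RootDSE'
$configNC   = $rootDse.configurationNamingContext.Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter      = '(objectClass=crossRef)'
$searcher.SearchScope = 'OneLevel'
$null = $searcher.PropertiesToLoad.AddRange(@('cn', 'nCName', 'dnsRoot', 'systemFlags'))

# Every NC belonging to the child domain has an nCName ending in the child domain DN:
# the domain NC itself plus application partitions such as DC=DomainDnsZones,<child DN>.
$lingering = foreach ($r in $searcher.FindAll()) {
    $ncName = [string]$r.Properties['ncname'][0]
    if ($ncName -notlike "*$ChildDomainDN") { continue }

    $flags = 0
    if ($r.Properties['systemflags'].Count -gt 0) { $flags = [int]$r.Properties['systemflags'][0] }

    [pscustomobject]@{
        CrossRef       = [string]$r.Properties['cn'][0]
        NCName         = $ncName
        DnsRoot        = [string]$r.Properties['dnsroot'][0]
        # FLAG_CR_NTDS_NC (0x1) set and FLAG_CR_NTDS_DOMAIN (0x2) clear = application partition
        IsAppPartition = (($flags -band 0x1) -ne 0) -and (($flags -band 0x2) -eq 0)
    }
}

if (-not $lingering) {
    "No crossRef objects reference $ChildDomainDN; nothing left to clean up."
} else {
    "crossRef objects still referencing $ChildDomainDN (remove with ntdsutil 'partition management'):"
    $lingering | Format-Table -AutoSize
}
```

Run it once before the cleanup to see the DomainDnsZones partition and the domain NC listed, and again afterwards to confirm the list is empty before you re-run dcpromo.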

Problem solved!

PS - In case you're wondering, YES, I could have just used a new child domain name. But this would have left me with crap data left over from the original one, and I wanted my AD tree to stay clean.
