Chris Beams’s Blog

Active Directory and more….

Archive for June 2nd, 2009

Operations Master Role Functionality Risk Assessment

Posted by chrisbeams on June 2, 2009

Always good to have close at hand, just in case you lose a FSMO role and are unsure of the impact.

Taken from Link:
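As an added example (not from the original post, which pointed at the linked risk table), the PowerShell below enumerates every operations master role holder in the forest and checks whether each one still answers LDAP, so you know which role you have actually lost before you look up its impact. It assumes the RSAT ActiveDirectory module and an account that can read every domain in the forest.

```powershell
# Added example, not part of the original post: list every FSMO role holder in
# the forest and check that each one still answers LDAP, so you know which role
# (if any) is actually lost before consulting the risk table. Needs the RSAT
# ActiveDirectory module and a forest-wide readable account.
Import-Module ActiveDirectory

function Test-DcResponds {
    param([string]$HostName)
    try {
        # RootDSE is readable on every DC; a reply means the LDAP service is up.
        $null = Get-ADRootDSE -Server $HostName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-FsmoStatus {
    $forest = Get-ADForest
    $roles  = @()
    # Forest-wide roles: one holder each, regardless of how many domains exist.
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: three per domain.
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $d.$role }
        }
    }
    foreach ($r in $roles) {
        # Tag each holder with a live reachability check and emit it.
        $r | Add-Member -MemberType NoteProperty -Name Responds -Value (Test-DcResponds $r.Holder) -PassThru
    }
}

Get-FsmoStatus | Format-Table Scope, Role, Holder, Responds -AutoSize
```

A holder that shows Responds = False is the role to look up in the table; a holder name that is not a DC you recognise is a sign the role was never transferred off a decommissioned server.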

Posted in Active Directory

Active Directory – Remove a Domain Using NTDSUTIL

Posted by chrisbeams on June 2, 2009

So say for some reason you want to remove a domain from Active Directory that no longer exists (its domain controllers are gone, but the domain is still listed in the forest)… how do you do it?

As always with metadata cleanups, NTDSUTIL is your friend.

To remove the domain you need to remove the following using NTDSUTIL:
1. All domain controllers for the domain you want to remove.
2. All naming contexts for the domain you want to remove.

You can then remove the actual domain itself. It is important to remember when removing the naming contexts that there will be more than one. Besides the domain partition itself (DC=domain,DC=net) there is, for example:
DC=DomainDnsZones,DC=domain,DC=net   It's the DNS zone application partition that people tend to forget!!

If you get an error about leaf objects you haven't removed all the naming contexts. You also need to ensure you are connected to the Domain Naming Master to perform the actual domain removal, since that role holder is the only DC that will add or remove a domain's crossRef (partition) object.

Please ensure you are 100% certain you want to do the below, and don't do it in a production environment without testing first.
Below are the steps for the end-to-end process.
With NTDSUTIL all of the commands can be abbreviated as long as they are unique; I have put some of the abbreviations in brackets next to the full command.
First of all, connect to the Domain Naming Master.

Connect using NTDSUTIL
Start NTDSUTIL from a command prompt, then:
1. Metadata Cleanup (M C for short)
2. Connections
3. Connect to server <Server> (the Domain Naming FSMO holder for your forest)
4. Quit (Q) (leaves the Connections menu; the connection stays open)

Remove the domain controllers
First of all, remove any domain controllers from the domain you wish to remove.
Select the objects to operate on using Select Operations Target (S O T for short):
1. Select Operations Target
2. List Domains
3. Select Domain <number> (the domain you wish to remove)
4. List Sites
5. Select Site <number> (the site which contains the first, or only, domain controller you wish to remove)
6. List Servers in Site
7. Select Server <number> (the domain controller you want to remove)
Then quit back to the Metadata Cleanup menu and remove it:
8. Quit
9. Remove Selected Server
10. Select Yes on the pop-up window
11. Select Yes on the next pop-up window
12. You will get back a message saying the domain controller has been removed.

Remove the naming contexts
Then you need to remove the naming contexts for the domain you wish to remove. Move back into Select Operations Target to pick the naming context:
1. Select Operations Target (S O T)
2. List Naming Contexts
3. Select Naming Context <number>
Then quit back to the Metadata Cleanup menu and remove it:
4. Quit
5. Remove Selected Naming Context
6. Select Yes to remove the naming context
7. You will get back a message saying the naming context has been removed.

Repeat the above steps for all domain controllers and naming contexts for the domain you wish to remove.

Remove the domain
Next you need to remove the domain itself, with the domain still selected as the operations target. !! PLEASE TAKE NOTE OF THE MESSAGE NTDSUTIL SHOWS BEFORE IT REMOVES THE DOMAIN !!
1. Remove Selected Domain

And that's it.. should be all gone..
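As an added example, not from the original post, the PowerShell script below inventories what a dead domain still leaves behind in the forest (its crossRef/naming-context objects, including DomainDnsZones, and the NTDS Settings objects of its domain controllers) and tells you which DC is the Domain Naming Master to point NTDSUTIL at. Run it before the cleanup to build the list of things to remove and again afterwards to confirm nothing is left. It assumes the RSAT ActiveDirectory module; the domain DN DC=old,DC=domain,DC=net is a hypothetical placeholder.

```powershell
# Added example, not part of the original post: inventory what a dead domain
# still leaves behind before (and after) the NTDSUTIL metadata cleanup, and
# report which DC holds the Domain Naming Master role. Needs the RSAT
# ActiveDirectory module. Nothing here removes anything.
param(
    [string]$DomainDn = 'DC=old,DC=domain,DC=net'   # hypothetical dead domain; pass your own
)
Import-Module ActiveDirectory

# systemFlags bit set on a domain's crossRef, clear on application partitions
# such as DomainDnsZones.
$FLAG_CR_NTDS_DOMAIN = 0x2

function Get-DeadDomainLeftovers {
    param([string]$DomainDn)
    $rootDse  = Get-ADRootDSE
    $configNc = $rootDse.configurationNamingContext

    # 1. Naming contexts the domain owns: its own crossRef plus any application
    #    partition rooted under it (DomainDnsZones is the one people forget).
    #    Child domains also sit under the DN but carry the domain flag, so they
    #    are excluded; they must be removed as domains in their own right.
    $crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNc" `
        -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot, systemFlags |
        Where-Object {
            $_.nCName -eq $DomainDn -or
            ($_.nCName -like "*,$DomainDn" -and -not ($_.systemFlags -band $FLAG_CR_NTDS_DOMAIN))
        }

    # 2. Domain controllers: every NTDS Settings object that says it hosts this domain NC.
    $ntdsDsa = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter "(&(objectClass=nTDSDSA)(msDS-HasDomainNCs=$DomainDn))"

    [pscustomobject]@{
        DomainNamingMaster = (Get-ADForest).DomainNamingMaster
        NamingContexts     = @($crossRefs | ForEach-Object { $_.nCName })
        # The server object is the parent of "CN=NTDS Settings,...", and is what
        # "remove selected server" takes as its argument on 2008 and later.
        ServerDns          = @($ntdsDsa | ForEach-Object { $_.DistinguishedName -replace '^CN=NTDS Settings,', '' })
    }
}

$left = Get-DeadDomainLeftovers -DomainDn $DomainDn
$left | Format-List

"Connect NTDSUTIL to the Domain Naming Master: $($left.DomainNamingMaster)"
# Print, do not run: review each line before you paste it into a prompt.
foreach ($dn in $left.ServerDns) {
    "ntdsutil `"metadata cleanup`" `"remove selected server $dn`" quit quit"
}
```

On Windows Server 2008 and later NTDSUTIL accepts the server DN directly, so the printed remove selected server lines can be pasted as they are; naming contexts and the domain are still picked by number from Select Operations Target as in the steps above. When the script returns empty NamingContexts and ServerDns lists after the cleanup, the leaf-objects error should not appear on Remove Selected Domain.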

Posted in Active Directory

Exchange 2007 Schema – Issues

Posted by chrisbeams on June 2, 2009

As I mentioned recently, I did the Exchange 2007 schema change. What a change it is!!:
1. Numerous new indexes
2. Pwd-Last-Set added to the GC
3. Plenty of ACEs added
4. New groups created

It's not to be taken lightly and needs plenty of testing.

Issues I had.

Adding Domain Group to "Exchange Servers"
When running Domain Prep a new group is created in the domain which must then be added to the group "Exchange Servers". If you have a distributed multi-domain forest the script does not take replication into account: it tries to add the group before it has replicated round. This causes the script to bomb out, and you can either add the group manually or rerun the script after waiting at least 15 minutes (for inter-site replication).

Adding Legacy ACEs – setup /pl
This is a strange one. Again in a multi-domain forest, when you run the legacy permissions step it does not always ACL everything with the correct group. I have now seen twice where it adds a group from another domain to the ACL and not the group from the domain it should. You get no error, but when you look at the ACLs through the GUI you will see one or maybe two are missing. This is also shown in the log files: search for the GUIDs of the groups it is ACLing and make sure you have one for each domain you are running the tool against. I have seen it fail to ACL the Configuration container and the root of the domain NC. The groups that were added incorrectly were the "Exchange Enterprise Servers" group and the "Exchange Domain Servers" group, so just check you see these groups in the logs correctly. What we had was another domain's group being ACLed twice (or trying to be) and another domain being missed.

GC Traffic
Another one to look out for. The schema change makes the pwdLastSet attribute part of the partial attribute set, which basically means it is in the GC. Again, if you have a lot of domains and a globally distributed environment this is going to cause a lot of traffic (assuming all DCs are GCs), since every GC has to pull the new attribute for every object in every other domain. A lot of other attributes are also added; check out the links below for a full list.
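As an added example, not from the original post, the PowerShell below does two of the checks described above: for each domain in the forest it reads the ACLs on that domain's root and on the Configuration container and counts the ACEs granted to that domain's own Exchange Enterprise Servers and Exchange Domain Servers groups (a zero where you expected an entry is the missing ACE from the setup /pl issue), and it dumps the current partial attribute set so you can diff it before and after the schema update to see exactly what the GC traffic paragraph is about. It assumes the RSAT ActiveDirectory module and the group names as the post gives them.

```powershell
# Added example, not part of the original post: verify the legacy Exchange ACEs
# per domain and snapshot the partial attribute set. Needs the RSAT
# ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

# Group names as given in the post; both exist once per domain.
$LegacyGroups = 'Exchange Enterprise Servers', 'Exchange Domain Servers'

function Get-LegacyExchangeAces {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($groupName in $LegacyGroups) {
            # Resolve the group in its own domain so we match that domain's SID,
            # not a same-named group from elsewhere in the forest.
            $group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $domainName
            if (-not $group) {
                [pscustomobject]@{ Domain = $domainName; Group = $groupName; Container = '-'; AceCount = 'group missing' }
                continue
            }
            $account = "$($domain.NetBIOSName)\$($group.SamAccountName)"
            foreach ($container in @($domain.DistinguishedName, $configNc)) {
                # Read the security descriptor from a DC of this domain; the
                # Configuration NC is replicated to every DC, so both resolve there.
                $sd = (Get-ADObject -Identity $container -Server $domainName -Properties nTSecurityDescriptor).nTSecurityDescriptor
                # ACEs come back as NTAccount when resolvable, otherwise as a raw SID; match either.
                $aces = @($sd.Access | Where-Object {
                    $_.IdentityReference.Value -eq $account -or
                    $_.IdentityReference.Value -eq $group.SID.Value
                })
                [pscustomobject]@{ Domain = $domainName; Group = $group.Name; Container = $container; AceCount = $aces.Count }
            }
        }
    }
}

function Get-PartialAttributeSet {
    # Attributes flagged for the GC; pwdLastSet joins this list after the Exchange 2007 update.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        ForEach-Object { $_.lDAPDisplayName } | Sort-Object
}

# A zero in AceCount for a domain's own group is the "missing ACE" the post describes.
Get-LegacyExchangeAces | Format-Table -AutoSize
# Save this before and after the schema update and diff the two files.
Get-PartialAttributeSet | Set-Content -Path "pas-$(Get-Date -Format yyyyMMdd).txt"
```

The ACE table only reports what is present; compare it against the entries setup /pl logged for each domain rather than assuming every container should carry every domain's group.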


Exchange 2007 Schema Changes

The SP1 Schema change is a lot smaller and therefore a lot less painful 🙂

Exchange 2007 Sp1 Schema Changes



Posted in Active Directory