{"id":259,"date":"2014-08-15T15:17:26","date_gmt":"2014-08-15T19:17:26","guid":{"rendered":"http:\/\/adsecurity.org\/?p=259"},"modified":"2014-09-16T21:43:05","modified_gmt":"2014-09-17T01:43:05","slug":"removing-an-orphan-inactive-active-directory-domain","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=259","title":{"rendered":"Removing an Orphan (inactive) Active Directory Domain"},"content":{"rendered":"<p><strong>Removing an Orphan (inactive) Active Directory Domain<\/strong><\/p>\n<p>One of my customers has a forest with several domains, one of which hasn\u2019t been used in a while (call it domain \u201cRedShirt\u201d). The 2 Domain Controllers in the domain, \u201cRedShirt\u201d both tombstoned. Yes, I know, how does that happen? ALWAYS monitor your environment. Since the domain hasn\u2019t been used in a while, it was decided to clean up the domain (remove it).\u00a0 However, with both DCs tombstoned, one can\u2019t just DCPromo down a domain DC and select \u201clast DC in the domain\u201d.<\/p>\n<p>Microsoft provided information on how to \u201cmetadata cleanup\u201d the dead \u201cRedShirt\u201d domain, though the process was not performed 100% properly (always connect to the Domain Naming Master for this process). 
This process is documented in KB 230306\u00a0 (<a href=\"http:\/\/support.microsoft.com\/kb\/230306\">How to remove orphaned domains from Active Directory<\/a>); however, this doesn\u2019t work on a 2008 R2 DC.<\/p>\n<p>Confirm the domain is still listed in the forest by listing the Naming Contexts using PowerShell:<\/p>\n<p><em>Import-Module activedirectory ; (Get-ADRootDSE).namingContexts\u00a0<\/em><\/p>\n<p>Here\u2019s the correct process to clean up an orphan domain on a 2008 R2 Domain Controller:<\/p>\n<ol>\n<li>Log on to the Domain Naming Master for the forest<\/li>\n<li>Open a command prompt as Administrator<\/li>\n<li>run ntdsutil<\/li>\n<li>activate instance ntds<\/li>\n<li>partition management<\/li>\n<li>connections<\/li>\n<li>connect to server &lt;DOMAIN NAMING MASTER&gt;<\/li>\n<li>q<\/li>\n<li>List<\/li>\n<li>Note the number &amp; DN of the Domain DNS zone for the orphan domain (in this instance it is #6). The Domain DNS zone needs to be removed first.<\/li>\n<li>Delete NC DC=DomainDNSZones,DC=RedShirt,DC=Metcorp,DC=Org<\/li>\n<li>List<\/li>\n<li>Note the number of the Domain partition for the orphan domain (in this instance it is #5)<\/li>\n<li>Delete NC DC=RedShirt,DC=Metcorp,DC=org<\/li>\n<li>qqq<\/li>\n<li>Force replication by running \u201crepadmin \/syncall\u201d<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Removing an Orphan (inactive) Active Directory Domain One of my customers has a forest with several domains, one of which hasn\u2019t been used in a while (call it domain \u201cRedShirt\u201d). The 2 Domain Controllers in the domain, \u201cRedShirt\u201d both tombstoned. Yes, I know, how does that happen? ALWAYS monitor your environment. 
Since the domain hasn\u2019t &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=259\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[75,90,575,91,92],"class_list":["post-259","post","type-post","status-publish","format-standard","hentry","category-technical-reference","tag-active-directory","tag-domain-statistics","tag-powershell","tag-remove-orphan-domain","tag-windows-server-2008-r2","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=259"}],"version-history":[{"count":1,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/259\/revisions"}],"predecessor-version":[{"id":260,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/259\/revisions\/260"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}