Saturday, April 29, 2023

How to Remove an orphaned Windows Domain

I recently had to remove a Domain Controller and a Child Domain from a Windows Forest because my client no longer needed it. I tried using the Server Manager GUI and kept running into error after error. So I turned to ntdsutil, which I have used many, many times in the past to solve this type of issue with orphaned DCs.

First, you must remove the orphaned DCs; only then can you remove the orphaned Domain.

Process: Locate the DC that holds the Domain Naming Master role. You can find it by typing

netdom query fsmo

and then use that server to run the ntdsutil metadata cleanup commands.

How to remove DCs manually

  1. Type ntdsutil

  2. Type metadata cleanup

  3. Type connections

  4. Type connect to server "servername". This is the name of the domain controller that holds the Domain Naming Master FSMO role.

  5. Type quit. You are now in the Metadata Cleanup menu.

  6. Type select operation target

  7. Type list sites. This displays a list of the sites in the forest; each site has a number associated with it.

  8. Type select site "number". Important: make sure you select the number of the site that holds the domain to be removed.

  9. Type list domains in site, and then press Enter. A list of domains in the site is displayed, each with an associated number.

  10. Type select domain "number". Select the number associated with the domain to be removed.

  11. Type list servers for domain in site. A list of domain controllers in the domain is displayed, and each DC has an associated number.

  12. Type select server "number". Select the number that is associated with the domain controller to be removed.

  13. Type quit. The Metadata Cleanup menu is then displayed.

  14. Type remove selected server. You should now receive confirmation that the removal of the DC you selected was successful.

  15. Type quit at each menu.

Repeat the steps above for any remaining or orphaned DCs of the child domain to be removed.

How to remove a Domain manually

    1. Type ntdsutil

    2. Type metadata cleanup

    3. Type connections

    4. Type connect to server "servername". This is the name of the domain controller that holds the Domain Naming Master FSMO role.

    5. Type quit. The Metadata Cleanup menu is then displayed.

    6. Type select operation target.

    7. Type list domains. A list of the domains that belong to the forest is then displayed; each has an associated number.

    8. Type select domain "number". Important: select the number of the domain to be removed.

    9. Type quit. The Metadata Cleanup menu is then displayed.

    10. Type remove selected domain. You will receive confirmation that the removal was successful.

    11. Type quit at each menu.

After the metadata cleanup, clean up what ntdsutil does not touch:

  1. Open Active Directory Sites and Services and manually remove the domain controllers of the removed domain from their site.

  2. Open Active Directory Domains and Trusts and remove any trust relationships to the domain you deleted, if applicable.

  3. Remove all DNS entries related to the domain you removed, including any SRV records.

  4. Check for any other remnants of the DCs and domain you removed in DNS, Active Directory Sites and Services, etc.
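The final check above is easy to do by hand only once; the following PowerShell function is an added example (not part of the original post) that looks for the usual leftovers of a removed child domain: its crossRef partition entry, server objects of its DCs under Sites and Services, its own DNS zone, and stale SRV records in the forest _msdcs zone. It assumes the RSAT ActiveDirectory and DnsServer modules, a DNS server you can query, and that _msdcs is its own zone; the domain and server names are placeholders.

```powershell
# Added example, not from the original post: verify that nothing of a removed child
# domain is left behind after the ntdsutil metadata cleanup described above.
# Assumes the RSAT ActiveDirectory and DnsServer modules; names are placeholders.
function Test-RemovedDomainLeftovers {
    param(
        [Parameter(Mandatory)] [string] $RemovedDomainDns,  # e.g. 'child.phmservices.local' (placeholder)
        [Parameter(Mandatory)] [string] $DnsServer          # e.g. 'dc1.phmservices.local' (placeholder)
    )
    Import-Module ActiveDirectory
    Import-Module DnsServer

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $findings = @()

    # 1. The domain's partition entry (crossRef) should be gone after "remove selected domain".
    $crossRef = Get-ADObject -SearchBase "CN=Partitions,$configNc" `
        -LDAPFilter "(&(objectClass=crossRef)(dnsRoot=$RemovedDomainDns))" -Properties nCName
    if ($crossRef) { $findings += "crossRef still present: $($crossRef.nCName)" }

    # 2. Server objects of its DCs should be gone from Sites and Services
    #    (this is what the manual Sites and Services step above removes).
    $servers = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter "(&(objectClass=server)(dNSHostName=*.$RemovedDomainDns))" -Properties dNSHostName
    foreach ($s in $servers) { $findings += "server object still present: $($s.DistinguishedName)" }

    # 3. The removed domain's own DNS zone, if it was hosted on this DNS server.
    $zone = Get-DnsServerZone -ComputerName $DnsServer -Name $RemovedDomainDns -ErrorAction SilentlyContinue
    if ($zone) { $findings += "DNS zone still present: $($zone.ZoneName)" }

    # 4. SRV records in the forest-wide _msdcs zone that still point at the removed DCs.
    #    Assumes _msdcs is a separate zone (the default on current forests).
    $msdcsZone = "_msdcs.$((Get-ADForest).RootDomain)"
    $stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $msdcsZone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.') -like "*.$RemovedDomainDns" }
    foreach ($r in $stale) { $findings += "stale SRV record: $($r.HostName) -> $($r.RecordData.DomainName)" }

    if ($findings.Count -eq 0) { Write-Host "OK: no leftovers found for $RemovedDomainDns" }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

# Usage with placeholder names; an empty result means nothing was found.
# Test-RemovedDomainLeftovers -RemovedDomainDns 'child.phmservices.local' -DnsServer 'dc1.phmservices.local'
```

Stale DC server objects and SRV records are what keep other DCs trying to replicate with, and clients trying to authenticate against, a machine that no longer exists, so an empty result here is the real end of the procedure.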

Wednesday, April 19, 2023

How to Add UPN suffix in Microsoft Active Directory


First, what is a UPN?

The User Principal Name (UPN) suffix is part of the logon name in Active Directory. When you create a logon account, by default it uses the DNS name of your AD domain. Example: your local domain name is phmservices.local and the user you want to create is WMays; therefore the username would be wmays@phmservices.local.

However, what if you want it to be something else, like wmays@phmservices.com? You can add an alternate (second) UPN suffix.

What are some reasons you might need a second UPN suffix?

  • A future implementation of Office 365
  • The internal domain is a domainname.local and you want users to sign in with the domain.com suffix
  • New software or a software upgrade that requires the user's UPN to match the user's email address

How to Add the second UPN suffix?

Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts, and then choose Properties.

On the UPN Suffixes tab, in the Alternative UPN suffixes box, type the new UPN suffix you want, select Add, and then click OK.

Note: You can also use PowerShell.