
Removing a read-only domain controller from a domain


Active Directory is a great product, except that it doesn’t natively do housekeeping functions for you. In my home lab, I noticed that I had an obsolete domain controller enumerated in the site (running at Windows Server 2008 R2 level). It may seem risky to delete a domain controller from the Active Directory Sites And Services utility because domain controller accounts are handled differently in Active Directory.


In my example, the domain controller RODC has been decommissioned but not removed from the RWVDEV.INTRA domain (Figure A).

Figure A

The natural conclusion may be to simply delete the computer account. Active Directory associates a number of special characteristics with a domain controller. In the case of the RODC.RWVDEV.INTRA system, it was a read-only domain controller. Figure B shows the options associated with the deletion of the computer account.


Figure B



The first and second options, which reset the passwords of the computer and user accounts cached on the read-only domain controller, are a nice security feature, but they will surely create havoc if implemented on a healthy domain. If the read-only domain controller was stolen or otherwise left the control of the infrastructure teams, this is the way to go, because every cached credential must be treated as exposed.


The third option, which exports the list of the accounts cached on the domain controller, gives you a more granular view of what the system held at the time the computer account was deleted. Figure C shows the final warning message before this intrusive activity.


Figure C



In a default configuration, the read-only domain controller is also a global catalog server; there should be at least one other domain controller with the global catalog role (which should be the case anyway). Once the computer account is deleted from Active Directory Users And Computers, the domain controller should be removed from Active Directory Sites And Services. It will now be enumerated without any roles associated with it (Figure D).

Figure D

The final step is a simple right-click and delete of the obsolete domain controller in Active Directory Sites And Services. At that point, removing the read-only domain controller is complete.
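The same preparation can be scripted. The following is an added example (not from the original article) that performs the checks a practitioner would want before the deletions above: it confirms the target is really an RODC, verifies that another global catalog remains, and exports the list of accounts whose passwords were cached on the RODC (the equivalent of the third option in Figure B). A second function mirrors the first option, resetting cached user passwords, and is meant only for the stolen-RODC case; it supports -WhatIf so the scope can be reviewed first. It assumes the ActiveDirectory module from RSAT on a domain-joined admin host and uses the RODC name from the article; the function names and the export path are the example's own.

```powershell
# Added example, not part of the original article.
# Assumes: RSAT ActiveDirectory module, domain-joined admin host, an RODC named 'RODC'.
Import-Module ActiveDirectory

function Test-RodcRemovalReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RodcName,
        [string] $ExportPath = ".\$RodcName-cached-accounts.csv"   # hypothetical default path
    )

    # 1. Confirm the target is a read-only DC; the Figure B options only apply to one.
    $rodc = Get-ADDomainController -Identity $RodcName -ErrorAction Stop
    if (-not $rodc.IsReadOnly) {
        throw "$RodcName is a writable domain controller; this check only covers RODC removal."
    }

    # 2. At least one other global catalog must remain, or forest-wide lookups will fail.
    $otherGcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $_.HostName -ne $rodc.HostName }
    if (-not $otherGcs) {
        throw "No other global catalog server found; do not remove $RodcName yet."
    }

    # 3. Export the accounts whose secrets were cached ('revealed') on the RODC.
    #    This is the scripted form of the third option in Figure B.
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    $cached | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName |
        Export-Csv -Path $ExportPath -NoTypeInformation

    [pscustomobject]@{
        Rodc               = $rodc.HostName
        Site               = $rodc.Site
        RemainingGcs       = @($otherGcs.HostName)
        CachedAccountCount = @($cached).Count
        ExportPath         = (Resolve-Path $ExportPath).Path
    }
}

function Reset-RodcCachedUserPasswords {
    # Scripted form of the first option in Figure B. Use only if the RODC was stolen or
    # otherwise left your control; on a healthy domain this locks every cached user out.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $RodcName)

    $users = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $_.ObjectClass -eq 'user' }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password cached on lost RODC')) {
            # Random throwaway password; the user must set a new one through the helpdesk process.
            $bytes = New-Object byte[] 24
            $rng.GetBytes($bytes)
            $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
            Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $newPw
            Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}

# Usage: run the readiness check, review the CSV, then delete the computer account in
# Active Directory Users And Computers and the server object in Sites And Services as shown above.
Test-RodcRemovalReadiness -RodcName 'RODC'
# Only for a lost RODC; preview the affected accounts first:
# Reset-RodcCachedUserPasswords -RodcName 'RODC' -WhatIf
```

The export is worth keeping even when nothing is reset: it is the only record of which credentials were ever cached on that RODC, and the reveal list disappears with the computer account.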


Did you try the read-only domain controller and back it out? If so, share your comments about the experience.





