I'm trying to upgrade the domain functional level of a legacy network that's still on Windows Server 2012, and I'm using a new Domain Controller that's running Windows Server 2022. I removed several old Domain Controllers that were last running on 2012 from the Domain Controllers container in Active Directory Users and Computers (ADUC), but I'm still facing issues. It seems that even after removal, two of these old Domain Controllers are still being detected when I try to raise the functional level in Active Directory Domains and Trusts (ADDT).
According to the log, these old DCs keep reappearing, despite my attempts to clean everything up. I even went through the DNS records to ensure I removed references to them and tried using ntdsutil for metadata cleanup, just in case. I also did a global search in Active Directory Administrative Center (ADAC) for the old server names but found them still listed in the Domain Controllers container.
When I delete them again, I don't get any error messages, but they just come back after refreshing the container. I really need some advice on how to get rid of these stubborn old Domain Controllers once and for all!
4 Answers
I've had to deal with the aftermath of forced DC removals before, especially during upgrades. Definitely double-check all DNS entries to ensure they're completely gone. Sometimes they hide in the name server settings for each zone. That was where I found my old DCs popping back up after I thought I removed them!
Just a heads up, if an old DC has been desynchronized for too long, it can lead to issues with labelling and replication. In some cases, a full rebuild from scratch may become necessary. I had to do that once because the tombstones ran out. So, make sure you're monitoring any significant log events as well.
First, make sure you've seized any FSMO roles from the old Domain Controllers. You can check in Active Directory Sites and Services to see if they're still listed. When I dealt with a similar issue, ensuring that all roles were transferred made a huge difference. If they still show up there, that could explain why they're reappearing.
Good point! I'll check that out and see if those roles are still lingering around.
Make sure you're demoting the DCs properly before removing them from the domain. That usually helps a lot! After you demote them, allow the changes to replicate and verify through ADUC that everything is in sync. Also, don’t forget to clean up the DNS entries after the removal.

Exactly! It can be tricky if you don’t check those roles. I ran into a similar issue once and had to follow Microsoft's guide on transferring FSMO roles to fully remove the old DCs.
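Pulling the checks from these answers together (the per-zone NS records from the first answer, the FSMO roles and Sites and Services objects from the second, and the Domain Controllers container from the question), here is an added PowerShell diagnostic that is not from any of the posters. It only reads; it reports every place an old DC name is still referenced so the cleanup can be done with the supported tools. It assumes the ActiveDirectory and DnsServer RSAT modules, a Domain Admin session on a current DC that also hosts DNS, and the placeholder hostnames OLDDC01 and OLDDC02, which are constructed for this example.

```powershell
# Added diagnostic example, not from the thread. Assumes the ActiveDirectory and
# DnsServer RSAT modules and a Domain Admin session on a DNS-hosting DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-LingeringDc {
    param(
        # Short hostnames of the removed DCs. The defaults are constructed placeholders.
        [string[]] $OldDcNames = @('OLDDC01', 'OLDDC02')
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $cfgNc    = (Get-ADRootDSE).configurationNamingContext

    # FSMO role holders are reported as FQDNs, so collect them once.
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    # Forward zones only, skipping the auto-created ones (localhost etc.).
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }

    foreach ($name in $OldDcNames) {
        # 1. Computer object still in the Domain Controllers container (what ADUC/ADAC show).
        $comp = Get-ADComputer -LDAPFilter "(name=$name)" -SearchBase $domain.DomainControllersContainer
        if ($comp) { $findings.Add("Computer object still present: $($comp.DistinguishedName)") }

        # 2. Server / NTDS Settings objects under CN=Sites in the Configuration partition
        #    (what Sites and Services shows). Deleting the computer account does not remove
        #    these; ntdsutil metadata cleanup is the supported way to do it.
        $servers = Get-ADObject -LDAPFilter "(&(objectClass=server)(name=$name))" -SearchBase "CN=Sites,$cfgNc"
        foreach ($srv in $servers) {
            $findings.Add("Server object still present: $($srv.DistinguishedName)")
            $ntds = Get-ADObject -LDAPFilter "(objectClass=nTDSDSA)" -SearchBase $srv.DistinguishedName
            if ($ntds) { $findings.Add("NTDS Settings still present under $($srv.DistinguishedName)") }
        }

        # 3. FSMO roles still pointing at the old DC.
        foreach ($role in $roles.Keys) {
            if ($roles[$role] -like "$name.*") { $findings.Add("$role is still held by $($roles[$role])") }
        }

        # 4. NS records in every forward zone, including _msdcs and any delegations.
        #    RecordData.NameServer carries a trailing dot, so match on the prefix.
        foreach ($zone in $zones) {
            $ns = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType NS -ErrorAction SilentlyContinue |
                  Where-Object { $_.RecordData.NameServer -like "$name.*" }
            foreach ($rec in $ns) {
                $findings.Add("NS record in zone $($zone.ZoneName) still points to $($rec.RecordData.NameServer)")
            }
        }

        # 5. Inbound replication metadata on this DC that still names the old partner.
        $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue |
                    Where-Object { $_.Partner -like "*CN=$name,*" }
        foreach ($p in $partners) {
            $findings.Add("Replication partner metadata for partition $($p.Partition) still names $name")
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('No references to the listed DC names were found.') }
    return $findings
}

# Usage: run on the new DC and read the report before touching anything.
Test-LingeringDc -OldDcNames 'OLDDC01', 'OLDDC02'
```

Each line of the report names the partition or zone that still holds a reference, which tells you which tool to use next: the Configuration partition entries are what ntdsutil metadata cleanup and Sites and Services remove, the NS records are cleared per zone in the DNS console or with Remove-DnsServerResourceRecord, and a role still held by an old name has to be seized on a live DC.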