Archived from groups: microsoft.public.win2000.active_directory (
More info?)
Thanks guys,
It worked. I tried to use ADSIEDIT to remove the reference in the place
that was suggested in the Domain NC | System | object of class
trustedDomain, but I couldn't find it. So I used the metadata cleanup
function of ntdsutil and found the domain object and deleted it. As soon as
I did that, all of the computers automatically were updated. I appreciate
all of the help and suggestions.
-John
"Herb Martin" <news@LearnQuick.com> wrote in message
news:OScq$wc6EHA.3908@TK2MSFTNGP12.phx.gbl...
> "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> news:OGhPRna6EHA.3856@tk2msftngp13.phx.gbl...
> > > > Is there something else that I can do to remove it? Do I
> > > > just take the setting out of the registry, or is there something
more?
> > >
> > > What setting?
> >
> > I found a setting in the registry that contains the domains listed at
the
> > logon screen. If I deleted that, I'm assuming that that would solve
this.
> > The only problem that I see with that is that I would have to delete
that
> > value on all of the computers in the network. I'm hoping to find a way
to
> > get the DC's to tell all of the computers.
>
> I don't think you can hurt anything by removing that
> REMOVED domain -- but like all of the MS KBs
> on the registry, I warn you to first backup (maybe
> it's time for a System State backup anyway).
>
> I would also just write down the key and value so
> that I could type it back in.
>
> Chances are it will just come back if the domain is
> still known to the DCs.
>
> > > Have you removed the trust from Domains and Trusts
> > > or however you created it...?
> >
> > Yes and no. The trust is broken, but it is still listed. I cleaned up
> and
> > removed all of the stuff in AD, but in Domains and Trusts I can't delete
> the
> > icon for the formerly trusted domain. When I right-click it there is no
> > delete option. I'm not sure, after going through the whole removal
> process,
> > how to get that deleted. Any ideas would be greatly appreciated.
>
> You might look to see if there is a Trust delete procedure
> for NTDSUtil (or ADSIEdit) -- I do not personally know
> of one.
>
> > Thanks again. Merry Christmas.
> > -John
>
>
> --
> Herb Martin
>
>
> >
> >
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:ObERzSS6EHA.2196@TK2MSFTNGP14.phx.gbl...
> > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > news:eWMIlaR6EHA.2592@TK2MSFTNGP09.phx.gbl...
> > > > I went in and changed the DNS settings to what you instructed. We
> have
> > > two
> > > > DC's doing DNS and the forward lookup zones for our domain were both
> > doing
> > > > dynamic update. The reverse lookup zones were not doing it for our
> > subnet
> > > > so I set it to do so.
> > >
> > > Good, doing that for the reverse zones is fine but it
> > > was not likely to have causing you any troubles --
> > > reverse zones are nearly as important as many people
> > > seem to think.
> > >
> > > > I made the setting to both DC's and it appears that
> > > > they both show the change as being made, although I'm not exactly
sure
> > on
> > > > how to verify that other than looking in the DNS mmc on each
computer.
> > I
> > >
> > > Dynamic? Just watch to see if new records appear...or
> > > get corrected or just make sure that nothing you need is
> > > missing.
> > >
> > > > then set the workstations and servers to use only those two DC's for
> DNS
> > > and
> > > > verified that they are set that way through ipconfig. I restarted
> > > netlogon
> > > > on the two DC's. The name of the removed domain is still listed at
> the
> > > > logon screen.
> > >
> > > Those domains may still be listed in the trusts.
> > >
> > > The reason for fixing the DNS was to make sure the
> > > DCs replicated AND to make sure the clients authenticate,
> > > rather than to fix the problem directly.
> > >
> > > > Is there something else that I can do to remove it? Do I
> > > > just take the setting out of the registry, or is there something
more?
> > >
> > > What setting?
> > >
> > > Have you removed the trust from Domains and Trusts
> > > or however you created it...?
> > >
> > > > Thanks for your patience and your help. And also, thanks for the
info
> > > about
> > > > GINA.
> > >
> > > Sure.
> > >
> > > --
> > > Herb Martin
> > >
> > >
> > > >
> > > > -John
> > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > news:ewu9vIJ6EHA.1404@TK2MSFTNGP11.phx.gbl...
> > > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > > news:eGy$JwI6EHA.2584@TK2MSFTNGP10.phx.gbl...
> > > > > > Thanks again for the info. That helped out because just to
check
> on
> > > the
> > > > > > authentication, I unplugged my PC from the ethernet port and
> > attempted
> > > > to
> > > > > > sign on to the domain. It signed on without a problem which
tells
> > me
> > > > that
> > > > > > it is caching the info and not refreshing it. How do fix this?
> > > > >
> > > > > That part is normal. It is so a machine can log you
> > > > > onto (your own) machine when it travels or the net
> > > > > is down (e.g., a laptop.)
> > > > >
> > > > > > Is it a
> > > > > > setting in GP? The DC's are both replicating properly and the
DNS
> > > > records
> > > > > > are cleaned of the old domain. I just can't get that stupid
> domain
> > to
> > > > not
> > > > > > be listed on the logon screen.
> > > > >
> > > > > You can change the number of cached logons but let's
> > > > > fix the real problem first.
> > > > >
> > > > > It's probably a DNS issue:
> > > > >
> > > > > DNS for AD
> > > > > 1) Dynamic for the zone supporting AD
> > > > > 2) All internal DNS clients NIC\IP properties must specify
> SOLELY
> > > > > that internal, dynamic DNS server (set.)
> > > > > 3) DCs and even DNS servers are DNS clients too -- see #2
> > > > >
> > > > > Restart NetLogon on any DC if you change any of the above that
> > > > > affects a DC and/or use:
> > > > >
> > > > > nltest /dsregdns /server
C-ServerNameGoesHere
> > > > >
> > > > > Ensure that DNS zones/domains are fully replicated to all DNS
> > > > > servers for that (internal) zone/domain.
> > > > >
> > > > > > About the GINA--could you either explain that a little more or
> refer
> > > me
> > > > to
> > > > > > an article that explains it? I've never heard about it, and I'm
> > > always
> > > > > open
> > > > > > to learning new stuff.
> > > > >
> > > > > It's not usually imporatant -- I just happen to have worked
> > > > > with the signon source code, writing and advising on the
> > > > > writing of a custom GINA: Graphical Identification 'n
> > > > > Authentication.
> > > > >
> > > > > You can search for something like this through Google:
> > > > >
> > > > > [ msgina microsoft: ]
> > > > > or
> > > > > [ msgina site:microsoft.com ]
> > > > > or
> > > > > [ msgina site:msdn.microsoft.com ]
> > > > >
> > > > >
> > > > > --
> > > > > Herb Martin
> > > > >
> > > > >
> > > > > > Thanks!
> > > > > > -John
> > > > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > > > news:uURM8585EHA.2876@TK2MSFTNGP12.phx.gbl...
> > > > > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > > > > news:O7#tol75EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > > > > > > Thanks for the response. I appreciate the help.
> > > > > > > > A couple of questions--
> > > > > > > > How long should it take to remove itself from the list?
It's
> > been
> > > a
> > > > > few
> > > > > > > > days and it's still there?
> > > > > > > > What is an external trust?
> > > > > > >
> > > > > > > Generally it should remove on the next boot after
> > > > > > > replication of the DCs.
> > > > > > >
> > > > > > > Once the DCs don't know about the trust (it is removed)
> > > > > > > and the machine rebuilds (re-queries) from the DCs this
> > > > > > > should go.
> > > > > > >
> > > > > > > One must wonder if your DCs are replicating and if the
> > > > > > > machines are properly authenticating with (a replicated)
> > > > > > > DC.
> > > > > > >
> > > > > > > PT mentioned WINS issues but that is generally only
> > > > > > > an issue for domains and servers continuing to show
> > > > > > > up in the BROWSE lists.
> > > > > > >
> > > > > > > (The code in the GINA which builds the logon list of
> > > > > > > domains does not use directly -- except may to find
> > > > > > > it's own DC. GINA==logon screen)
> > > > > > >
> > > > > > > The machines do however remember that list (I believe)
> > > > > > > between boots, in case they are offline, and so it can
> > > > > > > survive reboots if the machine is not authenticating.
> > > > > > >
> > > > > > > Most authentication problems are really DNS issues
> > > > > > > in Win2000+ Domains:
> > > > > > >
> > > > > > > DNS for AD
> > > > > > > 1) Dynamic for the zone supporting AD
> > > > > > > 2) All internal DNS clients NIC\IP properties must specify
> > > SOLELY
> > > > > > > that internal, dynamic DNS server (set.)
> > > > > > > 3) DCs and even DNS servers are DNS clients too -- see #2
> > > > > > >
> > > > > > > Restart NetLogon on any DC if you change any of the above that
> > > > > > > affects a DC and/or use:
> > > > > > >
> > > > > > > nltest /dsregdns /server
C-ServerNameGoesHere
> > > > > > >
> > > > > > > Ensure that DNS zones/domains are fully replicated to all DNS
> > > > > > > servers for that (internal) zone/domain.
> > > > > > >
> > > > > > > --
> > > > > > > Herb Martin
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > Thank you
> > > > > > > > -John
> > > > > > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > > > > > news:#PTT0O75EHA.1120@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > "John Rosenlof" <greyseal96@hotmail.com> wrote in message
> > > > > > > > > news:e7wJ7g55EHA.2124@TK2MSFTNGP15.phx.gbl...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > As per the advice that I got here, I followed what KB
> 216498
> > > > said
> > > > > > and
> > > > > > > I
> > > > > > > > > > successfully removed a domain from Active Directory.
The
> > > domain
> > > > > > that
> > > > > > > > was
> > > > > > > > > > removed was had a trust relationship with our current
> > > > (surviving)
> > > > > > > domain
> > > > > > > > > and
> > > > > > > > > > consequently at the logon screen of the computers it was
> > > listed
> > > > as
> > > > > > an
> > > > > > > > > > available domain to log onto. My question has a couple
of
> > > > > > parts---1)
> > > > > > > > Now
> > > > > > > > > > that I've removed the trust and the computer metadata
from
> > AD,
> > > > > will
> > > > > > > that
> > > > > > > > > > disappear on the workstations, or do I have to manually
> > remove
> > > > it
> > > > > as
> > > > > > > > well?
> > > > > > > > > > and 2) We want to rejoin the computer that was removed
and
> > we
> > > > want
> > > > > > to
> > > > > > > > keep
> > > > > > > > > > the same domain and computer name. Will this cause any
> > > problems
> > > > > if
> > > > > > > that
> > > > > > > > > > domain is still listed on the workstations before it is
> > > > rejoined?
> > > > > > > > >
> > > > > > > > > It should disappear after the domain and it's trust are
> gone,
> > > > > > > > > replicated etc.
> > > > > > > > >
> > > > > > > > > IF this was an external trust you should also deleted this
> > > > > > > > > from the machine domain.
> > > > > > > > >
> > > > > > > > > > Thank you in advance for any help that can be given, and
> let
> > > me
> > > > > know
> > > > > > > if
> > > > > > > > I
> > > > > > > > > > outlined our problem clearly.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Herb Martin
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -John
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Facebook
Twitter
Instagram