The Dcpromo process always contacts the DC available in its own site
first. If there is no DC in its own site then a DC from the nearest site is
contacted. You can check the Dcpromo process and see which DC it
contacted during the promotion by opening the DCPROMO.LOG file
found at %SystemRoot%\Debug folder. The log file will contain the
following lines for the source DC:
Don't just go ahead with D4/D2. D4/D2 should be the last resort, except
in the following cases:
For troubleshooting FRS, and for when you need to use D4/D2, please check
the following Knowledge Base article on the Microsoft site:
technet.microsoft.com/en-us/library/Bb727056.aspx
The Primary Member is used by all the domain controllers to sync the
SYSVOL Replica Set. The first DC in a domain is always the FRS Primary
Member. This is useful when you want to perform a D4 operation on
SYSVOL Replica Set.
Steps:
• Log on to a DC.
• Use ADSIEdit.msc snap-in
• Navigate to the following location:
The above attribute holds the name of the DC on which FRS was initially
started and which created the SYSVOL folder. If you ever encounter a
problem and want to initiate a D4/D2 operation on the SYSVOL Replica
Set, always use this DC as the Primary DC for D4 and the other Domain
Controllers as D2. When you restart FRS, the D2 DCs will sync from the
D4 DC.
Steps:
• On RootDC1, create RootDC1.txt
• On ADC2, create ADC2.txt
• On ADC3, create ADC3.txt
• On ADC4, create ADC4.txt
• Wait for at least 5 minutes
• Log on to each DC and check all the four files you created.
If all DCs have the files you created in their Netlogon share, then FRS
is working properly. If you see two or three files but not all of them
on a DC, check which DC it has not received the file from, and then
troubleshoot using the more advanced tools available on the Microsoft
site.
For example, query returns:
Clients will always try the server with the lowest priority value first.
For example, suppose you change the SRV priority of Server2 from 10 to 6.
After changing the priority, the DNS query will return the list of domain
controllers in the following order:
The SRV resource record allows administrators to use several servers for a single domain, to move
services from host to host easily, and to designate some hosts as primary servers for a service and
others as backups.
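As an added example (not code from the original article), the following Python models how a DC Locator client orders the SRV records a DNS query returns, following the rule described above plus the RFC 2782 weighted choice among records that share a priority. The three server names and their weights are constructed sample values.

```python
# Added example: SRV priority/weight ordering as a DC Locator client applies it.
# Lowest priority value is tried first; records with equal priority are ordered
# by a weighted random choice (RFC 2782). Sample records are constructed.
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    target: str    # host name, e.g. server2.example.local (constructed)
    priority: int  # lower value = preferred
    weight: int    # relative share of load among equal-priority records
    port: int = 389


def priority_tiers(records: List[SrvRecord]) -> List[List[SrvRecord]]:
    """Group records by priority; the first tier is the one tried first."""
    tiers: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        tiers.setdefault(rec.priority, []).append(rec)
    return [tiers[p] for p in sorted(tiers)]


def weighted_pick(tier: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 weighted selection inside one priority tier.
    Zero-weight records are listed first so they keep only a small chance."""
    ordered = sorted(tier, key=lambda r: r.weight != 0)  # False sorts first
    total = sum(r.weight for r in ordered)
    threshold = rng.randint(0, total)
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= threshold:
            return rec
    return ordered[-1]  # not reachable; defensive


def client_order(records: List[SrvRecord],
                 rng: Optional[random.Random] = None) -> List[str]:
    """The order in which a client will try the targets (seeded for repeatability)."""
    rng = rng if rng is not None else random.Random(0)
    order: List[str] = []
    for tier in priority_tiers(records):
        remaining = list(tier)
        while remaining:
            chosen = weighted_pick(remaining, rng)
            order.append(chosen.target)
            remaining.remove(chosen)
    return order


def set_priority(records: List[SrvRecord], target: str,
                 new_priority: int) -> List[SrvRecord]:
    """Return a copy of the record set with one target's priority changed."""
    return [replace(r, priority=new_priority) if r.target == target else r
            for r in records]


# Constructed sample: three DCs registered at the same priority (10).
BEFORE = [
    SrvRecord("server1.example.local", 10, 100),
    SrvRecord("server2.example.local", 10, 100),
    SrvRecord("server3.example.local", 10, 100),
]
# Lower Server2 from 10 to 6, as in the text: it now forms its own, preferred tier.
AFTER = set_priority(BEFORE, "server2.example.local", 6)

if __name__ == "__main__":
    print("before:", client_order(BEFORE))
    print("after: ", client_order(AFTER))
```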
wide DNS query. Instead, it uses DynamicSiteName to query the
domain controllers in that site only.
If you want your client computers to belong to a specific site each time
they log on to the domain, you should create the following registry
entry on the local computer:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\Netlogon\Parameters
Name: SiteName
Type: REG_SZ
Value: the name of the site the computer should belong to
After adding the above registry entry, the DynamicSiteName value is
ignored. The DC Locator service always uses the value stored in the
SiteName registry entry to query the domain controllers in that site.
You can view the location of all five FSMO roles by using this
command: Netdom query fsmo
Alternatively, you can replace % with %% and run the command within
a batch file:
10) Troubleshooting the Domain Controller Locator Process
DNS relies heavily upon its caching abilities both on the client and
server level. Not only is this essential for basic functionality but it also
helps to improve the performance of the protocol. The DNS client
cache (also called the DNS resolver cache) stores any query response
it receives from a DNS server in its cache.
Each DNS client also contains a static file that contains hostname-to-IP
address mappings. This file is called the Hosts file and can be found at
C:\Windows\System32\Drivers\Etc. Any entry in this file is
automatically preloaded into the DNS resolver cache.
Aside from being a supplement to standard DNS caching, the hosts file
has several other uses such as being used to block access to known
malicious servers and domains by redirecting those DNS names to
known good sites.
The DNS resolver host file is something that can also be a very
appealing target to potential malicious activity. This is seen quite often
in spyware and adware infections where known good addresses such
as www.google.com are redirected to rogue advertising servers.
How can you quickly find the global catalog servers in your domain?
Two command-line tools can be helpful here:
1. First, you can type repadmin.exe /options * and use IS_GC for
current domain options.
In order for DNS server recursion to work properly, the DNS server
needs to know where to begin looking for names in the DNS
namespace. This information is made available through root hints.
These are resource records used by the DNS service to locate servers
authoritative for the root of the DNS domain namespace tree.
By default, Windows 2003 DNS servers use a preset root hints file
stored at C:\Windows\System32\Dns\Cache.dns. This file contains a
listing of all of the addresses of the root servers in the Internet DNS
namespace. This means that if you are using the DNS server service to
resolve Internet-based DNS names, the root hints file doesn’t need to
be modified at all. However, if you are using DNS service on a private
network you can edit or replace this file with similar records that point
to your own internal DNS root servers.
It is important to note that DNS root servers should not use root hints
at all, and by default Windows Server 2003 automatically deletes the
Cache.dns file in these scenarios.
The other day an IT guy I know tried to do this but when he opened the
properties of the remote server in ADUC, there was no Delegation tab!
Why? Because he hadn't raised his domain yet to Windows Server
2003 domain functional level.
modifications had been made to the schema were…let's say…sorely
lacking.
The company wanted to know if there was some way of finding out
what differences there were between the schema of the original forest
and the schema of the new forest. After some searching around, the
consultant came up with Schema Analyzer, a tool included with ADAM
(Active Directory in Application Mode) and using this tool the company
could compare the two schemas and determine which classes and
attributes were present in the original schema that were not present in
the new schema. Then the company could use this information to
create the necessary classes and attributes in the new schema.
In order to create a trust between two domains, you need to have TCP
port 445 (the Microsoft SMB port) open on both sides. Having open
ports though (especially for SMB traffic) is an invitation to attacks by
worms and other malware, so the few ports you need to keep open the
better, right?
What's not often known though is that once the trust has been
established between the two domains, port 445 can then be closed
since the port only needs to be open during trust creation. See Domain
and Forest Trust Tools and Settings for details.
One of the strengths of the AGPM tool is how it has extended the
delegation of group policy objects. One of these features is the more
granular control over delegation. The AGPM has its own delegation
model which allows for more specific settings giving greater leverage
over delegation assignments. AGPM also allows for a new feature in the
offline editing of GPOs. This means that group policy administrators
will now have to check in and check out GPOs for editing. This not only
provides better security but also prevents multiple people from editing
the same live GPO at the same time.
Enable port exceptions for ports 53 (TCP and UDP), 88 (TCP and UDP),
123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and
636 (TCP).
time. After discussing several options, they came up with the following
solution: use the DSQUERY computer -inactive NumberOfWeeks
command to identify all machines that have not logged on to Active
Directory during the specified NumberOfWeeks.
You have to choose who will be your domain admins very carefully,
even in a multi-domain environment. That’s because there are exploits
that can enable Domain Admins to make themselves into Enterprise
Admins or even Schema Admins! And this works even if you are a
Domain Admin in a child domain! What this means is that if you need
true separation of admin powers, you need to deploy multiple forests.
That’s because the forest is the only real security boundary in Active
Directory. Domains are not true security boundaries. And this is also
reason that Microsoft has stopped promoting the idea of an empty
forest root domain where only Enterprise Admins reside, since these
exploits can enable a Domain Admin in a child domain to easily
become an Enterprise Admin and own the forest.
There are various different reasons why you might want to remove a
computer from a domain within your network. Regardless of the
reason, you have to be careful that you take notice of the group policy
being applied to the computer in order to prevent "orphaned" GPOs.
If you have ever done any work with group policy you may notice that
it sometimes takes two or three reboots of a client computer before
some policies take effect. This is pretty commonly seen with software
installation and folder redirection policies more than any other. This
delay is caused by a “feature” of Windows XP called “Fast Logon
Optimization”. This means that group policy is processed at the same
time as when the processor is performing other tasks to get the
computer booted up into a usable state.
Mitch Tulloch was lead author for the Windows Vista Resource Kit from
Microsoft Press, which is THE book for IT pros who want to deploy,
maintain and support Windows Vista in mid- and large-sized network
environments. For more information see www.mtit.com.
I don’t know about your company, but when I look at users’ desktops
they are usually covered with files, shortcuts, and other junk. Why do
they save stuff to their desktops instead of saving it in My Documents
where it belongs? Who knows…
But is there any way of preventing users from saving files on their
desktops? Yes there is: use Folder Redirection policy to redirect the
Desktop folder within a user’s profile to a read-only file share on
a network server. Note that to redirect this to a read-only share you
have to use the following redirection options: uncheck the "Move folder
contents" option and uncheck the "Set ACLs" box. As an additional benefit of
using this approach, you can also populate the initial contents of users’
desktops if you need to do so.
Disable File and Print Sharing for Microsoft Networks
Disable Client for Microsoft Networks
Disable NetBIOS over TCPIP
Well, you can’t do it using normal Group Policy settings, but you can do
it as follows: Create a batch file that contains netsh.exe commands to
perform the network configuration actions you want to perform, then
use Group Policy to deploy this batch file to client machines as a
startup script.
Want to proactively check for problems with GPOs before they start
affecting your environment? GPOs can become unlinked, corrupted,
and misbehave in various ways, so here are a few things you can do to
check them:
an unmanaged state, which might contravene your company’s security
policy.
Ever had a need to push out Group Policy settings to one client
platform but not to another? For example, say you have a mixed
Windows XP/2000 desktop computer environment and you want your
Windows XP machines to receive some policy but not your Windows
2000 machines. How can you do this?
But what if you can’t do this? What if your computer accounts are
mixed together in a single OU and need to stay that way? Well, what
you could do is to create two new security groups, one called Windows
2000 Computers and the other called Windows XP Computers. Make all
your Windows 2000 computer accounts members of the first group,
and all your Windows XP computer accounts members of the second.
Then use Group Policy security filtering to ensure that the GPO only
applies to members of one group or the other as required. See my
tutorial at http://www.windowsnetworking.com/articles_tutorials/Group-
Policy-Security-Filtering.html for more information.
The preferred solution is to delete the local user accounts from each
workstation that has them. A possible alternative is to use Group Policy
to manipulate the Log On Locally user right to prevent anyone except
domain users from logging on to desktop computers targeted by such
policy. The Log On Locally user right is found under Computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \
User Rights Assignment. But the Log On Locally approach should be
carefully tested on a test network before using it on your production
network to ensure no unpredictable effects result from implementing it
in your environment.
limit settings, and the quota logging settings. After you have
customized this GPO to your liking all that is left is to apply it to the
organizational unit of your choice.
1. Go to Start > Programs > Administrative Tools > and open the
“Active Directory Sites and Services” MMC.
2. Expand the “Sites” container in the left pane by clicking the plus
(+) to the left of it.
3. Expand the container that represents the name of the site
containing the server that needs to be synchronized.
4. Expand the “Servers” container and then expand the target
server to display the NTDS settings object.
5. Click the “NTDS Settings” option. In the right pane should now be
a list of the target server’s replication partners.
6. Right-click a connection object in the right pane and click
"Replicate Now".
38) Authoritative vs. Non-Authoritative Restoration of Active Directory
Non-Authoritative Restoration
Used most commonly when a DC fails for hardware- or software-related
reasons, this is the default Directory Services Restore Mode
selection. In this mode, the operating system restores the
domain controller’s contents from the backup. After this, the domain
controller then through replication receives all directory changes that
have been made since the backup from the other domain controllers in
the network.
Authoritative Restoration
An authoritative restore is most commonly used in cases in which a
change was made within the directory that must be reversed, such as
deleting an organizational unit by mistake. This process restores the DC
from the backup and then replicates to and overwrites all other domain
controllers in the network to match the restored DC. The especially
valuable thing about this is that you can choose to only make certain
objects within the directory authoritative. For example, if you delete an
OU by mistake you can choose to make it authoritative. This will
replicate the deleted OU back to all of the other DCs in the network
and then use all of the other information from these other DCs to
update the newly restored server back up to date.
Enterprise Domain Controllers – Read, Special Permissions
System – Read, Write, Create All Child Objects, Delete All Child
Objects, Special Permissions
One simple way to get better file server performance is to make sure
you use a separate server as your file server. In other words, don't use
your domain controller as your file server. Why, you might ask. After
all, domain controllers don't do all that much most of the time--
everyone logs on in the morning, downloads GPOs, and the DC goes
quiet, right?
Well, if you are running Windows Server 2003 then SMB signing is
turned on by default for security reasons to safeguard network
communications between client computers and DCs by protecting
against man in the middle attacks and SMB packet replay attacks. But
SMB signing also means that all packets in a TCP session that are
exchanged between clients and DCs are serialized, i.e. packet 1 must
be acknowledged as received before packet 2 is sent, and so on. And
this can have a huge impact if you try to transfer a large file between a
client and a DC.
Rather than disable SMB signing, which would expose your domain
controller to possible attack, why not migrate your file server functions
to a separate machine instead.
Why, in this age of Windows Server 2003 R2, is it *still* a good idea to
run WINS servers on your Active Directory network? Doesn't AD use
DNS for name resolution? Yes. Isn't NetBIOS obsolete? Yes. Do any
applications still use NetBIOS? Unfortunately, yes! Some of the
common apps that need WINS servers in order to run effectively are:
- Any third-party network applications that leverage the browse list to
find network resources users can attach to. You can probably track
these puppies down by monitoring activity on your WINS servers by
logging perfmon counters on them.
There is a simple way to do it: create a grp.txt file whose content is
the names of the departments, and a second file, changemembership.bat,
in the same path, containing:
dsquery computer -inactive 8 -limit 0
The DSQUERY utility comes with the Windows Server 2003 Support
Tools package (Adminpak.msi) which can be installed directly from
your Windows Server 2003 installation media or downloaded from
the Microsoft website.
Microsoft documentation on this isn't clear, but built-in local groups like
Account Operators, Server Operators, and others found in the Builtin
container of Active Directory are legacy groups that are basically only
there to maintain backward compatibility with Windows NT.
If you want to grant users rights to perform certain tasks like create
new accounts, reset passwords, and so on, avoid using these built-in
groups and use Active Directory delegation instead. Delegation gives
you greater control over which groups of users you can assign to
perform different kinds of admin-level tasks, and it's easy to use as
well, just right-click on an OU and select Delegate Control and a wizard
opens to walk you through the process.
LimitLogon is an unsupported tool and can be downloaded here from
Microsoft. There's also a FAQ on Bink.nu that explains how the tool is
used. As usual, use unsupported tools with caution and try them out in
a test environment first before using them on your production network.
Joeware has come to the rescue here with a new utility called
DNSSrvRec that you can use to create and delete SRV records easily.
You can download this utility for free from
http://www.joeware.net/win/free/tools/DNSSrvRec.htm
1. I can't add a new domain to my forest. Which FSMO role might be
down?
2. I tried running adprep /domain but it failed. Which FSMO role might
be down?
3. Some users changed their password but now they can't log on.
Which FSMO role might be down?
ANSWERS:
@echo off
SET /P usr=Please enter the username you wish to reset the password for:
net user %usr% * /DOMAIN
Once you run pwreset.bat the file prompts the staff member for the
username of the account they wish to reset. After this it prompts for
what the password should be set to, then requests the password be
typed a second time for confirmation purposes. Once this is done the
user account is updated on the domain controller and you are good to
go!
Group Policy is a great tool for managing the configurations and
security of your desktop computers, but in very large environments
there can be some performance problems with it. Specifically, let's say
you have a large company with thousands or workers and a complex
administrative structure but with only a single Active Directory domain
deployed. This means you may literally have hundreds of
organizational units (OUs) in your domain, with OUs nested within
other OUs to several levels. Then let's say you've linked Group Policy
Objects (GPOs) to most of these OUs, some perhaps with several GPOs
linked, so you can satisfy all the security requirements of your
organization.
The problem that now arises is that each GPO is stored in the SYSVOL
share of each domain controller in your domain. These GPOs can be
found at %systemroot%\sysvol\domainname\Policies\POLICYGUID
where POLICYGUID is the globally unique identifier of the GPO. Now
Group Policy has grown considerably in power and flexibility since it
was first released for Windows 2000, and that's fine but it also means
that you can now manage several thousand policy settings using it.
That means the ADM files for Group Policy have also grown, and are
now at the point where they occupy almost 2 MB of disk space. Now
these ADM files are also copied to each GPO on each domain controller
and are stored in the folder %systemroot
%\sysvol\domainname\Policies\POLICYGUID\Adm. This means that
every GPO in your domain occupies at least 2 MB of disk space in the
SYSVOL share EVEN IF there are no actual policy settings configured in
that GPO! Think of what this can mean regarding (a) disk utilization on
your domain controllers and (b) file replication of the SYSVOL share
between domain controllers.
Windows Server 2003 includes a new feature called universal group
membership caching (UGMC) to locally cache a user's membership in
universal groups on the domain controller authenticating the user. This
can be useful in branch office scenarios where you don't want to
deploy a global catalog (GC) because of the extra WAN traffic that the
GC needs to replicate with other domain controllers in the domain. The
cached membership for UGMC is then refreshed every 8 hours to keep
it up to date.
If UGMC can speed logons at remote sites then it sounds like a good
idea. But when is it better to simply deploy a GC at the remote office
instead?
4. When the branch office and headquarters both belong to the same
AD site.
If any of these is true, it's best if you simply make one of the domain
controllers at your remote office a global catalog server.
It's well-known that you should never restore a backup copy of Active
Directory older than the tombstone lifetime, which by default is 60
days. That's because after 60 days objects that have been deleted
from AD are scavenged and permanently deleted. You see, when you
delete something from AD it doesn't really get deleted, it just gets
tombstoned, i.e. marked as deleted. Such tombstones have a lifetime of
60 days and after that they're cleaned out of the directory and gone
forever.
Unless you try and restore a backup of AD that's more than 60 days
old. The problem with doing this however is that you're likely to end up
with objects that have been permanently deleted suddenly coming
alive again, sort of like zombies in that Eddie Murphy movie. In fact, if
you do have to restore AD you should use as recent a backup copy as
you possibly have i.e. a day old at most. And even that can cause a
few hiccups on a large network since computer accounts have their
passwords randomly changed every 30 days for security reasons, so if
you have a lot of computers on your network then it's very likely that
even in a span of one day a few computer accounts will change, and
these machines will need to have their computer accounts reset. The
same goes for trust relationships, which also have their passwords
changed every 30 days, so you may need to delete and re-create a
trust or two in a multi-domain environment, though that's less likely.
What most admins don't know however is that this grace period for
restores of 60 days (the tombstone lifetime) has been lengthened in
W2K3 SP1 to 180 days--but only for domains where the first DC has
been dcpromo-ed on a standalone W2K3 SP1 machine. In other words,
if you already have a domain and you upgrade your DC with SP1, the
grace period is still 60 days.
This can happen when the account you are trying to delegate to is a
member of one of the protected groups i.e. Domain Admins, Server
Operators, Backup Operators, and similar built-in groups. These groups
are themselves designed to facilitate delegation by automatically
granting certain user rights to any account that belongs to them as a
member. But the Delegation of Control Wizard works differently, and
the permission and rights assigned to an account by this wizard are
enforced once an hour by a special thread running on the PDC
Emulator, the big kahuna of domain controllers on your network. So
what happens is that if you delegate some task to Bob, and Bob is a
member of Backup Operators (either explicitly or through nesting of
some other group Bob belongs to), and if the delegation of the task to
Bob assigns permissions or rights that conflict with the implicit
permissions and rights granted to any member of Backup Operators,
then in less than an hour you're likely to see Bob's delegation revoked
and Bob unable to perform the task you delegated to him.
Watch out for this. You can avoid this problem by not using the
protected groups at all, except for the high-level ones of Enterprise,
Schema and Domain Admins. If you do choose to use the Operators
groups however, then make sure you carefully check the group
membership (explicit and nested) of a user or group before you
delegate a task to them using the Delegation of Control Wizard.
Final caveat: this tip applies to AD in Windows 2000 SP4 or later, and
Windows Server 2003.
Protected groups are special built-in groups that are used to assign
administrative rights to users. These groups include:
• Enterprise Admins
• Schema Admins
• Domain Admins
• Account Operators
• Server Operators
• Backup Operators
• Print Operators
This sounds like a great idea, but too much of a good thing can be bad
(as I know from experience from the time I ate a whole pecan pie for
dessert--I was sick afterwards). The problem is that Active Directory
keeps an eye on these groups to make sure that no-one changes the
rights they have or the permissions they have on resources. AD does
this by creating a special thread called AdminSdHolder/DsPropagator
and running this thread once each hour.
So what can go wrong with that? Well, if you have a lot of user
accounts that are members of different protected groups, then once
each hour you may see the CPU utilization on your PDC Emulator
domain controller go to 100% for a period of time as this thread does
its housekeeping work. If you see this happening, you need to either
(a) move your PDC Emulator role to a beefier machine, or (b) reduce
the number of members of your protected groups.
If you find that permissions are not working properly for a user on
some resource, it may be because of the groups the user belongs to.
Access to shared resources is usually granted to groups, not users, so
if you don't know all the groups a user belongs to, the permissions the
user has on the resource may not be what you expect.
It's not as easy as you may think to find out what groups a user
belongs to. Opening up the properties of their user account in Active
Directory Users and Computers, you can examine the Members Of tab
to try and determine this. But if your Active Directory network is
running in Windows Server 2003 domain or forest functional level,
groups can be nested within groups to any degree, and the Members
Of tab for a user only shows the immediate groups the user explicitly
belongs to, not groups he may belong to implicitly through nesting.
But there's a catch--if the user belongs to any distribution groups then
these memberships may not be displayed because whoami doesn't
show groups nested within distribution groups. And although this may
not seem an issue since permissions aren't directly assigned to
distribution groups, it can be an issue since this can hide permissions
on nested security groups. So don't nest distribution groups within
security groups as it can make group permissions troubleshooting
more difficult.
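As an added example (not the article's own code), the following Python takes a constructed snapshot of group memberships and compares what the Members Of tab shows (direct membership only) with the user's full transitive membership, then flags security groups that are reached only by passing through a distribution group, which is the nesting the text advises against because it hides memberships from tools like whoami. Group and user names are constructed.

```python
# Added example: transitive group membership versus direct membership, and
# detection of security groups reachable only through a distribution group.
# The directory snapshot below is constructed for illustration.
from collections import deque
from typing import Dict, List, Set, Tuple

# group name -> (group type, members). Members may be users or other groups.
DIRECTORY: Dict[str, Tuple[str, List[str]]] = {
    "Sales-Staff":    ("distribution", ["bob", "alice"]),
    "Sales-Share-RW": ("security",     ["Sales-Staff"]),   # nested via a distribution group
    "VPN-Users":      ("security",     ["bob"]),
    "Remote-Workers": ("security",     ["VPN-Users"]),     # nested via a security group
    "Finance-RO":     ("security",     ["alice"]),
}


def direct_groups(user: str, directory=DIRECTORY) -> Set[str]:
    """What the Members Of tab shows: groups that list the user explicitly."""
    return {g for g, (_, members) in directory.items() if user in members}


def _reach(user: str, directory, allowed_types: Set[str]) -> Set[str]:
    """Breadth-first walk up the nesting chain, entering only groups of the allowed types."""
    seen: Set[str] = set()
    queue = deque([user])
    while queue:
        node = queue.popleft()
        for g, (gtype, members) in directory.items():
            if node in members and g not in seen and gtype in allowed_types:
                seen.add(g)
                queue.append(g)
    return seen


def transitive_groups(user: str, directory=DIRECTORY) -> Set[str]:
    """Every group the user belongs to, directly or through nesting of any kind."""
    return _reach(user, directory, {"security", "distribution"})


def security_only_groups(user: str, directory=DIRECTORY) -> Set[str]:
    """Security groups reached without crossing a distribution group."""
    return _reach(user, directory, {"security"})


def hidden_security_groups(user: str, directory=DIRECTORY) -> Set[str]:
    """Security groups reachable only through a distribution group: the
    memberships a troubleshooter is most likely to overlook."""
    extra = transitive_groups(user, directory) - security_only_groups(user, directory)
    return {g for g in extra if directory[g][0] == "security"}


if __name__ == "__main__":
    for user in ("bob", "alice"):
        print(user, "direct:", sorted(direct_groups(user)))
        print(user, "transitive:", sorted(transitive_groups(user)))
        print(user, "hidden behind distribution groups:",
              sorted(hidden_security_groups(user)))
```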
You can use the Saved Queries feature of Windows Server 2003 to
query Active Directory for any locked-out accounts. Just open the
Active Directory Users and Computers console, right-click on Saved
Queries in the console tree and select New --> Query. Type a name
and description for the query, specify a query root (where in your
namespace your query begins searching), and click the Define Query
button. Since there's no default option for finding locked-out accounts
in the Common Queries box, select Custom Search instead to open the
Find Custom Search box. Then select the Advanced tab and enter the
following LDAP string in the Enter LDAP Query textbox:
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))
Update: Here's another LDAP query that finds all locked out accounts:
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\20 Group Caching
It takes about half a dozen steps to search Active Directory using the
Desktop Search Assistant on Windows XP. That's frustrating for most
users. Fortunately you can make their life easier by creating a new
shortcut on their desktops that has the following path:
%windir%\system32\rundll32.exe dsquery.dll,OpenQueryWindow
Name the new shortcut something like Search Active Directory and
you're done. Users can now open the Find Users, Contacts, and Groups
dialog by simply double-clicking on this shortcut, making it easier for
them to find resources in Active Directory.
Universal groups are a powerful feature of Active Directory in Windows
2000 or later as they can contain almost anything, including domain
users, computers, global groups, and other universal groups from both
the local domain and any other domain in the forest, and you can nest
them to any degree as well. Universal groups have their downside
however, especially on networks running Windows 2000. This is
because by default only global catalog (GC) servers contain a list of all
universal groups in the forest. So, if you're using universal groups and
you try to log on to a domain, there needs to be a GC server available
to enumerate your universal group membership before you can be
authenticated to the domain.
63) TechNet Webcast: Windows Server 2003 Active Directory Diagnostics, Troubleshooting and Recovery
This article describes how to remove the Cluster service on a Windows Server 2003-based cluster.
The files for the Cluster service are installed, by default, on computers that run either Windows
Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition. In earlier versions of
Windows, this feature had been in the Add/Remove Programs tool.
You cannot remove the Cluster service, but you can return it to an unconfigured state. To remove
the Cluster service from a failover node, follow these steps:
2. Right-click the node, and then click Stop the Cluster service.
Note: Do not perform this step if this server is the last node in the cluster.
This step returns the cluster to its original unconfigured state. You can re-add it later to the
To remove the cluster service from the last node, follow these steps:
Note: The Cluster service must be running if the cluster was configured to use the "Enable
3. Delete the computer object (network name) from Active Directory, and replicate for
If you cannot start the Cluster service, or if you have trouble removing the node, you can manually
2. At the command prompt, type cluster node nodename /forcecleanup, and then press ENTER.
Note: If the Cluster service does not exist in the registry, the command does not respond.
To create a placeholder, type the following line at the command line, and then press ENTER:
sc create clussvc