Subject: [ActiveDir] Scan AD Database

hboogz
06/24/2009 7:51 PM  
I just demoted a child domain successfully using DCPROMO. However, I'd like
to scan through the AD Database and verify there aren't any remaining remnants
of this child domain. I'm running Windows 2003 R2 across my DCs and I'm now
running a SDSF. I'm thinking this is an adfind query, but I'm open to any
suggestions.

Thanks all.

BrettSh
06/24/2009 9:18 PM  
Are you worried about actual secret data (like password hashes and keys) being scrubbed or just that the structure of your directory infrastructure is right?

If the latter … then once the cross-Ref (in CN=Configuration,CN=Partitions) is deleted, it’s very gone. So much internal AD code depends upon the cross-Ref. After that is done, do a query to see if any nTDSDSA objects (in CN=Configuration,CN=Sites IIRC) have it as a master or partial NC (the partial NCs may take a while to clear out) … don’t remember the specific attribute names, sorry. Once those two pieces are gone, I would not worry about it. My 2c. Note the cross-Ref will live as a deleted object for 60 or 180 days or whatever.

BTW, “dcdiag /d > ad.data.txt” might be an easier way to accumulate this data, as it prints out all your cross-refs, and NTDSA objects + their master and partial NCs, IIRC.

Thanks,
BrettSh [msft]
Ex-AD-Replication Programmer

Posting is “as is”.


From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Harry Singh
Sent: Wednesday, June 24, 2009 11:51 AM
To: ActiveDir
Subject: [ActiveDir] Scan AD Database

I just demoted a child domain successfully using DCPROMO. However, I'd like to scan through the AD Database and verify there aren't any remaining remnants of this child domain. I'm running Windows 2003 R2 across my DCs and I'm now running a SDSF. I'm thinking this is an adfind query, but I'm open to any suggestions.

Thanks all.
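
Added example, not part of the original posts: a Python check over an LDIF export of the Configuration partition (for example one produced with ldifde) that flags any crossRef still naming the removed domain and any nTDSDSA still listing it as a master or partial NC. The attribute names (nCName, hasMasterNCs, msDS-HasMasterNCs, hasPartialReplicaNCs) are supplied from the AD schema rather than from the thread, and the domain names and sample export are constructed.

```python
import base64

# nTDSDSA attributes (AD schema names, supplied here) listing the NCs a DC holds.
NC_ATTRS = ("hasMasterNCs", "msDS-HasMasterNCs", "hasPartialReplicaNCs")

def parse_ldif(text):
    """Parse ldifde-style LDIF into a list of {attr_lowercase: [values]}."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join wrapped values
    records = []
    for block in unfolded.split("\n\n"):          # blank line separates records
        rec = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def find_remnants(ldif_text, child_dn):
    """Return (class, object DN, attribute, value) for each reference to child_dn."""
    child = child_dn.lower()
    def under(v):  # the domain NC itself, or any partition named beneath it
        return v.lower() == child or v.lower().endswith("," + child)
    hits = []
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        dn = rec.get("dn", ["?"])[0]
        if "crossref" in classes:
            hits += [("crossRef", dn, "nCName", v) for v in rec.get("ncname", []) if under(v)]
        if "ntdsdsa" in classes:
            for a in NC_ATTRS:
                hits += [("nTDSDSA", dn, a, v) for v in rec.get(a.lower(), []) if under(v)]
    return hits

# Constructed sample export: the child's crossRef is gone, one DC still lists it.
SAMPLE = """\
dn: CN=CORP,CN=Partitions,CN=Configuration,DC=corp,DC=example
objectClass: crossRef
nCName: DC=corp,DC=example

dn: CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example
objectClass: nTDSDSA
hasMasterNCs: DC=corp,DC=example
hasPartialReplicaNCs: DC=child,
 DC=corp,DC=example
"""
```

An empty result from `find_remnants` for the removed domain's DN corresponds to the "two pieces are gone" state described in the reply above; live exports do not include the deleted crossRef tombstone.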

neil.ruston@credit-suisse.com
06/24/2009 9:35 PM  
Consider also the trusts involving this domain and any WINS 1B/1C records.

They too may need to be removed.


neil


hboogz
06/24/2009 10:40 PM  
I am more concerned about the latter, specifically cross-ref stuff.
Trusty WINS records, thanks for the reminder. Great, Thanks.
