Cleaning up AD and DNS on Windows SBS 2008

Tags: active-directory, domain-name-system, internal-dns, maintenance, windows-sbs-2008

I searched serverfault.com for duplicates of this question but couldn't find anything close enough for my needs, so here goes.

I'm administering a small Windows domain, where a Win SBS 2008 is the DC and a Win Server 03 acts as our print and file server.

Recently, we migrated our old DC (a SBS 03) to the SBS 08 we are using now, and also upgraded our computers, giving them different hostnames from the old ones we removed from the system.

Going through the SBS console, and AD Users and Computers snap-ins shows me that we have a lot of entries of computers that are no longer present at the organization, and additionally, that some of the old computers have DNS entries for their names that point to IP addresses of the new computers we are using, so you could ping "OldComp01" and it will actually answer back, even though the computer is actually "NewComp05".

How can I go about cleaning out the AD computer entries and DNS entries correctly?

Is it as simple as deleting the computers from the SBS console? If I do that, what happens to the DNS entries? Do they simply disappear (after a certain amount of time)?

Do I need to go into the DNS snap-in and manage from there as well?

Thanks in advance for reading this long question and any help or explanation! Also, if you have extra time and want to add in a little explanation as to why, that would be appreciated as I like to know what goes on under the hood, but am too new to have grasped everything I need to (might never be able to… who knows).

Thanks again,
Josh

Best Answer

Removing a computer from the domain doesn't remove its account; it disassociates the machine from its AD object (1). This tool might help you find them.

Personally, I would simply move them all to a new OU, disable the lot of them, wait a week, then delete. (You can use AD Explorer to search for last access time and object class... he he, just like other LDAP tools.)

The DNS side is separate, and is created by the DHCP server dynamically; typically the entries will last a week before being scraped (2).

You can "scavenge" the stale DNS entries any time from the DNS console. However, "stale" is defined by you. You can probably ignore the extra DNS entries.


(1): Revokes Kerberos certificates and trust relationships, restores the SAM database to the local machine. All local profiles will remain using the domain SIDs but can be removed by the local administrator. It sounds like you will have a bunch of duplicated profiles lying around!

(2): Depending on your DNS settings and DHCP config. The DNS DB is actually stored in an Active Directory partition for replication; it's still completely separate from AD.
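One way to carry out the "find them, disable them, move them to a holding OU, delete later" step from the answer, as an added PowerShell example that is not part of the original answer. It uses ADSI/DirectorySearcher (available on SBS 2008 without the ActiveDirectory module); the holding OU name is a placeholder and the 90-day staleness threshold is an assumption, as is the decision to skip domain controllers.

```powershell
# Added example, not from the original answer. Assumptions: run as a Domain Admin on the
# SBS 2008 DC; the holding OU below already exists (placeholder name); "stale" means
# lastLogonTimestamp older than $StaleDays. Without -Disable the script only reports.
param(
    [int]$StaleDays = 90,
    [string]$StaleOU = "OU=Stale Computers,DC=example,DC=local",   # placeholder OU
    [switch]$Disable
)

$cutoff   = (Get-Date).AddDays(-$StaleDays).ToFileTime()
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
# Computer accounts whose replicated last logon is before the cutoff, excluding domain
# controllers (SERVER_TRUST_ACCOUNT = 8192). lastLogonTimestamp is only replicated about
# every 14 days, so it is coarse, and accounts that never logged on have no value at all.
$searcher.Filter = "(&(objectCategory=computer)(lastLogonTimestamp<=$cutoff)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@("name", "lastLogonTimestamp", "userAccountControl"))

foreach ($result in $searcher.FindAll()) {
    $name      = [string]$result.Properties["name"][0]
    $lastLogon = [DateTime]::FromFileTime([int64]$result.Properties["lastlogontimestamp"][0])
    "{0,-20} last logon {1:yyyy-MM-dd}" -f $name, $lastLogon

    if ($Disable) {
        $computer = $result.GetDirectoryEntry()
        # Set ACCOUNTDISABLE (0x2) so the account can no longer authenticate, then park it
        # in the holding OU; delete from there after the waiting period if nothing breaks.
        $uac = [int]$computer.Properties["userAccountControl"][0]
        $computer.Properties["userAccountControl"].Value = $uac -bor 0x2
        $computer.CommitChanges()
        $computer.MoveTo([ADSI]"LDAP://$StaleOU")
    }
}
```

Run it once without -Disable and check the list against the machines you know are still in use before running it again with the switch.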