Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.
Read through the FAQ archives, or send him your questions via email.
Today, he shares more about removing a dead Domain Controller from Windows Server 2016, manually installing System Center Endpoint Protection on a device, and assigning limited scope administrator role in Azure Active Directory via the portal.
Q. I need to remove a dead DC from Windows Server 2016. Do I need to use NTDSUTIL?
A. In earlier versions of Active Directory, if you had an unavailable DC that was not coming back, you would use NTDSUTIL and its metadata cleanup to remove all signs of the DC. This is no longer necessary in newer versions of Active Directory. Instead, perform the following:
- In AD Users and Computers, delete the computer object from the Domain Controllers OU
- In AD Sites and Services, delete the server object in its site
- While still in AD Sites and Services, expand each remaining DC in the site, right-click its NTDS Settings object and select All Tasks - Check Replication Topology
You can still use NTDSUTIL to check that everything is cleaned up, and I also like to run repadmin /syncall followed by repadmin /showrepl. To check with NTDSUTIL:
C:\Windows\system32>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
server connections: connect to server dal-dc02
Binding to dal-dc02 ...
Connected to dal-dc02 using credentials of locally logged on user.
server connections: quit
ntdsutil: metadata cleanup
metadata cleanup: select operation target
select operation target: list sites
Found 1 site(s)
0 - CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
select operation target: select site 0
Site - CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
No current domain
No current server
No current Naming Context
select operation target: list servers in site
Found 3 server(s)
0 - CN=DAL-DC01,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
1 - CN=DAL-DC03,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
2 - CN=DAL-DC02,CN=Servers,CN=Dallas,CN=Sites,CN=Configuration,DC=SAVILLTECH,DC=NET
select operation target: quit
metadata cleanup: quit
ntdsutil: quit
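The NTDSUTIL listing above only shows whether the server object is still present. The following PowerShell script is an added example, not part of the original FAQ, that scripts the same post-cleanup verification from the ActiveDirectory module (RSAT): it checks for a leftover computer object in the Domain Controllers OU, a leftover server object in the site, any surviving DC that still lists the dead DC as a replication partner, and, the gotcha that bites most often, any FSMO role still recorded as held by the dead DC. The DC name DAL-DC02 and site name Dallas are placeholders taken from the listing above; substitute your own.

```powershell
# Added example: verify that no trace of a dead DC remains after the
# cleanup steps in the FAQ. Assumes the ActiveDirectory module (RSAT) and
# an account that can read the domain and configuration partitions.
# $DeadDc and $Site are placeholders; pass your own values.
param(
    [string]$DeadDc = 'DAL-DC02',
    [string]$Site   = 'Dallas'
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext   # CN=Configuration,DC=...
$domainDn = $rootDse.defaultNamingContext         # DC=...
$problems = @()

# 1. The computer object should be gone from the Domain Controllers OU.
$dcOu = "OU=Domain Controllers,$domainDn"
$comp = Get-ADObject -LDAPFilter "(&(objectClass=computer)(cn=$DeadDc))" `
                     -SearchBase $dcOu -SearchScope OneLevel
if ($comp) { $problems += "Computer object still present: $($comp.DistinguishedName)" }

# 2. The server object (and with it NTDS Settings) should be gone from the site.
$servers = "CN=Servers,CN=$Site,CN=Sites,$configNc"
$srv = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))" `
                    -SearchBase $servers -SearchScope OneLevel
if ($srv) { $problems += "Server object still present in site ${Site}: $($srv.DistinguishedName)" }

# 3. No surviving DC should still list the dead DC as an inbound replication partner.
#    Partner is the DN of the partner's NTDS Settings object, which contains the server CN.
foreach ($dc in Get-ADDomainController -Filter *) {
    $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
    foreach ($link in $links) {
        if ($link.Partner -like "*CN=$DeadDc,CN=Servers,*") {
            $problems += "$($dc.Name) still has a replication link from $DeadDc ($($link.Partition))"
        }
    }
}

# 4. FSMO roles must not still point at the dead DC; if they do, they were never seized.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    # Role holders are returned as FQDNs, so match on the host label.
    if ($role.Value -eq $DeadDc -or $role.Value -like "$DeadDc.*") {
        $problems += "FSMO role $($role.Key) is still recorded as held by $DeadDc"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "No remaining references to $DeadDc found."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}

# Finish with the replication summary the FAQ recommends.
repadmin /showrepl
```

Run it from any surviving DC or a management workstation with RSAT. A warning from check 4 is the one to act on first: a role still assigned to a dead DC has to be seized to a live DC before the forest is healthy, regardless of how clean the metadata looks.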
Q. How can I manually install System Center Endpoint Protection on a machine?
A. System Center Configuration Manager also provides a built-in antivirus solution, System Center Endpoint Protection. Although it can be deployed easily using Configuration Manager, you can also manually install the client. To install manually perform the following:
- Navigate to folder C:\Program Files\Microsoft Configuration Manager\Client on the Configuration Manager server
- Copy the ep_defaultpolicy.xml and scepinstall.exe files to a shared location
- On the target server, which must have access to the files, run:
scepinstall.exe /policy <path to shared location>\ep_defaultpolicy.xml
The install will complete, update, and then perform a scan. The anti-virus definition files will update via Windows Update.
Q. How do I assign a limited scope administrator role in Azure AD via the portal?
A. There are a number of different roles available in Azure AD; however, if you look at a user's directory roles in the portal, you only see three:
- User
- Global administrator
- Limited administrator
What about the other roles, such as Intune Administrator, Compliance Administrator and so on? Simply select Limited administrator and the additional roles will be displayed. Note that if there is a role you want that is not shown, it is likely exposed via a specific portal instead.
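The same limited-scope assignment can be made from PowerShell, which also makes it clear that the portal's three-item list hides a much longer set of role templates. The script below is an added example, not from the original FAQ; it uses the AzureAD module cmdlets Get-AzureADDirectoryRoleTemplate, Get-AzureADDirectoryRole, Enable-AzureADDirectoryRole and Add-AzureADDirectoryRoleMember, and the user principal name and role name are placeholders.

```powershell
# Added example: list the role templates behind "Limited administrator" and
# assign one narrow role to a user instead of Global administrator.
# Assumes the AzureAD module and a connected session (Connect-AzureAD);
# $UserUpn and $RoleName are placeholders.
param(
    [string]$UserUpn  = 'alice@contoso.example',
    [string]$RoleName = 'Intune Service Administrator'
)
Import-Module AzureAD
Connect-AzureAD | Out-Null

# All role templates that exist in the tenant, far more than the portal's three.
Get-AzureADDirectoryRoleTemplate | Sort-Object DisplayName |
    Select-Object DisplayName, ObjectId | Format-Table -AutoSize

# A role only appears in Get-AzureADDirectoryRole once it has been activated
# (assigning it in the portal does this for you). Activate it here if needed.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "No role template named '$RoleName' in this tenant" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Resolve the user and add them as a member of just that role.
$user = Get-AzureADUser -ObjectId $UserUpn
$existing = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Where-Object { $_.ObjectId -eq $user.ObjectId }
if ($existing) {
    Write-Output "$UserUpn already holds $RoleName"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Output "Assigned $RoleName to $UserUpn"
}

# Review: which roles does this user now hold? Anything beyond the one
# intended (especially Company Administrator, the Global admin role) is
# worth a second look.
Get-AzureADDirectoryRole | ForEach-Object {
    $r = $_
    Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId } |
        ForEach-Object { $r.DisplayName }
}
```

The closing loop is the useful part for an audit: the portal shows one user at a time, whereas iterating Get-AzureADDirectoryRole lets you confirm that a delegated administrator holds only the narrow role you meant to grant.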