Yesterday I demoted a 2003R2 DC (but forgot to remove the DNS role), removed it from the domain, changed its IP address and shut it down. Everything went pretty well (minus a host of authentication issues across the domain until I added the old IP for this DC to its replacement 2008R2 DC) but I'm still seeing four SRV records in DNS for this DC. DNS is still showing _ldap SRV records for DC1, one each under:
DomainDNSZones->_sites->Default-First-Site-Name->_tcp
DomainDNSZones->_tcp
ForestDNSZones->_sites->Default-First-Site-Name->_tcp
ForestDNSZones->_tcp
DC1 is not listed under any other zone including _msdcs.
Can I simply delete these _ldap SRV records for the demoted DC?
This might be indicative of a replication problem in your environment. You should use repadmin and dcdiag to make sure that there aren't replication problems. If there aren't, you might consider using ntdsutil to do a metadata cleanup, since it sounds like the demotion might not have happened cleanly despite the wizard's completion. In all likelihood, you are safe to just delete the offending SRV records, but they may be the tip of the iceberg for a larger problem. Better safe than sorry.
Remove them!
Let's say a client needs to locate an ldap endpoint in the Default-First-Site-Name site. NetLogon queries its DNS server for
to acquire information about such a service. DC1 is returned, and the client tries to resolve DC1, and has to wait for the query to either timeout or return false.
Now it can start the process over, and the old records thus resulted in degraded performance ;-)
If you're not using that server for DNS and your hosts don't have to make service requests, you can delete the records, or simply uninstall DNS.
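The check-then-delete sequence both answers describe (confirm the host is really gone from AD, then remove only the SRV records that point at it), as an added PowerShell example that is not part of the original thread. It assumes the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 or later), and the names corp.example.com, dc1 (demoted) and dc2 (surviving DNS server) are hypothetical.

```powershell
# Added example, not from the original thread. Assumes the DnsServer and
# ActiveDirectory modules (RSAT / Windows Server 2012+) and a domain admin session.
# Hypothetical names: DC1 is the demoted host, corp.example.com the AD domain,
# DC2 the surviving DNS server that still hosts the zone.
Import-Module DnsServer
Import-Module ActiveDirectory

$Domain        = 'corp.example.com'
$DemotedDc     = "dc1.$Domain"
$DnsServer     = "dc2.$Domain"
$RemoveRecords = $false            # report only; set to $true to actually delete

# Guard: if AD still lists the host as a DC, the demotion did not finish and
# ntdsutil metadata cleanup (see the first answer) should come before DNS edits.
$liveDcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
if ($liveDcs -contains $DemotedDc) {
    throw "$DemotedDc is still registered as a DC; clean up AD metadata first."
}

# The four record names from the question. A DNS server hosting the
# DomainDnsZones / ForestDnsZones application partitions registers these,
# which is why leaving the DNS role installed let them survive the demotion.
$site  = 'Default-First-Site-Name'
$names = @(
    "_ldap._tcp.$site._sites.DomainDnsZones",
    "_ldap._tcp.DomainDnsZones",
    "_ldap._tcp.$site._sites.ForestDnsZones",
    "_ldap._tcp.ForestDnsZones"
)

foreach ($name in $names) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
        -Name $name -RRType Srv -ErrorAction SilentlyContinue
    foreach ($rr in $records) {
        $target = $rr.RecordData.DomainName.TrimEnd('.')
        if ($target -ine $DemotedDc) { continue }   # leave records for live DCs alone
        if ($RemoveRecords) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
                -InputObject $rr -Force
            Write-Host "Removed  $name.$Domain -> $target"
        } else {
            Write-Host "Stale    $name.$Domain -> $target (port $($rr.RecordData.Port))"
        }
    }
}
```

Run it once in report mode to confirm only DC1's records are matched before flipping $RemoveRecords; the _msdcs zone is left out because the question states DC1 is already absent there.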