Remove References of a Failed DC/Domain Or Perform Metadata Cleanup
May 8th, 2011 by Awinish Vishwakarma and tagged AD Metadata Cleanup
Reading various forums and questions, I have found misconceptions regarding metadata cleanup, so I decided to write something that will help people understand what metadata cleanup is and when it is required to be run.
Consider that one of the DCs, the one serving as the PDC emulator, crashed. What you did was seize the FSMO roles on a healthy DC and then move all the other AD-related services such as DNS, GC and DHCP onto it. You thought you were done, but you skipped an important step: removing the crashed DC's objects and its references from AD, so that AD knows this DC no longer exists.
There are two ways of demoting a DC: normal demotion using DCPROMO, and forced removal using DCPROMO /FORCEREMOVAL, which requires the additional step of metadata cleanup. Keep in mind that your first option should always be to try graceful demotion; use forced removal only if that does not work. If the server has crashed there is no question of graceful demotion, because graceful demotion requires running dcpromo on the DC itself to remove AD; if the DC is already gone, metadata cleanup is the only option.
Metadata cleanup is the process required to remove a failed DC from the domain when it cannot be demoted gracefully. Does metadata cleanup remove every entry from AD? The answer is NO: it does not remove all the records from AD, and in a few places those objects must be cleaned up manually, one of them being the DNS server. But why doesn't it remove all the records when I performed metadata cleanup following the steps? The reason is that DNS has its own aging/scavenging configuration, which removes entries from DNS only when they become stale. When a system or DC is removed, the computer object is deleted from AD but is kept in the AD database as a tombstone until the TSL (Tombstone Lifetime) expires. In DNS each record has an attribute called dNSTombstoned whose value can be either True or False. When a host record is removed it is not actually removed; its dNSTombstoned attribute is set to True, and it is deleted later at the interval configured by aging/scavenging, so the record still exists in AD until then.
The places to check after either normal or forced demotion of a DC are listed below.
- Each and every subfolder inside the _msdcs folder in DNS
- The Name Servers tab of the zone properties in DNS
- Host (A) records in DNS
- The server object and its NTDS Settings in AD Sites & Services
- ADSIEDIT.MSC: connect to the Configuration partition, then go to
CN=Configuration, DC=domain, DC=com > CN=Sites > and locate the DC to be removed under its site.
Note: ADSIEDIT is a powerful tool that edits AD database objects directly, and any modification made with it is permanent. If you are unsure of what you are doing, take a System State backup first and then modify from there, because anything deleted with ADSIEDIT can only be restored from a System State backup.
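As an added example (not code from the original post), the following PowerShell script walks the checklist above for a named failed DC and reports any lingering reference without deleting anything: the server and NTDS Settings objects under CN=Sites in the configuration partition, the computer object in the Domain Controllers OU, and the A, NS and _msdcs records in DNS. It assumes the ActiveDirectory and DnsServer PowerShell modules are available (Windows Server 2012 or later, or RSAT), that _msdcs is its own zone rather than a subfolder of the domain zone, and it uses DC02 and DC01 as placeholder names for the failed DC and a surviving DNS server.

```powershell
# Added audit script, not part of the original post.
# Assumptions: ActiveDirectory and DnsServer modules are installed; $FailedDc and
# $DnsServer are placeholders to replace with your own names. Reports only, deletes nothing.
Import-Module ActiveDirectory
Import-Module DnsServer

$FailedDc  = 'DC02'   # placeholder: NetBIOS name of the crashed DC
$DnsServer = 'DC01'   # placeholder: a surviving DNS server to query

$Domain     = Get-ADDomain
$Forest     = Get-ADForest
$ZoneName   = $Domain.DNSRoot                     # e.g. contoso.com
$MsdcsZone  = "_msdcs.$($Forest.RootDomain)"      # assumes _msdcs is a separate zone
$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$FailedFqdn = "$FailedDc.$ZoneName"
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Server object and NTDS Settings under CN=Sites in the configuration partition
#    (what you would otherwise locate by hand in ADSIEDIT or AD Sites & Services).
$SitesDn = "CN=Sites,$ConfigNC"
Get-ADObject -SearchBase $SitesDn -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { $Findings.Add("Config partition: server object still present: $($_.DistinguishedName)") }
Get-ADObject -SearchBase $SitesDn -LDAPFilter "(objectClass=nTDSDSA)" |
    Where-Object { $_.DistinguishedName -like "*CN=$FailedDc,*" } |
    ForEach-Object { $Findings.Add("Config partition: NTDS Settings still present: $($_.DistinguishedName)") }

# 2. Computer object in the Domain Controllers OU of the domain partition.
Get-ADComputer -LDAPFilter "(cn=$FailedDc)" -SearchBase $Domain.DomainControllersContainer |
    ForEach-Object { $Findings.Add("Domain partition: computer object still present: $($_.DistinguishedName)") }

# 3. DNS: host (A) records for the failed DC in the domain zone.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A -ErrorAction SilentlyContinue |
    Where-Object { $_.HostName -ieq $FailedDc } |
    ForEach-Object { $Findings.Add("DNS: A record $($_.HostName) -> $($_.RecordData.IPv4Address)") }

# 4. DNS: Name Servers tab, i.e. NS records in both the domain zone and _msdcs.
foreach ($Zone in @($ZoneName, $MsdcsZone)) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -ieq "$FailedFqdn." } |
        ForEach-Object { $Findings.Add("DNS: NS record in zone $Zone still names $FailedFqdn") }
}

# 5. DNS: every subfolder of _msdcs (SRV records for LDAP/Kerberos/GC, and the GUID CNAME).
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $MsdcsZone -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -ieq "$FailedFqdn.") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -ieq "$FailedFqdn.")
    } |
    ForEach-Object { $Findings.Add("DNS: _msdcs $($_.RecordType) record '$($_.HostName)' still targets $FailedFqdn") }

if ($Findings.Count -eq 0) {
    Write-Output "No lingering references to $FailedDc found."
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

Run it on a surviving DC both before and after the cleanup: the warnings it prints are exactly the objects you still have to remove by hand, and a clean run is the point at which it is safe to consider the failed DC gone.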
Metadata cleanup is made simple in Windows 2008, which provides a GUI for it, so if you have any DC running Windows 2008 you can perform the metadata cleanup from that DC. Otherwise it does not matter which DC you choose to run the cleanup of the failed DC's records from.
Note: Once you have performed the metadata cleanup of a DC, don't immediately reuse the same hostname/IP of the failed DC to build it back as a new DC, because you have to allow the changes to replicate to all the other domain controllers in the forest by waiting for at least one replication cycle to complete. If you have only a few DCs and good bandwidth, you can force the replication using repadmin /syncall /Aped. The E switch forces replication between all the DCs in the forest, which may generate extra traffic during business hours, so use it at COB (close of business) hours.
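As an added example (not code from the original post), here is the replication push described above, followed by a check that the removed DC has dropped out of every replication link before its name or IP is reused. It assumes repadmin.exe is available (any DC or a host with RSAT) and uses DC02 as a placeholder for the failed DC's name.

```powershell
# Added example, not part of the original post. Assumes repadmin.exe is on the path;
# $FailedDc is a placeholder for the DC that was removed by metadata cleanup.
$FailedDc = 'DC02'   # placeholder

# Push the metadata cleanup changes to every DC in the forest.
# /A = all partitions, /P = push from this DC, /e = enterprise (cross-site), /d = show DNs.
# Run it out of business hours as the post recommends.
repadmin /syncall /Aped

# Verify: the removed DC must no longer appear as a source or destination of any
# replication link on any surviving DC. repadmin's /csv output parses with ConvertFrom-Csv.
$Rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$Lingering = $Rows | Where-Object {
    $_.'Source DSA' -ieq $FailedDc -or $_.'Destination DSA' -ieq $FailedDc
}

if ($Lingering) {
    $Lingering |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status' |
        Format-Table -AutoSize
    Write-Warning "$FailedDc is still referenced as a replication partner; wait for a replication cycle or re-check the metadata cleanup."
} else {
    Write-Output "$FailedDc no longer appears in any replication link."
}

# Forest-wide replication health summary after the cleanup.
repadmin /replsummary
```

If the failed DC still shows up in the output, its NTDS Settings object is still present somewhere and the cleanup has either not replicated yet or was not completed; do not rebuild a DC under the same name until this check comes back clean.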
A few questions:
- Does metadata cleanup need to be run on all the DCs, or on a particular DC?
The answer is no and no: it is run once, from any one DC.
- Does metadata cleanup remove all the records from AD?
The answer is no, never. There is no tool from Microsoft that removes every record of a failed DC.
- Is metadata cleanup also required after a normal demotion of a DC?
The answer is no; it is only used for removing a failed domain controller that cannot be removed gracefully.
- Is metadata cleanup required for removing a member server?
The answer is no; it is only required for domain controllers.
Related links for metadata cleanup in Windows 2003
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://support.microsoft.com/kb/216498
http://support.microsoft.com/kb/555846
Metadata cleanup in Windows 2008
http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx
I have also posted this article on the TechNet Wiki; the link is below.
http://social.technet.microsoft.com/wiki/contents/articles/3984.aspx
Posted in Directory Services, DNS/DHCP | 14 Comments »
May 9th, 2011 at 1:16 am
Hi awinish,
Really good topic and the way you guided is superb… Kudos… Keep posting on AD and exchange and SCCM.
Regards,
Selvaraj | +91-9986655633
Future Looks Bright…
May 9th, 2011 at 7:25 am
Thank you for the motivation.
May 11th, 2011 at 4:49 pm
Great tips ya Awinish! Very useful and essential data for every domain admin as well as Active Directory enthusiasts.
Keep up the good job!
Kudos
May 11th, 2011 at 4:53 pm
Thank you.
May 12th, 2011 at 4:19 pm
It's awesome Awinish
May 12th, 2011 at 4:23 pm
Thanks Biswajit..:)
July 20th, 2011 at 1:53 pm
Excellent post Awinish, you have covered everything about cleaning up a failed AD, which I really didn't find in any other blogs.
I am quoting this from your article:
Note: Once you perform the metadata cleanup of DC, don't immediately reuse the same Hostname/IP of failed DC to configure it back to a new DC, because you have to allow changes to be replicated to all other domain controllers in the forest by allowing & waiting for at least one replication to run. But if you got few DC's & good bandwidth, you can force the replication using repadmin /syncall /Aped
I have one DC in my environment now. Do I need to run repadmin, or is there no need as there is no replication partner?
Thanks,
S.Hussain