May 16 2010

Active Directory Metadata Cleanup

Filed under Active Directory

Sometimes a clean removal of a Domain Controller isn’t possible: the hardware crashed, you had to force the removal of a DC, or the previous admin left some “garbage” behind for you.

So you have to do a metadata cleanup, otherwise all other DCs will keep trying to replicate with that machine, as they “think” this Domain Controller still exists, which also fills the event viewer with unwanted error messages. In addition, the support tools dcdiag and repadmin or replmon will report problems.

The metadata cleanup of the AD database part can be done with NTDSUTIL, as described in:

How to remove data in Active Directory after an unsuccessful domain controller demotion

The above article applies to all Windows versions starting with Windows 2000 Server up to Windows Server 2008 R2.

It can also happen that the FSMO roles must be seized because the no longer existing DC was the owner of them:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
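The two Microsoft articles above are interactive NTDSUTIL walkthroughs. As an added example that is not part of the original post, the following PowerShell script does the same two things non-interactively from a surviving writable DC: it seizes any FSMO role the dead DC still owns, then removes the dead DC’s server object with a single NTDSUTIL command (the one-line form works on Windows Server 2003 SP1 and later). The names DEADDC, the site name and the domain DN are constructed placeholders; the ActiveDirectory module needs RSAT on Windows Server 2008 R2 or later.

```powershell
# Added example, not from the original post. Run on a surviving writable DC
# as a member of Enterprise Admins (Schema Admins for the schema master).
# All names below are constructed placeholders: replace them for your forest.
Import-Module ActiveDirectory

$Dead     = 'DEADDC'                      # the DC that no longer exists
$Site     = 'Default-First-Site-Name'     # the site that held it
$DomainDn = 'DC=example,DC=local'         # DN of the domain the DC belonged to
$Survivor = $env:COMPUTERNAME             # the writable DC we are logged on to

# 1. Find out which FSMO roles still point at the dead DC.
$Forest = Get-ADForest
$Domain = Get-ADDomain
$Owners = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$ToSeize = $Owners.GetEnumerator() |
    Where-Object { $_.Value -like "$Dead.*" } |
    ForEach-Object { $_.Key }

# 2. Seize them. -Force seizes when a normal transfer is impossible because the
#    owner is gone; the dead DC must never be brought back online afterwards.
if ($ToSeize) {
    Write-Host "Seizing $($ToSeize -join ', ') to $Survivor"
    Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
        -OperationMasterRole $ToSeize -Force -Confirm:$false
} else {
    Write-Host "No FSMO roles owned by $Dead"
}

# 3. Metadata cleanup of the server object. On Windows Server 2003 SP1 and
#    later this single NTDSUTIL command removes the server object, its NTDS
#    Settings, connection objects and the FRS/DFSR membership in one go.
$ServerDn = "CN=$Dead,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
ntdsutil.exe "metadata cleanup" "remove selected server $ServerDn" quit quit
```

After the script finishes, the remaining steps are the ones the post describes below for AD Sites and Services and DNS; NTDSUTIL does not touch the DNS records of the removed DC.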

———————————————————————————————————

With the RSAT (Remote Server Administration Tools, or DSA.MSC) that comes with Windows Server 2008 or Windows Server 2008 R2, there is also the option to remove a DC from AD Users and Computers or AD Sites and Services, which also triggers the metadata cleanup.

To remove a RWDC with AD UC:

– right click the RWDC in question and choose the DELETE option

– an additional popup will inform you that the DC wasn’t demoted with dcpromo; you have to tick the checkbox to accept that a normal removal isn’t possible anymore

– after accepting the above popup you will be informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– you have to accept the deletion message again to go on

– now the last possible popup can occur: if the DC is also a FSMO role holder, you will be prompted to accept the move of the FSMO roles to another DC

– in AD Sites and Services remove the NTDS Settings object; also clean up all DNS zones (CNAME and server records) and the Name Servers tab in the DNS properties.


To remove a RODC with AD UC:

– right click the RODC in question and choose the DELETE option

– now you will be offered the option to reset all user passwords (the users need a new password) and computer passwords (the computers have to be re-added to the domain); in addition you can view/export the user accounts and computer accounts that were cached on the RODC. This option will NOT be offered if you work with NTDSUTIL.

– you will now see an overview of the chosen options to accept

– after accepting the above popup you will be informed if the Domain Controller is also a Global Catalog server (make sure other GCs exist in the domain)

– in AD Sites and Services remove the NTDS Settings object; DNS cleanup isn’t needed for a RODC, it is done automatically
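The password-reset and export option of the RODC deletion wizard can also be reproduced with PowerShell, which matters when you clean up with NTDSUTIL (where the option is not offered) or want a record of the affected accounts. The following script is an added example and not part of the original post: it exports the accounts whose secrets were cached on the RODC, resets the user passwords and lists the computers that have to be re-joined. RODC01 and the report path are constructed placeholders; it needs the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and must run before the RODC computer object is deleted, because the cached-account list lives on that object.

```powershell
# Added example, not from the original post. Run on a writable DC as Domain
# Admin BEFORE the RODC is deleted: the list of revealed accounts is stored
# on the RODC computer object and disappears together with it.
Import-Module ActiveDirectory

$Rodc   = 'RODC01'                                  # constructed placeholder
$Report = "C:\Temp\$Rodc-revealed-accounts.csv"     # constructed placeholder

# Accounts whose password hashes were replicated to (revealed to) the RODC.
# The RODC's own computer account and its krbtgt_<id> account are removed
# together with the RODC, so they are skipped here.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.Name -ne $Rodc -and $_.Name -notlike 'krbtgt*' }

# Export the list first, exactly like the "view/export" button of the wizard.
$Revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "Exported $(@($Revealed).Count) cached accounts to $Report"

# User secrets: set a long random password and force a change at next logon.
Add-Type -AssemblyName System.Web
foreach ($Account in ($Revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $NewPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)
    Set-ADAccountPassword -Identity $Account.DistinguishedName -Reset `
        -NewPassword (ConvertTo-SecureString $NewPassword -AsPlainText -Force)
    # ChangePasswordAtLogon cannot be combined with "password never expires"
    $User = Get-ADUser -Identity $Account.DistinguishedName -Properties PasswordNeverExpires
    if (-not $User.PasswordNeverExpires) {
        Set-ADUser -Identity $User -ChangePasswordAtLogon $true
    }
    Write-Host "Password reset: $($Account.Name)"
}

# Computer secrets cannot be renewed from the DC side; those machines have to
# be re-joined to the domain, so they are only listed for follow-up.
$Revealed | Where-Object { $_.ObjectClass -eq 'computer' } |
    ForEach-Object { Write-Host "Re-join required: $($_.Name)" }
```

The random passwords are never shown or stored; the affected users get a new password from the helpdesk and are forced to change it at first logon, which is the same effect the wizard’s reset option has.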

To remove a RWDC or RODC from AD Sites and Services, you have to delete the NTDS Settings object first and after this step delete the DC (server object) itself.
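Whichever way the cleanup was done (NTDSUTIL, AD Users and Computers or AD Sites and Services), it is worth checking afterwards what was left behind, because a forgotten NTDS Settings object or stale DNS record is exactly what keeps dcdiag and repadmin complaining. The following PowerShell check is an added example and not part of the original post: it searches for the leftovers the post mentions (server and NTDS Settings object, the DC’s computer account, the SYSVOL replication member, NS/CNAME/SRV/A records in the domain and _msdcs zones, FSMO ownership). DEADDC is a constructed placeholder; the AD part needs the ActiveDirectory module (RSAT), the DNS part assumes the DnsServer module of Windows Server 2012 or later (on 2008 R2 the same records can be listed with dnscmd.exe /EnumRecords).

```powershell
# Added example, not from the original post: report leftovers of a removed DC.
# Run on a surviving DC; prints nothing for a clean forest.
Import-Module ActiveDirectory

$Dead     = 'DEADDC'                                   # constructed placeholder
$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$ConfigNc = (Get-ADRootDSE).configurationNamingContext
$Leftover = @()

# 1. Server object (and with it the NTDS Settings) in the Configuration partition
Get-ADObject -SearchBase "CN=Sites,$ConfigNc" -LDAPFilter "(&(objectClass=server)(cn=$Dead))" |
    ForEach-Object { $Leftover += "Server object: $($_.DistinguishedName)" }

# 2. Computer account in the Domain Controllers OU
Get-ADComputer -SearchBase $Domain.DomainControllersContainer -LDAPFilter "(cn=$Dead)" |
    ForEach-Object { $Leftover += "DC computer account: $($_.DistinguishedName)" }

# 3. SYSVOL replication member (FRS on older domains, DFSR on newer ones)
Get-ADObject -SearchBase $Domain.DistinguishedName `
    -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$Dead))" |
    ForEach-Object { $Leftover += "SYSVOL replication member: $($_.DistinguishedName)" }

# 4. DNS: A record of the host, NS records of the zones, CNAME and SRV records
#    in _msdcs that still point at the dead DC (DnsServer module, 2012+)
foreach ($Zone in @($Domain.DNSRoot, "_msdcs.$($Domain.DNSRoot)")) {
    Get-DnsServerResourceRecord -ZoneName $Zone -ErrorAction SilentlyContinue | ForEach-Object {
        # record types store their target in different RecordData properties
        $Targets = @($_.RecordData.NameServer, $_.RecordData.HostNameAlias, $_.RecordData.DomainName)
        $PointsAtDead = ($Targets | Where-Object { $_ -like "$Dead.*" }).Count -gt 0
        if ($PointsAtDead -or $_.HostName -eq $Dead) {
            $Leftover += "DNS record in $Zone : $($_.HostName) $($_.RecordType)"
        }
    }
}

# 5. FSMO roles must no longer be owned by the dead DC
@($Forest.SchemaMaster, $Forest.DomainNamingMaster,
  $Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster) |
    Where-Object { $_ -like "$Dead.*" } |
    ForEach-Object { $Leftover += "FSMO role still owned by $_" }

if ($Leftover.Count -eq 0) {
    Write-Host "No leftovers of $Dead found"
} else {
    $Leftover | ForEach-Object { Write-Warning $_ }
}
```

Any line the script prints corresponds to one of the manual cleanup steps in the post; the GC and FSMO popups of the deletion wizard are covered by check 5, the AD Sites and Services step by check 1 and the DNS step by check 4.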

———————————————————————————————————

For an old domain that should be removed, or when the last DC of a domain is demoted, the steps are a bit different; for this you can follow this article:

How to remove orphaned domains from Active Directory


Related links:

Remove Active Directory Domain Controller Metadata with a script

NTDSUTIL Windows 2000 Server

NTDSUTIL Windows Server 2003 and higher

Clean Up Server Metadata Windows Server 2003 and Windows Server 2003 R2

Clean Up Server Metadata Windows Server 2008 and higher

2 Responses to “Active Directory Metadata Cleanup”

  1. Metadata Removal on 28 May 2010 at 04:50

    very nice step by step review on active directory metadata cleanup.


  2. Pete Mathewson on 03 Feb 2014 at 06:19

    Hi … a thing to watch is to make sure you are a member of the SCHEMA ADMINS group and logged in as such, or it will all work except getting the GC role transferred … that fails with a security failure message. Had me stumped for a while! Hope this helps someone …

    Rgds

    Pete M.
