Clean up AD DS server metadata (2024)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server

Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds.

There are two options to clean up server metadata:

  • Clean up server metadata by using GUI tools.
  • Clean up server metadata by using the command line.

Note

If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box. In Active Directory Users and Computers, the Object tab of an object appears only if you click View and then click Advanced Features.

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.

You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.

As long as you are using the Windows Server 2008 or newer RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.

Clean up server metadata using Active Directory Users and Computers

  1. Open Active Directory Users and Computers.
  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click the Active Directory Users and Computers node, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
  4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
  5. In the Active Directory Domain Services dialog box, confirm the name of the domain controller you wish to delete is shown, and click Yes to confirm the computer object deletion.
  6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. You cannot choose a different target domain controller in this dialog box. If you want the role on another domain controller, transfer it after you complete the server metadata cleanup procedure.

Clean up server metadata using Active Directory Sites and Services

  1. Open Active Directory Sites and Services.
  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Sites and Services, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete.
  4. In the Active Directory Sites and Services dialog box, click Yes to confirm the NTDS Settings deletion.
  5. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  6. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  7. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
  8. Right-click the domain controller that was forcibly removed, and then click Delete.
  9. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.

Clean up server metadata using the command line

As an alternative, you can clean up metadata by using ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and on servers that have Active Directory Lightweight Directory Services (AD LDS) installed. ntdsutil.exe is also available on computers that have RSAT installed. To clean up server metadata by using ntdsutil, do the following:

  1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials of an Enterprise Administrator if required, and then click Continue.

  2. At the command prompt, type the following command, and then press Enter:

    ntdsutil

  3. At the ntdsutil: prompt, type the following command, and then press Enter:

    metadata cleanup

  4. At the metadata cleanup: prompt, type the following command, and then press Enter:

    remove selected server <ServerName>

  5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.

    At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.

  6. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press Enter.

  7. To confirm removal of the domain controller:

    Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear.

    Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object because another application is using the object.
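The confirmation in step 7 can be scripted. The following PowerShell function is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, and the server name and site name it is called with are placeholders. It checks that the computer object is gone from the Domain Controllers OU, that the server object under Sites has no NTDS Settings child (and reports other child objects, which mean the server object must be kept), that no operations master role still names the removed domain controller, and, if either object is still present, whether it is protected from accidental deletion, which is the cause of the "Access is denied" error described in the note above.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module. 'DC2' and 'Default-First-Site-Name' below are placeholder values.
Import-Module ActiveDirectory

function Test-DcMetadataCleanup {
    param(
        [Parameter(Mandatory)] [string] $ServerName,       # hostname of the removed DC, e.g. 'DC2'
        [string] $SiteName = 'Default-First-Site-Name',    # site that held the removed DC
        [string] $Server                                   # optional DC to query (ideally a former replication partner)
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }
    $domain   = Get-ADDomain @ad
    $forest   = Get-ADForest @ad
    $configNC = (Get-ADRootDSE @ad).configurationNamingContext
    $report   = [ordered]@{ ServerName = $ServerName }

    # Step 7a: the computer object must no longer exist in the Domain Controllers OU
    $computer = Get-ADComputer @ad -Filter "Name -eq '$ServerName'" `
        -SearchBase $domain.DomainControllersContainer `
        -Properties ProtectedFromAccidentalDeletion
    $report.ComputerObjectPresent   = [bool]$computer
    $report.ComputerObjectProtected = [bool]($computer.ProtectedFromAccidentalDeletion)

    # Step 7b: the server object under Sites must have no NTDS Settings (nTDSDSA) child
    $serverDN = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    $children = @()
    try {
        $children = @(Get-ADObject @ad -Filter * -SearchBase $serverDN -SearchScope OneLevel `
            -Properties ProtectedFromAccidentalDeletion)
        $report.ServerObjectPresent = $true
    } catch { $report.ServerObjectPresent = $false }   # server object already deleted
    $ntds = $children | Where-Object ObjectClass -eq 'nTDSDSA'
    $report.NtdsSettingsPresent   = [bool]$ntds
    $report.NtdsSettingsProtected = [bool]($ntds.ProtectedFromAccidentalDeletion)
    # Any other child object means another application uses the server object: do not delete it
    $report.OtherChildObjects = @($children | Where-Object ObjectClass -ne 'nTDSDSA').Count

    # Operations master roles: none should still name the removed DC
    $roles = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
               $forest.SchemaMaster, $forest.DomainNamingMaster)
    $report.StillHoldsFsmoRole = [bool]($roles | Where-Object { $_ -like "$ServerName.*" })

    [pscustomobject]$report
}

# Placeholder names; run on a DC or an RSAT workstation as a Domain Admin
Test-DcMetadataCleanup -ServerName 'DC2' -SiteName 'Default-First-Site-Name' | Format-List
```

Cleanup is complete when ComputerObjectPresent, NtdsSettingsPresent and StillHoldsFsmoRole are all False; a True in one of the Protected fields explains an "Access is denied" error during deletion.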

See Also

  • Demoting Domain Controllers
  • Ntdsutil command reference
  • Clean Up Server Metadata reference
  • Ntdsutil metadata cleanup reference

FAQs

How do I do a metadata cleanup in Active Directory?

In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. In the Active Directory Domain Services dialog box, confirm the name of the domain controller you wish to delete is shown, and click Yes to confirm the computer object deletion.

How do I remove metadata from Active Directory?

If you prefer a graphical user interface, you can use the Active Directory Users and Computers (ADUC) snap-in to clean up server metadata:
  1. Open ADUC and navigate to the Domain Controllers OU.
  2. Locate the failed domain controller object.
  3. Right-click the object and select Delete.

How do I clean up Active Directory DNS?

Using a graphical user interface:
  1. Open the DNS Management snap-in.
  2. Right-click DNS in the left pane and select Connect to DNS Server.
  3. Enter the server you want to connect to and press Enter.
  4. Right-click the server and select Clear Cache.

How do I clean up my Active Directory?

Active Directory Cleanup: 5 Best Practices to Keep AD Clean
  1. Disable Accounts for Users on Extended or Permanent Leave. ...
  2. Disable Built-in and Unused Admin Accounts. ...
  3. Ensure that Guest Access is Disabled. ...
  4. Remove All Inactive User Accounts. ...
  5. Clean-up User Groups and Organizational Units. ...
  6. Active Directory Cleanup Solutions.

How do I purge metadata?

Identifying and Removing Metadata
  1. Right-click on the file.
  2. View its Properties.
  3. If there is metadata that you would like to remove, select the Details tab.
  4. Click Remove Properties and Personal Information.

How do I delete metadata in bulk?

Step-by-Step Guide to Removing Metadata from Excel
  1. Download and install the 4n6 Metadata Cleaner software on your computer.
  2. Launch the software, select the Excel file type, and browse to choose the files or folders you want to process.
  3. Preview the metadata properties of the loaded files before removal.

What are the benefits of cleaning up Active Directory?

To sum it up, regular cleanup of Active Directory is vital in keeping your IT environment secure, efficient, and compliant. This process, which includes everything from handling outdated accounts to in-depth metadata cleanup, is key to maintaining the health and performance of your IT infrastructure.

What is Active Directory metadata?

Active Directory user objects possess a number of logon metadata attributes that are valuable for Active Directory audit reporting and administration. For example, they are commonly used to identify user accounts that have been inactive for a significant period, or as “stale” accounts.

How do I view metadata in Active Directory?

From the menu, select Browse → Replication → View Metadata. For Object DN, type the distinguished name of the object you want to view.

How do I flush DNS cache in AD?

To clear the DNS cache on Microsoft Windows, follow these steps:
  • Open a command window. To do this, click Start, click Run, type cmd, and then press Enter.
  • At the command prompt, type the following command and then press Enter: ipconfig /flushdns
  • The DNS cache is now clear.

How do I clear DNS cache on AD server?

Using the command prompt to clear the cache:
  1. Click the Start button and type cmd.
  2. Open the command prompt.
  3. Enter the following command at the prompt: ipconfig /flushdns

What is DNS scavenging?

DNS Scavenging is a Microsoft feature that removes outdated DNS resources. This ensures environments using DHCP do not detect duplicate devices based on multiple DNS entries for the same device.

How do I fix corrupt Active Directory?

Run the Windows tool msconfig.exe and change the boot option so that the server starts in Directory Services Restore Mode (DSRM) at the next restart. This saves you from having to press F8 during boot, which is harder to do in a VM. In msconfig.exe, switch to the Boot tab; under Boot options, select Active Directory repair.

Should you delete old Active Directory accounts?

Removal of inactive accounts is essential for the security of Active Directory. However, it is better to keep such accounts disabled for some time before deleting them. When employees leave the organization or take an extended leave, it is recommended to disable their user accounts.

Which command is used to do metadata cleanup of DC?

At the command line, type ntdsutil and press Enter. At the ntdsutil: prompt, type metadata cleanup and press Enter; the prompt changes to metadata cleanup:. At the metadata cleanup: prompt, type connections and press Enter.

What is metadata scrubbing?

Metadata removal tool or metadata scrubber is a type of privacy software built to protect the privacy of its users by removing potentially privacy-compromising metadata from files before they are shared with others, e.g., by sending them as e-mail attachments or by posting them on the Web.

What tool removes metadata from files?

MetaCleaner is an online tool to clean metadata of various file formats developed by ODS. Storing files in the cloud or sharing files on the Internet is very useful but can be dangerous at the same time.

Article information

Author: Stevie Stamm