Metadata Cleanup of a Domain controller (2024)

Metadata cleanup is performed when a DC is forcefully removed from Active Directory Domain Services (AD DS), either because a permanent hardware failure that cannot be fixed leads to decommissioning of the server, or because the server cannot be gracefully demoted. Metadata cleanup removes from AD DS the stale data and entries that identify the server as a domain controller to the replication system. It also transfers or seizes any flexible single master operations (FSMO) roles that the retired domain controller held.

Metadata cleanup can be performed by using either of the following methods:

  • Clean up server metadata by using GUI tools.
  • Clean up server metadata using the command line.
Note
If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box.

In Active Directory Users and Computers, the Object tab of an object appears only if you click View and then click Advanced Features.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.


A. Clean up server metadata by using GUI tools.
===========================================

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) to delete a failed domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.

You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.

As long as you are using the Windows Server 2008, Windows Server 2008 R2, or RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.

  • Active Directory Users and Computers:
  1. Open Active Directory Users and Computers (dsa.msc).
  2. Find the domain controller whose metadata you want to clean up (it will be in the Domain Controllers OU) and then click Delete.
  3. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
  4. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  5. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  6. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.
  • Active Directory Sites and Services:
  1. Open Active Directory Sites and Services (dssite.msc).
  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object (if the NTDS Settings object is missing, it may already have been deleted when the DC was deleted from AD), and then click Delete.
    A) In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.

    B) In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.

    C) If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

    D) If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

  4. Right-click the domain controller that was forcibly removed, and then click Delete.
  5. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.
  • Remove DNS entries:

    1. Right-click a zone in the DNS console, go to Properties, and under the Name Servers tab delete the entries that relate to the decommissioned DC.
    2. Open the DNS console (dnsmgmt.msc) and expand the zone that is related to the domain from which the server has been removed. Remove the CNAME record for the server in the _msdcs zone of the forest root domain. You should also delete the host (A) record and any other DNS records for the server. If you have reverse lookup zones, also remove the PTR record of the server from these zones.
    3. Remove the IP address of the decommissioned DC if it is still listed as the primary or secondary DNS server on the network adapter (ncpa.cpl).

Run Dcdiag to verify that all stale entries related to the failed DC have been removed successfully.

B. Clean up server metadata using the command line:
================================================

You can clean up metadata by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and on servers that have Active Directory Lightweight Directory Services (AD LDS) installed.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Run Command Prompt (CMD) using administrator privileges.

  1. At the command line, type ntdsutil and press Enter.
    C:\WINDOWS>ntdsutil
    ntdsutil:
  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
    ntdsutil: metadata cleanup
    metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
    metadata cleanup: connections
    server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
    server connections: connect to server ServerA
    Binding to ServerA ...
    Connected to Server_Name using credentials of locally logged on user.
    server connections:

    Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

  5. Type quit and press Enter to return to the metadata cleanup: prompt.
    server connections: q
    metadata cleanup:
  6. Type select operation target and press Enter.
    metadata cleanup: Select operation target
    select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest, with a number associated with each.
    select operation target: list domains
    Found 1 domain(s)
    0 - DC=Domain_Name,DC=com
    select operation target:
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
    select operation target: Select domain 0
    No current site
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:
  9. Type list sites and press Enter.
    select operation target: List sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:
  10. Type select site <number>, where <number> refers to the number of the site of which the domain controller was a member. Press Enter.
    select operation target: Select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:
  11. Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.
    select operation target: List servers in site
    Found 2 server(s)
    0 - CN=SERVERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    1 - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
    select operation target: Select server 1
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    Server - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DSA object - CN=NTDS Settings,CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DNS host name - serverB.Domain_Name.com
    Computer object - CN=SERVERB,OU=Domain Controllers,DC=Domain_name,DC=com
    No current Naming Context
    select operation target:
  13. Type quit and press Enter. The metadata cleanup menu is displayed.
    select operation target: q
    metadata cleanup:
  14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, click Yes.

    metadata cleanup: Remove selected server
    "CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com" removed from server "serverA"
    metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the domain controller might already have been removed from Active Directory.

15. Type quit and press Enter until you return to the command prompt.

16. Remove the failed server object from the sites

  • Open Active Directory Sites and Services and expand the appropriate site.
  • Right-click the server object of failed DC and then click Delete.

17. If you can still find the failed domain controller in AD DS, delete it.

18. Remove the failed server object from DNS

A. In the DNS snap-in, expand the zone that is related to the domain from which the server has been removed. Remove the CNAME record for the server in the _msdcs zone of the forest root domain. You should also delete the host (A) record and any other DNS records for the server.

B. If you have reverse lookup zones, also remove the server's PTR record from these zones.

C. Right-click a zone in the DNS console, go to Properties, and under the Name Servers tab delete the entries that relate to the decommissioned DC.

D. Remove the IP address of the decommissioned DC if it is still listed as the primary or secondary DNS server on the network adapter (ncpa.cpl).

Also, consider the following:

  • If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
  • If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to address the site, domain, or forest global catalog load.
  • If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
  • If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
  • If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.
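Whichever method was used, the final check is that nothing in the directory or in DNS still refers to the removed DC. The following PowerShell script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory and DnsServer modules are installed, and the names SERVERB (removed DC) and serverA.Domain_Name.com (surviving DC hosting the DNS zones) are placeholders taken from the transcript above.

```powershell
# Added example (not from the original article): list anything that still refers to the
# removed DC after metadata cleanup. Assumes the RSAT ActiveDirectory and DnsServer modules.
param(
    [string]$FailedDc  = 'SERVERB',                  # removed DC (placeholder name)
    [string]$DnsServer = 'serverA.Domain_Name.com'   # surviving DC hosting the zones (placeholder)
)
Import-Module ActiveDirectory, DnsServer

$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$domain = Get-ADDomain
$forest = Get-ADForest
$fqdn   = "$FailedDc.$($domain.DNSRoot)"
$stale  = New-Object 'System.Collections.Generic.List[string]'

# 1. Server object under CN=Sites in the configuration partition (NTDS Settings lives below it)
Get-ADObject -SearchBase "CN=Sites,$cfgNC" -Filter "objectClass -eq 'server' -and name -eq '$FailedDc'" |
    ForEach-Object { $stale.Add("Configuration: $($_.DistinguishedName)") }

# 2. Computer account left behind in the Domain Controllers OU
Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter "name -eq '$FailedDc'" |
    ForEach-Object { $stale.Add("Computer object: $($_.DistinguishedName)") }

# 3. FSMO roles still recorded against the removed DC (these must be seized to a live DC)
$roles = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;  RIDMaster          = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.Keys) {
    if ($roles[$r] -ieq $fqdn) { $stale.Add("FSMO role $r still held by $fqdn") }
}

# 4. DNS records (A, the _msdcs CNAME, NS, SRV, PTR) that still name the removed DC
$pattern = '^' + [regex]::Escape($fqdn) + '\.?$'
foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName | Where-Object {
        $rd = $_.RecordData
        $_.HostName -ieq $FailedDc -or
        @($rd.HostNameAlias, $rd.NameServer, $rd.DomainName, $rd.PtrDomainName) -match $pattern
    } | ForEach-Object { $stale.Add("DNS $($_.RecordType) '$($_.HostName)' in zone $($zone.ZoneName)") }
}

if ($stale.Count -eq 0) { Write-Output "No stale references to $fqdn found. Run 'dcdiag /q' to confirm." }
else { $stale | ForEach-Object { Write-Warning $_ } }
```

Run it from the surviving DC as a Domain Admin; every warning it prints maps to one of the cleanup steps above (sites object, computer object, FSMO roles, or a DNS record) that still needs to be done.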

For more details, refer to the articles below:

http://support.microsoft.com/kb/216498
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Author: Tyson Zemlak