Ntdsutil Metadata Cleanup - Easy365Manager (2024)

This article will show you step-by-step how to clean up Active Directory metadata after a domain controller has been lost for good (crashed, wiped or powered off permanently without being demoted).

The steps listed should only be performed if you have no intention of bringing the domain controller back online. A server that reappears after its metadata has been removed still considers itself a domain controller, but none of the remaining DCs will replicate with it, and it will hand out stale directory data to any client that finds it.

Cleanup includes deleting the computer account from the domain partition as well as removing the server object, its NTDS Settings (DSA) object and the associated replication connection objects from the configuration partition.

To perform the cleanup we use the Ntdsutil tool. Ntdsutil is installed on every domain controller and is available on a client machine or member server as part of the RSAT “AD DS and AD LDS Tools”.

Pre-requisites

Make sure you’re a member of the Enterprise Admins group and that your command prompt is elevated with admin rights. Check both by running the “whoami /all” command:

PS C:\Users\mskadm> whoami /all

USER INFORMATION
----------------

User Name    SID
============ =============================================
E365M\mskadm S-1-5-21-3247909092-157580105-2477339510-1480

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ===============================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
E365M\Domain Admins                        Group            S-1-5-21-3247909092-157580105-2477339510-512 Mandatory group, Enabled by default, Enabled group
E365M\Enterprise Admins                    Group            S-1-5-21-3247909092-157580105-2477339510-519 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Notice the last two lines of the group list in the output above. “E365M\Enterprise Admins” (the group with RID 519 in the forest root domain) confirms the membership, and “Mandatory Label\High Mandatory Level” confirms that the token is elevated. A prompt that is not elevated shows “Medium Mandatory Level” instead and lists the administrative groups with the attribute “Group used for deny only”; those deny-only entries grant nothing, so Ntdsutil would be refused write access to the configuration partition.
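The same two checks can be scripted so they fail loudly before you touch Ntdsutil. The block below is an added example and not part of the original article; it assumes the RSAT ActiveDirectory module is available and resolves Enterprise Admins from the forest root domain SID plus the well-known RID 519 rather than by display name.

```powershell
# Added example (not from the original article): check the two prerequisites
# before starting ntdsutil - an elevated token and Enterprise Admins membership.
# Needs the RSAT ActiveDirectory module for Get-ADForest / Get-ADDomain.
Import-Module ActiveDirectory

function Test-NtdsutilPrerequisites {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity

    # Elevation. Under UAC an administrator's non-elevated token still lists the
    # admin groups but marks them "Group used for deny only", and IsInRole()
    # returns $false for them. The elevated token is the one whoami /all reports
    # as "Mandatory Label\High Mandatory Level".
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Enterprise Admins lives in the forest root domain and always has RID 519,
    # so build its SID from the root domain SID instead of matching the display
    # name (which may be localised or renamed).
    $rootDomain = (Get-ADForest).RootDomain
    $rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
    $eaSid      = [System.Security.Principal.SecurityIdentifier]"$rootSid-519"
    $enterpriseAdmin = $principal.IsInRole($eaSid)

    [pscustomobject]@{
        User                = $identity.Name
        Elevated            = $elevated
        EnterpriseAdmin     = $enterpriseAdmin
        EnterpriseAdminsSid = $eaSid.Value
    }
}

$check = Test-NtdsutilPrerequisites
$check | Format-List
if (-not ($check.Elevated -and $check.EnterpriseAdmin)) {
    throw "Start an elevated PowerShell session as a member of Enterprise Admins before running ntdsutil."
}
```

Because `IsInRole()` ignores deny-only SIDs, a non-elevated session fails both checks at once, which matches what the whoami output shows you.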

Ntdsutil Metadata Cleanup

Perform the following steps to clean up domain controller metadata from your domain. Run them from an elevated prompt on a surviving domain controller (or a machine with RSAT) that replicates normally with the rest of the forest.

1. Enter the Ntdsutil interactive session by typing “ntdsutil”

2. Switch to the metadata cleanup context by typing “metadata cleanup”

3. Switch to the operation target selection context by typing “select operation target”

4. List your domains with “list domains” and select your target domain with “select domain <number>”

5. List your AD sites with “list sites” and select the site that holds the dead domain controller with “select site <number>”

6. List the domain controllers in that site with “list servers in site” and select the obsolete one with “select server <number>”

7. Exit the operation target selection context by typing “quit”

8. Request metadata cleanup of the selected server by typing “remove selected server”

9. Confirm the removal in the dialog that Ntdsutil displays to complete the cleanup

Before you confirm in step 9, compare the DSA object, DNS host name and computer object that Ntdsutil printed in step 6 with the server you actually intend to remove. The only thing separating the dead DC from a live one is the index number you typed, and the removal is not reversible without an authoritative restore.

The obsolete domain controller is now removed from both the domain and the configuration partition of your Active Directory. If it held any FSMO roles, Ntdsutil seizes them onto the domain controller it is connected to as part of the removal (the “Transferring / Seizing FSMO roles” line in the sample output). Make sure you don’t bring it online again.

Sample Output

To see some sample commands let’s try to remove metadata for the obsolete domain controller, “E365M-DC01”.

Depending on your setup the complete output from the above commands may look like this:

C:\Users\mskadm> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=Easy365Manager,DC=local
select operation target: select domain 0
No current site
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select site 1
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=E365M-DC02,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select server 0
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
Server - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
        DSA object - CN=NTDS Settings,CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
        DNS host name - Easy365Manager-DC01.Easy365Manager.local
        Computer object - CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
Deleting subtree under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
The attempt to remove the FRS settings on CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local failed because "No mapping for error code.";
metadata cleanup is continuing.
"CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local" removed from server "\\E365M-DC03.Easy365Manager.local"
metadata cleanup: quit
C:\Windows\system32\ntdsutil.exe: quit
PS C:\Users\mskadm>

Two things are worth reading carefully in this output. The FRS message (“failed because "No mapping for error code."”) is commonly seen in domains where SYSVOL is replicated by DFS-R rather than the old FRS, so there is no FRS member object to delete; Ntdsutil says so itself (“metadata cleanup is continuing”). The line that confirms success is the one reporting the server object “removed from server "\\E365M-DC03.Easy365Manager.local"”, where E365M-DC03 is the domain controller Ntdsutil was connected to and the one that received any seized FSMO roles.
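For repeatable cleanups, and for the checks an operator should run afterwards, the same procedure can be driven from PowerShell. This block is an added example and not the article’s own code: it assumes the RSAT ActiveDirectory and DnsServer modules, takes the object names (E365M-DC01, the DataCenter site) from the sample output above, and relies on Ntdsutil accepting its menu commands as command-line arguments, with “remove selected server <DN>” being the DN form of step 8. If your Ntdsutil version rejects that argument form, type the interactive steps instead; the verification part is unchanged.

```powershell
# Added example, not part of the original article: steps 1-9 driven by one
# ntdsutil command line, with guards before and verification after. Names
# (E365M-DC01, the DataCenter site) come from the article's sample output;
# change them for your own forest. Needs the RSAT ActiveDirectory module and,
# for the DNS check, the DnsServer module.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$deadDc = 'E365M-DC01'   # name of the dead DC's server object
$site   = 'DataCenter'   # AD site that holds that server object

$rootDse    = Get-ADRootDSE
$configNC   = $rootDse.configurationNamingContext
$domainNC   = $rootDse.defaultNamingContext
$serverDn   = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNC"
$dsaDn      = "CN=NTDS Settings,$serverDn"
$computerDn = "CN=$deadDc,OU=Domain Controllers,$domainNC"

function Test-ADObjectExists([string]$Dn) {
    try { [void](Get-ADObject -Identity $Dn); $true } catch { $false }
}

# Guard 1: the server object must exist, otherwise the name or site is wrong.
if (-not (Test-ADObjectExists $serverDn)) { throw "No server object at $serverDn" }

# Guard 2: the DC must really be dead. A DC that still answers should be demoted
# (Uninstall-ADDSDomainController), not have its metadata deleted under it.
$domain   = Get-ADDomain
$deadFqdn = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
if (-not $deadFqdn) { $deadFqdn = "$deadDc.$($domain.DNSRoot)" }
if (Test-Connection -ComputerName $deadFqdn -Count 1 -Quiet) {
    throw "$deadFqdn still responds; demote it cleanly instead."
}

# Same summary ntdsutil prints after "select server": compare it with the host
# you intend to remove before accepting the confirmation dialog.
"Removing metadata for:`n  Server   $serverDn`n  DSA      $dsaDn`n  Computer $computerDn`n  DNS host $deadFqdn"

# ntdsutil takes its menu commands as arguments, so steps 2-8 collapse into one
# line. The confirmation dialog of step 9 still appears and must be accepted.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" 'quit' 'quit'

# --- Verification: do not trust the exit code, check the directory itself.
$problems = @()

# 1. Domain and configuration partitions: all three objects must be gone.
foreach ($dn in $serverDn, $dsaDn, $computerDn) {
    if (Test-ADObjectExists $dn) { $problems += "still present: $dn" }
}

# 2. Connection objects whose fromServer still points at the removed DSA would
#    leave the KCC and repadmin reporting a partner that no longer exists.
Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $configNC -Properties fromServer |
    Where-Object { $_.fromServer -eq $dsaDn } |
    ForEach-Object { $problems += "stale connection object: $($_.DistinguishedName)" }

# 3. FSMO roles: ntdsutil seizes roles off the removed server onto the DC it is
#    connected to. Every holder must now be a DC that actually exists.
$forest  = Get-ADForest
$liveDcs = $forest.Domains | ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName }
$roles   = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -notin $liveDcs) { $problems += "FSMO $($role.Key) held by missing DC $($role.Value)" }
}

# 4. DNS: metadata cleanup does not touch DNS. Leftover A and SRV records keep
#    sending clients and replication partners to the dead host. Forests built
#    before Windows Server 2003 keep _msdcs as a subdomain of the domain zone
#    rather than a separate zone; adjust -ZoneName in that case.
$dnsServer = $domain.PDCEmulator
$dnsRoot   = $domain.DNSRoot
$shortName = $deadFqdn.Split('.')[0]
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $dnsRoot -RRType A |
    Where-Object { $_.HostName -eq $shortName } |
    ForEach-Object { $problems += "stale A record: $($_.HostName) $($_.RecordData.IPv4Address)" }
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName "_msdcs.$dnsRoot" -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$deadFqdn*" } |
    ForEach-Object { $problems += "stale SRV record: $($_.HostName) -> $($_.RecordData.DomainName)" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Metadata cleanup of $deadDc left $($problems.Count) issue(s) behind."
}
"Metadata for $deadDc removed and verified. Finish with 'repadmin /replsummary' to confirm replication health."
```

The DNS step is the one people forget: Ntdsutil cleans the directory, not the zones, and a stale SRV record under _msdcs will keep pointing Kerberos and LDAP clients at a host that no longer exists.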

Conclusion

The above steps show you how to completely remove domain controller info from Active Directory.

It’s vital that you perform these steps if your domain controller crashed or was shut down without a clean demotion (dcpromo on older versions, Server Manager or Uninstall-ADDSDomainController on Windows Server 2012 and later). Until you do, the remaining DCs keep trying to replicate with a partner that no longer exists, and any FSMO roles the dead DC held stay unavailable. On Windows Server 2008 and later, deleting the dead DC’s computer object in Active Directory Users and Computers, or its NTDS Settings object in Active Directory Sites and Services, performs the same metadata cleanup; Ntdsutil remains the tool to use when you want to see exactly which objects are removed or to script the process. Ntdsutil does not touch DNS, so remove the dead DC’s A and SRV records afterwards as well.

The steps are not too hard, but be careful running them in a production environment. Make sure you have a full backup of your AD (and know how to restore it) before making these changes.

Article information

Author: Dan Stracke
