This article will show you step-by-step how to clean up Active Directory metadata after killing a domain controller.
The steps listed should only be performed in case you have no intention of bringing the domain controller back online.
Cleanup includes deleting the computer account from the domain partition as well as removing replication objects in the configuration partition.
To perform the cleanup we use the Ntdsutil tool. Ntdsutil is present on every existing domain controller and can be installed on a client machine as part of the RSAT (Remote Server Administration Tools) package.
Make sure you’re a member of the Enterprise Admins group and that your command prompt is elevated with admin rights. Check both by running the “whoami /all” command:
Notice the last two lines in group membership in the above output! This indicates membership of the Enterprise Admins group and credential elevation.
Ntdsutil Metadata Cleanup
Perform the following steps to clean up domain controller metadata from your domain:
1. Enter the Ntdsutil interactive session by typing “ntdsutil”
2. Switch to the metadata cleanup context by typing “metadata cleanup”
3. Switch to the operation target selection context by typing “select operation target”
4. List your domains and select your target domain
5. List your AD sites and select your target site
6. List your AD domain controllers and select your target domain controller
7. Exit the operation target selection context by typing “quit”
8. Request metadata cleanup of the selected server by typing “remove selected server”
9. Verify your request to complete the cleanup
The obsolete domain controller is now removed from both the domain and the configuration partition of your Active Directory. Make sure you don’t bring it online again.
To see some sample commands, let’s try to remove the metadata for the obsolete domain controller “E365M-DC01”.
Depending on your setup, the complete output from the above commands may look like this:
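The same cleanup for “E365M-DC01” as a PowerShell script, added here as an example that is not part of the original article: it checks the prerequisites the article asks for (elevation, Enterprise Admins), refuses to run while the DC still answers, passes the ntdsutil commands of steps 1–8 on the command line using the server object’s distinguished name instead of the interactive list/select steps, and then verifies that nothing is left in either partition. It assumes the ActiveDirectory RSAT module is installed and that $SiteName is replaced with the real site of the dead DC (placeholder).

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory RSAT module;
# $SiteName is a placeholder: find the real site with "list sites" in ntdsutil.
Import-Module ActiveDirectory

$DeadDc   = 'E365M-DC01'
$SiteName = 'YOUR-SITE-NAME'
$RootDse  = Get-ADRootDSE
$ConfigNC = $RootDse.configurationNamingContext
$DomainNC = $RootDse.defaultNamingContext

# 1. Prerequisites: elevated prompt and Enterprise Admins membership (what "whoami /all" shows).
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}
$EaSid = (Get-ADDomain (Get-ADForest).RootDomain).DomainSID.Value + '-519'   # Enterprise Admins RID
if ($Identity.Groups.Value -notcontains $EaSid) {
    throw 'Current user is not a member of Enterprise Admins.'
}

# 2. Metadata cleanup is only for a DC that is gone for good; a live DC should be demoted instead.
if (Test-Connection -ComputerName $DeadDc -Count 1 -Quiet) {
    throw "$DeadDc still answers; demote it with dcpromo instead of cleaning up its metadata."
}

# 3. Steps 1-8 in one call: "remove selected server" also accepts the server object's DN,
#    so the domain/site/server list-and-select steps are not needed. The confirmation
#    dialog of step 9 still appears and must be acknowledged.
$ServerDn = "CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$ConfigNC"
& ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" 'quit' 'quit'

# 4. Verify: no server object left in the configuration partition, no computer account
#    left in the domain partition, and no remaining DC still lists it as a replication source.
$Leftovers = @()
if (Get-ADObject -LDAPFilter "(cn=$DeadDc)" -SearchBase "CN=Sites,$ConfigNC" -ErrorAction SilentlyContinue) {
    $Leftovers += 'server object still present under CN=Sites (configuration partition)'
}
if (Get-ADComputer -LDAPFilter "(cn=$DeadDc)" -SearchBase "OU=Domain Controllers,$DomainNC") {
    $Leftovers += 'computer account still present in OU=Domain Controllers (domain partition)'
}
$Repl = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
if ($Repl | Where-Object { $_.'Source DSA' -eq $DeadDc }) {
    $Leftovers += 'another DC still lists it as a replication source'
}
if ($Leftovers) { Write-Warning ("Cleanup incomplete:`n - " + ($Leftovers -join "`n - ")) }
else { Write-Host "$DeadDc has been removed from both the domain and the configuration partition." }
```

If the verification reports leftovers, rerun the interactive steps above against another domain controller and let replication converge before checking again.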
The above steps show you how to completely remove domain controller info from Active Directory.
It’s vital that you perform these steps if your domain controller crashed or was shut down without running dcpromo to safely remove the AD DS role.
The steps are not too hard, but be careful when running them in a production environment. Make sure you have a full backup of your AD (and know how to restore it) before making these changes.