This article will show you step-by-step how to clean up Active Directory metadata after killing a domain controller.
The steps listed should only be performed if you have no intention of ever bringing the domain controller back online.
Cleanup includes deleting the computer account from the domain partition as well as removing replication objects in the configuration partition.
To perform the cleanup we use the Ntdsutil tool. Ntdsutil is present on existing domain controllers and can be installed on a client machine as part of RSAT (Remote Server Administration Tools).
Pre-requisites
Make sure you’re a member of the Enterprise Admins group and that your command prompt is elevated with admin rights. Check both by running the “whoami /all” command:
PS C:\Users\mskadm> whoami /all

USER INFORMATION
----------------

User Name    SID
============ =============================================
E365M\mskadm S-1-5-21-3247909092-157580105-2477339510-1480

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ===============================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
E365M\Domain Admins                        Group            S-1-5-21-3247909092-157580105-2477339510-512 Mandatory group, Enabled by default, Enabled group
E365M\Enterprise Admins                    Group            S-1-5-21-3247909092-157580105-2477339510-519 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
Notice the last two lines of the group membership in the above output: the E365M\Enterprise Admins line confirms membership of the Enterprise Admins group, and the Mandatory Label\High Mandatory Level line confirms that the prompt is elevated.
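The same two prerequisites can be checked from the process token instead of reading the whoami output by eye. The script below is an added example, not code from the original article; it assumes, as in the article's sample, that the account lives in the forest root domain, where the Enterprise Admins group (RID 519) is defined.

```powershell
# Added example (not from the original article): verify that the current prompt is
# elevated and that the account is a member of Enterprise Admins, using the process token.
# Assumption: the account is in the forest root domain (Enterprise Admins = <root domain SID>-519).

function Test-MetadataCleanupPrerequisites {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Elevated: under UAC the Administrators group is only enabled in an elevated token;
    # in a filtered (non-elevated) token it is "used for deny only" and IsInRole returns $false.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Build the Enterprise Admins SID from the user's own domain SID (null for local accounts).
    $domainSid = $identity.User.AccountDomainSid
    if ($null -eq $domainSid) {
        Write-Warning "$($identity.Name) is a local account; metadata cleanup needs a domain account."
        $enterpriseAdmin = $false
        $eaSidValue = $null
    } else {
        $eaType = [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid
        $eaSid  = New-Object System.Security.Principal.SecurityIdentifier($eaType, $domainSid)
        $enterpriseAdmin = $principal.IsInRole($eaSid)
        $eaSidValue = $eaSid.Value
    }

    [pscustomobject]@{
        User            = $identity.Name
        Elevated        = $elevated
        EnterpriseAdmin = $enterpriseAdmin
        CheckedSid      = $eaSidValue
    }
}

$check = Test-MetadataCleanupPrerequisites
$check | Format-List

if ($check.Elevated -and $check.EnterpriseAdmin) {
    Write-Host 'Prerequisites met: ntdsutil can be started from this prompt.'
} else {
    Write-Warning 'Do not start ntdsutil from this prompt: it must be elevated and run by an Enterprise Admins member.'
}
```

Run it in the same console you intend to start ntdsutil from. A non-elevated prompt reports Elevated = False even for an administrator, which matches the article's point that the Administrators membership only counts once the prompt has been elevated.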
Ntdsutil Metadata Cleanup
Perform the following steps to clean up domain controller metadata from your domain:
1. Enter the Ntdsutil interactive session by typing “ntdsutil”
2. Switch to the metadata cleanup context by typing “metadata cleanup”
3. Switch to the operation target selection context by typing “select operation target”
4. List your domains with “list domains” and select your target domain with “select domain <number>”
5. List your AD sites with “list sites” and select your target site with “select site <number>”
6. List the domain controllers in that site with “list servers in site” and select your target domain controller with “select server <number>”
7. Exit the operation target selection context by typing “quit”
8. Request metadata cleanup of the selected server by typing “remove selected server”
9. Verify your request to complete the cleanup
The obsolete domain controller is now removed from both the domain and the configuration partition of your Active Directory. Make sure you don’t bring it online again.
Sample Output
To see some sample commands let’s try to remove metadata for the obsolete domain controller, “E365M-DC01”.
Depending on your setup the complete output from the above commands may look like this:
C:\Users\mskadm> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=Easy365Manager,DC=local
select operation target: select domain 0
No current site
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select site 1
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=E365M-DC02,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select server 0
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
Server - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
DSA object - CN=NTDS Settings,CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
DNS host name - Easy365Manager-DC01.Easy365Manager.local
Computer object - CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
Deleting subtree under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
The attempt to remove the FRS settings on CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local failed because "No mapping for error code."; metadata cleanup is continuing.
"CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local" removed from server "\\E365M-DC03.Easy365Manager.local"
metadata cleanup: quit
C:\Windows\system32\ntdsutil.exe: quit
PS C:\Users\mskadm>
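Because ntdsutil reports partial failures (such as the FRS settings message above) and carries on, it is worth confirming afterwards that nothing referring to the dead domain controller is left behind. The script below is an added example and not part of the original article; it requires the ActiveDirectory module from RSAT, and the computer name and DNS host name it checks are taken from the article's sample output (E365M-DC01 and Easy365Manager-DC01.Easy365Manager.local) and are assumptions you should replace with your own values.

```powershell
# Added example (not from the original article): post-cleanup verification.
# Looks for leftovers of a removed DC in the configuration partition, the domain
# partition, the SYSVOL replication (FRS / DFSR) topology, FSMO role ownership and DNS.
# Requires the ActiveDirectory module (RSAT). Names below are assumptions from the article's sample.

Import-Module ActiveDirectory

function Get-StaleDcReferences {
    param(
        [Parameter(Mandatory)][string]$DcName,       # computer name, e.g. E365M-DC01
        [Parameter(Mandatory)][string]$DnsHostName   # FQDN the DC advertised in DNS
    )
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Server object (its NTDS Settings child goes with it) in the configuration partition, any site.
    $serverFilter = "(&(objectClass=server)(cn=$DcName))"
    foreach ($s in Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter $serverFilter) {
        $findings.Add("Server object still present: $($s.DistinguishedName)")
    }

    # 2. Computer account in the domain partition (normally under OU=Domain Controllers).
    foreach ($c in Get-ADComputer -Filter "Name -eq '$DcName'") {
        $findings.Add("Computer account still present: $($c.DistinguishedName)")
    }

    # 3. SYSVOL replication membership under CN=System: FRS (nTFRSMember) or DFSR (msDFSR-Member).
    $memberFilter = "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$DcName))"
    foreach ($m in Get-ADObject -SearchBase $domain.SystemsContainer -LDAPFilter $memberFilter) {
        $findings.Add("SYSVOL replication member still present: $($m.DistinguishedName)")
    }

    # 4. FSMO roles: ntdsutil seizes them off the selected server, so none may still name it.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -eq $DnsHostName) {
            $findings.Add("FSMO role $($r.Key) still held by $($r.Value)")
        }
    }

    # 5. DNS: the DC locator SRV record and the host A record (clients keep locating a dead DC otherwise).
    $locator = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
    $srv = Resolve-DnsName -Name $locator -Type SRV -ErrorAction SilentlyContinue
    foreach ($rec in ($srv | Where-Object { $_.NameTarget -eq $DnsHostName })) {
        $findings.Add("DC locator SRV record $locator still points at $($rec.NameTarget)")
    }
    if (Resolve-DnsName -Name $DnsHostName -Type A -ErrorAction SilentlyContinue) {
        $findings.Add("A record still present for $DnsHostName")
    }

    return $findings
}

# Values taken from the article's sample (assumptions): replace with your own DC.
$stale = @(Get-StaleDcReferences -DcName 'E365M-DC01' -DnsHostName 'Easy365Manager-DC01.Easy365Manager.local')

if ($stale.Count -eq 0) {
    Write-Host 'No references to the removed domain controller remain.'
} else {
    $stale | ForEach-Object { Write-Warning $_ }
}
```

Run it from a domain-joined machine a few minutes after the cleanup so replication has had time to converge. Any warning it prints is an object ntdsutil did not remove (or a DNS record that was registered by the dead DC itself) and should be dealt with before you consider the cleanup complete.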
Conclusion
The above steps show you how to completely remove domain controller info from Active Directory.
It’s vital that you perform these steps if your domain controller crashed or was shut down without running dcpromo to safely remove the AD service.
The steps are not too hard, but be careful when running them in a production environment. Make sure you have a full backup of your AD (and know how to restore it) before making these changes.