Ntdsutil Metadata Cleanup


This article will show you step-by-step how to clean up Active Directory metadata after a domain controller has been lost or decommissioned without a proper demotion.

The steps listed should only be performed if you have no intention of ever bringing the domain controller back online. If the machine is merely down for maintenance, wait for it instead; cleaning up its metadata and then reconnecting it leaves a machine that believes it is a domain controller but is unknown to the rest of the forest.

Cleanup includes deleting the computer account from the domain partition as well as removing replication objects in the configuration partition.

To perform the cleanup we use the Ntdsutil tool. Ntdsutil.exe is present on every domain controller and is also included in the RSAT AD DS tools, so it can be run from an admin workstation. (On Windows Server 2008 and later, deleting the domain controller's computer object in Active Directory Users and Computers triggers the same cleanup, but Ntdsutil shows exactly which objects are being removed.)

Pre-requisites

Make sure you are running as an account with sufficient rights (the account used here is a member of Enterprise Admins; Domain Admins in the domain controller's own domain is the documented minimum) and that your command prompt is elevated. Check both by running the "whoami /all" command:

PS C:\Users\mskadm> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== =============================================
E365M\mskadm    S-1-5-21-3247909092-157580105-2477339510-1480


GROUP INFORMATION
-----------------

Group Name                                      Type             SID                                            Attributes
=============================================== ================ ============================================== ===============================================================
Everyone                                        Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                   Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access      Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                          Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON           Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                        Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                  Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                           Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
E365M\Domain Admins                             Group            S-1-5-21-3247909092-157580105-2477339510-512   Mandatory group, Enabled by default, Enabled group
E365M\Enterprise Admins                         Group            S-1-5-21-3247909092-157580105-2477339510-519   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level            Label            S-1-16-12288

Notice the last lines of the group list in the above output: "E365M\Domain Admins" and "E365M\Enterprise Admins" show the group memberships, and the "Mandatory Label\High Mandatory Level" label shows that the process is running elevated (a non-elevated prompt would show "Medium Mandatory Level", and BUILTIN\Administrators would be marked "Group used for deny only").

Ntdsutil Metadata Cleanup

Perform the following steps to clean up domain controller metadata from your domain (press Enter after each command; typing "?" in any context lists the commands available there):

1. Enter the Ntdsutil interactive session by typing "ntdsutil"

2. Switch to the metadata cleanup context by typing "metadata cleanup"

3. Switch to the operation target selection context by typing "select operation target"

4. List your domains by typing "list domains" and select your target domain by typing "select domain <number>"

5. List your AD sites by typing "list sites" and select the site containing the obsolete domain controller by typing "select site <number>"

6. List the domain controllers in that site by typing "list servers in site" and select the obsolete domain controller by typing "select server <number>"

7. Return to the metadata cleanup context by typing "quit"

8. Request metadata cleanup of the selected server by typing "remove selected server"

9. Confirm the deletion in the dialog box that Ntdsutil displays; nothing is removed until you click Yes

The obsolete domain controller is now removed from both the domain partition (its computer account) and the configuration partition (its server object and NTDS Settings object) of your Active Directory. Make sure you don't bring it online again.
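The following PowerShell script is an added example and not code from the original article. It wraps the procedure above in the checks a practitioner wants around it: the scripted equivalent of reading "whoami /all", a refusal to run if the target still answers on the network or is still recorded as an FSMO role holder, the same cleanup issued as a single non-interactive ntdsutil command line, and a post-cleanup check for leftover directory objects and stale DNS records (which Ntdsutil does not remove). It assumes the RSAT ActiveDirectory and DnsServer modules are installed; the parameter defaults reuse the article's sample names (E365M-DC01, the DataCenter site, E365M-DC03 as the surviving domain controller) and the -Remove switch is this script's own convention.

```powershell
# Added example (not from the original article): pre-flight checks, a non-interactive
# form of the ntdsutil metadata cleanup, and post-cleanup verification.
# Assumes RSAT ActiveDirectory and DnsServer modules; defaults are the article's sample names.
#Requires -Modules ActiveDirectory
param(
    [string]$DcName = 'E365M-DC01',   # server object name of the dead DC (assumption)
    [string]$Site   = 'DataCenter',   # site that holds its server object (assumption)
    [string]$LiveDc = 'E365M-DC03',   # surviving DC to run the cleanup against (assumption)
    [switch]$Remove                   # without -Remove the script only checks and reports
)
$ErrorActionPreference = 'Stop'

# 1. Elevation and group membership, the scripted equivalent of reading "whoami /all".
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start the prompt as administrator (High Mandatory Level).'
}
$domain       = Get-ADDomain -Server $LiveDc
$domainAdmins = [Security.Principal.SecurityIdentifier]"$($domain.DomainSID.Value)-512"  # RID 512
if (-not $principal.IsInRole($domainAdmins)) {
    throw 'Current token is not a member of Domain Admins.'
}

# 2. Resolve the objects ntdsutil will act on (the same DNs the interactive session prints).
$configNc = (Get-ADRootDSE -Server $LiveDc).configurationNamingContext
$serverDn = "CN=$DcName,CN=Servers,CN=$Site,CN=Sites,$configNc"
$server   = Get-ADObject -Identity $serverDn -Server $LiveDc -Properties dNSHostName -ErrorAction SilentlyContinue
if (-not $server) { throw "$serverDn not found: already cleaned up, or wrong name/site." }
$dnsHost  = $server.dNSHostName

# 3. Safety rails: the DC must really be gone, and must not still own FSMO roles
#    (ntdsutil would seize them; transferring from a live holder is the cleaner path).
if (Test-Connection -ComputerName $dnsHost -Count 1 -Quiet -ErrorAction SilentlyContinue) {
    throw "$dnsHost still answers on the network; demote it instead of cleaning metadata."
}
$forest = Get-ADForest -Server $LiveDc
$roles  = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
            $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($roles -contains $dnsHost) {
    throw "$dnsHost is still recorded as an FSMO role holder; seize the roles deliberately first."
}

# 4. The cleanup itself: ntdsutil accepts its menu commands as arguments, so the interactive
#    session collapses to one command line. It still shows its confirmation dialog.
if ($Remove) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn on $LiveDc" 'quit' 'quit'
}

# 5. Verify: the server object (with its NTDS Settings child) and the computer account
#    should be gone from $LiveDc's copy of the directory.
$leftovers = @()
if (Get-ADObject -Server $LiveDc -SearchBase $configNc -LDAPFilter "(distinguishedName=$serverDn)") {
    $leftovers += $serverDn
}
if (Get-ADComputer -Server $LiveDc -Filter "Name -eq '$DcName'") {
    $leftovers += "computer account $DcName"
}

# 6. ntdsutil does not touch DNS: list SRV, NS and A records still pointing at the old DC.
$zones    = @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")
$staleDns = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$dnsHost*") -or
            ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$dnsHost*") -or
            ($_.RecordType -eq 'A'   -and $_.HostName -eq $dnsHost.Split('.')[0])
        } | ForEach-Object { "$zone`: $($_.HostName) $($_.RecordType)" }
}

[pscustomobject]@{
    ServerDN        = $serverDn
    DnsHostName     = $dnsHost
    DirectoryDebris = $leftovers
    StaleDnsRecords = @($staleDns)
}
```

Run it once without -Remove to see what would be touched, then with -Remove to perform the cleanup; an empty DirectoryDebris list and an empty StaleDnsRecords list afterwards mean both the directory and DNS are clean. The FSMO check is deliberately a hard stop: Ntdsutil's automatic "Transferring / Seizing" of roles is a seizure, and you want to decide that consciously rather than have it happen as a side effect.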

Sample Output

To see some sample commands let’s try to remove metadata for the obsolete domain controller, “E365M-DC01”.

Depending on your setup the complete output from the above commands may look like this. Note the FRS warning near the end: it is typically seen when SYSVOL is replicated with DFS Replication rather than FRS, so there is no FRS member object to delete. Ntdsutil continues regardless and the final "removed from server" line confirms that the cleanup completed.

C:\Users\mskadm> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=Easy365Manager,DC=local
select operation target: select domain 0
No current site
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select site 1
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
1 - CN=E365M-DC02,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
select operation target: select server 0
Site - CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
Domain - DC=Easy365Manager,DC=local
Server - CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
        DSA object - CN=NTDS Settings,CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local
        DNS host name - Easy365Manager-DC01.Easy365Manager.local
        Computer object - CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
Deleting subtree under "CN=E365M-DC01,OU=Domain Controllers,DC=Easy365Manager,DC=local".
The attempt to remove the FRS settings on CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local failed because "No mapping for error code.";
metadata cleanup is continuing.
"CN=E365M-DC01,CN=Servers,CN=DataCenter,CN=Sites,CN=Configuration,DC=Easy365Manager,DC=local" removed from server "\\E365M-DC03.Easy365Manager.local"
metadata cleanup: quit
C:\Windows\system32\ntdsutil.exe: quit
PS C:\Users\mskadm>

Conclusion

The above steps show you how to completely remove a domain controller's metadata from Active Directory.

It's vital that you perform these steps if your domain controller crashed, or was rebuilt or shut down, without first being demoted (dcpromo on Windows Server 2008 R2 and earlier; Server Manager or Uninstall-ADDSDomainController on Windows Server 2012 and later). Otherwise the remaining domain controllers keep trying to replicate with a partner that no longer exists, and DNS keeps advertising it as a domain controller.

Ntdsutil only cleans the directory. Afterwards, also delete the stale DNS records that still point at the old domain controller (its host A record and the NS and SRV records in the domain and _msdcs zones) and check with "netdom query fsmo" that every FSMO role is held by a live domain controller.

The steps are not too hard, but be careful running them in a production environment. Make sure you have a full, tested backup of your AD (and know how to restore it) before making these changes.