

Metadata Cleanup for Active Directory 2000/2003

Friday, October 28, 2011

This article describes how to remove data that is left in Active Directory after an unsuccessful domain controller (DC) demotion via DCPROMO, or because a DC has failed and cannot be restarted to demote it properly to a member server. When you demote a DC with DCPROMO, the demotion process removes the domain controller's configuration data from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services. The information is in the following location in Active Directory:


CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=DOMAIN

The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, but is retired upon demotion.

If the NTDS Settings object was not removed correctly, the administrator can manually remove the metadata for the server object. On Windows Server 2000/2003, the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in Active Directory for a particular domain controller. Windows Server 2003 Service Pack 1 (SP1) or later includes an enhanced version of Ntdsutil.exe that makes the metadata cleanup process more complete; pre-Windows 2003 SP1 requires the additional steps listed below. The enhanced version does the following:
  • Removes the NTDSA (NTDS Settings) object.
  • Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
  • Removes the computer account.
  • Removes the FRS member object.
  • Removes the FRS subscriber objects.
  • Tries to seize the flexible single master operations (FSMO) roles held by the DC that is being removed.

To begin the cleanup process, click Start, point to Programs, point to Accessories, and then click Command Prompt. Run it as a member of Enterprise Admins.

  • At the command prompt, type ntdsutil, and then press ENTER.
  • Type metadata cleanup, and then press ENTER.
  • Type connections and press ENTER.
  • Type connect to server servername, and then press ENTER.
  • Type quit, and then press ENTER.
  • Type select operation target and press ENTER.
  • Type list domains and press ENTER.
  • Type select domain number, where number is the domain's number in the list, and press ENTER.
  • Type list sites and press ENTER.
  • Type select site number, where number is the site's number in the list, and press ENTER.
  • Type list servers in site and press ENTER.
  • Type select server number, where number is the server's number in the list, and press ENTER.
  • Type quit and press ENTER.
  • Type remove selected server and press ENTER.
  • Type quit, and then press ENTER at each menu to quit the Ntdsutil utility.

You should receive confirmation that the removal completed successfully. If you receive the error message "The DSA object could not be found", the NTDS Settings object may already have been removed from Active Directory, either because another administrator removed it or because the successful removal by DCPROMO has already replicated. You may also see this error when you try to bind to the domain controller that is being removed: Ntdsutil must bind to a domain controller other than the one being removed with metadata cleanup.

Additional steps for pre-Windows 2003 SP1 (but should be verified in all versions).

Use ADSIEdit to delete the computer account. To do this, follow these steps:
  • Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand OU=Domain Controllers.
  • Right-click CN=domain controller name, and then click Delete.

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
  • Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand CN=System.
  • Expand CN=File Replication Service.
  • Expand CN=Domain System Volume (SYSVOL share).
  • Right-click the domain controller you are removing, and then click Delete.
Additional cleanup steps to perform (Windows 200x):
  • Remove the CNAME record in the _msdcs.root domain of forest zone in DNS.
  • As best practice, you should also delete the host name and other associated DNS records.
  • Delete the CNAME record in the _msdcs container.
  • If this DC was a DNS server, remove the reference to it under the Name Servers tab.
  • If you have reverse lookup zones, also remove the server from these zones.

If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
  • Click Start, click Run, type adsiedit.msc, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand CN=System.
  • Right-click the Trust Domain object, and then click Delete.

Use Active Directory Sites and Services to remove the domain controller's server object:
  • Start Active Directory Sites and Services.
  • Expand Sites.
  • Expand the server's site.
  • Expand Servers.
  • Right-click the domain controller, and then click Delete.
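The checks a practitioner wants after the whole procedure, as an added verification script that is not part of the original article: it looks for every object the steps above are meant to remove (server/NTDS Settings object, connection objects, computer account, FRS member object, DNS A/CNAME/NS records, FSMO roles) and reports anything left. It assumes the RSAT ActiveDirectory and DnsServer PowerShell modules (later Windows than the 2000/2003 era of the article) and the constructed names DC2, Default-First-Site-Name and DC1.

```powershell
# Added example (not from the original article): report metadata a removed DC left behind.
# Assumes the RSAT ActiveDirectory and DnsServer modules; the three names are constructed.
Import-Module ActiveDirectory
Import-Module DnsServer

$DcName   = 'DC2'                      # DC that was removed (constructed)
$SiteName = 'Default-First-Site-Name'  # site it belonged to (constructed)
$DnsHost  = 'DC1'                      # surviving DNS server to query (constructed)

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$forest   = Get-ADForest
$domain   = Get-ADDomain
$serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
# Role holders are FQDNs; none of them should still name the removed DC
$roles    = @($forest.SchemaMaster, $forest.DomainNamingMaster,
              $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)

$checks = [ordered]@{
  # Server object and its NTDS Settings child in the Configuration NC
  'Server / NTDS Settings object' = { Get-ADObject -Filter * -SearchBase $serverDn -ErrorAction SilentlyContinue }
  # Inbound connection objects on other DCs whose fromServer still points at the removed DC
  'Connection objects from DC'    = { Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase "CN=Sites,$configNC" -Properties fromServer |
                                      Where-Object { $_.fromServer -like "*CN=$DcName,CN=Servers,*" } }
  # Computer account in the Domain Controllers OU (the FRS subscriber objects live under it)
  'Computer account'              = { Get-ADObject -LDAPFilter "(&(objectClass=computer)(cn=$DcName))" -SearchBase "OU=Domain Controllers,$domainNC" }
  # FRS member object under CN=Domain System Volume (SYSVOL share)
  'FRS member object'             = { Get-ADObject -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" -SearchBase "CN=File Replication Service,CN=System,$domainNC" }
  # Host (A) record in the domain zone
  'DNS A record'                  = { Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $domain.DNSRoot -Name $DcName -RRType A -ErrorAction SilentlyContinue }
  # DSA GUID CNAME in _msdcs.<forest root> that still aliases the removed host
  'DNS _msdcs CNAME'              = { Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName "_msdcs.$($forest.RootDomain)" -RRType CName |
                                      Where-Object { $_.RecordData.HostNameAlias -like "$DcName.*" } }
  # NS record still listing the removed DC as a name server for the domain zone
  'DNS NS record'                 = { Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $domain.DNSRoot -RRType NS |
                                      Where-Object { $_.RecordData.NameServer -like "$DcName.*" } }
  'FSMO role holder'              = { $roles | Where-Object { $_ -like "$DcName.*" } }
}

foreach ($name in $checks.Keys) {
  try   { $left = @(& $checks[$name]) }
  catch { Write-Warning "${name}: check failed ($($_.Exception.Message))"; continue }
  if ($left.Count -gt 0) {
    Write-Warning "${name}: $($left.Count) leftover object(s)"
    $left | Out-String | Write-Warning
  } else {
    Write-Output "${name}: clean"
  }
}
```

Run it on a surviving DC after replication has converged; any line reported as leftover maps to one of the manual steps above (ADSIEdit for the computer account, FRS member or trustDomain object, DNS for the records, and ntdsutil role seizure for a stale FSMO holder).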
