
Metadata Cleanup for Active Directory 2000/2003

This article describes how to remove the metadata that a domain controller (DC) leaves behind in Active Directory when a demotion through DCPROMO fails, or when a DC has failed outright and cannot be restarted to demote it properly to a member server.

When a DC is demoted successfully with DCPROMO, the demotion process removes that DC's configuration data from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.

The information is in the following location in Active Directory:

CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=DOMAIN

If the demotion does not complete, this object and the related objects listed below are left in place. A successful metadata cleanup:
  • Removes the NTDS Settings (NTDSA) object.
  • Removes the inbound connection objects that existing destination DCs use to replicate from the DC being deleted.
  • Removes the computer account.
  • Removes the FRS member object.
  • Removes the FRS subscriber objects.
  • Tries to seize any flexible single master operations (FSMO) roles held by the DC that is being removed.

To begin the cleanup process click Start, point to Programs, point to Accessories, and then click Command Prompt. Run as an Enterprise Admin.

  • At the command prompt, type ntdsutil, and then press ENTER.
  • Type metadata cleanup, and then press ENTER.
  • Type connections and press ENTER.
  • Type connect to server servername, and then press ENTER.
  • Type quit, and then press ENTER.
  • Type select operation target and press ENTER.
  • Type list domains and press ENTER.
  • Type select domain number and press ENTER.
  • Type list sites and press ENTER.
  • Type select site number and press ENTER.
  • Type list servers in site and press ENTER.
  • Type select server number and press ENTER.
  • Type quit and press ENTER.
  • Type remove selected server and press ENTER.
  • Type quit, and then press ENTER at each menu to exit the Ntdsutil utility.

You should receive confirmation that the removal was completed successfully. If you receive the error message “The DSA object could not be found”, the NTDS Settings object may already have been removed from Active Directory, either because another administrator removed it or because the successful removal performed by DCPROMO has since replicated to the DC you are connected to.

You may also see this error if you tried to bind to the domain controller that is being removed. Ntdsutil must bind to a domain controller other than the one being removed with metadata cleanup.
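The two conditions just described (binding to the wrong DC, and FSMO roles that ntdsutil only tries to seize) are easy to check before touching anything. The following PowerShell script is an added example, not part of the original article: it runs those pre-flight checks with plain ADSI and then issues the same removal as the step list above as a single non-interactive ntdsutil command line. It assumes Windows Server 2003 SP1 or later (which accepts the "remove selected server <DN> on <DC>" form), an Enterprise Admin session on a healthy DC, and the server, site and domain names below are constructed placeholders.

```powershell
# Added example (not from the original article). Pre-flight checks for the
# ntdsutil metadata cleanup procedure, then the removal as one command line.
# Assumptions: ntdsutil from Windows Server 2003 SP1 or later; run as an
# Enterprise Admin on a surviving DC; names below are placeholders.
$FailedDc = 'DC2'                       # DC that can no longer be demoted
$TargetDc = 'DC1'                       # healthy DC that ntdsutil binds to
$SiteName = 'Default-First-Site-Name'   # site that contains the failed DC
$WhatIf   = $true                       # $true: print the command instead of running it

# Check 1: never bind to the DC that is being removed.
if ($FailedDc -ieq $TargetDc) {
    throw 'The DC to bind to must not be the DC being removed.'
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value
$serverDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
$ntdsDn   = "CN=NTDS Settings,$serverDn"

# Check 2: the failed DC must hold no FSMO role. ntdsutil only *tries* to
# seize roles during cleanup, so seize any that still point at it first.
# fSMORoleOwner holds the DN of the role owner's NTDS Settings object.
$roleOwners = @{
    'Schema'         = ([ADSI]"LDAP://CN=Schema,$configNc").fSMORoleOwner.Value
    'Domain naming'  = ([ADSI]"LDAP://CN=Partitions,$configNc").fSMORoleOwner.Value
    'PDC emulator'   = ([ADSI]"LDAP://$domainNc").fSMORoleOwner.Value
    'RID'            = ([ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNc").fSMORoleOwner.Value
    'Infrastructure' = ([ADSI]"LDAP://CN=Infrastructure,$domainNc").fSMORoleOwner.Value
}
$stale = $roleOwners.GetEnumerator() |
         Where-Object { $_.Value -ieq $ntdsDn } |
         ForEach-Object { $_.Key }
if ($stale) {
    throw "Seize these roles before running metadata cleanup: $($stale -join ', ')"
}

# Check 3: the NTDS Settings object must still exist; otherwise ntdsutil
# reports "The DSA object could not be found" and there is nothing to clean.
if (-not [ADSI]::Exists("LDAP://$ntdsDn")) {
    Write-Warning "$ntdsDn is already gone; nothing to remove with ntdsutil."
    return
}

# The step list above collapsed into one command line. Each quoted string is
# one ntdsutil command; the two "quit"s leave the menus. If the site name
# contains spaces, use the interactive steps instead, because ntdsutil
# tokenizes the DN on spaces.
$ntdsArgs = @('metadata cleanup', "remove selected server $serverDn on $TargetDc", 'quit', 'quit')
if ($WhatIf) {
    'ntdsutil.exe ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
} else {
    & ntdsutil.exe @ntdsArgs
}
```

With $WhatIf left at $true the script only prints the ntdsutil command line it would run, which is a convenient way to review the DN before committing to the removal on a production forest.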

The following steps apply to versions earlier than Windows 2003 SP1, but the result should be verified on all versions. Use ADSIEdit to delete the computer account. To do this, follow these steps:

  • Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand OU=Domain Controllers.
  • Right-click CN=domain controller name, and then click Delete.

The following steps also apply to versions earlier than Windows 2003 SP1, but the result should be verified on all versions. Use ADSIEdit to delete the FRS member object:

  • Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand CN=System.
  • Expand CN=File Replication Service.
  • Expand CN=Domain System Volume (SYSVOL share).
  • Right-click the domain controller you are removing, and then click Delete.

Additional cleanup steps to perform… Windows 200x

  • Delete the CNAME record for the DC in the _msdcs container of the forest root domain zone in DNS.
  • As a best practice, also delete the host (A) record and any other DNS records associated with the DC.
  • If the DC was also a DNS server, remove the reference to it under the Name Servers tab of each zone.
  • If you have reverse lookup zones, remove the server's records from those zones as well.

If the deleted computer was the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustedDomain object for the child. To do this, follow these steps:

  • Click Start, click Run, type adsiedit.msc, and then click OK.
  • Expand the Domain NC container.
  • Expand DC=domain name, DC=ext.
  • Expand CN=System.
  • Right-click the trustedDomain object for the child domain, and then click Delete.

Finally, use Active Directory Sites and Services to remove the server object for the domain controller:

  • Start Active Directory Sites and Services.
  • Expand Sites.
  • Expand the server’s site.
  • Expand Servers.
  • Right-click the domain controller, and then click Delete.
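Once the manual steps are done and replication has converged, it is worth confirming that every object the cleanup list at the top of this article names (NTDS Settings object, inbound connection objects, computer account, FRS member object) and the _msdcs CNAME record are really gone, since a leftover connection object or stale CNAME keeps other DCs trying to replicate from a server that no longer exists. The following PowerShell script is an added example, not part of the original article. It uses plain ADSI (no ActiveDirectory module) and dnscmd.exe, assumes it is run on a surviving DC by a domain admin, and the server, DNS server and zone names are constructed placeholders; adjust $MsdcsZone if _msdcs is a subdomain of your forest root zone rather than its own zone.

```powershell
# Added example (not from the original article). Verifies that the objects
# metadata cleanup is supposed to remove are gone after the procedure.
# Assumptions: run on a surviving DC as a domain admin; ADSI and dnscmd.exe
# available; names below are placeholders.
$RemovedDc = 'DC2'
$DnsServer = 'DC1'
$MsdcsZone = '_msdcs.contoso.com'   # or the forest root zone if _msdcs is a subdomain

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value

# Search helper: returns SearchResult objects, or nothing if the base is absent.
function Search-Ad([string]$Base, [string]$Filter, [string[]]$Props) {
    try {
        $ds = New-Object System.DirectoryServices.DirectorySearcher
        $ds.SearchRoot = [ADSI]"LDAP://$Base"
        $ds.Filter     = $Filter
        $ds.PageSize   = 500
        foreach ($p in $Props) { [void]$ds.PropertiesToLoad.Add($p) }
        $ds.FindAll()
    } catch { @() }
}

$leftovers = @()

# 1. Server object and its NTDS Settings child under CN=Sites.
Search-Ad "CN=Sites,$configNc" "(&(objectClass=server)(cn=$RemovedDc))" @('distinguishedName') |
    ForEach-Object {
        $dn = $_.Properties['distinguishedname'][0]
        $leftovers += "server object still present: $dn"
        if ([ADSI]::Exists("LDAP://CN=NTDS Settings,$dn")) {
            $leftovers += "NTDS Settings object still present: CN=NTDS Settings,$dn"
        }
    }

# 2. Inbound connection objects on other DCs that still replicate from it.
#    fromServer is DN-valued, so compare in PowerShell rather than with an
#    LDAP substring filter (substring matching is not defined for DN syntax).
Search-Ad "CN=Sites,$configNc" '(objectClass=nTDSConnection)' @('distinguishedName', 'fromServer') |
    Where-Object { $_.Properties['fromserver'][0] -like "CN=NTDS Settings,CN=$RemovedDc,CN=Servers,*" } |
    ForEach-Object { $leftovers += "connection object still references the DC: $($_.Properties['distinguishedname'][0])" }

# 3. Computer account in the domain (sAMAccountName of a computer ends with $).
Search-Ad $domainNc "(&(objectClass=computer)(sAMAccountName=$RemovedDc`$))" @('distinguishedName') |
    ForEach-Object { $leftovers += "computer account still present: $($_.Properties['distinguishedname'][0])" }

# 4. FRS member object under the SYSVOL replica set (container absent on DFSR-only domains).
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
Search-Ad $frsBase "(&(objectClass=nTFRSMember)(cn=$RemovedDc))" @('distinguishedName') |
    ForEach-Object { $leftovers += "FRS member object still present: $($_.Properties['distinguishedname'][0])" }

# 5. CNAME record in _msdcs; its record data is the DC's FQDN.
$cnames = & dnscmd.exe $DnsServer /EnumRecords $MsdcsZone '@' /Type CNAME 2>$null
$cnames | Select-String -SimpleMatch "$RemovedDc." |
    ForEach-Object { $leftovers += "DNS CNAME still present: $($_.Line.Trim())" }

if ($leftovers) { $leftovers | ForEach-Object { Write-Warning $_ } }
else            { "No leftover metadata found for $RemovedDc." }
```

Run it again after a replication cycle if anything is reported: a hit on the connection-object check usually means a destination DC has not yet replicated the deletion, whereas a hit on the FRS or computer-account check points at one of the ADSIEdit steps above having been skipped.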
