Last summer, after a botched XenServer upgrade, my Windows Active Directory Domain Controllers decided to play a fun game of musical IPs with me. Several of my Domain Controllers began, at random, to change IP addresses. While this is never a "good" situation, it was compounded exponentially as trusts, backups and credentialing began to work intermittently. While I will speak on the resolution of the magic IPs in a later post, I would like to first touch on what happens when a Domain Controller (DC) becomes so "broken" that it has to be removed... by force.
First, as a prerequisite warning: never, and I repeat NEVER, remove a domain controller manually unless absolutely necessary. I was only forced into this procedure as a worst case scenario. In my case a vacation coupled with the aforementioned problem caused one of our administrators to remove a couple of domain controllers; one of these just so happened to hold FSMO roles (once again, another topic for another day). When all of the other servers in our environment tried to reach out to the role holder, things began to get messy. So at this point there were two options: rebuild the environment from scratch (not an option, by the way), or find a way to remove the metadata for the FSMO role holder. Given that I only had roughly 12 hours to fix the mess that had been made, I decided that the second option would be best in my case.
To clean up the metadata on your DCs, follow the steps below (since I was having all sorts of issues with servers speaking to one another and therefore syncing, these steps were performed on each of my DCs).
At the command line, type “Ntdsutil” and press Enter
At the Ntdsutil: prompt, type “metadata cleanup” and press Enter
ntdsutil: metadata cleanup
metadata cleanup:
At the metadata cleanup: prompt, type “connections” and press Enter.
metadata cleanup: connections
server connections:
First we need to bind the session to a working domain controller; ntdsutil makes the change on that DC and replication carries it to the rest. At the server connections: prompt, type "connect to server [server name]", where [server name] is any functional domain controller in the same domain as the DC whose metadata you are removing. Press Enter.
server connections: connect to server [server name]
binding to [server name]…
connected to [server name] using credentials of locally logged on user
server connections:
Type “quit” and press Enter to return to the metadata cleanup: prompt.
server connections: quit
metadata cleanup:
Type “select operation target” and press Enter.
metadata cleanup: select operation target
select operation target:
Type “list domains” and press Enter. This lists all domains with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 – DC=contoso,DC=com
select operation target:
Type “select domain [number]”, where [number] is the number corresponding to the domain in which the now defunct server was located. Press Enter.
Select operation target: select domain 0
No current site
Domain – DC=contoso,DC=com
No current server
No current Naming context
Select operation target:
Type “list sites” and press Enter.
Select operation target: list sites
Found 1 site(s)
0 – CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
select operation target:
Type “select site [number]”, where [number] corresponds to the number of the site in which the domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Domain - DC=contoso,DC=com
No current server
No current Naming Context
select operation target:
Type “list servers in site” and press Enter. This lists all servers in that site, each (you can see the pattern by now) with a corresponding number.
Select operation target: List servers in site
Found 2 server(s)
0 - CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
1 - CN=TEST2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
select operation target:
Type “select server [number]” and press Enter, where [number] refers to the number of the domain controller to be removed.
select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Domain - DC=contoso,DC=com
Server - CN=test1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
DSA object - CN=NTDS Settings,CN=test1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
DNS host name – test1.contoso.com
Computer object - CN=test1,OU=Domain Controllers,DC=contoso,DC=com
No current Naming Context
select operation target:
Type “quit” and press Enter. This will return you to the metadata cleanup: prompt.
select operation target: quit
metadata cleanup:
Type “remove selected server” and press Enter.
As with most things in Windows these days, you will receive a warning dialog. Read it, and if you agree, click Yes!
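As an added example (not part of the original post), here is the same forced removal scripted in PowerShell, with the sanity checks I would want before pulling the trigger: that the DC really is dead, that its server object still exists, and that it is not still recorded as an operations master holder (metadata cleanup deletes metadata; it does not move FSMO roles, so any roles the dead DC held must be seized separately). The names TEST1, TEST2 and contoso.com are assumptions carried over from the transcript above; the script otherwise relies only on ntdsutil's documented `remove selected server <DN> on <server>` form and the RSAT ActiveDirectory and DnsServer cmdlets.

```powershell
<#
  Added example, not from the original post. Assumptions: the dead DC is TEST1, a
  surviving DC is TEST2, the domain is contoso.com, and this runs as Enterprise Admin
  on a healthy DC with the RSAT ActiveDirectory (and optionally DnsServer) modules.
#>
#Requires -Modules ActiveDirectory
param(
    [string]$DeadDC    = 'TEST1',              # assumed name of the broken DC
    [string]$HealthyDC = 'TEST2.contoso.com',  # assumed surviving DC to bind to
    [switch]$Force                             # nothing destructive unless -Force is given
)
Import-Module ActiveDirectory
$domain = (Get-ADDomain -Server $HealthyDC).DNSRoot

# 1. Only force-remove a DC that is genuinely gone. If it still answers LDAP, demote it
#    cleanly instead (dcpromo /forceremoval or Uninstall-ADDSDomainController).
$probe = Test-NetConnection -ComputerName "$DeadDC.$domain" -Port 389 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    throw "$DeadDC still answers LDAP on 389; demote it instead of forcing metadata cleanup."
}

# 2. Read the dead DC's server object from the healthy DC's replica. This is the same DN
#    that "list servers in site" / "select server" walks you to interactively.
$dc = Get-ADDomainController -Server $HealthyDC -Filter "Name -eq '$DeadDC'"
if (-not $dc) { throw "No DC object named $DeadDC found; its metadata may already be clean." }
$serverDN = $dc.ServerObjectDN
Write-Host "Target server object: $serverDN"

# 3. ntdsutil removes metadata; it does not move operations master roles. Refuse to
#    continue while the dead DC is still recorded as a role holder.
if ($dc.OperationMasterRoles.Count -gt 0) {
    throw "$DeadDC is still listed as holder of: $($dc.OperationMasterRoles -join ', '). Seize those roles first (Move-ADDirectoryServerOperationMasterRole -Force)."
}

# 4. Same sequence as the interactive walkthrough, one prompt per argument. The DN must
#    not contain spaces for this unquoted form (site names with spaces need quoting).
$ntdsCommands = @(
    'metadata cleanup',
    "remove selected server $serverDN on $HealthyDC",
    'quit',
    'quit'
)
if (-not $Force) {
    Write-Host "Dry run. Would run: ntdsutil $($ntdsCommands | ForEach-Object { '"' + $_ + '"' })"
    return
}
& ntdsutil.exe $ntdsCommands   # expect the same Yes/No confirmation dialog as the interactive path

# 5. Verify on the healthy DC that nothing is left under the server object, then give
#    replication time to carry the deletion to the other DCs (check with repadmin /replsummary).
$leftover = Get-ADObject -Server $HealthyDC -SearchBase $serverDN -Filter * -ErrorAction SilentlyContinue
if ($leftover) { Write-Warning "Objects remain under $serverDN; re-run, or delete NTDS Settings in AD Sites and Services." }
else           { Write-Host "Metadata for $DeadDC removed from $HealthyDC." }

# 6. Stale DNS records keep clients and trusts trying the dead DC. List what is left in the
#    domain zone (repeat for the _msdcs.$domain zone if it is delegated separately).
if (Get-Module -ListAvailable -Name DnsServer) {
    Get-DnsServerResourceRecord -ComputerName $HealthyDC -ZoneName $domain |
        Where-Object { $_.HostName -eq $DeadDC -or $_.RecordData.DomainName -like "$DeadDC.*" } |
        Format-Table HostName, RecordType,
            @{ n = 'Data'; e = { if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address } else { $_.RecordData.DomainName } } } -AutoSize
}
```

Run it once from a surviving DC rather than on every DC; without -Force it only prints the ntdsutil command line it would run, which is the non-interactive equivalent of typing the prompts in the walkthrough above. The DNS listing at the end is deliberately read-only: delete those A and SRV records by hand once you are satisfied they belong to the dead DC and not to a host that has since reused the name.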