Performing Active Directory Metadata Cleanup

When deleting a domain controller from Active Directory, it is advisable to use the DCPromo (demote) procedure, which allows you to correctly delete all records about the old domain controller from the Active Directory database (the computer object, NTDS Settings, site settings, cross-site links and replication metadata).

If a domain controller fails and you do not plan to bring it back online, you can forcibly remove the failed domain controller instead. This procedure is called metadata cleanup. When you perform metadata cleanup, you delete all data about the failed DC from Active Directory Domain Services (AD DS). This correctly cleans the replication metadata, including the objects in File Replication Service (FRS) and Distributed File System (DFS).

Hint. Before starting, check that the failed DC holds no FSMO roles; if it does, seize those roles to another DC first.

In a domain with a functional level of Windows Server 2008 R2 and newer, you can clean server metadata using the standard Active Directory Users and Computers (Dsa.msc) graphical console.

To do this, just find the failed DC in the ADUC console and delete it as a regular computer object. Right click on it, select Delete, and confirm the deletion.


In the next dialog box, check the item “This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO)”, and click the Delete button.

Hint. If the following error appears when you try to remove a DC, “You do not have sufficient privileges to delete DC02, or this object is protected from accidental deletion”, make sure that:

  1. Your account is a member of the Domain admins group;
  2. The option “Protect object from accidental deletion” must be disabled in the object properties (ADUC snap-in > DC > Object tab).


Then open the Active Directory Sites and Services snap-in (dssite.msc) and delete the corresponding NTDS Settings object: expand the site of the forcibly removed domain controller, expand Servers, expand the DC name, right-click the NTDS Settings object and select Delete. Confirm the deletion of the object.

AD DS will then perform the metadata cleanup automatically.

You can also clean up server metadata using the command-line tool ntdsutil (this is the only correct way to forcibly remove a failed DC in domains with a functional level of Windows Server 2008 or lower).

Run command prompt as an administrator on any of the remaining domain controllers.


Type ntdsutil on the command line and press Enter.

Enter the following commands one after another:

  metadata cleanup
  remove selected server <failedDCName>

Here <failedDCName> is the name of the DC to be removed from the AD database.

Click Yes in the confirmation dialog to remove the DC object and its metadata.

Type quit.

Verify that the domain controller has been successfully removed:

  1. Run the ADUC console. Make sure that the domain controller that you deleted has disappeared from the Domain Controllers container.
  2. Launch the Sites and Services snap-in and check that the server object for your DC no longer contains an NTDS Settings object. If so, you can delete the server object in the console.
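The same verification, plus the FSMO check from the hint above, as an added PowerShell example (not part of the original article). It assumes the RSAT ActiveDirectory module is installed and uses DC02 from the error message earlier on this page as a placeholder name for the removed DC.

```powershell
# Added example: confirm that a forcibly removed DC left no metadata behind.
# Assumes the RSAT ActiveDirectory module; 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory)][string]$FailedDc)

    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $findings = @()

    # 1. FSMO roles: the role holders are FQDNs, so compare the host part only.
    $roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                     $forest.SchemaMaster, $forest.DomainNamingMaster)
    foreach ($holder in $roleHolders) {
        if (($holder -split '\.')[0] -eq $FailedDc) {
            $findings += "FSMO role still assigned to $holder - seize it to a live DC first"
        }
    }

    # 2. Computer object in the Domain Controllers container (ADUC view).
    $computer = Get-ADComputer -Filter "Name -eq '$FailedDc'" `
                               -SearchBase $domain.DomainControllersContainer
    if ($computer) { $findings += "Computer object still present: $($computer.DistinguishedName)" }

    # 3. NTDS Settings object under the site (Sites and Services view).
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc" |
            Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$FailedDc,*" }
    if ($ntds) { $findings += "NTDS Settings object still present: $($ntds.DistinguishedName)" }

    # 4. Server object: may be deleted by hand once NTDS Settings is gone.
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" `
                           -SearchBase "CN=Sites,$configNc"
    if ($server -and -not $ntds) {
        $findings += "Server object remains (safe to delete now): $($server.DistinguishedName)"
    }

    if ($findings.Count -eq 0) { Write-Output "Metadata for $FailedDc is clean" }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

Test-DcMetadataRemoved -FailedDc 'DC02'
```

An empty result means both consoles described above should show nothing left for the removed DC; any warning names the object that still needs attention.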
Cyril Kardashevsky
