This is especially important in situations where:
- A Domain Controller was forcefully demoted before replication could complete.
- Entries of old or decommissioned Domain Controllers are still visible in Active Directory.
- NTDS settings, server objects, or replication links have become orphaned or ‘ghost’ entries.
Scenario for LAB testing:
- Domain Name: lab.com
- Working Domain Controller: DC.lab.com
- Failed DC to Remove: P-DC-02.lab.com (this one crashed)
- Site Name: India-Australia-2
- A recent System State backup of a working DC is available before making any changes.
Required Permissions:
- Enterprise Admin: This group has the highest level of privileges in a multi-domain forest and is required to remove metadata from other domains.
- Domain Admin: If you’re cleaning up metadata within the same domain, Domain Admin might be sufficient. However, for cross-domain cleanup, Enterprise Admin is needed.
- Schema Admin (sometimes): Rarely needed unless you’re modifying the schema, but not typically required for standard metadata cleanup.
Tools Used:
- NTDSUtil
- AD Sites and Services
- Active Directory Users and Computers (ADUC) (for cleanup of associated objects like computers)
- DNS Manager
Tip: Check FSMO role ownership before you start. Make sure the failed DC didn't hold any FSMO roles; if any are still assigned to it, seize them onto a working DC before running the metadata cleanup.
Here P-DC-02 was not demoted properly, so we now need to remove all metadata associated with it.
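The FSMO check from the tip above, as an added PowerShell example (not part of the original article): it lists the current holder of each of the five roles and seizes onto the working DC any role that still points at the failed DC. It assumes the ActiveDirectory module (RSAT) on the working DC and the lab names DC and P-DC-02.

```powershell
# Added example (not part of the original article): check which DC holds each
# FSMO role and seize any role still owned by the failed DC onto the working DC.
# Run on DC.lab.com (the surviving DC) with Enterprise Admin rights.
Import-Module ActiveDirectory

$FailedDc  = 'P-DC-02'   # failed DC from the lab scenario
$WorkingDc = 'DC'        # surviving DC that takes over any seized role

# Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain

$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Print the current holders for the record before changing anything.
$roles.GetEnumerator() | Sort-Object Key |
    ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Holders are reported as FQDNs (P-DC-02.lab.com); compare on the host label only.
$orphaned = @($roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ieq $FailedDc } |
    ForEach-Object { $_.Key })

if ($orphaned.Count -eq 0) {
    "No FSMO role is held by $FailedDc; safe to continue with metadata cleanup."
}
else {
    "Roles still assigned to $FailedDc : $($orphaned -join ', ')"
    # -Force seizes instead of transferring because the old holder is unreachable.
    # A seized role must never come back from the old DC: it stays offline for good.
    Move-ADDirectoryServerOperationMasterRole -Identity $WorkingDc `
        -OperationMasterRole $orphaned -Force -Confirm:$false
}
```

Seizing is only appropriate when the old holder is permanently gone, which is exactly the situation this article describes; for a DC that is merely offline, a normal transfer once it returns is the safer path.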

1. Metadata cleanup with NTDSUtil (here we have to remove P-DC-02):
Step 1: Open CMD as Administrator on DC and start NTDSUtil
ntdsutil
Step 2: Enter Metadata Cleanup Mode
ntdsutil: metadata cleanup
Step 3: Connect to the Working DC
a. metadata cleanup: connections
Connected to dc using credentials of locally logged on user.
b. server connections: connect to server dc (Here DC is my working domain controller name)
Disconnecting from dc…
Binding to dc …
Connected to dc using credentials of locally logged on user.
c. server connections: quit
Step 4: Select Domain and Site of the Failed DC
a. metadata cleanup: select operation target
b. select operation target: list domains
Found 1 domain(s)
0 – DC=lab,DC=com
c. select operation target: select domain 0
No current site
Domain – DC=lab,DC=com
No current server
No current Naming Context
d. select operation target: list sites
Found 4 site(s)
0 – CN=Australia-India,CN=Sites,CN=Configuration,DC=lab,DC=com
1 – CN=India-Australia,CN=Sites,CN=Configuration,DC=lab,DC=com
2 – CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
3 – CN=Delhi-Brance,CN=Sites,CN=Configuration,DC=lab,DC=com
e. select operation target: select site 2 (Where failed DC existed)
Site – CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
Domain – DC=lab,DC=com
No current server
No current Naming Context
f. select operation target: list servers in site
Found 1 server(s)
0 – CN=P-DC-02,CN=Servers,CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
g. select operation target: select server 0
Site – CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
Domain – DC=lab,DC=com
Server – CN=P-DC-02,CN=Servers,CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
DSA object – CN=NTDS Settings,CN=P-DC-02,CN=Servers,CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com
DNS host name – P-DC-02.lab.com
Computer object – CN=P-DC-02,OU=Domain Controllers,DC=lab,DC=com
No current Naming Context
Step 5: Remove the Failed DC
- select operation target: quit
- metadata cleanup: remove selected server

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under “CN=P-DC-02,OU=Domain Controllers,DC=lab,DC=com”.
Deleting subtree under “CN=P-DC-02,OU=Domain Controllers,DC=lab,DC=com”.
The attempt to remove the FRS settings on CN=P-DC-02,CN=Servers,CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com failed because “Element not found.”;
metadata cleanup is continuing.
“CN=P-DC-02,CN=Servers,CN=India-Australia-2,CN=Sites,CN=Configuration,DC=lab,DC=com” removed from server “dc”
- metadata cleanup: quit
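The interactive session above can also be driven as one non-interactive command, using the `remove selected server <ServerDN> on <DC>` form of the same ntdsutil metadata cleanup menu. This is an added PowerShell example, not part of the original article: it builds the server DN that the list/select steps above arrive at, refuses to run if the failed host still answers on the network, runs ntdsutil against the working DC, and then checks what is left. It assumes the ActiveDirectory module and the lab names DC, P-DC-02 and site India-Australia-2.

```powershell
# Added example (not part of the original article): scripted form of the
# ntdsutil metadata cleanup shown above. Run as Enterprise Admin on DC.lab.com.
Import-Module ActiveDirectory

$FailedDc  = 'P-DC-02'            # failed DC from the lab scenario
$SiteName  = 'India-Australia-2'  # site that holds its server object
$WorkingDc = 'DC'                 # DC to bind to for the cleanup

$configNc = (Get-ADRootDSE -Server $WorkingDc).configurationNamingContext

# Same object ntdsutil printed as "Server - CN=P-DC-02,CN=Servers,CN=India-Australia-2,..."
$serverDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
$ntdsDn   = "CN=NTDS Settings,$serverDn"

$server = Get-ADObject -Server $WorkingDc -Identity $serverDn -ErrorAction SilentlyContinue
if (-not $server) {
    throw "No server object at $serverDn; check the site name with 'list servers in site'."
}

# Metadata cleanup is for a DC that is really gone. If the host still answers,
# it should be demoted normally (dcpromo / Uninstall-ADDSDomainController) instead.
if (Test-Connection -ComputerName "$FailedDc.lab.com" -Count 1 -Quiet) {
    throw "$FailedDc still responds on the network; demote it normally instead."
}

# "remove selected server %s on %s" does in one call what the connections /
# select operation target / remove selected server steps do interactively.
# The two trailing quits leave the metadata cleanup menu and then ntdsutil.
ntdsutil 'metadata cleanup' "remove selected server $serverDn on $WorkingDc" quit quit

# Verify. The NTDS Settings object must be gone; if the server object itself
# survives (it can, when other children remain), delete it in AD Sites and Services
# as the next section describes.
$ntdsLeft   = Get-ADObject -Server $WorkingDc -Identity $ntdsDn   -ErrorAction SilentlyContinue
$serverLeft = Get-ADObject -Server $WorkingDc -Identity $serverDn -ErrorAction SilentlyContinue

if ($ntdsLeft) {
    "NTDS Settings still present: $($ntdsLeft.DistinguishedName) - cleanup did not complete."
}
elseif ($serverLeft) {
    "Metadata removed; server object $($serverLeft.DistinguishedName) remains and can be deleted in ADSS."
}
else {
    "Metadata for $FailedDc fully removed from $WorkingDc."
}
```

Because the DN is passed in directly, a typo in the site or server name would simply fail to match an object; the pre-check with Get-ADObject turns that into a clear error before ntdsutil is invoked.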
2. Clean Up DNS
- Open DNS Manager on DC.
- Forward Lookup Zones > lab.com
- Delete A and CNAME records for P-DC-02
- Also check:
  - _msdcs.lab.com
  - _sites > India-Australia-2
  - _tcp, _udp, etc.
Optional: Run ipconfig /flushdns on affected systems to clear cached entries.
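The DNS cleanup above, as an added PowerShell example that is not part of the original article. It goes one step beyond the manual walk through the zone tree: it scans every record in lab.com (which includes the _sites, _tcp and _udp subdomains) and in _msdcs.lab.com, reports each A, AAAA, CNAME, SRV or NS record that is named after or points at the failed DC, and runs the deletion with -WhatIf so the list can be reviewed first. It assumes the DnsServer module (RSAT DNS Server tools) and the lab names DC and P-DC-02; $FailedIp is a placeholder for the failed DC's address, which the article does not give.

```powershell
# Added example (not part of the original article): find and remove DNS records
# that still reference the failed DC. Run on DC with the DnsServer module.
Import-Module DnsServer

$DnsServer  = 'DC'
$FailedHost = 'P-DC-02'
$FailedFqdn = 'P-DC-02.lab.com'
$FailedIp   = $null   # placeholder: set to the failed DC's IP to also catch same-as-parent (@) A records
$Zones      = @('lab.com', '_msdcs.lab.com')

function Get-RecordTarget {
    # The attribute that carries the "points to" value differs per record type.
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $Record.RecordData.IPv6Address.IPAddressToString }
        'CNAME' { $Record.RecordData.HostNameAlias }
        'SRV'   { $Record.RecordData.DomainName }
        'NS'    { $Record.RecordData.NameServer }
        default { $null }
    }
}

function Test-RefersToFailedDc {
    param($Record, $Target)
    switch ($Record.RecordType) {
        # Host records match on the record name (P-DC-02) or, optionally, on its IP.
        { $_ -in 'A', 'AAAA' } {
            ($Record.HostName -ieq $FailedHost) -or ($FailedIp -and $Target -eq $FailedIp)
        }
        # Alias, service and name-server records match on their target (trailing dot stripped);
        # this is what catches the GUID CNAME in _msdcs and the SRV records under _sites/_tcp/_udp.
        { $_ -in 'CNAME', 'SRV', 'NS' } { $Target.TrimEnd('.') -ieq $FailedFqdn }
        default { $false }
    }
}

$stale = foreach ($zone in $Zones) {
    foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer) {
        $target = Get-RecordTarget $rec
        if (Test-RefersToFailedDc $rec $target) {
            [pscustomobject]@{ Zone = $zone; Name = $rec.HostName; Type = $rec.RecordType
                               Target = $target; Record = $rec }
        }
    }
}

$stale | Format-Table Zone, Name, Type, Target -AutoSize

# Deletion pass. -WhatIf only reports; remove it once the list above is confirmed.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record `
        -ComputerName $DnsServer -Force -WhatIf
}
```

Scavenging will not reliably remove these entries on its own, since static DC registrations are not aged; and a stale SRV record is worse than a stale A record, because clients keep being referred to a DC that no longer exists.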
3. Clean Up Active Directory Sites and Services (ADSS)
- Open Active Directory Sites and Services (ADSS).
- Go to: Sites > India-Australia-2 > Servers
- Expand P-DC-02, right-click NTDS Settings, and choose Delete.
- Then right-click the P-DC-02 server object and Delete it as well.
4. Delete Computer Account via ADUC
- Open ADUC (dsa.msc).
- Navigate to the Domain Controllers OU (Organizational Unit).
- Find the failed DC listed as a computer object.
- Right-click it and choose “Delete”.
- Confirm deletion.
5. Verify AD Health
repadmin /replsummary
repadmin /showrepl
Confirm that the failed DC no longer appears in the output; in this example, P-DC-02 is no longer listed.
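The health check in this step, as an added PowerShell example that is not part of the original article. It complements the two repadmin commands with a read-only sweep for what the checklist calls lingering references: the server object and NTDS Settings in the Configuration partition (what NTDSUtil and ADSS remove), the computer account (what ADUC removes), the DFSR/FRS SYSVOL member objects (the FRS metadata NTDSUtil reported on), and the partner table from repadmin /showrepl /csv. It assumes the ActiveDirectory module, repadmin on the path, and the lab names DC and P-DC-02.

```powershell
# Added example (not part of the original article): read-only verification that
# no reference to the failed DC survives after cleanup. Run on DC.lab.com.
Import-Module ActiveDirectory

$FailedDc  = 'P-DC-02'
$WorkingDc = 'DC'

$rootDse  = Get-ADRootDSE -Server $WorkingDc
$configNc = $rootDse.configurationNamingContext   # CN=Configuration,DC=lab,DC=com
$domainNc = $rootDse.defaultNamingContext         # DC=lab,DC=com

# Each check is a search base plus an LDAP filter for one kind of leftover object.
$checks = @(
    @{ Name = 'Server object (AD Sites and Services)'; Base = "CN=Sites,$configNc"
       Filter = "(&(objectClass=server)(cn=$FailedDc))" }
    @{ Name = 'NTDS Settings';                          Base = "CN=Sites,$configNc"
       Filter = "(objectClass=nTDSDSA)" }
    @{ Name = 'Computer account (ADUC)';                Base = $domainNc
       Filter = "(&(objectClass=computer)(sAMAccountName=$FailedDc`$))" }
    @{ Name = 'DFSR SYSVOL member';                     Base = "CN=System,$domainNc"
       Filter = "(&(objectClass=msDFSR-Member)(cn=$FailedDc))" }
    @{ Name = 'FRS SYSVOL member';                      Base = "CN=System,$domainNc"
       Filter = "(&(objectClass=nTFRSMember)(cn=$FailedDc))" }
)

$report = foreach ($c in $checks) {
    $hits = @(Get-ADObject -Server $WorkingDc -SearchBase $c.Base -LDAPFilter $c.Filter)
    # Every DC's NTDS Settings object has the same CN; tell them apart by parent DN.
    if ($c.Name -eq 'NTDS Settings') {
        $hits = @($hits | Where-Object { $_.DistinguishedName -like "*,CN=$FailedDc,CN=Servers,*" })
    }
    [pscustomobject]@{
        Check     = $c.Name
        Remaining = $hits.Count
        Objects   = ($hits | ForEach-Object DistinguishedName) -join '; '
    }
}

# Replication partners as seen by the working DC. /csv yields one row per
# (destination, naming context, source); the failed DC must appear in none of them.
$repl = repadmin /showrepl $WorkingDc /csv | ConvertFrom-Csv
$stalePartners = @($repl | Where-Object {
    $_.'Source DSA' -ieq $FailedDc -or $_.'Destination DSA' -ieq $FailedDc
})

$report | Format-Table -AutoSize
"Replication rows still naming $FailedDc : $($stalePartners.Count)"

$remaining = ($report | Measure-Object -Property Remaining -Sum).Sum + $stalePartners.Count
if ($remaining -eq 0) {
    "Cleanup verified: no remaining references to $FailedDc on $WorkingDc."
}
else {
    "References to $FailedDc remain; review the rows above before closing the checklist."
}
```

Run it once before the cleanup to see every object that should disappear, and again afterwards; a non-zero row after all four manual sections are done points at the exact object still to be removed.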
6. Summary Output
Successfully removed server P-DC-02
DNS entries cleaned
Replication health: OK
No lingering references to P-DC-02
7. Final Checklist
| Area | Action |
|---|---|
| NTDSUTIL | Clean up metadata |
| AD Sites and Services | Delete server and NTDS Settings objects |
| Active Directory Users & Computers | Delete computer account from Domain Controllers OU |
| DNS | Remove A/CNAME/SRV records |
| Replication Topology | Verify with repadmin |
| Lingering Objects (if needed) | Remove with repadmin |
| FSMO Roles | Verify and seize if needed |
| Global Catalog | Reassign if needed |
| File System (optional) | Clean SYSVOL/NetLogon if accessible |