Metadata cleanup for broken Domain Controller


Sometimes a Domain Controller (or several) breaks within our environment, and we do not think about the consequences of removing a failed DC from the network. We simply shut it down and replace it with a new one, because usually there is no system state backup of the old Domain Controller. Everything looks fine to us: there is no failed DC on the network any more. But Active Directory still knows about it and keeps using that DC as a replication partner, which causes replication errors. To stop the remaining DCs from trying to replicate with the broken one, you need to perform metadata cleanup. This can be done with ntdsutil on any workstation or server in the network; you only need a Domain Admin account.

When you perform metadata cleanup, the tool automatically tries to seize any FSMO roles that were held by the removed Domain Controller. This step is automatic and you cannot control which DC receives them. If you want to choose which DC should hold those roles, seize them yourself beforehand.

Let’s start the metadata cleanup. Open a command prompt and type: ntdsutil

ntdsutil tool

Now switch to the metadata cleanup context.

ntdsutil: metadata cleanup (enter)

ntdsutil – metadata cleanup context

You have to choose the domain, the site and then the Domain Controller that you want to remove from the Active Directory metadata. For that, enter the “select operation target” context and select the appropriate objects.

metadata cleanup: select operation target (enter)

ntdsutil – performing metadata cleanup

To successfully remove a DC from the Active Directory metadata we need to know in which domain and site that controller was located. Follow the steps below to connect to the domain in which you want to perform the metadata cleanup.

select operation target: connections (enter)

server connections: connect to domain <DNS-Domain-Name> (enter)

server connections: quit (enter)

ntdsutil – performing metadata cleanup

You are now connected to that domain and in a context where you can enumerate domains, sites and Domain Controllers. List the available domains and choose the one in which your broken DC was located.

select operation target: list domains (enter)

ntdsutil – performing metadata cleanup

Choose the domain using its number from the list.

select operation target: select domain <Domain-Number> (enter)

ntdsutil – performing metadata cleanup

You’re connected to the domain; now list the available sites and choose the one in which your broken DC was located.

select operation target: list sites (enter)

ntdsutil – performing metadata cleanup

Select the site by its number to connect to it.

select operation target: select site <Site’s-Number> (enter)

ntdsutil – performing metadata cleanup

Now list all Domain Controllers in this site.

select operation target: list servers in site (enter)

ntdsutil – performing metadata cleanup

The last thing to do is to select the failed Domain Controller from the displayed list. In my case this is DC03 (its number on the list is 2). Select the DC using its number from the list.

select operation target: select server <Failed-DC-Number> (enter)

ntdsutil – performing metadata cleanup

Finally, we have collected all the data needed to perform the metadata cleanup. Go one level up in the ntdsutil context by typing quit (enter).

select operation target: quit (enter)

metadata cleanup:

The final step removes all metadata of the failed Domain Controller from Active Directory. To do that, type remove selected server and confirm that you want to proceed.

metadata cleanup: remove selected server (enter)

Confirm DC metadata removal

You will see confirmation that the broken server was removed from Active Directory.

metadata cleanup completed

Leave ntdsutil by typing quit twice and close the command prompt.

metadata cleanup: quit (enter)

ntdsutil: quit (enter)

To summarize metadata cleanup commands:

ntdsutil: metadata cleanup (enter)

metadata cleanup: select operation target (enter)

select operation target: connections (enter)

server connections: connect to domain <DNS-Domain-Name> (enter)

server connections: quit (enter)

select operation target: list domains (enter)

select operation target: select domain <Domain-Number> (enter)

select operation target: list sites (enter)

select operation target: select site <Site’s-Number> (enter)

select operation target: list servers in site (enter)

select operation target: select server <Failed-DC-Number> (enter)

select operation target: quit (enter)

metadata cleanup: remove selected server (enter)

metadata cleanup: quit (enter)

ntdsutil: quit (enter)

Review the DNS management console and Active Directory Sites and Services for any records or objects that still reference that DC. You can simply remove them; they are no longer needed.
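As an added example (not part of the original post), the following PowerShell script performs the post-cleanup verification described above: it confirms the failed DC is no longer registered, that no FSMO role still points to it, and it lists any leftover Sites and Services objects or DNS records that reference it. The DC name DC03, the domain contoso.com and the DnsServer RSAT module are assumptions.

```powershell
# Added example, not from the original post: verify metadata cleanup of a failed DC.
# Assumed placeholders: failed DC "DC03" in domain "contoso.com". Requires the
# ActiveDirectory module and, for step 4, the DnsServer RSAT module.
Import-Module ActiveDirectory

$FailedDC  = 'DC03'          # NetBIOS name of the removed DC (assumed)
$DomainDns = 'contoso.com'   # DNS name of the domain (assumed)
$ConfigNC  = (Get-ADRootDSE).configurationNamingContext
$SitesBase = "CN=Sites,$ConfigNC"

# 1. The failed DC must no longer be a known domain controller.
$remaining = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
if ($remaining -contains $FailedDC) {
    Write-Warning "$FailedDC is still registered as a DC; metadata cleanup did not complete."
} else {
    Write-Host "OK: $FailedDC is no longer listed as a domain controller."
}

# 2. Every FSMO role must be held by a live DC, never by the removed one.
$domain = Get-ADDomain -Identity $DomainDns
$forest = Get-ADForest
$roles  = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]       # FQDN -> short host name
    if ($holder -ieq $FailedDC) { Write-Warning "$($r.Key) still points to $FailedDC; seize it manually." }
    else                        { Write-Host "OK: $($r.Key) held by $($r.Value)" }
}

# 3. Leftover server object (and its NTDS Settings child) in Sites and Services.
Get-ADObject -SearchBase $SitesBase -LDAPFilter "(&(objectClass=server)(cn=$FailedDC))" |
    ForEach-Object { Write-Warning "Leftover Sites and Services object: $($_.DistinguishedName)" }

# 4. Leftover DNS records (A/NS/SRV) that still name the old DC; query the PDC's DNS server.
$hostFqdn = "$FailedDC.$DomainDns"
Get-DnsServerResourceRecord -ZoneName $DomainDns -ComputerName $domain.PDCEmulator |
    Where-Object { $_.HostName -ieq $FailedDC -or
                   (($_.RecordData | Out-String) -match [regex]::Escape($hostFqdn)) } |
    ForEach-Object { Write-Warning "Leftover DNS record: $($_.RecordType) $($_.HostName)" }
```

Run it from a workstation with RSAT installed using a Domain Admin account; each warning points at an object that still needs manual removal.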

It’s done.

You may also wish to see how to do metadata cleanup via the GUI.

Author: Krzysztof Pytko


11 responses to “Metadata cleanup for broken Domain Controller”

  1. Oscar says :

    This is a great tutorial, thanks a lot.

  2. osi says :

    That's what I call a “perfect documentation” 🙂 .. thank you!!!

  3. Krissh says :

    Very well documented. Thanks so much and keep up the good work. Cheers

  4. Tod Madderra says :

    Great article, however there is a typo in the first metadata cleanup command, “metadata cleanup: select operations target (enter)” – it is actually …operation target as you have in the remainder of the commands… I was getting a syntax error until I read further… again, great article and it saved me time. Thanks.

    • kpytko says :

      Thank you! Now, it is fixed. No more “operations” word in the syntax 🙂

      Regards,
      Krzysztof

  5. Pablo225 says :

    Great tutorial! Really helped me out.

  6. Stefan says :

    Thanks for this!!

  7. Régis says :

    Perfect!

