Metadata cleanup over GUI


Sometimes we have a problem with one or more broken Domain Controllers in our environment. Then we do not think about the consequences of removing a failed DC from the network. We just shut it down and replace it with a new one, because in most cases we have no system state backup of the old Domain Controller. Everything looks fine to us: there is no failed DC in the network anymore. But Active Directory still knows about it and still uses that DC for AD data replication, which causes errors.

To stop replication attempts between the broken DC and the rest of the domain, you need to perform metadata cleanup.

This can be done using ntdsutil, as I showed you some time ago in the article Metadata cleanup for broken Domain Controller, or over the graphical console, using Active Directory Users and Computers.

You still need a Domain Admin account to do that, and at least one Windows Server 2008 or newer Domain Controller.

I will show you how to do that using a Windows Server 2012 R2 Domain Controller, but the procedure is exactly the same on previous server versions.

To remove the metadata of a non-existing Domain Controller, log on to a Windows Server 2008 or newer DC and open the Active Directory Users and Computers console.

Right-click (RMB) the Start tile and choose “Run”

Execute run box

and type dsa.msc to open the Active Directory Users and Computers console

Opening Active Directory Users and Computers console

Now, go to the main menu, find the “View -> Advanced features” option and select it

Selecting advanced features for ADUC console

Now, go to the “Domain Controllers” organizational unit and select the Domain Controller for which you want to do the metadata cleanup

Selection of Domain Controller to remove

Right-click it (RMB) and choose “Properties”

Properties of broken Domain Controller

You need to check whether this computer object is protected from accidental deletion. To see that, select the “Object” tab and look whether “Protect object from accidental deletion” is set. If so, uncheck it and apply the change.

Protect from accidental deletion check

Unchecking accidental deletion protection

Now, go back to the Active Directory Users and Computers console, to the Domain Controllers OU, and select this DC once again

Right-click it (RMB) and choose the “Delete” option

Deleting broken Domain Controller from domain

Confirm that you are sure you want to delete this object from the domain

Removing object from the domain

You will get a warning that you are trying to remove a Domain Controller from the domain without the appropriate removal process

Domain Controller removal warning

You are sure that this Domain Controller does not exist anymore and you wish to delete it anyway, so select this checkbox and confirm the deletion

Confirm DC removal

If your server was acting as a Global Catalog, you need to confirm once again that you wish to delete it from the domain

Confirm DC removal

There is one more place you need to visit to completely clean up your environment. Open the Active Directory Sites and Services console and locate the Site in which the removed DC was authenticating objects

Sites and Services - removed DC

As you can see, this Domain Controller has no NTDS Settings object associated with it anymore. Just right-click it (RMB) and remove it

Removing DC from Sites and Services

Confirm that you want to delete this object, and that’s all!

Confirm DC object removal

You have easily removed the metadata of the broken Domain Controller from your domain!
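The same procedure can be scripted with the ActiveDirectory PowerShell module, which is useful both for finding stale DC objects before anyone removes anything and for doing the removal with a dry run first. The script below is an added example written for this article; it is not the author's code or part of any Microsoft tool. It assumes the RSAT ActiveDirectory module is available, that you run it as a Domain Admin on a Windows Server 2008 or newer DC, and that the NTDS Settings object of the broken DC is already gone (as in the Sites and Services step above). Names such as DC-OLD and Default-First-Site-Name are placeholders.

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# GUI metadata cleanup steps, with an audit function to run first.
Import-Module ActiveDirectory

function Get-ADObjectOrNull {
    # Returns the object with the given DN, or $null if it does not exist.
    param([string] $Dn)
    try { Get-ADObject -Identity $Dn -ErrorAction Stop } catch { $null }
}

function Get-StaleDomainController {
    # Lists computer objects in the Domain Controllers OU that no longer have an
    # NTDS Settings object in Sites and Services (the symptom shown above) and
    # shows whether each one is protected from accidental deletion.
    [CmdletBinding()]
    param()

    $dcOu     = (Get-ADDomain).DomainControllersContainer
    $configNc = (Get-ADRootDSE).configurationNamingContext

    # Every live DC has CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...
    # The second RDN of that DN is the server (DC) name.
    $liveDcNames = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object { (($_.DistinguishedName -split ',')[1]) -replace '^CN=' }

    Get-ADComputer -SearchBase $dcOu -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $liveDcNames -notcontains $_.Name } |
        Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion
}

function Remove-StaleDomainControllerObject {
    # Mirrors the GUI steps: clear "Protect object from accidental deletion",
    # delete the computer object from the Domain Controllers OU, then delete the
    # orphaned server object from the site. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Name,      # e.g. 'DC-OLD' (placeholder)
        [Parameter(Mandatory)] [string] $SiteName   # e.g. 'Default-First-Site-Name' (placeholder)
    )

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=$Name,CN=Servers,CN=$SiteName,CN=Sites,$configNc"

    # Guard: while the NTDS Settings object exists, AD still treats this server
    # as a replication partner and deleting the plain objects is not a cleanup.
    # In that case use the ADUC confirmation dialog or ntdsutil, as the article describes.
    if (Get-ADObjectOrNull -Dn "CN=NTDS Settings,$serverDn") {
        throw "NTDS Settings object still exists for $Name; perform metadata cleanup first."
    }

    $dcOu     = (Get-ADDomain).DomainControllersContainer
    $computer = Get-ADComputer -SearchBase $dcOu -Filter "Name -eq '$Name'" `
                               -Properties ProtectedFromAccidentalDeletion

    if ($computer) {
        if ($computer.ProtectedFromAccidentalDeletion -and
            $PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Clear accidental-deletion protection')) {
            Set-ADObject -Identity $computer.DistinguishedName -ProtectedFromAccidentalDeletion $false
        }
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Delete DC computer object')) {
            Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
        }
    }

    if ((Get-ADObjectOrNull -Dn $serverDn) -and
        $PSCmdlet.ShouldProcess($serverDn, 'Delete orphaned server object from Sites and Services')) {
        Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false
    }
}

# Usage (placeholder names): audit first, then dry-run, then the real removal.
# Get-StaleDomainController
# Remove-StaleDomainControllerObject -Name 'DC-OLD' -SiteName 'Default-First-Site-Name' -WhatIf
# Remove-StaleDomainControllerObject -Name 'DC-OLD' -SiteName 'Default-First-Site-Name'
```

Run Get-StaleDomainController on a schedule: a DC computer object without an NTDS Settings object is exactly the leftover that keeps producing replication errors, and catching it in a report is cheaper than waiting for the event log to fill up. The removal function deliberately refuses to act while the NTDS Settings object is still present, so it cannot be used as a shortcut around a proper demotion or ntdsutil cleanup.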

Author: Krzysztof Pytko


5 responses to “Metadata cleanup over GUI”

  1. Abhilash says :

    Hi team,

    I have done the same but it's showing as access denied. Can anyone help me to resolve this issue? I am having an enterprise admin access user id.

    Regards
    Abhilash

  2. Amjad Sawalmeh says :

    Hi

    I have a child domain ( mall.com.jo ) in the forest ( forest.com ).
    My child server crashed without any backup and I need to rebuild a child domain server with the same name and details because it's synchronized with Office 365.

    Is there any way please??

    When I tried to promote the new server it gave me “verification of child domain input failed, the child domain name has an invalid format”

    logs:
    dcpromoui 914.6D8 029D 16:55:18.024 ValidateDomainDnsNameSyntax for parent forest.com returned 0
    dcpromoui 914.6D8 029E 16:55:18.024 Enter ValidateChildDomainLeafNameLabel
    dcpromoui 914.6D8 029F 16:55:18.024 Enter DoLabelValidation
    dcpromoui 914.6D8 02A0 16:55:18.024 Enter Dns::ValidateDnsLabelSyntax mall.com.jo
    dcpromoui 914.6D8 02A1 16:55:18.024 Enter DoDnsValidation s: mall.com.jo, max len unicode: 63, max len utf8: 63
    dcpromoui 914.6D8 02A2 16:55:18.024 name is 17 utf-8 bytes
    dcpromoui 914.6D8 02A3 16:55:18.024 Enter MyDnsValidateName mall.com.jo
    dcpromoui 914.6D8 02A4 16:55:18.024 Calling DnsValidateName
    dcpromoui 914.6D8 02A5 16:55:18.024 pszName : mall.com.jo
    dcpromoui 914.6D8 02A6 16:55:18.024 Format : 3
    dcpromoui 914.6D8 02A7 16:55:18.024 status 0x7B
    dcpromoui 914.6D8 02A8 16:55:18.024 ERROR_INVALID_NAME
    dcpromoui 914.6D8 02A9 16:55:18.024 ValidateChildDomainLeafNameLabel for lead mall.com.jo returned 3
    dcpromoui 914.6D8 02AA 16:55:18.031 VerifyChild error message: The child domain name “mall.com.jo” has an invalid format. This name may contain letters, numbers, and hyphens, but not spaces or periods.

    Characters that are not allowed include: ! ” # $ % & ( ) * + , ‘ / : ; ? @ [ \ ] ^ ` { | } ~

    dcpromoui 914.6D8 02AB 16:55:18.031 Test Failed
    dcpromoui 914.6D8 02AC 16:55:18.034 VerifyChild returns exit code: 28
    dcpromoui 914.6D8 02AD 16:55:18.034 END TEST: VerifyChild
    dcpromoui 914.6D8 02AE 16:55:18.034 Enter State::UnbindFromReplicationPartnetDC
    dcpromoui 914.A54 02AF 17:15:10.288 closing log
