Metadata cleanup over GUI
Sometimes we have a problem with broken Domain Controller(s) within our environment, and we do not think about the consequences of removing a failed DC from the network. We just shut it down and replace it with a new one, because mostly we have no system state backup of the old Domain Controller. Everything looks fine to us: there is no failed DC in the network. But Active Directory still knows about it and still uses that DC as a replication partner, which causes replication errors.
To stop replication attempts between the broken DC and the rest of the domain, you need to perform metadata cleanup.
This can be done using ntdsutil, as I showed some time ago in the article Metadata cleanup for broken Domain Controller, or over a graphical console, using Active Directory Users and Computers.
You still need a Domain Admin account to do that and at least one Windows Server 2008 Domain Controller.
I will show you how to do that using a Windows Server 2012 R2 Domain Controller, but the procedure is exactly the same on previous server versions.
To remove metadata about a non-existing Domain Controller, log on to a Windows Server 2008 or newer DC and open the Active Directory Users and Computers console.
Click with the right mouse button (RMB) on the Start tile, choose “Run” and type dsa.msc to open the Active Directory Users and Computers console.
Now go to the main menu, find the “View -> Advanced Features” option and select it.
Selecting advanced features for ADUC console
Now go to the “Domain Controllers” organizational unit and select the Domain Controller for which you want to do metadata cleanup.
Click RMB on it and choose “Properties”.
You need to check whether this computer object is protected from accidental deletion. To see that, select the “Object” tab and look whether “Protect object from accidental deletion” is set. If so, uncheck it and apply the changes.
Now go back to the Domain Controllers OU in the Active Directory Users and Computers console and select this DC once again.
Click RMB on it and choose the “Delete” option.
Confirm that you are sure you want to delete this object from the domain.
You will get a warning that you are trying to remove a Domain Controller from the domain without the appropriate removal process (demotion). You are sure that this Domain Controller does not exist anymore and you wish to delete it anyway, so select this checkbox and confirm the deletion.
If your server was acting as a Global Catalog, you need to confirm once again that you wish to delete it from the domain.
There is one more place you need to visit to completely clean up your environment. Open the Active Directory Sites and Services console and locate the Site in which the removed DC was authenticating objects.
As you can see, this Domain Controller has no NTDS Settings object associated with it anymore. Just click RMB on the server object and remove it.
Confirm that you want to delete this object, and that’s all!
You have easily removed the metadata of the broken Domain Controller from your domain!
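The same cleanup can be scripted with the ActiveDirectory PowerShell module. The function below is an added example and not part of the original article; it assumes RSAT-AD-PowerShell is available, that it is run on a surviving Windows Server 2008 or newer DC as Domain Admin, and the name DC02 is a constructed placeholder for the failed Domain Controller.

```powershell
# Added example (not from the article): the ADUC and Sites and Services steps above,
# done with the ActiveDirectory module. Run on a surviving 2008-or-newer DC as Domain Admin.
# Assumes RSAT-AD-PowerShell is installed; 'DC02' is a constructed placeholder name.
Import-Module ActiveDirectory

function Remove-FailedDcMetadata {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$DcName)

    $configNc = (Get-ADRootDSE).configurationNamingContext

    # Only for a DC that is really gone: if it still answers, demote it normally instead.
    if (Test-Connection -ComputerName $DcName -Count 1 -Quiet) {
        throw "$DcName still responds on the network; use a regular demotion instead."
    }

    # Objects the GUI procedure touches: the computer account in the Domain Controllers OU,
    # and the server object plus its NTDS Settings child under CN=Sites (Configuration NC).
    $computer = Get-ADComputer -Identity $DcName -Properties ProtectedFromAccidentalDeletion
    $server   = Get-ADObject -SearchBase "CN=Sites,$configNc" -SearchScope Subtree `
                  -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -Properties ProtectedFromAccidentalDeletion
    if (-not $server) { throw "No server object for $DcName found under CN=Sites" }
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel `
                  -LDAPFilter "(objectClass=nTDSDSA)"

    # Same as unticking "Protect object from accidental deletion" on the Object tab.
    foreach ($obj in @($computer, $server)) {
        if ($obj.ProtectedFromAccidentalDeletion) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false
        }
    }

    # Deleting the NTDS Settings object is what makes AD drop the replication metadata;
    # removing the server object and the computer account clears the leftovers.
    if ($ntds -and $PSCmdlet.ShouldProcess($ntds.DistinguishedName, 'Delete NTDS Settings (metadata cleanup)')) {
        Remove-ADObject -Identity $ntds -Recursive -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($server.DistinguishedName, 'Delete server object')) {
        Remove-ADObject -Identity $server -Recursive -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Delete DC computer account')) {
        Remove-ADObject -Identity $computer -Recursive -Confirm:$false
    }

    # Verification: the failed DC must no longer be listed as a Domain Controller at all.
    Get-ADDomainController -Filter "Name -eq '$DcName'"   # expected to return nothing
}

Remove-FailedDcMetadata -DcName 'DC02' -WhatIf   # dry run first, then repeat without -WhatIf
```

After the run, check replication health from a surviving DC with repadmin /replsummary (mentioned here as a standard tool, not in the original article) to confirm no partner still references the removed DC.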
Author: Krzysztof Pytko
5 responses to “Metadata cleanup over GUI”
Hi team,
I have done the same but it's showing as access denied. Can anyone help me to resolve this issue? I am using a user ID with Enterprise Admin access.
Regards
Abhilash
Hello,
You must do this directly on a Domain Controller. It will fail over a Remote Admin Client.
Regards
Hi Abhilash,
Though this article looks very informative for such metadata cleanup tasks.
However, if the issue still persists, you may look at this other article to see if it helps you perform the task in a hassle-free manner – https://community.spiceworks.com/how_to/132621-how-to-perform-metadata-cleanup-in-active-directory
Hi
I have a child domain ( mall.com.jo ) in the forest ( forest.com ).
My child server crashed without any backup and I need to rebuild a child domain server with the same name and details because it is synchronized with Office 365.
Is there any way, please??
When I tried to promote the new server it gave me “verification of child domain input failed, the child domain name has an invalid format”.
logs:
dcpromoui 914.6D8 029D 16:55:18.024 ValidateDomainDnsNameSyntax for parent forest.com returned 0
dcpromoui 914.6D8 029E 16:55:18.024 Enter ValidateChildDomainLeafNameLabel
dcpromoui 914.6D8 029F 16:55:18.024 Enter DoLabelValidation
dcpromoui 914.6D8 02A0 16:55:18.024 Enter Dns::ValidateDnsLabelSyntax mall.com.jo
dcpromoui 914.6D8 02A1 16:55:18.024 Enter DoDnsValidation s: mall.com.jo, max len unicode: 63, max len utf8: 63
dcpromoui 914.6D8 02A2 16:55:18.024 name is 17 utf-8 bytes
dcpromoui 914.6D8 02A3 16:55:18.024 Enter MyDnsValidateName mall.com.jo
dcpromoui 914.6D8 02A4 16:55:18.024 Calling DnsValidateName
dcpromoui 914.6D8 02A5 16:55:18.024 pszName : mall.com.jo
dcpromoui 914.6D8 02A6 16:55:18.024 Format : 3
dcpromoui 914.6D8 02A7 16:55:18.024 status 0x7B
dcpromoui 914.6D8 02A8 16:55:18.024 ERROR_INVALID_NAME
dcpromoui 914.6D8 02A9 16:55:18.024 ValidateChildDomainLeafNameLabel for lead mall.com.jo returned 3
dcpromoui 914.6D8 02AA 16:55:18.031 VerifyChild error message: The child domain name “mall.com.jo” has an invalid format. This name may contain letters, numbers, and hyphens, but not spaces or periods.
Characters that are not allowed include: ! ” # $ % & ( ) * + , ‘ / : ; ? @ [ \ ] ^ ` { | } ~
dcpromoui 914.6D8 02AB 16:55:18.031 Test Failed
dcpromoui 914.6D8 02AC 16:55:18.034 VerifyChild returns exit code: 28
dcpromoui 914.6D8 02AD 16:55:18.034 END TEST: VerifyChild
dcpromoui 914.6D8 02AE 16:55:18.034 Enter State::UnbindFromReplicationPartnetDC
dcpromoui 914.A54 02AF 17:15:10.288 closing log