Metadata cleanup over GUI
Sometimes a Domain Controller in our environment breaks. We rarely think about the consequences of removing a failed DC from the network: we just shut it down and replace it with a new one, usually because there is no system state backup of the old Domain Controller. Everything looks fine to us, there is no failed DC on the network any more, but Active Directory still knows about it and keeps trying to replicate with it, which causes replication errors.
To stop the remaining DCs from trying to replicate with the broken one, you need to perform metadata cleanup. If the broken DC held any FSMO roles, seize them onto a healthy DC first, and never bring the old server back online afterwards.
This can be done using ntdsutil, as I showed some time ago in the article Metadata cleanup for broken Domain Controller, or over the graphical console, using Active Directory Users and Computers.
You still need a Domain Admin account to do that, and at least one Windows Server 2008 or newer Domain Controller (the GUI method relies on the cleanup logic introduced in that version).
I will show you how to do that on a Windows Server 2012 R2 Domain Controller, but the procedure is exactly the same on the previous server versions.
To remove the metadata of a non-existing Domain Controller, log on to a Windows Server 2008 or newer DC and open the Active Directory Users and Computers console.
Click the right mouse button (RMB) on the Start tile, choose "Run"
and type dsa.msc to open the Active Directory Users and Computers console.
Now, in the main menu select "View -> Advanced Features" (the Object tab used below is only visible with this option enabled).
Now, go to the "Domain Controllers" organizational unit and select the Domain Controller for which you want to do the metadata cleanup.
Click RMB on it and choose "Properties".
Check that this computer object is not protected from accidental deletion. Select the "Object" tab and look whether "Protect object from accidental deletion" is ticked. If so, untick it and apply the changes.
Now, go back to the Domain Controllers OU in the Active Directory Users and Computers console and select this DC once again.
Click RMB on it and choose the "Delete" option.
Confirm that you are sure you want to delete this object from the domain.
You will get a warning that you are trying to remove a Domain Controller from the domain without the appropriate removal process (demotion).
Since you are sure that this Domain Controller does not exist any more and you wish to delete it anyway, select this checkbox and confirm the deletion.
If the server was acting as a Global Catalog, you need to confirm once more that you wish to delete it from the domain.
There is one more place you need to visit to completely clean up your environment. Open the Active Directory Sites and Services console and locate the Site to which the removed DC belonged.
As you can see, this Domain Controller's server object no longer has an NTDS Settings object associated with it (the deletion in Users and Computers already removed it). Click RMB on the server object and remove it.
Confirm that you want to delete this object, and that's all!
You have easily removed the metadata of the broken Domain Controller from your domain! Afterwards it is worth checking replication with repadmin /replsum and removing any stale DNS records that still point to the old DC.
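The same cleanup can be scripted with the ActiveDirectory PowerShell module, which is handy when you have to do it for several dead DCs or want the FSMO check enforced before anything is deleted. The script below is an added example, not code from the original article; the names DC02 (the dead DC), DC01.corp.example.com (a healthy DC to target) and corp.example.com are assumptions. It performs the same three steps as the GUI walkthrough: refuse to continue while the dead DC still holds an operations master role, remove its computer object from the Domain Controllers OU after clearing accidental-deletion protection, and then remove its NTDS Settings and server objects from the Configuration partition (the Sites and Services part).

```powershell
# Added example (not from the original article): metadata cleanup of a dead DC
# with the ActiveDirectory module instead of the ADUC / Sites and Services GUI.
# Assumptions: dead DC is DC02, healthy DC is DC01.corp.example.com, and this
# runs as a Domain Admin on a Windows Server 2008 or newer DC.
Import-Module ActiveDirectory

$deadDc = 'DC02'
$liveDc = 'DC01.corp.example.com'

# Clears "Protect object from accidental deletion" (the Object tab in ADUC)
# and then deletes the object together with its children.
function Remove-StaleAdObject {
    param([Parameter(Mandatory)][string]$Dn)
    $obj = Get-ADObject -Identity $Dn -Server $liveDc -Properties ProtectedFromAccidentalDeletion
    if ($obj.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $Dn -ProtectedFromAccidentalDeletion $false -Server $liveDc
    }
    Remove-ADObject -Identity $Dn -Recursive -Confirm:$false -Server $liveDc
}

# 1. Stop if the dead DC still holds any FSMO role: seize them first
#    (Move-ADDirectoryServerOperationMasterRole -Force or ntdsutil).
$domain = Get-ADDomain -Server $liveDc
$forest = Get-ADForest -Server $liveDc
$fsmo = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
          $forest.SchemaMaster, $forest.DomainNamingMaster)
$stillHeld = $fsmo | Where-Object { $_ -match ('^' + [regex]::Escape($deadDc) + '\.') }
if ($stillHeld) {
    throw "$deadDc still holds FSMO role(s): $($stillHeld -join ', '). Seize them before cleanup."
}

# 2. Delete the computer object from the Domain Controllers OU (the ADUC step).
$computer = Get-ADComputer -Identity $deadDc -Server $liveDc
Remove-StaleAdObject -Dn $computer.DistinguishedName

# 3. Delete the NTDS Settings object and then the server object under
#    CN=Sites in the Configuration partition (the Sites and Services step).
#    On 2008+ DCs, deleting the NTDS Settings (nTDSDSA) object is what
#    triggers the built-in metadata cleanup for that server.
$configNC = (Get-ADRootDSE -Server $liveDc).configurationNamingContext
$server = Get-ADObject -Server $liveDc -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"
if ($server) {
    Get-ADObject -Server $liveDc -SearchBase $server.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object { Remove-StaleAdObject -Dn $_.DistinguishedName }
    Remove-StaleAdObject -Dn $server.DistinguishedName
}

# 4. Verify: the dead DC must be gone from the DC list and from replication.
Get-ADDomainController -Filter * -Server $liveDc | Select-Object Name, Site, IsGlobalCatalog
repadmin /replsum
```

Run it first with `-WhatIf` added to the Remove-ADObject call if you want to see which distinguished names would be deleted; step 4 is also the place to look for leftover DNS records (A, SRV and NS entries for the old name) that the metadata cleanup does not touch.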
Author: Krzysztof Pytko