
Windows Server 2012 - Active Directory - Manual Removal of a domain controller, Part 2: metadata cleanup

Now that we have seized the operations masters (FSMO roles) on the second of our two domain controllers (the first being out of commission), we need to remove references to the defunct domain controller so clients are no longer directed to use it (in DNS for example).

With Windows 2012 (and even with Windows 2008) there are a number of methods to achieve this objective.

The "traditional" method uses NTDSUTIL to perform the cleanup, and there are a few variations on it: we can type out the complete commands one after another, we can use abbreviated commands, or we can do most of the work with a single command.

Since Windows 2008, we can also use the GUI for metadata cleanup.

In either case, my experience (and that of some colleagues) has shown that even after performing the cleanup operation in NTDSUTIL (or the GUI equivalent), there is still some follow-up cleanup to perform in DNS.

Note: optionally, we can configure the new PDCe to receive correct time from an outside source as well.
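The optional time-source step above, as an added example that is not part of the original article: the PDC emulator is the time source the rest of the domain ultimately follows, so after seizing the role onto DC5 it is worth pointing it at an external NTP source. Run this in an elevated PowerShell on the DC that now holds the role. The peer names `ntp1.example.net` and `ntp2.example.net` are placeholders, not servers the article mentions.

```powershell
# Added example (not from the original article): configure the new PDC emulator
# to take its time from external NTP peers. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# 1. Confirm this server really holds the PDC emulator role (it should, after the seizure in Part 1).
$pdce = (Get-ADDomain).PDCEmulator
if ($pdce -notlike "$env:COMPUTERNAME.*") {
    throw "PDC emulator is $pdce, not this server; configure the external time source there instead."
}

# 2. Configure manual peers (placeholder names). ",0x8" asks w32time to use client mode for
#    that peer; /reliable:yes advertises this DC as a reliable time source to the domain.
w32tm /config /manualpeerlist:"ntp1.example.net,0x8 ntp2.example.net,0x8" /syncfromflags:manual /reliable:yes /update

# 3. Restart the Windows Time service and force a synchronisation against the new peers.
Restart-Service w32time
w32tm /resync /rediscover

# 4. Verify: the reported source should now be one of the peers above,
#    not "Local CMOS Clock" and not another domain controller.
w32tm /query /source
w32tm /query /status
```

The check in step 1 matters because a DC that is not the PDC emulator should keep following the domain hierarchy; only the role holder should be configured with manual peers.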




NTDSUTIL - option 1 (step by step, complete commands)

Note: for readability, I have changed the font of some of the most verbose output so the reader can concentrate on the commands (in bold and underlined), while still having the output for reference.

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC5
Binding to DC5 ...
Connected to DC5 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=mynet,DC=lan
select operation target: select domain 0
No current site
Domain - DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain - DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
1 - CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain - DC=mynet,DC=lan
Server - CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
        DSA object - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
        DNS host name - DC2.mynet.lan
        Computer object - CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan".

Removing FRS member "CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan".

Deleting subtree under "CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan".

Deleting subtree under "CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan".
The attempt to remove the FRS settings on CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan failed because "Element not found.";
metadata cleanup is continuing.

"CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan" removed from server "DC5"

metadata cleanup: q
C:\Windows\system32\ntdsutil.exe: q
PS C:\>




NTDSUTIL option 2 - abbreviated commands

Note: the commands entered in the previous section can be more or less abbreviated, as shown below, as long as there is no ambiguity with other ntdsutil commands. Once again, I have made minor edits (font size and spacing) for readability.

PS C:\Users\ufc> ntdsutil "act ins ntds" "meta clean" conn "co to ser DC5" q "s o t" "l d"

C:\Windows\system32\ntdsutil.exe: act ins ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: meta clean
metadata cleanup: conn
server connections: co to ser DC5
Binding to DC5 ...
Connected to DC5 using credentials of locally logged on user.
server connections: q
metadata cleanup: s o t
select operation target: l d
Found 1 domain(s)
0 - DC=mynet,DC=lan

Note: we stopped the command above at "list domains" or "l d" since the choices that follow depend on the number of domains and the names of the sites and servers, which we may not know beforehand. If we do, we can enter all the information on a single line as shown in the next example.

select operation target: sel dom 0
No current site
Domain - DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: sel site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain - DC=mynet,DC=lan
No current server
No current Naming Context
select operation target: list serv in site
Found 2 server(s)
0 - CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
1 - CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
select operation target: sel ser 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Domain - DC=mynet,DC=lan
Server - CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
        DSA object - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan
        DNS host name - DC2.mynet.lan
        Computer object - CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan
No current Naming Context

select operation target: q
metadata cleanup: rem sel ser

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan".

Removing FRS member "CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan".

Deleting subtree under "CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mynet,DC=lan".

Deleting subtree under "CN=DC2,OU=Domain Controllers,DC=mynet,DC=lan".
The attempt to remove the FRS settings on CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan failed because "Element not found.";
metadata cleanup is continuing.

"CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mynet,DC=lan" removed from server "DC5"
metadata cleanup:




NTDSUTIL - option 3 (single command)

Note: in fact, we have to enter three commands before entering the "remove selected server" command with the path to the server to remove.


PS C:\Users\ufc> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: remove selected server cn=DC2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=mynet,dc=lan

Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.

[Same output as in previous examples - please see above]




GUI - delete object in Active Directory Users and Computers


Since Windows Server 2008, we can select the object representing the defunct domain controller in Active Directory Users and Computers. By default, it is located in the Domain Controllers organizational unit:


We right-click on the object, select "Delete" and confirm the operation.


We are prompted once more and must acknowledge that we do indeed want to delete the object:



Just to be certain, we are prompted one last time since this domain controller was also a global catalog:





Metadata Cleanup - final steps

All the methods outlined above remove most references to the defunct domain controller. However, it is recommended to verify the following locations, and in particular DNS:

Active Directory Users and Computers (the domain controllers OU)

I have found that all the methods above remove the object (logically so for the GUI method, where we delete the object directly).


Active Directory Users and Computers (File Replication Service)

Verification in this location requires us to select the "View | Advanced Features" setting.

Once we have done so, we proceed to the following location:

Domain icon (root) | System | File Replication Service | Domain System Volume (SYSVOL share)

Note: I have never found any references to defunct domain controllers in this location.


Active Directory Sites and Services

Although the NTDS Settings object is removed, there is still a reference to the domain controller itself (the server object) in the following location. It can and should be deleted:




DNS

This is the location where a number of records referring to the failed domain controller remain (A, NS, SRV and CNAME records, in the forward, reverse and _msdcs zones). The screenshot below is only one example. Each folder should be checked and any references to the domain controller in question deleted:
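The verification pass described in this "final steps" section, as an added example that is not part of the original article: a PowerShell function that enumerates leftover references to the defunct DC in the same four places (Domain Controllers OU, SYSVOL replication membership, Sites and Services, DNS) and only deletes them when asked to. It assumes the RSAT ActiveDirectory and DnsServer modules are installed and that the surviving DC also hosts the AD-integrated DNS zones; `DC2` (defunct) and `DC5` (surviving) are the article's names. The DFSR check is an addition for domains whose SYSVOL has been migrated from FRS to DFSR; the article's output shows an FRS domain, where that container simply does not exist.

```powershell
# Added example (not from the original article): report, and optionally remove, references
# to a defunct domain controller that NTDSUTIL or the GUI may have left behind.
Import-Module ActiveDirectory
Import-Module DnsServer

function Find-DefunctDcReferences {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DefunctDc,     # short name of the dead DC, e.g. DC2
        [Parameter(Mandatory)][string]$SurvivingDc,   # DC to query and clean up from, e.g. DC5
        [switch]$Remove                               # without this switch the function only reports
    )

    $rootDse  = Get-ADRootDSE -Server $SurvivingDc
    $domainDn = $rootDse.defaultNamingContext
    $configDn = $rootDse.configurationNamingContext
    $dnsRoot  = (Get-ADDomain -Server $SurvivingDc).DNSRoot
    $fqdn     = [regex]::Escape("$DefunctDc.$dnsRoot")   # used to match DNS record data

    # One entry per location the article says to check after metadata cleanup.
    $ldapChecks = @(
        @{ Name = 'ADUC - Domain Controllers OU'; Base = "OU=Domain Controllers,$domainDn";                 Filter = "(&(objectClass=computer)(cn=$DefunctDc))" }
        @{ Name = 'ADUC - FRS member (SYSVOL)';   Base = "CN=File Replication Service,CN=System,$domainDn"; Filter = "(&(objectClass=nTFRSMember)(cn=$DefunctDc))" }
        @{ Name = 'ADUC - DFSR member (SYSVOL)';  Base = "CN=DFSR-GlobalSettings,CN=System,$domainDn";      Filter = "(&(objectClass=msDFSR-Member)(cn=$DefunctDc))" }
        @{ Name = 'Sites and Services - server';  Base = "CN=Sites,$configDn";                              Filter = "(&(objectClass=server)(cn=$DefunctDc))" }
    )

    foreach ($check in $ldapChecks) {
        # The search base may not exist (no DFSR settings in an FRS-only domain), so tolerate that.
        try {
            $hits = @(Get-ADObject -Server $SurvivingDc -SearchBase $check.Base -LDAPFilter $check.Filter -ErrorAction Stop)
        } catch {
            $hits = @()
        }
        foreach ($obj in $hits) {
            [pscustomobject]@{ Location = $check.Name; Reference = $obj.DistinguishedName }
            # -Recursive also removes a leftover NTDS Settings child under a server object.
            if ($Remove -and $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove-ADObject -Recursive')) {
                Remove-ADObject -Server $SurvivingDc -Identity $obj.DistinguishedName -Recursive -Confirm:$false
            }
        }
    }

    # DNS: walk every primary zone on the surviving DC (forward, reverse and _msdcs) and flag any
    # record whose owner name is the dead DC (A/AAAA) or whose data names it (NS, SRV, CNAME).
    $zones = Get-DnsServerZone -ComputerName $SurvivingDc |
             Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        $records = Get-DnsServerResourceRecord -ComputerName $SurvivingDc -ZoneName $zone.ZoneName
        foreach ($rec in $records) {
            $data = ($rec.RecordData.CimInstanceProperties | ForEach-Object { $_.Value }) -join ' '
            if ($rec.HostName -ieq $DefunctDc -or $data -match $fqdn) {
                [pscustomobject]@{
                    Location  = "DNS zone $($zone.ZoneName)"
                    Reference = "$($rec.HostName) $($rec.RecordType) $data"
                }
                if ($Remove -and $PSCmdlet.ShouldProcess("$($zone.ZoneName)/$($rec.HostName) ($($rec.RecordType))", 'Remove-DnsServerResourceRecord')) {
                    Remove-DnsServerResourceRecord -ComputerName $SurvivingDc -ZoneName $zone.ZoneName -InputObject $rec -Force
                }
            }
        }
    }
}

# Report first, then do a dry run of the removal, then remove for real.
Find-DefunctDcReferences -DefunctDc DC2 -SurvivingDc DC5 | Format-Table -AutoSize
# Find-DefunctDcReferences -DefunctDc DC2 -SurvivingDc DC5 -Remove -WhatIf
# Find-DefunctDcReferences -DefunctDc DC2 -SurvivingDc DC5 -Remove
```

Running the report on its own is the useful part: an empty result after the NTDSUTIL or GUI cleanup confirms nothing points clients at the dead DC any more, and the DNS rows are typically the only ones that show up, matching the author's experience above. Removal is deliberately gated behind `-Remove` and honours `-WhatIf`, so the list can be reviewed before anything is deleted.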








