
How to Remove Domain Controller in Windows Server 2012

Metadata cleanup is performed when a DC is forcibly removed from Active Directory Domain Services (AD DS), either because permanent hardware failure of the server cannot be fixed and the server is decommissioned, or because the server cannot be gracefully demoted. Metadata cleanup removes the stale data and entries in AD DS that identify the server as a domain controller to the replication system. It also transfers or seizes any flexible single master operations (FSMO) roles that the retired domain controller holds.

Metadata cleanup can be performed by using any of the following Methods:

  • Clean up server metadata by using GUI tools.
  • Clean up server metadata using the command line.
Note: If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box.

In Active Directory Users and Computers, the Object tab of an object appears only if you click View and then click Advanced Features.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.


A. Clean up server metadata by using GUI tools.
===========================================

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) to delete a failed domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.

You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.

As long as you are using the Windows Server 2008, Windows Server 2008 R2, or RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.

  • Active Directory Users and Computers:
  1. Open Active Directory Users and Computers (dsa.msc).
  2. Find the domain controller whose metadata you want to clean up (it will be in the Domain Controllers OU), right-click it, and then click Delete.
  3. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
  4. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  5. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  6. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
  7. You cannot change the domain controller that is shown in this dialog box. If you want to move the role to a different domain controller, move it after you complete the server metadata cleanup procedure.
  • Active Directory Sites and Services
  1. Open Active Directory Sites and Services (dssite.msc).
  2. If you have identified replication partners in preparation for this procedure, and you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete. (If the NTDS Settings object is missing, it may already have been deleted when the DC was deleted from Active Directory Users and Computers.)
    A) In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.

    B) In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.

    C) If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

    D) If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

  4. Right-click the domain controller that was forcibly removed, and then click Delete.
  5. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.

Run Dcdiag to verify that all stale entries related to the failed DC have been removed successfully.

B. Clean up server metadata using the command line:
================================================

You can clean up metadata by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and servers that have Active Directory Lightweight Directory Services (AD LDS) installed.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Run Command Prompt (CMD) using administrator privileges.

  1. At the command line, type Ntdsutil and press Enter.

    C:\WINDOWS>ntdsutil
    ntdsutil:

  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.

    ntdsutil: metadata cleanup
    metadata cleanup:

  3. At the metadata cleanup: prompt, type connections and press Enter.

    metadata cleanup: connections
    server connections:

  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.

    server connections: connect to server ServerA
    Binding to ServerA ...
    Connected to Server_Name using credentials of locally logged on user.
    server connections:

    Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

  5. Type quit and press Enter to return to the metadata cleanup: prompt.

    server connections: q
    metadata cleanup:

  6. Type select operation target and press Enter.

    metadata cleanup: Select operation target
    select operation target:

  7. Type list domains and press Enter. This lists all domains in the forest, with a number associated with each.

    select operation target: list domains
    Found 1 domain(s)
    0 - DC=Domain_Name,DC=com
    select operation target:

  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.

    select operation target: Select domain 0
    No current site
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

  9. Type list sites and press Enter.

    select operation target: List sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

  10. Type select site <number>, where <number> refers to the number of the site of which the domain controller was a member. Press Enter.

    select operation target: Select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

  11. Type list servers in site and press Enter. This lists all servers in that site, each with a corresponding number.

    select operation target: List servers in site
    Found 2 server(s)
    0 - CN=SERVERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    1 - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.

    select operation target: Select server 1
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    Server - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DSA object - CN=NTDS Settings,CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DNS host name - serverB.Domain_Name.com
    Computer object - CN=SERVERB,OU=Domain Controllers,DC=Domain_name,DC=com
    No current Naming Context
    select operation target:

  13. Type quit and press Enter. The metadata cleanup: prompt is displayed again.

    select operation target: q
    metadata cleanup:

  14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.

    metadata cleanup: Remove selected server
    "CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com" removed from server "serverA"
    metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the domain controller's objects might already have been removed from Active Directory.

15. Type quit, and press Enter until you return to the command prompt.

16. Remove the failed server object from Active Directory Sites and Services

  • Open Active Directory Sites and Services and expand the appropriate site.
  • Right-click the server object of failed DC and then click Delete.

17. If the failed domain controller's computer object still appears in Active Directory Users and Computers, delete it.
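The checks in steps 15 to 17 (and the Dcdiag verification suggested earlier) can be scripted. The following PowerShell audit is an added example, not part of the original post: it looks for the server object, its NTDS Settings object and the computer account of the removed DC, and reports any FSMO role that still names it. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is available and uses the placeholder name SERVERB from the ntdsutil transcript above.

```powershell
# Added example (not from the original post): audit Active Directory for leftovers of a
# forcibly removed domain controller after metadata cleanup. Requires the ActiveDirectory
# module (RSAT-AD-PowerShell) and Domain Admins membership. 'SERVERB' is a placeholder
# taken from the ntdsutil transcript; substitute the real host name.
param(
    [string]$FailedDc = 'SERVERB'
)
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = @()

# 1. Server object under CN=Sites and, below it, the NTDS Settings (nTDSDSA) object.
#    Both should be gone once metadata cleanup has run (steps 3 and 16 of the article).
$serverObjs = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
foreach ($s in $serverObjs) {
    $findings += "Stale server object: $($s.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $s.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
    foreach ($n in $ntds) { $findings += "Stale NTDS Settings object: $($n.DistinguishedName)" }
}

# 2. Computer account still sitting in the Domain Controllers OU (step 17).
$computer = Get-ADComputer -Filter "Name -eq '$FailedDc'" `
    -SearchBase $domain.DomainControllersContainer
if ($computer) { $findings += "Stale computer object: $($computer.DistinguishedName)" }

# 3. FSMO roles. A role that still names the failed DC was not moved during cleanup and
#    must be seized to a live DC (Move-ADDirectoryServerOperationMasterRole -Force).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    # Role holders are reported as FQDNs; compare the host label only.
    if (($role.Value -split '\.')[0] -ieq $FailedDc) {
        $findings += "FSMO role $($role.Key) is still held by $($role.Value)"
    }
}

# 4. Report. This covers directory objects only; replication links are checked
#    separately with 'repadmin /showrepl' and 'dcdiag'.
if ($findings.Count -eq 0) {
    Write-Output "No metadata for $FailedDc found; cleanup looks complete."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell session on any live DC or RSAT workstation. A warning for a server or NTDS Settings object means step 16 still has to be done; a warning for a FSMO role means the seizure described under "Also, consider the following" has not happened yet.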

18. Remove the failed server object from DNS

A. In the DNS snap-in, expand the zone that belongs to the domain from which the server was removed. Remove the CNAME record for the server in the _msdcs.<forest root domain> zone. You should also delete the host (A) record and any other DNS records that refer to the server.

B. If you have reverse lookup zones, also remove the server from these zones.

C. Right-click a zone in the DNS console, click Properties, and on the Name Servers tab delete the entries that refer to the decommissioned DC.

D. Remove the IP address of the decommissioned DC from the primary or secondary DNS server settings of the network adapters (ncpa.cpl) on the remaining servers.
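The DNS part of the cleanup (items A to C above) can also be done with the DnsServer module. The script below is an added example and not part of the original post: it enumerates the A, CNAME, NS and SRV records in the domain and _msdcs zones, plus PTR records in any reverse lookup zones, that still refer to the removed DC, and deletes them only when -Remove is given. SERVERB, SERVERA and Domain_name.com are placeholders taken from the transcript above.

```powershell
# Added example (not from the original post): enumerate, and optionally delete, DNS
# records that still refer to a decommissioned domain controller. Requires the DnsServer
# module (RSAT-DNS-Server). All names are placeholders; -Remove is off by default so the
# first run only reports what would be deleted.
param(
    [string]$FailedDc   = 'SERVERB',          # host name of the removed DC (placeholder)
    [string]$DomainFqdn = 'Domain_name.com',  # AD DNS domain (placeholder)
    [string]$DnsServer  = 'SERVERA',          # a live DNS server hosting the zones (placeholder)
    [switch]$Remove
)
Import-Module DnsServer

$fqdn  = "$FailedDc.$DomainFqdn"
$stale = New-Object System.Collections.Generic.List[object]

# Forward zones: the domain zone and the _msdcs zone holding the GUID CNAME and SRV records.
foreach ($zone in @($DomainFqdn, "_msdcs.$DomainFqdn")) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction Stop
    foreach ($rr in $records) {
        $hit = switch ($rr.RecordType) {
            'A'     { $rr.HostName -ieq $FailedDc }                     # host (A) record
            'CNAME' { $rr.RecordData.HostNameAlias -ilike "$fqdn*" }    # <GUID>._msdcs alias
            'NS'    { $rr.RecordData.NameServer    -ilike "$fqdn*" }    # Name Servers tab entry
            'SRV'   { $rr.RecordData.DomainName    -ilike "$fqdn*" }    # _ldap/_kerberos/_gc SRV
            default { $false }
        }
        if ($hit) { $stale.Add([pscustomobject]@{ Zone = $zone; Record = $rr }) }
    }
}

# Reverse zones: PTR records pointing back at the removed host.
$reverseZones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object { $_.IsReverseLookupZone }
foreach ($rz in $reverseZones) {
    $zoneName = $rz.ZoneName
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zoneName -RRType Ptr -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.PtrDomainName -ilike "$fqdn*" } |
        ForEach-Object { $stale.Add([pscustomobject]@{ Zone = $zoneName; Record = $_ }) }
}

# Report, and delete only on explicit request.
foreach ($entry in $stale) {
    $rr = $entry.Record
    Write-Output ("{0,-35} {1,-6} {2}" -f $entry.Zone, $rr.RecordType, $rr.HostName)
    if ($Remove) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $entry.Zone -InputObject $rr -Force
    }
}
if ($stale.Count -eq 0) { Write-Output "No DNS records for $fqdn found on $DnsServer." }
```

Run it once without -Remove, review the list (the NS hit at the zone apex corresponds to the Name Servers tab entry in item C), then rerun with -Remove. Forwarders and delegations on other DNS servers, mentioned in the list that follows, are not touched by this script.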

Also, consider the following:

  • If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
  • If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to handle the site, domain, or forest global catalog load.
  • If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
  • If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
  • If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

For more details, refer to the articles below:

http://support.microsoft.com/kb/216498
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx


Source: https://servergurunow.wordpress.com/2017/08/08/metadata-cleanup-of-a-domain-controller-2/