How to Remove Domain Controller in Windows Server 2012
Metadata cleanup is a performed when a DC is forcefully removed from Active Directory Domain Services (AD DS) either due to permanent hardware failure of the server that cannot be fixed leading to decommissioning of the server or if the server cannot be gracefully demoted. Metadata cleanup removes stale data and entries from ADDS that are identified as a domain controller to the replication system. It also transfer or seize any flexible single master operations (FSMO) roles that the retired domain controller holds.
Metadata cleanup can be performed by using any of the following Methods:
- Clean up server metadata by using GUI tools.
- Clean up server metadata using the command line.
.gif?f=255&MSPPError=-2147217396 "note"){kind=small} Note |
|---|
| If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this right-click the computer object or the NTDS Settings object, clickProperties, clickObject, and clear theProtect object from accidental deletion check box. In Active Directory Users and Computers, theObject tab of an object appears if you clickView and then clickAdvanced Features. Membership inDomain Admins, or equivalent, is the minimum required to complete these procedures. |
A. Clean up server metadata by using GUI tools.
===========================================
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) to delete a failed domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.
You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.
As long as you are using the Windows Server 2008, Windows Server 2008 R2, or RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.
- Active Directory Users and Computers:
- Open Active Directory Users and Computers (dsa.msc).
- Find the domain controller whose metadata you want to clean up (Will be on Domain controllers OU) and then click Delete.
- In theActive Directory Domain Services dialog box, clickYes to confirm the computer object deletion.
- In theDeleting Domain Controller dialog box, selectThis Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then clickDelete.
- If the domain controller is a global catalog server, in theDelete Domain Controller dialog box, clickYes to continue with the deletion.
- If the domain controller currently holds one or more operations master roles, clickOK to move the role or roles to the domain controller that is shown.
- You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.
- Active Directory Sites and Services
- Open Active Directory Sites and Services
- If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-clickActive Directory Users and Computers <DomainControllerName>, and then clickChange Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then clickOK.
- Expand the site of the domain controller that was forcibly removed, expandServers, expand the name of the domain controller, right-click the NTDS Settings object (If NTDS settings object is missing, It might have been deleted when we deleted the DC from AD), and then clickDelete.
A) In theActive Directory Domain Services dialog box, clickYes to confirm the NTDS Settings deletion. B) In theDeleting Domain Controller dialog box, selectThis Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then clickDelete.
C) If the domain controller is a global catalog server, in theDelete Domain Controller dialog box, clickYes to continue with the deletion.
D) If the domain controller currently holds one or more operations master roles, clickOK to move the role or roles to the domain controller that is shown.
- Right-click the domain controller that was forcibly removed, and then click Delete.
- In theActive Directory Domain Services dialog box, clickYes to confirm the domain controller deletion.
Run Dcdiag to verify all the stale entries related to failed DC has been removed successfully.
B. Clean up server metadata using the command line:
================================================
You can clean up metadata by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and servers that have Active Directory Lightweight Directory Services (AD LDS) installed.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
Run Command Prompt (CMD) using administrator privileges.
- At the command line, type Ntdsutil and press ENTER.
C: \ WINDOWS > ntdsutil ntdsutil:
- At the Ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup metadata cleanup:
- At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup : connections server connections :
- At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
server connections : connect to server ServerA Binding to ServerA . . . Connected to Server_Name using credentials of locally logged on user . server connections :
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
- Type quit and press Enter to return you to the metadata cleanup: prompt.
server connections : q metadata cleanup :
- Type select operation target and press Enter.
metadata cleanup : Select operation target select operation target :
- Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
select operation target : list domains Found 1 domain ( s ) 0 - DC = Domain_Name , DC = com select operation target :
- Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target : Select domain 0 No current site Domain - DC = Domain_name , DC =com No current server No current Naming Context select operation target :
- Type list sites and press Enter.
select operation target : List sites Found 1 site ( s ) 0 - CN = Default-First -Site -Name , CN = Sites , CN = Configuration , DC = Domain_name , DC =com select operation target :
- Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
select operation target : Select site 0 Site - CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com Domain - DC = Domain_name , DC =com No current server No current Naming Context select operation target :
- Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.
select operation target : List servers in site Found 2 server ( s ) 0 - CN = SERVERA , CN = Servers , CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com 1 - CN = SERVERB , CN = Servers , CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com select operation target :
- Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
select operation target : Select server 1 Site - CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com Domain - DC = Domain_name,DC =com Server - CN = SERVERB , CN = Servers , CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com DSA object - CN = NTDS Settings , CN = SERVERB , CN = Servers , CN = Default-First -Site -Name , CN = Sites , CN = Configuration ,DC = Domain_name,DC =com DNS host name - serverB.Domain_Name.com Computer object - CN = SERVERB , OU = Domain Controllers ,DC = Domain_name,DC =com No current Naming Context select operation target :
- Type quit and press Enter. The Metadata cleanup menu is displayed.
select operation target : q metadata cleanup :
- Type remove selected server and press Enter.
You will receive a warning message. Read it, and if you agree, press Yes.
metadata cleanup : Remove selected server "CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC = Domain_name,DC =com " removed from server "serverA" metadata cleanup :
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed from the domain controller.
15. Type quit, and press Enter until you return to the command prompt.
16. Remove the failed server object from the sites
- Open Active Directory Sites and Services and expand the appropriate site.
- Right-click the server object of failed DC and then click Delete.
17. If you are able to find the failed Domain controller in ADDS then delete it.
18. Remove the failed server object from DNS
A. In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed, Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records.
B. If you have reverse lookup zones, also remove the server from these zones.
C. Right click a Zone in DNS console and go to properties, Under Name server tab delete the entries that are related to decommissioned DC.
D. Remove the IP of the decommissioned DC that might be present on the network adapter(ncpa.cpl) primary or secondary DNS.
Also, consider the following:
- If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
- If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to the address site, the domain, or the forest global catalog load.
- If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
- If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
- If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.
For more details refer below articles:
http://support.microsoft.com/kb/216498
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
How to Remove Domain Controller in Windows Server 2012
Source: https://servergurunow.wordpress.com/2017/08/08/metadata-cleanup-of-a-domain-controller-2/