• Home
• Website Design
  • Website Design
  • Website Hosting
  • SEO
  • Usability
  • Ecommerce
  • Links
  • Example Projects
• IT Support
  • IT Support
  • Outsourced
  • Small Business IT
  • Enterprise IT
  • Email Security
  • Example Projects
• IT Security
  • IT Security
• Training
  • IT Training
  • Tutorials
  • Office Training
• Pricing
• Contact

Removing Orphaned Domain Controllers using META Data Cleanup

Posted 01 May 2008;

Warning

If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk

Overview

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.

The information is in the following location in Active Directory:

CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>

The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, but is retired upon demotion.

Removing the orphaned Domain Controller

In the event that the NTDS Settings object is not removed correctly (for example, if the NTDS Settings object is not correctly removed from a demotion attempt), the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in Active Directory for a particular domain controller. At each Ntdsutil menu, the administrator can type help for more information about the available options.

Windows Server 2003 Service Pack 1 (SP1) or later service packs – Enhanced version of Ntdsutil.exe
The version of Ntdsutil.exe that is included with Service Pack 1 or later service packs for Windows Server 2003 has been enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version that is included with SP1 or later service packs does the following when metadata cleanup is run:

• Removes the NTDSA or NTDS Setting subject.
• Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted
• Removes the computer account
• Removes FRS member object
• Removes FRS subscriber objects
• Tries to seize flexible single operations master roles (also known as flexible single master operations or FSMO) held by the DC that are being removed

Caution The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Procedure for Windows Server 2003 SP1 or later service packs only

• Click Start, point to Run, in the window type cmd
• At the command prompt, type ntdsutil, and then press ENTER
• Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur
• Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainNameUserNamePassword, and then press ENTER. For a null password, type null for the password parameter
• Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server
• Type quit, and then press ENTER. The Metadata Cleanup menu appears
• Type select operation target and press ENTER
• Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number
• Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain
• Type list sites and press ENTER. A list of sites, each with an associated number, appears
• Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose
• Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed
• Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
• Type quit and press ENTER. The Metadata Cleanup menu appears
• Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already be removed from Active Directory as the result of another administrator removing the NTDS Settings object or replication of the successful removal of the object after running the DCPROMO utility. Error 8419 (0x20E3)
  The DSA object could not be found
• Type quit, and then press ENTER at each menu quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully
• Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the DCs that exist to use the old cname record
• As best practice, you should delete the host name and other DNS records. If the lease time that remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then another client can obtain the IP address of the problem DC
• In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete
• Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab
• Note If you have reverse lookup zones, also remove the server from these zones
• If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSI Edit to delete the trustDomain object for the child. To do this, follow these steps:
  • Click Start, click Run, type adsiedit.msc, and then click OK
  • Expand the Domain NC container
  • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET
  • Expand CN=System
  • Right-click the Trust Domain object, and then click Delete
• Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps
  • Start Active Directory Sites and Services
  • Expand Sites
  • Expand the server's site. The default site is Default-First-Site-Name
  • Expand Server
  • Right-click the domain controller, and then click Delete

To see more information about our IT Support Services, click here

Copyright © 2008 Aerovision IT. All rights reserved.
Outsourced IT Support | Website Design | Information Security | IT Training