Sometimes domain controllers encounter catastrophic failures that take them off the network permanently – perhaps a hardware failure or an extended network outage that exceeds the tombstone lifetime. In these cases, the traditional process of demoting the domain controller won’t work and you’ll be forced to manually clean up Active Directory instead. This manual process is known as metadata cleanup. Metadata cleanup removes all of the references to the domain controller from Active Directory so that things like replication continue to work without error. Depending on what version of Windows you’re working with, this can be as simple as deleting the domain controller’s computer account with AD Users and Computers, or it might require a trip to the command line to put ntdsutil to work.

Windows Server 2008 and Newer (Active Directory Users and Computers)

The Windows Server 2008 version of Active Directory Users and Computers (ADUC) introduced a convenient one-click approach to performing metadata cleanup. To take advantage of this feature, follow these steps:

If you are using the Windows Server 2003 version of ADUC, skip down to the NTDSUtil version of these steps. The Windows Server 2003 version of ADUC will not perform a metadata cleanup for you!
  1. Launch ADUC (Start > Run > dsa.msc) and browse to the Domain Controllers OU.
  2. Select the domain controller you want to delete and delete it. You will first receive the traditional prompt shown below:

[screenshot]

  3. Once you click Yes, you will receive a confirmation prompt similar to the one shown below:

[screenshot]

  4. If you’re certain that you want to proceed, check the box and click Delete. ADUC may prompt you for further confirmation if the domain controller is a Global Catalog or an FSMO role holder.

That’s all there is to it. If the domain controller ever comes back online, you must either erase the server and reinstall Windows or perform a forced demotion of the domain controller.

Windows Server 2003 (NTDSUtil)

If you’re running Windows Server 2003 or you would rather do a metadata cleanup using the command line, the NTDSUtil command line utility is what you’ll need.

  1. Open an elevated command prompt.
  2. Type ntdsutil and press Enter.
  3. Type metadata cleanup and press Enter.
  4. Type connections and press Enter.
  5. Type connect to server coho-chi-adc02 and press Enter, where coho-chi-adc02 is a working domain controller in the domain.
  6. Type quit and press Enter. After this step, your screen should look similar to the image below:

[screenshot]

  7. Type select operation target and press Enter.
  8. Type list domains and press Enter.
  9. Type select domain 0 and press Enter, where 0 is the number of the listed domain that contains the domain controller you want to clean up.
  10. Type list sites and press Enter.
  11. Type select site 0 and press Enter, where 0 is the number of the listed site that contains the domain controller you want to clean up. After this step, your screen should look similar to the image below:

[screenshot]

  12. Type list servers in site and press Enter.
  13. Type select server 0 and press Enter, where 0 is the number of the listed server that you want to clean up. After this step, your screen should look similar to the image below. If you discover that you selected the wrong domain or site, return to step 8 or step 10.

[screenshot]

  14. Type quit and press Enter.
  15. Type remove selected server and press Enter. You will be prompted to confirm your selection before continuing:

[screenshot]

Once the process completes, you will see output similar to the following:

Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=COHO-CHI-ADC01,OU=Domain Controllers,DC=cohovines,DC=com".

Removing FRS member "CN=COHO-CHI-ADC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cohovines,DC=com".
Deleting subtree under "CN=COHO-CHI-ADC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cohovines,DC=com".
Deleting subtree under "CN=COHO-CHI-ADC01,OU=Domain Controllers,DC=cohovines,DC=com".
The attempt to remove the FRS settings on CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com failed because "Element not found.";
metadata cleanup is continuing.
"CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com" removed from server "coho-chi-adc02"

This completes the process to manually remove a domain controller from Active Directory by performing a metadata cleanup with NTDSUtil.
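Whichever route you took (the ADUC deletion above or the ntdsutil steps just completed), the practical check afterwards is that nothing in the directory still points at the dead domain controller. The following PowerShell script is an added example and is not part of the original article or of ntdsutil; it uses the ActiveDirectory module to look for the objects that a cleanup should have removed: the server object in the site, the computer account, the FRS (and, where SYSVOL has been migrated, DFSR) member for SYSVOL, and any connection objects on surviving DCs whose fromServer still names the removed DC. The default names (cohovines.com, site Chicago, removed DC COHO-CHI-ADC01) are taken from the article's sample output and are assumptions; the script file name Test-DcCleanup.ps1 is hypothetical.

```powershell
<#
  Added example, not part of the original article: after a metadata cleanup
  (ADUC or ntdsutil), confirm that nothing still references the removed DC.
  Default names come from the article's sample forest and are assumptions.
  Requires the ActiveDirectory module (RSAT) and read access to the directory.
#>
param(
    [string]$RemovedDc = 'COHO-CHI-ADC01',
    [string]$SiteName  = 'Chicago',
    [string]$Domain    = 'cohovines.com'
)

Import-Module ActiveDirectory -ErrorAction Stop

$configNc = (Get-ADRootDSE).configurationNamingContext
$domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
$findings = New-Object System.Collections.Generic.List[string]

function Find-Leftover {
    # Runs one LDAP search and records every hit as a leftover reference.
    # A missing search base (e.g. no DFSR container) is silently treated as "nothing found".
    param([string]$Label, [string]$SearchBase, [string]$LdapFilter)
    $hits = Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase `
                         -SearchScope Subtree -ErrorAction SilentlyContinue
    foreach ($h in $hits) { $findings.Add("$Label : $($h.DistinguishedName)") }
}

# 1. The server object (and its NTDS Settings child) under the site's Servers container.
#    This is the subtree that ntdsutil's "remove selected server" deletes.
Find-Leftover -Label 'Server object still present' `
    -SearchBase "CN=Servers,CN=$SiteName,CN=Sites,$configNc" `
    -LdapFilter "(cn=$RemovedDc)"

# 2. The computer account, normally under OU=Domain Controllers.
Find-Leftover -Label 'Computer account still present' `
    -SearchBase $domainDn `
    -LdapFilter "(&(objectClass=computer)(cn=$RemovedDc))"

# 3. The FRS member for SYSVOL, the object the ntdsutil output shows being removed.
Find-Leftover -Label 'FRS SYSVOL member still present' `
    -SearchBase "CN=File Replication Service,CN=System,$domainDn" `
    -LdapFilter "(&(objectClass=nTFRSMember)(cn=$RemovedDc))"

# 4. The DFSR member for SYSVOL (only exists where SYSVOL replication uses DFSR).
Find-Leftover -Label 'DFSR SYSVOL member still present' `
    -SearchBase "CN=DFSR-GlobalSettings,CN=System,$domainDn" `
    -LdapFilter "(&(objectClass=msDFSR-Member)(cn=$RemovedDc))"

# 5. Inbound connection objects on surviving DCs whose fromServer still points at the
#    removed DC. fromServer is DN-valued, so LDAP cannot wildcard it; filter client-side.
$connections = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
    -SearchBase "CN=Sites,$configNc" -SearchScope Subtree -Properties fromServer
foreach ($c in $connections) {
    if ($c.fromServer -like "*CN=$RemovedDc,CN=Servers,*") {
        $findings.Add("Connection object still references removed DC : $($c.DistinguishedName)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No references to $RemovedDc found in the directory."
    exit 0
}
Write-Warning "Metadata cleanup for $RemovedDc appears incomplete:"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

Run it from a surviving domain controller or a workstation with RSAT, for example `.\Test-DcCleanup.ps1 -RemovedDc COHO-CHI-ADC01 -SiteName Chicago`. A non-zero exit code with a listed DN tells you which object the cleanup left behind and where to look for it. The "Element not found" line in the ntdsutil output above is the normal case where the FRS settings had already gone; this script confirms that outcome rather than assuming it. DNS records for the old DC are not touched by ntdsutil and should be checked separately in the domain and _msdcs zones.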