
Removing Failed DC Data From Active Directory

Batuhan Cetin, CIO
CERTIFIED EXPERT
Published by Batuhan Cetin

In this article I will guide you through removing the metadata of a failed domain controller (DC) from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment.

These steps are not necessary in a Windows Server 2008 environment (described in a separate article). In Windows Server 2008 and Windows Server 2008 R2, deleting the failed DC's computer account from the Active Directory Users and Computers console automatically cleans up the server metadata.

DCPROMO is the tool Microsoft provides to promote a server to the domain controller role or demote a domain controller to a member server. It creates the necessary records in AD when promoting and deletes them when demoting. However, if you have a failed DC that cannot be gracefully demoted, or an attempt to demote a DC or to promote a server to a DC has failed part-way, you will find this article helpful. The data left over in AD causes serious problems: you will continuously get replication errors, you will not be able to set up another DC with the same name, and so on.

What motivated me to write this article is a replication problem I encountered for one of my clients. Let me tell you the story, then start. I was going to set up a test environment for one of my client's System Center Configuration Manager (SCCM) deployment scenarios. They have two DCs in their environment, one of which holds the FSMO roles such as PDC Emulator. I converted their production environment to a virtual ESX test environment. I turned on the virtual PDC Emulator and the new virtual server I created for SCCM. Everything went fine until I tried to extend the AD schema. I had an error that the extension could not continue. I figured out from the replication logs that the schema extension tool was failing because the extended AD schema could not be replicated to the other domain controller. Then I realized the mistake I had made: I had not converted the second domain controller to the ESX test environment! It is just like the scenario where you have a crashed DC that cannot be brought back. So I used the method below to remove that server from the test environment to stop any replication attempts, and documented it for future use.

Note that I reproduced the problem in my test environment to write this article. All server names are from my test environment, not my client's environment.

Now let's begin.

Before we begin I must warn you that incorrect use of NTDSUTIL may cause irreversible damage to your AD and may result in partial or complete loss of AD functionality. The article is written based on my field experience and I do not accept any responsibility for any damage. However, if you have problems regarding this, I will gladly try to help you in the EE forums.

1. Open a command prompt. Type ntdsutil and press Enter.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type metadata cleanup and press Enter.

ntdsutil: metadata cleanup
metadata cleanup:

3. Type connections and press Enter.

metadata cleanup: connections
server connections:

4. Type connect to server <servername> and press Enter. Here you must give the name of a live, online domain controller; the metadata of the failed DC is removed through that server.

server connections: connect to server DC.OPSMGR.BCETIN
Binding to DC.OPSMGR.BCETIN ...
Connected to DC.OPSMGR.BCETIN using credentials of locally logged on user.
server connections:

5. Type q (quit) and press Enter.

server connections: q
metadata cleanup:

6. Type select operation target and press Enter.

metadata cleanup: Select operation target
select operation target:

7. Type list domains and press Enter.

select operation target: list domains
Found 1 domain(s)
0 - DC=OPSMGR,DC=BCETIN
1 - DC=UNTRUSTED,DC=BCETIN
select operation target:

8. Type select domain <n> and press Enter, where n is the number listed next to the domain that contained the failed DC.

select operation target: Select domain 0
No current site
Domain - DC=OPSMGR,DC=BCETIN
No current server
No current Naming Context
select operation target:

9. Type list sites and press Enter.

select operation target: List sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
1 - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
select operation target:

10. Type select site <n> and press Enter, where n is the number listed next to the site where the failed DC was located.

select operation target: Select site 1
Site - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
Domain - DC=OPSMGR,DC=BCETIN
No current server
No current Naming Context
select operation target:

11. Type list servers in site and press Enter.

select operation target: List servers in site
Found 2 server(s)
0 - CN=RDC1,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
1 - CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
select operation target:

12. Type select server <n> and press Enter, where n is the number listed next to the failed DC. Check the DSA object, DNS host name and computer object in the output before continuing; they must all belong to the failed server.

select operation target: Select server 1
Site - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
Domain - DC=OPSMGR,DC=BCETIN
Server - CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
 DSA object - CN=NTDS Settings,CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
 DNS host name - RADC.OPSMGR.BCETIN
 Computer object - CN=RADC,OU=Domain Controllers,DC=OPSMGR,DC=BCETIN
No current Naming Context
select operation target:

13. Type q and press Enter.

select operation target: q
metadata cleanup:

14. Type remove selected server and press Enter. You will get a warning dialog asking you to confirm the deletion. Read it and click Yes if you agree.

metadata cleanup: Remove selected server
"CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN" removed from server "DC.OPSMGR.BCETIN"
metadata cleanup:

Now that the metadata is cleaned up, we also need to manually delete some remaining objects related to the failed DC.

15. Open Active Directory Sites and Services and expand the site where the failed DC was previously located.

16. Right-click the failed DC's server object and click Delete.

17. Open Active Directory Users and Computers. Navigate to the Domain Controllers container.

18. Right-click the failed DC's computer object and click Delete. You will be asked whether you want to delete the domain controller even though DCPROMO has not been run. Select "This domain controller is permanently offline ...." and click Delete.

19. Open the DNS console and delete any CNAME and HOST (A) records for the failed server.
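The following PowerShell script is an added example and is not part of the original article. It audits, read-only, whether the objects that steps 1 to 19 remove are actually gone from a live DC: the server object and its NTDS Settings under CN=Sites, the computer account in the Domain Controllers OU, and DNS records that still name the failed host. It assumes the ActiveDirectory and DnsServer RSAT modules are available (Windows Server 2012 or later management tools, not the Windows Server 2003 tooling the article uses), that the live DC you connected to in ntdsutil also hosts DNS unless you pass another server, and that the DNS zones default to the domain zone and _msdcs of the forest root. The parameter names are mine; the sample values RADC and DC.OPSMGR.BCETIN come from the article's own test lab. It goes slightly beyond step 19 by also checking SRV records, because a dead DC still advertised in _msdcs keeps attracting client locator queries.

```powershell
<#
 Post-cleanup audit for a failed domain controller (added example, not from the article).
 Read-only: reports leftovers the article's steps should have removed, so you can confirm
 the cleanup before promoting a replacement DC with the same name.
 Requires the ActiveDirectory and DnsServer RSAT modules.
#>
param(
    [Parameter(Mandatory)] [string]$FailedDc,   # e.g. RADC (name from the article's test lab)
    [Parameter(Mandatory)] [string]$LiveDc,     # e.g. DC.OPSMGR.BCETIN, the DC used in ntdsutil
    [string]$DnsServer = $LiveDc,               # assumption: the live DC also hosts DNS
    [string[]]$DnsZones                         # assumption: defaults to domain zone + _msdcs.<forest>
)

Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE -Server $LiveDc
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext
$forestNc = $rootDse.rootDomainNamingContext

# Turn "DC=opsmgr,DC=bcetin" into "opsmgr.bcetin" for the default zone names
function ConvertTo-DnsName([string]$dn) {
    ($dn -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
}
if (-not $DnsZones) {
    $DnsZones = @((ConvertTo-DnsName $domainNc), ('_msdcs.' + (ConvertTo-DnsName $forestNc)))
}

$leftovers = New-Object 'System.Collections.Generic.List[string]'

# 1. Server object and its NTDS Settings (removed by "remove selected server" and step 16).
#    LDAP filters are used instead of -Identity so a missing object returns nothing rather than an error.
$serverObjs = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNc" -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
foreach ($s in $serverObjs) {
    $leftovers.Add("Sites and Services server object still present: $($s.DistinguishedName)")
    Get-ADObject -Server $LiveDc -SearchBase $s.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object { $leftovers.Add("NTDS Settings object still present: $($_.DistinguishedName)") }
}

# 2. Computer account in the Domain Controllers OU (step 18)
Get-ADComputer -Server $LiveDc -SearchBase "OU=Domain Controllers,$domainNc" -LDAPFilter "(cn=$FailedDc)" |
    ForEach-Object { $leftovers.Add("DC computer account still present: $($_.DistinguishedName)") }

# 3. DNS records that still name the failed host (step 19). A and CNAME are what the article lists;
#    SRV records are checked too, since they are what clients use to locate a DC.
foreach ($zone in $DnsZones) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $hit = switch ($r.RecordType) {
            'A'     { $r.HostName -eq $FailedDc }                          # host record named after the DC
            'CNAME' { $r.RecordData.HostNameAlias -like "$FailedDc.*" }    # DSA GUID alias in _msdcs
            'SRV'   { $r.RecordData.DomainName    -like "$FailedDc.*" }    # _ldap/_kerberos locator records
            default { $false }
        }
        if ($hit) { $leftovers.Add("DNS $($r.RecordType) record in $zone still references it: $($r.HostName)") }
    }
}

if ($leftovers.Count -eq 0) {
    Write-Output "No metadata for $FailedDc remains on ${LiveDc}; safe to promote a new DC with that name."
} else {
    Write-Warning "Cleanup incomplete for ${FailedDc}:"
    $leftovers | ForEach-Object { Write-Output "  $_" }
}
```

Run it from a management workstation with an account that can read the configuration partition, for example `.\Audit-FailedDc.ps1 -FailedDc RADC -LiveDc DC.OPSMGR.BCETIN`. It only reports; the deletions themselves stay with the steps above, so a typo in the failed DC's name cannot remove the wrong server.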

See you in another article.

Comments (4)

Kevin Cross, Chief Technology Officer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
Nice work!
voted YES above.
Premkumar Yogeswaran, Principal Infrastructure Engineer - IT
CERTIFIED EXPERT

Commented:

Nice Article
CERTIFIED EXPERT

Commented:
Worked for me. The hand holding and being able to see the expected response gave me the confidence to do this. Worked perfectly, including DCPROMO back up to a DC.
CERTIFIED EXPERT

Author

Commented:
Hi robberbaron,

Glad to hear that this article is still helping people after years :)
