Saturday, 12 April 2014

How to do Server Metadata Clean Up in Windows server 2008/R2

Understanding the concept

There are many situations in which you need to forcefully remove a domain controller from your network. If you perform a successful demotion of a domain controller, the details of that domain controller are automatically removed from AD as well. During a forced removal of a DC this does not happen, and you need to remove those server details manually from any of your active DCs; this process is known as metadata cleanup. It can be done using three methods:

  • Metadata cleanup using GUI tools
  • Metadata cleanup using command line
  • Metadata cleanup using script

  1. Metadata cleanup using GUI tools

This can be done in two ways: using Active Directory Users and Computers, or using Active Directory Sites and Services.
Let us consider the scenario where I have two servers, server-1 and server-2, under the domain serverlabs.com. Here my failed domain controller is server-2 and I am removing it from server-1, which is the replication partner of server-2. So on server-1 do the following.

  • Using the GUI tool Active directory users and computers

  1. On the Start menu, point to Administrative Tools -> Active Directory Users and Computers.
  2. If you have identified replication partners in preparation for this procedure and you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers or your <Domain Name> and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
  4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
  5. An Active Directory Domain Services dialog box asks for confirmation. Click Yes to confirm the computer object deletion.
  6. In the Deleting Domain Controller dialog box, select the check box This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box click Yes to continue with the deletion.
  8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
     Note: You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. If you would like to know more about moving the roles you can refer to the link

  • Using the GUI tool Active directory sites and services

  1. On the Start menu, point to Administrative Tools -> Active Directory Users and Computers.
  2. If you have identified replication partners in preparation for this procedure and you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers or your <Domain Name> and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller that was forcefully removed, right-click the NTDS Settings object, and then select Delete.
  4. In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.
  5. In the Deleting Domain Controller dialog box, tick the check box This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  6. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box click Yes to continue with the deletion.
  7. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
     Note: You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. If you would like to know more about moving the roles you can refer to the link
  8. Right-click the domain controller that was forcibly removed and then click Delete.
  9. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.


  2. Metadata cleanup using command line

This can be achieved by using the enhanced version of Ntdsutil.exe. The version of Ntdsutil.exe included with Service Pack 1 or later service packs for Windows Server 2003 was enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version included with SP1 or later service packs does the following when metadata cleanup is run:
  • Removes the NTDSA or NTDS Settings object.
  • Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
  • Removes the computer account.
  • Removes the FRS member object.
  • Removes FRS subscriber objects.
  • Tries to seize the operations master roles (also known as flexible single master operations or FSMO roles) held by the DC that is being removed.

Caution: The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata using Ntdsutil, use the steps below:

Note: Make sure that you have logged on as a user who is an Enterprise Admin.

Let us consider the scenario where I have two servers, server-1 and server-2, under the domain serverlabs.com. Here my failed domain controller is server-2 and I am removing it from server-1, which is the replication partner of server-2. So on server-1 do the following.

  1. Open a command prompt: Start -> Command Prompt -> right-click and select 'Run as administrator'.
  2. Type ntdsutil and press ENTER. At the ntdsutil prompt, type metadata cleanup and press ENTER.
  3. At the Metadata Cleanup prompt, type connections and press ENTER.
  4. At the Server Connections prompt, type connect to server server-1 and press ENTER, where server-1 is the name of an available domain controller which holds the Operations Master roles.
  5. At the Server Connections prompt, type quit and press ENTER.
  6. You are now back at the Metadata Cleanup prompt; type select operation target and press ENTER.
  7. At the Select Operations Target prompt, type list domains and press ENTER. This lists all the domains in the forest, each with a number associated with it. As you can see, I have only one domain in my forest, Serverlabs, and its ID is 0.
  8. At the Select Operations Target prompt, type select domain 0 and press ENTER, where the number "0" is the domain that contains the failed domain controller (server).
  9. At the Select Operations Target prompt, type list sites and press ENTER. This lists all the sites in the forest, each with a number assigned to it.
  10. At the Select Operations Target prompt, type select site 0, where the number "0" is the site containing the failed domain controller, and press ENTER.
  11. At the Select Operations Target prompt, type list servers in site and press ENTER.
  12. At the Select Operations Target prompt, type select server 1, where the number "1" is the failed domain controller, and press ENTER.
  13. At the Select Operations Target prompt, type quit and press ENTER. Please note that with the above steps we have selected the failed domain controller as the operation target.
  14. To start the metadata cleanup, at the Metadata Cleanup prompt type remove selected server and press ENTER. A server removal confirmation dialog box appears; click Yes to continue.
  15. The metadata cleanup now runs, and after a successful cleanup you will see the result shown below.
  16. Type quit twice to exit the command prompt.

  3. Metadata cleanup using script

You can refer to the link below to obtain the script that will help you perform metadata cleanup.
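As an added example that is not from the original post or the linked script, here is a PowerShell version of the scripted method: it runs the same Ntdsutil metadata cleanup non-interactively for the post's scenario (failed DC server-2, run from its replication partner server-1) and then checks that each object from the "what Ntdsutil removes" list in the command-line section is really gone. It assumes the RSAT ActiveDirectory module, an Enterprise Admin session on server-1, and a site name of Default-First-Site-Name, which you should replace with the site shown by list sites.

```powershell
# Added example, not from the original post: scripted Ntdsutil metadata cleanup for the
# post's scenario, followed by a check that every object Ntdsutil is meant to remove is gone.
# Assumes the RSAT ActiveDirectory module and an Enterprise Admin session on server-1.
param(
    [string]$FailedDc = 'server-2',                # names from the post's scenario
    [string]$LiveDc   = 'server-1',
    [string]$SiteName = 'Default-First-Site-Name', # assumption: use the site from 'list sites'
    [switch]$Cleanup                               # omit to run only the verification
)
Import-Module ActiveDirectory
$root     = Get-ADRootDSE -Server $LiveDc
$configNC = $root.configurationNamingContext       # CN=Configuration,DC=serverlabs,DC=com
$domainNC = $root.defaultNamingContext             # DC=serverlabs,DC=com
$serverDN = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNC"

if ($Cleanup) {
    # Non-interactive form of the walkthrough: 'remove selected server <DN> on <DC>' binds to
    # $LiveDc itself, so the connections / select operation target steps are not needed.
    # Ntdsutil still shows its confirmation dialog before it deletes anything.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDN on $LiveDc" 'quit' 'quit'
}

# Leftover check; each query maps to one item in the list of what Ntdsutil removes.
$leftovers = @(
    Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"          # server + NTDS Settings object
    Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
        Where-Object { $_.fromServer -like "*CN=$FailedDc,CN=Servers,*" }  # inbound connections
    Get-ADObject -Server $LiveDc -SearchBase "CN=System,$domainNC" `
        -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$FailedDc))"  # FRS/DFSR member
    Get-ADComputer -Server $LiveDc -LDAPFilter "(cn=$FailedDc)"      # computer account
)
# FSMO roles must no longer point at the failed DC (role holders are FQDNs).
$dom   = Get-ADDomain -Server $LiveDc
$for   = Get-ADForest -Server $LiveDc
$stale = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
           $for.SchemaMaster, $for.DomainNamingMaster) |
         Where-Object { $_ -like "$FailedDc.*" }

if (@($leftovers).Count -eq 0 -and @($stale).Count -eq 0) {
    "No metadata for $FailedDc remains on $LiveDc; cleanup is complete."
} else {
    $leftovers | Select-Object DistinguishedName, ObjectClass
    $stale | ForEach-Object { "FSMO role still assigned to failed DC: $_" }
}
```

Run it without -Cleanup first to see what is still referencing the failed DC, and again afterwards; any FSMO role it reports must be seized or moved manually, as the notes in the GUI sections say.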
