Understanding the concept
There are many situations in which you need to forcibly remove a domain controller from your network. If you perform a successful demotion of a domain controller, the details of that domain controller are removed from AD automatically. During a forced removal of a DC this does not happen, and you need to remove the server's details manually from any of your remaining, working DCs. This process is known as metadata cleanup. It can be done using three methods:
- Metadata cleanup using GUI tools
- Metadata cleanup using the command line
- Metadata cleanup using a script
- Metadata cleanup using GUI tools
This can be done in two ways: using Active Directory Users and Computers, or using Active Directory Sites and Services.
Let us consider the scenario where I have two servers, server-1 and server-2, in the domain serverlabs.com. Here my failed domain controller is server-2 and I am removing it from server-1, which is the replication partner of server-2. So on server-1 do the following.
- Using the GUI tool Active Directory Users and Computers
- On the Start menu, point to Administrative Tools -> Active Directory Users and Computers.
- If you identified replication partners in preparation for this procedure and you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers (or your <Domain Name>) and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
- Now expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
- In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
- An Active Directory Domain Services dialog box will ask for confirmation. Click Yes to confirm the computer object deletion.
- In the Deleting Domain Controller dialog box, select the check box This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
- If the domain controller is a global catalog server, in the Delete Domain Controller dialog box click Yes to continue with the deletion.
- If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
Note: You cannot change the domain controller shown here. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. If you would like to know more about moving the roles, you can refer to the link.
- Using the GUI tool Active Directory Sites and Services
- On the Start menu, point to Administrative Tools -> Active Directory Sites and Services.
- If you identified replication partners in preparation for this procedure and you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Sites and Services and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
- Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller that was forcibly removed, right-click the NTDS Settings object, and then select Delete.
- In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.
- In the Deleting Domain Controller dialog box, tick the check box This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
- If the domain controller is a global catalog server, in the Delete Domain Controller dialog box click Yes to continue with the deletion.
- If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
Note: You cannot change the domain controller shown here. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. If you would like to know more about moving the roles, you can refer to the link.
- Right-click the server object of the domain controller that was forcibly removed (the parent of the NTDS Settings object you just deleted) and then click Delete.
- In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.
- Metadata cleanup using the command line
This can be achieved by using the enhanced version of Ntdsutil.exe. The version of Ntdsutil.exe included with Service Pack 1 or later service packs for Windows Server 2003 was enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version included with SP1 or later service packs does the following when metadata cleanup is run:
- Removes the NTDSA (NTDS Settings) object.
- Removes the inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
- Removes the computer account.
- Removes the FRS member object.
- Removes the FRS subscriber objects.
- Tries to seize the flexible single master operations (FSMO) roles held by the DC that is being removed.
Caution: The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
To clean up metadata using Ntdsutil, use the steps below.
Note: Make sure that you have logged on as a user who is a member of Enterprise Admins.
Let us consider the scenario where I have two servers, server-1 and server-2, in the domain serverlabs.com. Here my failed domain controller is server-2 and I am removing it from server-1, which is the replication partner of server-2. So on server-1 do the following.
- Open a command prompt: Start -> Command Prompt, right-click and select 'Run as administrator'.
- Type ntdsutil and press ENTER. At the ntdsutil prompt, type metadata cleanup and press ENTER.
- At the metadata cleanup prompt, type connections and press ENTER.
- At the server connections prompt, type connect to server server-1 and press ENTER, where server-1 is the name of an available domain controller (in this scenario it is also the holder of the operations master roles).
- At the server connections prompt, type quit and press ENTER.
- You are now back at the metadata cleanup prompt. Type select operation target and press ENTER.
- At the select operation target prompt, type list domains and press ENTER. This lists all the domains in the forest, each with a number associated with it.
As you can see, I have only one domain in my forest, Serverlabs, and its ID is 0.
- At the select operation target prompt, type select domain 0 and press ENTER, where the number "0" is the domain that contains the failed domain controller.
- At the select operation target prompt, type list sites and press ENTER. This lists all the sites in the forest, each with a number assigned to it.
- At the select operation target prompt, type select site 0 and press ENTER, where the number "0" is the site containing the failed domain controller.
- At the select operation target prompt, type list servers in site and press ENTER.
- At the select operation target prompt, type select server 1 and press ENTER, where the number "1" is the failed domain controller.
- At the select operation target prompt, type quit and press ENTER. Note that the steps above have selected the failed domain controller (server-2) as the operation target; the connection itself is still to the healthy server-1.
- To start the metadata cleanup, at the metadata cleanup prompt type remove selected server and press ENTER.
A Server Remove Confirmation dialog box appears. Click Yes to continue.
- The metadata cleanup now runs, and you will see the result shown below after a successful cleanup.
- Type quit twice to exit back to the command prompt.
- Metadata cleanup using a script
You can refer to the link below for a script that will help you perform metadata cleanup.
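The following is an added example, not the script linked from this post and not the author's own. It runs the same ntdsutil session that the command-line walkthrough above types by hand, but non-interactively, and then checks that the objects ntdsutil is supposed to remove (server object, NTDS Settings, computer account, FRS member object) are actually gone and that no operations master role still points at the failed DC. It assumes the scenario used throughout this post (domain serverlabs.com, failed DC server-2, run on server-1 as an Enterprise Admin) plus a site name of Default-First-Site-Name; change those values for your forest.

```powershell
# Added example (not the script this post links to): non-interactive ntdsutil
# metadata cleanup followed by verification. Run on a healthy DC (server-1)
# as a member of Enterprise Admins, after confirming replication is healthy.
# Assumptions (adjust for your forest): failed DC server-2, site
# Default-First-Site-Name, and no spaces in the resulting server DN.
Import-Module ActiveDirectory

$FailedDc = 'server-2'
$Site     = 'Default-First-Site-Name'
$RootDse  = Get-ADRootDSE
$ConfigNC = $RootDse.configurationNamingContext   # CN=Configuration,DC=serverlabs,DC=com
$DomainNC = $RootDse.defaultNamingContext         # DC=serverlabs,DC=com
$ServerDn = "CN=$FailedDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"

# Guard: only clean up a DC that is genuinely gone. If it still answers,
# demote it properly instead; metadata cleanup of a live DC leaves a server
# that still believes it is a domain controller.
if (Test-Connection -ComputerName $FailedDc -Count 2 -Quiet) {
    throw "$FailedDc still responds; demote it instead of cleaning up its metadata."
}

# Equivalent of the interactive session in the post. Giving the server
# object's DN straight to 'remove selected server' replaces the
# list domains / select domain / list sites / select server steps.
# Expect the same Server Remove Confirmation dialog; click Yes.
$Commands = @(
    'metadata cleanup',
    "remove selected server $ServerDn",
    'quit',
    'quit'
)
& ntdsutil.exe @Commands 2>&1 | ForEach-Object { Write-Host $_ }

# Verify each object the post says ntdsutil removes. A DN that still
# resolves means the cleanup was only partial and must be finished by hand
# (for example by deleting the object in AD Sites and Services).
$Expected = [ordered]@{
    'server object'     = $ServerDn
    'NTDS Settings'     = "CN=NTDS Settings,$ServerDn"
    'computer account'  = "CN=$FailedDc,OU=Domain Controllers,$DomainNC"   # default DC OU
    'FRS member object' = "CN=$FailedDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainNC"
}
$Leftovers = foreach ($e in $Expected.GetEnumerator()) {
    try {
        $null = Get-ADObject -Identity $e.Value -ErrorAction Stop
        $e.Key   # still exists: report it
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # removed, as expected
    }
}
if ($Leftovers) { Write-Warning "Still present after cleanup: $($Leftovers -join ', ')" }

# Operations master roles: ntdsutil only *tries* to seize them. Any role
# still held by the failed DC must be seized explicitly, e.g.
#   Move-ADDirectoryServerOperationMasterRole -Identity server-1 -OperationMasterRole PDCEmulator -Force
$Forest = Get-ADForest
$Domain = Get-ADDomain
$Roles  = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
foreach ($r in $Roles.GetEnumerator()) {
    if ($r.Value -like "$FailedDc.*") {
        Write-Warning "$($r.Key) is still held by $($r.Value); seize it before continuing."
    }
}
```

The verification step is the part worth keeping even if you prefer the GUI procedures above: both the Users and Computers and the Sites and Services paths end in the same set of objects that should no longer resolve. Note that ntdsutil does not touch DNS; the failed DC's A and SRV records should be removed from the zone separately so clients stop being referred to it.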