
Remove failed DC from AD manually… Never been easier

You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. It also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. Removing a failed DC manually used to be a hard process that needed some level of expertise, as I used to do it with the Ntdsutil command-line tool.

Please check “How to remove data in Active Directory after an unsuccessful domain controller demotion”

http://support.microsoft.com/kb/216498

How to remove orphaned domains from Active Directory

http://support.microsoft.com/default.aspx?scid=kb;en-us;230306

Clean up server metadata

http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx

I have used it since Windows 2000 and 2003. But I was surprised to discover that Windows Server 2008 and 2008 R2 have a new GUI for this. It is really easy and efficient.

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

Clean up server metadata by using GUI tools

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server 2008 or Windows Server 2008 R2 to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.

You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller’s computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.

As long as you are using the Windows Server 2008, Windows Server 2008 R2, or RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To clean up server metadata by using Active Directory Users and Computers

  1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
  4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. (Screenshot: Metadata Cleanup in ADUC)
  5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
  6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete. (Screenshot: DC offline in AD Users and Computers)
  7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.

To clean up server metadata by using Active Directory Sites and Services

  1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Sites and Services <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
  3. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete. (Screenshot: Metadata Cleanup in AD Sites and Services)
  4. In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.
  5. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete. (Screenshot: DC offline in AD Users and Computers)
  6. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  7. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
  8. Right-click the domain controller that was forcibly removed, and then click Delete. (Screenshot: DC Deletion in AD Sites and Services)
  9. In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.
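The two walkthroughs above are the same cleanup driven from two consoles. As an added example (not code from the original post, and not Microsoft's own cleanup routine), here is the same job scripted with the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT. It binds every call to a healthy replication partner (the scripted form of "Change Domain Controller"), seizes any FSMO roles the dead DC held, and then deletes the NTDS Settings object, the server object, the computer account and the SYSVOL FRS/DFSR member objects explicitly rather than relying on the console's automatic cleanup. The names DC2 (failed) and DC3 (healthy partner) are hypothetical, and the DNS listing at the end is a starting point only, since neither the GUI nor this script removes DNS records.

```powershell
# Added example, not from the original post or Microsoft's documentation.
# Scripted metadata cleanup with the ActiveDirectory module (2008 R2 / RSAT).
# 'DC2' (failed) and 'DC3' (healthy replication partner) are hypothetical names.
Import-Module ActiveDirectory

$FailedDc = 'DC2'   # hypothetical: permanently offline, cannot be demoted with dcpromo
$TargetDc = 'DC3'   # hypothetical: healthy partner; every call is bound to it with -Server,
                    # which is the scripted form of "Change Domain Controller"

# 0. Refuse to run while the "failed" DC still answers LDAP: a live DC must be
#    demoted with dcpromo, not have its metadata removed from under it.
$alive = $true
try   { $null = Get-ADRootDSE -Server $FailedDc -ErrorAction Stop } catch { $alive = $false }
if ($alive) { throw "$FailedDc still answers LDAP; demote it with dcpromo instead of forcing cleanup." }

$Domain  = Get-ADDomain  -Server $TargetDc
$Forest  = Get-ADForest  -Server $TargetDc
$RootDse = Get-ADRootDSE -Server $TargetDc

# 1. Operations master roles. The GUI seizes them to the DC you are connected to;
#    so does this. -Force seizes rather than transfers because the old holder
#    cannot be contacted, so only do this when the old holder will never return.
$roles = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$heldByFailed = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$FailedDc.*" } | ForEach-Object { $_.Key })
if ($heldByFailed.Count -gt 0) {
    Write-Host "Seizing $($heldByFailed -join ', ') from $FailedDc to $TargetDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $heldByFailed -Force -Confirm:$false
}

# 2. The server object under CN=Sites and its NTDS Settings child (what Dssite.msc deletes first).
$serverObj = Get-ADObject -Server $TargetDc -SearchBase $RootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
if (-not $serverObj) { throw "No server object named $FailedDc under CN=Sites; nothing to clean up." }
$ntds = Get-ADObject -Server $TargetDc -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=nTDSDSA)'

# 3. The computer account in the Domain Controllers OU (what Dsa.msc deletes).
$computer = Get-ADComputer -Server $TargetDc -Filter "Name -eq '$FailedDc'"

# 4. FRS and DFSR membership objects for SYSVOL under CN=System; ntdsutil's metadata
#    cleanup removes these as well, and both are named after the computer.
$sysvolMembers = @(Get-ADObject -Server $TargetDc -SearchBase "CN=System,$($Domain.DistinguishedName)" `
    -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$FailedDc))")

# Delete leaf-first. "Access is denied" on the delete is usually the accidental-deletion
# guard on the object, so clear it explicitly before each Remove. An object that an
# earlier step already removed is reported and skipped rather than failing the run.
$toDelete = (@($ntds, $serverObj, $computer) + $sysvolMembers) | Where-Object { $_ -ne $null }
foreach ($obj in $toDelete) {
    try {
        Set-ADObject    -Server $TargetDc -Identity $obj -ProtectedFromAccidentalDeletion $false
        Remove-ADObject -Server $TargetDc -Identity $obj -Recursive -Confirm:$false
        Write-Host "Removed $($obj.DistinguishedName)"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Host "Already gone: $($obj.DistinguishedName)"
    }
}

# 5. Verify the server object is really gone, then look at DNS. Neither the GUI nor this
#    script touches DNS: NS, A and SRV records for the dead DC must be removed by hand.
#    dnscmd is present on 2008 R2; this lists only the zone apex of the domain zone, so
#    check the _msdcs zone and the SRV records underneath it as well.
$left = Get-ADObject -Server $TargetDc -SearchBase $RootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
if ($left) { throw "Server object for $FailedDc still present; check replication with repadmin /showrepl." }
& dnscmd $TargetDc /EnumRecords $Domain.DNSRoot '@' | Select-String -Pattern $FailedDc
```

Run it from an elevated PowerShell session on a member of Domain Admins (Enterprise Admins if the dead DC held the schema or domain naming master role, because those seizures write to the configuration and schema partitions). After it finishes, let replication converge and confirm with repadmin /replsummary that no partner still lists the removed DC.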
  1. Simon Tam
    July 27, 2011 at 10:19 pm

    Why are we bouncing for DC2- DC3? Which one is being removed

  2. July 28, 2011 at 3:08 pm

    Hey, very nice site. I came across this on Google, and I am stoked that I did. I will definitely be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just taking in as much info as I can at the moment.

    iso 9000

  3. Armando
    November 11, 2011 at 2:39 pm

    Thanks, was really helpful and clear

  4. William Little
    July 19, 2012 at 4:24 am

    Really good walk through, nice and clear and simple. Glad we’re now in 2008

  5. Mohammad Rizwan
    January 11, 2013 at 12:16 pm

    Bundle of thanks

  6. am
    January 17, 2013 at 5:54 am

    If you do this in a mixed forest comprising 2008 R2 DCs and 2003 DCs in an alternate site, will deleting the DC from the OU on my 2008 R2 DCs replicate over to my 2003 DCs, or will I have to do the manual metadata cleanup on my 2003 DCs? Will greatly appreciate any help.

  7. Sakthi
    August 1, 2014 at 6:10 am

    Hi,
    While I have tried to delete the domain controller from Active Directory Sites and Services, it shows the error which I have mentioned below. I have even tried with the "NTDSUTIL" command, also no luck for me.

    Let me know how can I fix this error.

    —————————
    Active Directory Domain Services
    —————————
    Windows cannot delete object LDAP://*****.com/CN=NTDS Settings,CN=Server01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=****,DC=com because:

    Access is denied.

    —————————
    OK
    —————————

    Thanks in Advance.

  8. Uknowit
    July 13, 2015 at 9:30 am

    You must uncheck the security box in the object's properties. It protects against deletion.

  9. ndp
    March 3, 2016 at 12:04 am

    still had to remove a lot of stuff after this. DNS. ADSS. Still working at it.

