Metadata Cleanup: Removing Defunct Domains or Domain Controllers

Normally, the process of demoting a DC involves deleting the computer account and cleaning up all metadata related to that DC from Active Directory. When the last DC in a domain is deleted, all cross-references (and other information about that domain) are also removed. There are, however, situations when a domain controller is decommissioned incorrectly (or failed and destroyed), and orphaned metadata remains in the directory. In such a case, you can remove information about the retired DC and/or domains by using NTDSutil. (You must not delete any information for existing domains and DCs!) In general, the procedure requires the following steps:

1. Connect to a working DC that holds the information about orphaned metadata.

2. Select an operation target (site, naming context, domain, and server). You may select one or more of these targets.

3. Remove the necessary metadata.

The following dialog illustrates how you can remove a retired domain controller (NETDC2) and a child domain (subdom.net.dom) from the forest (net.dom). (In this example, the shortened command syntax is used; comments are in square brackets. The dialog also shows how to select an operation target, which is required by many commands.)

C:\>ntdsutil
ntdsutil: m c
metadata cleanup: c

[First, we must be connected to a DC:]

server connections: co t s netdc1
Binding to netdc1 ...
Connected to netdc1 using credentials of locally logged on user.
server connections: q
metadata cleanup: s o t

[Second, we must select an object to delete:]

select operation target: l si
0 - CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
select operation target: s si 0
Site - CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
No current domain
No current server
No current Naming Context
select operation target: l d
Found 3 domain(s)
2 - DC=dotnet, DC=dom
select operation target: s d 1
Site - CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
Domain - DC=subdom, DC=net, DC=dom
No current server
No current Naming Context
select operation target: l se f d i s
Found 1 server(s)
0 - CN=NETDC2, CN=Servers, CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
select operation target: s se 0
Site - CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
Domain - DC=subdom, DC=net, DC=dom
Server - CN=NETDC2, CN=Servers, CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
DSA object - CN=NTDS Settings, CN=NETDC2, CN=Servers, CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom
DNS host name - netdc2.subdom.net.dom
Computer object - CN=NETDC2, OU=Domain Controllers, DC=subdom, DC=net, DC=dom
No current Naming Context

[Now, we have selected the NETDC2 server from the subdom.net.dom domain for subsequent operations:]

select operation target: q
metadata cleanup: r s s

[The following Server Remove Confirmation Dialog may appear - you must click Yes.]

"CN=NETDC2, CN=Servers, CN=NET-Site, CN=Sites, CN=Configuration, DC=net, DC=dom" removed from server "netdc1"

[Now, we will delete the entire child domain:]

metadata cleanup: r s d

[The Domain Remove Confirmation Dialog will appear - you must click Yes.]


"DC=subdom, DC=net, DC=dom" removed from server "netdc1"

[Verifying that the operation has been done correctly:]

metadata cleanup: s o t
select operation target: l d
Found 1 domain(s)

[Terminating NTDSutil]

select operation target: q
metadata cleanup: q
ntdsutil: q
Disconnecting from netdc1 ...

Now the subdom.net.dom domain has been deleted, and you can verify this by using the Event Viewer snap-in. Many informational messages (from the NTDS KCC and NTDS Replication sources: IDs 1123, 1104, 1270, 1658, 1746, etc.) appear in the Directory Service log and accompany the removal of domain controllers, naming contexts, and replication connections. There is no need to explain them individually.

To verify that the operation was carried out successfully, you may also check the domain configuration with the following tools: the Active Directory Domains and Trusts, ADSI Edit (in the Configuration container: the Partitions node and the Sites | Servers nodes), and Active Directory Sites and Services snap-ins. You may also run DCdiag.exe (as well as repadmin /showreps) to ensure that there are no replication problems.
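The same verification can be scripted. The following PowerShell snippet is an added example, not part of the original text: it reads the Configuration partition with the ActiveDirectory module (shipped with RSAT) and flags the two kinds of leftovers this chapter removes, a server object under CN=Sites that has lost its NTDS Settings object, and a domain crossRef under CN=Partitions whose naming context can no longer be reached. The cmdlets are the module's own; the output wording and the read-only access assumption are mine.

```powershell
# Added example, not part of the original article: post-cleanup verification of the
# Configuration partition using the ActiveDirectory PowerShell module (RSAT).
# Assumes you run it as a domain user with read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"
$partsDN  = "CN=Partitions,$configNC"

# 1. Server objects under CN=Sites that have no NTDS Settings (nTDSDSA) child.
#    This is the typical leftover of a DC that was destroyed instead of demoted;
#    "remove selected server" in ntdsutil is what clears it.
$servers = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=server)' `
                        -Properties dNSHostName
foreach ($srv in $servers) {
    $dsa = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=nTDSDSA)'
    if (-not $dsa) {
        Write-Warning "Server object without NTDS Settings: $($srv.DistinguishedName) [$($srv.dNSHostName)]"
    } else {
        "OK  DC  $($srv.dNSHostName)"
    }
}

# 2. Domain crossRef objects in CN=Partitions. systemFlags bit 2 (FLAG_CR_NTDS_DOMAIN)
#    marks a domain partition; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
#    After "remove selected domain" the child domain's crossRef must be gone; a
#    remaining crossRef whose dnsRoot no longer answers points at orphaned metadata.
$crossRefs = Get-ADObject -SearchBase $partsDN -SearchScope OneLevel `
              -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' `
              -Properties nCName, dnsRoot
foreach ($cr in $crossRefs) {
    try {
        $null = Get-ADObject -Identity $cr.nCName -Server $cr.dnsRoot -ErrorAction Stop
        "OK  NC  $($cr.dnsRoot)  ->  $($cr.nCName)"
    } catch {
        Write-Warning "crossRef for $($cr.dnsRoot) ($($cr.nCName)) - naming context not reachable"
    }
}
```

A warning from the second loop can also mean the domain is merely offline, so confirm with repadmin /showreps before treating it as stale metadata.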

Attention: When deleting child domains, you must also manually delete the corresponding entries from the DNS server.
