Removing Failed DC Data From Active Directory

by Batuhan Cetin

In this article I will guide you through the process of removing a failed DC's metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment.

The steps described in this article are not necessary in a Windows Server 2008 environment. In Windows Server 2008 and Windows Server 2008 R2, deleting the failed DC's computer account from the Active Directory Users and Computers console automatically cleans up the server metadata.

DCPROMO is the tool Microsoft provides to promote a server to the domain controller role or to demote a domain controller to a member server. It creates the necessary records in AD when promoting and deletes them when demoting. However, if you have a failed DC that cannot be gracefully demoted, or an attempt to remove a DC from a domain (or to promote a server to a DC) has failed part-way, you will find this article helpful. The data left over in AD will cause serious problems: you will continuously get replication errors, you will not be able to set up another DC with the same name, and so on.

What motivated me to write this article is a replication problem I encountered at one of my clients. Let me tell the story first, then we will begin. I was going to set up a test environment for a System Center Configuration Manager (SCCM) deployment scenario for one of my clients. They have two DCs in their environment, one of which holds the FSMO roles such as PDC Emulator. I converted their production environment to a virtual ESX test environment. I turned on the virtual PDC Emulator and the new virtual server I had created for SCCM. Everything went fine until I tried to extend the AD schema: the extension tool reported that it could not continue. From the replication logs I found that the schema extension was failing because the extended AD schema could not be replicated to the other Domain Controller. Then I realized my mistake: I had not converted the second Domain Controller to the ESX test environment! This is just like the scenario where a DC has crashed and cannot be brought back. So I used the method below to remove that server from the test environment, stopping any further replication attempts, and documented it for future use.

Note that I reproduced the problem in my test environment to write this article. All server names are from my test environment, not my client's environment.

Now let's begin.

Before we begin I must warn you that incorrect use of NTDSUTIL may cause irreversible damage to your AD and may result in partial or complete loss of AD functionality. This article is based on my field experience and I do not accept any responsibility for any damage. However, if you have problems regarding this, I will gladly try to help you in the EE forums.

1. Open a command prompt. Type ntdsutil and press Enter.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type metadata cleanup and press Enter.

ntdsutil: metadata cleanup
metadata cleanup:

3. Type connections and press Enter.

metadata cleanup: connections
server connections:

4. Type connect to server <servername> and press Enter. Here, provide the name of a healthy, online Domain Controller; the failed DC's metadata will be removed on this server.

server connections: connect to server DC.OPSMGR.BCETIN
Binding to DC.OPSMGR.BCETIN ...
Connected to DC.OPSMGR.BCETIN using credentials of locally logged on user.
server connections:

5. Type q (quit) and press Enter.

server connections: q
metadata cleanup:

6. Type select operation target and press Enter.

metadata cleanup: Select operation target
select operation target:

7. Type list domains and press Enter.

select operation target: list domains
Found 1 domain(s)
0 - DC=OPSMGR,DC=BCETIN
1 - DC=UNTRUSTED,DC=BCETIN
select operation target:

8. Type select domain <n> and press Enter. n is the number corresponding to the domain that contains the failed DC.

select operation target: Select domain 0
No current site
Domain - DC=OPSMGR,DC=BCETIN
No current server
No current Naming Context
select operation target:

9. Type list sites and press Enter.

select operation target: List sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
1 - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
select operation target:

10. Type select site <n> and press Enter. n is the number corresponding to the site where the failed DC was located.

select operation target: Select site 1
Site - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
Domain - DC=OPSMGR,DC=BCETIN
No current server
No current Naming Context
select operation target:

11. Type list servers in site and press Enter.

select operation target: List servers in site
Found 2 server(s)
0 - CN=RDC1,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
1 - CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
select operation target:

12. Type select server <n> and press Enter. n is the number corresponding to the failed DC. Check the DSA object, DNS host name and computer object in the output to make sure you have selected the right server.

select operation target: Select server 1
Site - CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
Domain - DC=OPSMGR,DC=BCETIN
Server - CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
 DSA object - CN=NTDS Settings,CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN
 DNS host name - RADC.OPSMGR.BCETIN
 Computer object - CN=RADC,OU=Domain Controllers,DC=OPSMGR,DC=BCETIN
No current Naming Context
select operation target:

13. Type q and press Enter.

select operation target: q
metadata cleanup:

14. Type remove selected server and press Enter. You will get a warning dialog. Read it and click Yes if you agree.

metadata cleanup: Remove selected server
"CN=RADC,CN=Servers,CN=REMOTESITE,CN=Sites,CN=Configuration,DC=OPSMGR,DC=BCETIN" removed from server "DC.OPSMGR.BCETIN"
metadata cleanup:

Now that the metadata is cleaned up, we will also manually delete some remaining objects related to the failed DC.

15. Open Active Directory Sites and Services, expand the site where the failed DC was previously located.

16. Right click the failed DC's server object and click Delete.

17. Open Active Directory Users and Computers. Navigate to the Domain Controllers container.

18. Right click the failed DC's computer object and click Delete. You will be prompted that you are deleting a domain controller without running DCPROMO. Select "This domain controller is permanently offline ...." and click Delete.

19. Open the DNS console and delete any host (A) and CNAME records for the failed server.
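Once the ntdsutil cleanup and the manual deletions in steps 15 to 19 are done, it is worth checking that nothing still refers to the failed DC before you reuse its name. The following PowerShell script is an added example, not part of the original article, that looks for the objects the procedure above removes (the server and NTDS Settings objects under Sites, the computer account in the Domain Controllers OU, the FRS SYSVOL member object that a Windows Server 2003 DC has, replication connection objects that still name the failed DC as their source, and A, CNAME and SRV DNS records for its host name). It assumes the ActiveDirectory and DnsServer RSAT modules on a Windows Server 2012 or later management host, and the names used at the bottom are the article's test-lab names (RADC, REMOTESITE, OPSMGR.BCETIN, DC.OPSMGR.BCETIN).

```powershell
# Added example (not from the original article): report leftovers of a failed DC
# after metadata cleanup. Assumes the ActiveDirectory and DnsServer RSAT modules.
Import-Module ActiveDirectory
Import-Module DnsServer

# Get-ADObject -Identity throws when the object is missing; return $null instead.
function Get-ADObjectIfExists {
    param([string] $Dn)
    try   { Get-ADObject -Identity $Dn -ErrorAction Stop }
    catch { $null }
}

function New-Finding([string] $Kind, [string] $Detail) {
    [pscustomobject]@{ Kind = $Kind; Detail = $Detail }
}

function Test-FailedDcResidue {
    param(
        [Parameter(Mandatory)] [string] $ServerName,  # failed DC, e.g. RADC
        [Parameter(Mandatory)] [string] $SiteName,    # its site, e.g. REMOTESITE
        [Parameter(Mandatory)] [string] $DnsZone,     # domain DNS zone, e.g. OPSMGR.BCETIN
        [Parameter(Mandatory)] [string] $DnsServer    # DNS server to query, e.g. DC.OPSMGR.BCETIN
    )

    $rootDse  = Get-ADRootDSE
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Server object and its NTDS Settings child in the Configuration partition
    #    ("remove selected server" and step 16 above should have removed these).
    $serverDn = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    foreach ($dn in @($serverDn, "CN=NTDS Settings,$serverDn")) {
        if (Get-ADObjectIfExists $dn) { $findings.Add((New-Finding 'AD object' $dn)) }
    }

    # 2. Computer account in the Domain Controllers OU (step 18 above).
    $computerDn = "CN=$ServerName,OU=Domain Controllers,$domainNc"
    if (Get-ADObjectIfExists $computerDn) { $findings.Add((New-Finding 'AD object' $computerDn)) }

    # 3. FRS SYSVOL member object (Windows Server 2003 replicates SYSVOL with FRS).
    $frsDn = "CN=$ServerName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
    if (Get-ADObjectIfExists $frsDn) { $findings.Add((New-Finding 'AD object' $frsDn)) }

    # 4. Inbound replication connections on other DCs that still use the failed DC as source.
    $filter = "(&(objectClass=nTDSConnection)(fromServer=CN=NTDS Settings,$serverDn))"
    foreach ($c in (Get-ADObject -SearchBase $configNc -LDAPFilter $filter)) {
        $findings.Add((New-Finding 'Replication connection' $c.DistinguishedName))
    }

    # 5. DNS: A records for the host, plus CNAME (the DSA GUID alias under _msdcs) and SRV
    #    records that point at it. _msdcs is queried both as its own zone and, if it is
    #    only a subdomain, through the domain zone; a missing zone is skipped silently.
    $fqdn = "$ServerName.$DnsZone"
    foreach ($zone in @($DnsZone, "_msdcs.$DnsZone")) {
        $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $target = switch ($r.RecordType) {
                'A'     { if ($r.HostName -eq $ServerName) { $r.RecordData.IPv4Address } }
                'CNAME' { if ($r.RecordData.HostNameAlias -like "$fqdn*") { $r.RecordData.HostNameAlias } }
                'SRV'   { if ($r.RecordData.DomainName -like "$fqdn*") { $r.RecordData.DomainName } }
            }
            if ($target) {
                $findings.Add((New-Finding "DNS $($r.RecordType) record in $zone" "$($r.HostName) -> $target"))
            }
        }
    }
    return $findings
}

# Names from the article's test lab; an empty result means nothing was left behind.
Test-FailedDcResidue -ServerName RADC -SiteName REMOTESITE -DnsZone OPSMGR.BCETIN -DnsServer DC.OPSMGR.BCETIN |
    Format-Table -AutoSize
```

Run it against the DC you connected to in step 4 only after the deletions have replicated to it; an AD object that still shows up on one DC but not another is usually replication latency rather than a failed cleanup. `repadmin /showrepl` on the remaining DCs is the complementary check: once the failed DC no longer appears as a replication partner, the replication errors that motivated the cleanup should stop.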

See you in another article.
4 Comments
 
Expert Comment by Kevin Cross (LVL 60):
Nice work!
voted YES above.
 
Expert Comment by Premkumar Yogeswaran (LVL 17):
Nice Article
 
Expert Comment by Robberbaron (robr) (LVL 32):
Worked for me. The hand holding and being able to see the expected response gave me the confidence to do this. Worked perfectly, including DCPROMO back up to a DC.
 
Author Comment by Batuhan Cetin (LVL 11):
Hi robberbaron,

Glad to hear that this article is still helping people after years :)
