What does the ntdsutil do when cleaning up metadata from a failed Domain Controller?

Hello Experts,

About 6 years ago the company I work for had a remote location, with a domain controller. One day there was a fire on the floor above that office and subsequently, that office was flooded and the domain controller was never to be heard from again.

The computer account was deleted and so was the entry in sites and services. Actually, that whole site was deleted. Here I am 6 years later upgrading our 2003 servers to 2008 R2. When I run dcdiag, that old DC pops up in an error:

Problem: Missing Expected Value
Base Object:
CN=SERVERNAME,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object
Also see Knowledge Base Article:  Q312862

There are tons of articles on EE that point to this link to manually remove a failed DC:

Unfortunately the site and computer account still have to exist for that walk through to work.

I used adsiedit to browse to the location in the error and sure enough, there is still an entry for that DC.

Does anyone know what is changed in the metadata cleanup process? Can it be done manually with adsiedit? Is it as simple as deleting the object that the error points to?

Thanks for your help

Glen KnightCommented:
They shouldn't need to exist.
If you want I can walk you through the steps?

From a command prompt type:

then type metadata cleanup

type connections
type connect to server LIVEDCNAME

type q
type select operation target
type list domains
type select domain 0 (where 0 is the number listed next to your domain name)
type list sites

and then provide me with the list that is shown along with an explanation of what each entry is
Glen KnightCommented:
LIVEDCNAME above is any LIVE Domain Controller in your network.
Here is the complete procedure. Go slow, stop and ask questions if you are unsure of how to proceed.

Full text removed, copy from the Procedure 1: Windows Server 2003 SP1 or later service packs only section of http://support.microsoft.com/kb/216498

Will do. I actually copied it from notes I keep. Not an MS article. Probably originally got it from MS so will not post it here again. Thanks.
beapitAuthor Commented:
Like I said in my original post, those instructions do not work.

When I get to the point of typing in "list sites" it only lists the current sites in AD, not the site that was deleted that would have had this failed DC in it.

I've even gone through and selected each site and typed "list servers in site" and the failed DC does not show up in any of those sites, just my current DCs.

That's why I am trying to figure out what exactly happens when the "remove selected server" command is run.
Glen KnightCommented:

OK, can you start ADSI Edit, right click on the top of the tree where it says ADSI Edit and select connect.

In the select well known naming context pull down the box and select Configuration.
Click OK

Expand Configuration in the tree and Expand Sites, what do you see listed here?
Glen KnightCommented:
Also check in Active Directory Sites and Services, expand your current domain controller, highlight NTDS Settings and check to see if the Domain Controller still appears under here as a replication partner.
Glen KnightCommented:
Also as another thought (sorry got to give you them as they come to me)

Again in ADSI Edit, right click on ADSI Edit, select connect, select Default Naming Context from the drop down and click OK.

Expand Default Naming Context > Domain name > System > File Replication Service
Highlight Domain System Volume (SYSVOL Share), does your old server appear here?


Sorry for the caps but it is VERY important.
beapitAuthor Commented:
In adsi edit, Configuration\Sites shows my current sites and two other entries, "Inter-Site Transports" and "Subnets" (just like what you see in sites and services)

I checked the NTDS Settings for all my DCs in Sites and Services and the failed DC does not show up as a replication partner.
beapitAuthor Commented:
It does appear in the "Domain System Volume (SYSVOL share)". That's also the same location that the dcdiag command is complaining about.
Glen KnightCommented:
OK, please remove it from this location.
Be VERY careful and right click on the server object that should not be there and select delete.

Do not edit any other attributes or values.

beapitAuthor Commented:
Done. The dcdiag command does not show an error anymore. Is that all the ntdsutil command "remove selected server" does (besides deleting the computer account and removing it from Sites and Services)? I'm just worried about leftover garbage that the dcdiag command is not checking for.
Glen KnightCommented:
That setting was a File Replication Service object; this is quite different from removing entries from sites and services.

This can be left behind and does sometimes require manual removal.

So you're good to go.  Well done.
beapitAuthor Commented:
Thanks for your help. I'll award the points but I'd still really like to know if the ntdsutil does anything different than the four steps listed below.

Just to let everyone else know, these were the steps that were done to clean up a failed DC that had been removed by not using a MS supported approach. Use at your own risk!

1. Remove computer account from AD Users and Computers
2. Remove all entries for that server in AD Sites and Services
3. Remove DNS records
4. Delete the server entry from "Domain System Volume (SYSVOL share)\File Replication Service\System\DOMAIN" in ADSI edit
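An added PowerShell audit (example code, not from the thread) that checks the four locations in the list above, read-only, so you can see what is still left behind before and after deleting anything; the RSAT ActiveDirectory module, a domain-joined session with read rights, and the $ServerName placeholder are assumptions:

```powershell
# Added example, not from the thread: read-only audit of the four places the
# list above names, for a DC that was never demoted cleanly. Assumes the RSAT
# ActiveDirectory module and that $ServerName is the dead DC's short name.
param([Parameter(Mandatory = $true)][string]$ServerName)

Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$dnsRoot  = (Get-ADDomain).DNSRoot

function Report([string]$Area, $Found) {
    $state = if ($Found) { "PRESENT: $Found" } else { "absent" }
    "{0,-34} {1}" -f $Area, $state
}

# 1. Computer account in the domain partition
$computer = Get-ADComputer -LDAPFilter "(cn=$ServerName)" -ErrorAction SilentlyContinue
Report "Computer account" $computer.DistinguishedName

# 2. Server object (with its NTDS Settings child) under Configuration\Sites
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
Report "Sites and Services server object" $server.DistinguishedName

# 3. Host record in DNS (SRV records under _msdcs can be queried the same way)
$a = Resolve-DnsName -Name "$ServerName.$dnsRoot" -Type A -ErrorAction SilentlyContinue
Report "DNS A record" ($a | ForEach-Object IPAddress)

# 4. FRS member object in the SYSVOL replica set. dcdiag's "Missing Expected
#    Value" fires when frsComputerReference points at a DN that no longer
#    exists, which is exactly the state described in the thread.
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"
$member  = Get-ADObject -SearchBase $frsBase -Properties frsComputerReference `
    -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$ServerName))"
Report "SYSVOL FRS member object" $member.DistinguishedName
if ($member) {
    $ref = $member.frsComputerReference
    $refExists = $false
    if ($ref) {
        try { Get-ADObject -Identity $ref -ErrorAction Stop | Out-Null; $refExists = $true } catch { }
    }
    Report "  frsComputerReference target" ($(if ($refExists) { $ref } else { $null }))
    if (-not $refExists) { "  -> dangling reference; this is the object step 4 above deletes" }
}
```

Anything reported as PRESENT after the cleanup is a leftover the dcdiag FRS check alone would not necessarily flag.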
Glen KnightCommented:
The steps the METADATA cleanup takes are listed here: http://support.microsoft.com/kb/216498

under the section headed: Windows Server 2003 Service Pack 1 (SP1) or later service packs – Enhanced version of Ntdsutil.exe