Remove Active Directory Domain Controller Metadata Script: A Step-by-Step Guide
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds.
Remove Active Directory Domain Controller Metadata script
If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box. In Active Directory Users and Computers, the Object tab of an object appears only if you click View and then click Advanced Features.

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.
You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.
As long as you are using the Windows Server 2008 or newer RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.
As an alternative, you can clean up metadata by using ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and on servers that have Active Directory Lightweight Directory Services (AD LDS) installed. ntdsutil.exe is also available on computers that have RSAT installed. To clean up server metadata by using ntdsutil, do the following:
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.
Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear.

Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object, because another application is using the object.

Taken from here, this script is fantastic! You can run this from any domain member computer while logged in as a domain administrator. This script will clean up all metadata left over from a forced removal of a domain controller, e.g. DNS and Sites & Services information.
Metadata cleanup is performed when a DC is forcibly removed from Active Directory Domain Services (AD DS), either because of a permanent hardware failure that cannot be repaired and leads to the server being decommissioned, or because the server cannot be gracefully demoted. Metadata cleanup removes the stale data and entries in AD DS that identify the domain controller to the replication system. It also transfers or seizes any flexible single master operations (FSMO) roles that the retired domain controller holds.
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) to delete a failed domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.
As long as you are using the Windows Server 2008, Windows Server 2008 R2, or RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems.
D) If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

Right-click the domain controller that was forcibly removed, and then click Delete.

In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.

Remove DNS Entries:

1. Right-click a zone in the DNS console and go to Properties. Under the Name Servers tab, delete the entries that are related to the decommissioned DC.

2. Open the DNS console (dnsmgmt.msc) and expand the zone that belongs to the domain from which the server has been removed. Remove the CNAME record in the _msdcs zone of the forest root domain. You should also delete the HOSTNAME (A) record and any other DNS records for the server. If you have reverse lookup zones, also remove the PTR record of the server from these zones.

3. Remove the IP address of the decommissioned DC if it is still configured as the primary or secondary DNS server on any network adapter (ncpa.cpl).

Run Dcdiag to verify that all stale entries related to the failed DC have been removed successfully.
B. Clean up server metadata using the command line:

You can clean up metadata by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and servers that have Active Directory Lightweight Directory Services (AD LDS) installed.

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

Type quit and press Enter to return to the metadata cleanup: prompt.

    server connections: q
    metadata cleanup:

Type select operation target and press Enter.

    metadata cleanup: Select operation target
    select operation target:

Type list domains and press Enter. This lists all domains in the forest with a number associated with each.

    select operation target: list domains
    Found 1 domain(s)
    0 - DC=Domain_Name,DC=com
    select operation target:

Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.

    select operation target: Select domain 0
    No current site
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

Type list sites and press Enter.

    select operation target: List sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.

    select operation target: Select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.

    select operation target: List servers in site
    Found 2 server(s)
    0 - CN=SERVERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    1 - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.

    select operation target: Select server 1
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    Server - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DSA object - CN=NTDS Settings,CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DNS host name - serverB.Domain_Name.com
    Computer object - CN=SERVERB,OU=Domain Controllers,DC=Domain_name,DC=com
    No current Naming Context
    select operation target:
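The page refers to a cleanup script that it does not reproduce, and walks through the same job by hand in Dsa.msc, Dssite.msc, ntdsutil and the DNS console. The script below is an added example, not the script the page mentions and not Microsoft's code: it performs the metadata cleanup over LDAP with the RSAT ActiveDirectory module (deleting the NTDS Settings object, the server object when nothing else is left under it, and the computer account in the Domain Controllers OU), clears "Protect object from accidental deletion" first so the delete does not fail with "Access is denied", removes the NS, A, CNAME, SRV and PTR records that still name the retired DC with the DnsServer module, and finishes with the checks the page's console walk-through describes. It assumes the retired DC name SERVERB from the page's ntdsutil transcript, that DNS is hosted on the PDC emulator, and that it runs from a domain member as a domain administrator. It refuses to start while the retired DC still holds an operations master role, since the page says those must be transferred or seized first.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example (not the page's script): LDAP-based metadata cleanup, DNS cleanup and
# verification for a forcibly removed domain controller. Assumed defaults: the DC name
# "SERVERB" from the page's transcript and the PDC emulator as the DNS server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$FailedDC  = 'SERVERB',
    [string]$DnsServer = (Get-ADDomain).PDCEmulator
)

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$fqdn     = "$FailedDC.$($domain.DNSRoot)".ToLower()

# 1. Stop while the retired DC is still recorded as an operations master; seize the roles
#    to a surviving DC first (Move-ADDirectoryServerOperationMasterRole -Force).
$roles = @{
    PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$fqdn*" })
if ($held.Count) {
    throw "Seize these roles before cleanup: $(($held | ForEach-Object Key) -join ', ')"
}

# Deletes an object after clearing the accidental-deletion protection the page warns about.
function Remove-ProtectedADObject {
    param([Parameter(Mandatory)]$Object, [switch]$Recursive)
    Set-ADObject -Identity $Object -ProtectedFromAccidentalDeletion $false
    Remove-ADObject -Identity $Object -Recursive:$Recursive -Confirm:$false
}

# 2. Configuration partition: delete the NTDS Settings object (what Dssite.msc does), then the
#    server object only if nothing else remains under it, as the page's verification step says.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter "objectClass -eq 'server' -and name -eq '$FailedDC'"
if ($serverObj) {
    Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel -Filter "objectClass -eq 'nTDSDSA'" |
        ForEach-Object { Remove-ProtectedADObject -Object $_ -Recursive }
    $children = @(Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel -Filter *)
    if ($children.Count -eq 0) { Remove-ProtectedADObject -Object $serverObj }
    else { Write-Warning "Kept $($serverObj.DistinguishedName): other child objects remain ($($children.Name -join ', '))" }
}

# 3. Domain partition: the computer account in the Domain Controllers OU.
$computer = Get-ADComputer -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" -Filter "name -eq '$FailedDC'"
if ($computer) { Remove-ProtectedADObject -Object $computer -Recursive }

# 4. DNS: name-server, host, _msdcs CNAME and SRV records that still point at the retired DC.
#    The _msdcs zone may not exist as a separate zone on older forests, hence SilentlyContinue.
$zones = @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)") | Select-Object -Unique
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue | Where-Object {
        $d = $_.RecordData
        ($_.RecordType -eq 'A'     -and $_.HostName -eq $FailedDC) -or
        ($_.RecordType -eq 'NS'    -and $d.NameServer    -like "$fqdn*") -or
        ($_.RecordType -eq 'CNAME' -and $d.HostNameAlias -like "$fqdn*") -or
        ($_.RecordType -eq 'SRV'   -and $d.DomainName    -like "$fqdn*")
    } | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Force
}
# PTR records in every reverse lookup zone.
Get-DnsServerZone -ComputerName $DnsServer | Where-Object IsReverseLookupZone | ForEach-Object {
    $rz = $_.ZoneName
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $rz -RRType Ptr -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.PtrDomainName -like "$fqdn*" } |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $rz -Force
}

# 5. Verify as the page does: no NTDS Settings object under the DC's server object and no
#    computer object for it in Domain Controllers. A bare server object may legitimately remain.
function Test-DcMetadataRemoved {
    param([string]$Name)
    $left = @(
        Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter "objectClass -eq 'nTDSDSA'" |
            Where-Object DistinguishedName -like "CN=NTDS Settings,CN=$Name,*"
        Get-ADObject -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" -Filter "name -eq '$Name'"
    )
    foreach ($o in $left) { Write-Warning "Still present: $($o.DistinguishedName)" }
    return ($left.Count -eq 0)
}
if (Test-DcMetadataRemoved -Name $FailedDC) {
    Write-Host "Metadata for $FailedDC removed; run 'dcdiag /q' to confirm, as the page advises."
}
```

Run it once with -WhatIf to see which directory objects and DNS records it would delete before running it for real; because the script declares SupportsShouldProcess, -WhatIf is passed through to every Remove-ADObject and Remove-DnsServerResourceRecord call. Deleting the NTDS Settings object over LDAP is the same operation Dssite.msc performs, which is why the server object is handled afterwards rather than deleted recursively in one step.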