How to perform metadata cleanup in Active Directory? How to remove a deleted or failed domain controller from Active Directory?

There are circumstances in which you have to clean up a domain controller object from Active Directory by hand. The usual scenarios are:

  • You try to remove the AD DS role from a domain controller with dcpromo.exe and the demotion fails.
  • You try to promote a member server to a domain controller in an existing forest and the promotion fails.

This article does not cover why the demotion or promotion fails in either case; it covers the domain controller objects that such a failure leaves behind in Active Directory. A successful demotion with dcpromo removes the domain controller's data from Active Directory, but a failed demotion can leave objects behind, and those stale objects cause several problems, replication errors among them. They also prevent you from reusing the same computer name for a new domain controller, because the old server object blocks re-creation under that name.

In this situation, when the NTDS Settings object has not been cleared successfully, the NTDSUTIL.EXE utility can be used to remove it manually.

There are two ways to perform this cleanup of a failed domain controller: A) the command-line method, B) the graphical method.

This article covers only the command-line method, using the NTDSUTIL.EXE utility; the graphical method achieves the same result. The tools involved in this activity are:

Ntdsutil.exe, DNS, Active Directory Sites and Services, and Active Directory Users and Computers.

To run this tool, use an account that is a member of the Enterprise Admins universal group.

Note: Using the Ntdsutil utility incorrectly may cause partial or complete loss of Active Directory functionality.

Here is the step-by-step guide to running this tool:

  1. At an elevated command prompt, type ntdsutil and press Enter.

        C:\WINDOWS>ntdsutil
        ntdsutil:

  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.

        ntdsutil: metadata cleanup
        metadata cleanup:

  3. At the metadata cleanup: prompt, type connections and press Enter.

        metadata cleanup: connections
        server connections:

  4. At the server connections: prompt, type connect to server <servername>, where <servername> is any functional domain controller in the same domain; this is the domain controller from which you will clean up the failed domain controller's metadata. Press Enter.

        server connections: connect to server GOODDCSERVER01
        Binding to GOODDCSERVER01 ...
        Connected to GOODDCSERVER01 using credentials of locally logged on user.
        server connections:

  5. Type quit (or q) and press Enter to return to the metadata cleanup: prompt.

        server connections: q
        metadata cleanup:

  6. Type select operation target and press Enter.

        metadata cleanup: Select operation target
        select operation target:

  7. Type list domains and press Enter. This lists every domain in the forest with a number next to each one.

        select operation target: list domains
        Found 1 domain(s)
        0 - DC=nocagile,DC=net
        select operation target:

  8. Type select domain <number>, where <number> is the number of the domain the failed domain controller belonged to, and press Enter.

        select operation target: Select domain 0
        No current site
        Domain - DC=nocagile,DC=net
        No current server
        No current Naming Context
        select operation target:

  9. Type list sites and press Enter.

        select operation target: List sites
        Found 1 site(s)
        0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        select operation target:

  10. Type select site <number>, where <number> is the number of the site the domain controller was a member of, and press Enter.

        select operation target: Select site 0
        Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        Domain - DC=nocagile,DC=net
        No current server
        No current Naming Context
        select operation target:

  11. Type list servers in site and press Enter. This lists every server in that site with a corresponding number.

        select operation target: List servers in site
        Found 2 server(s)
        0 - CN=BADDCSERVER02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        1 - CN=GOODDCSERVER01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        select operation target:

  12. Type select server <number>, where <number> is the number of the domain controller to be removed, and press Enter. Before going further, check the DSA object, DNS host name and computer object that ntdsutil echoes back: all of them must belong to the failed domain controller, not to a live one.

        select operation target: Select server 0
        Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        Domain - DC=nocagile,DC=net
        No current Naming Context
        Server - CN=BADDCSERVER02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        DSA object - CN=NTDS Settings,CN=BADDCSERVER02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net
        DNS host name - BADDCSERVER02.nocagile.net
        Computer object - CN=BADDCSERVER02,OU=Domain Controllers,DC=nocagile,DC=net
        select operation target:

  13. Type quit and press Enter. The metadata cleanup: prompt is displayed again.

        select operation target: q
        metadata cleanup:

  14. Type remove selected server and press Enter. You will receive a warning message. Read it, and if you agree, click Yes.

        metadata cleanup: Remove selected server
        "CN=BADDCSERVER02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nocagile,DC=net" removed from server "GOODDCSERVER01"
        metadata cleanup:

  At this point, Active Directory confirms that the domain controller was removed successfully. If instead you receive an error that the object could not be found, the object may already have been removed from Active Directory.

  15. Type quit and press Enter until you return to the command prompt.
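The fifteen interactive steps above can be collapsed into a single ntdsutil invocation, because ntdsutil accepts its menu commands as command-line arguments ("remove selected server <DN> on <DC>" binds to the named good DC and removes the DSA object in one go). The script below is an added example, not part of the original article; it assumes the names from the walkthrough (BADDCSERVER02, GOODDCSERVER01, DC=nocagile,DC=net), the RSAT ActiveDirectory module, and an Enterprise Admin account. It resolves the failed DC's server object from the directory rather than taking a hand-typed DN, and refuses to proceed if the host still answers LDAP, since a reachable DC should be demoted normally instead.

```powershell
# Added example (not the article's own code): non-interactive metadata cleanup.
# Names below are constructed from the walkthrough; adjust them for your forest.
Import-Module ActiveDirectory

$failedDc = 'BADDCSERVER02'
$goodDc   = 'GOODDCSERVER01'
$fqdn     = "$failedDc.nocagile.net"

# Guard: a DC that still answers LDAP is not "failed"; demote it with dcpromo instead.
if (Test-NetConnection -ComputerName $fqdn -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue) {
    Write-Warning "$fqdn still answers on TCP 389; demote it normally rather than cleaning metadata."
    return
}

# Resolve the server object under CN=Sites in the Configuration partition,
# so that a typo cannot select the wrong DSA for removal.
$configNc  = (Get-ADRootDSE -Server $goodDc).configurationNamingContext
$serverObj = Get-ADObject -Server $goodDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$failedDc))"

if (-not $serverObj) {
    "No server object named $failedDc under CN=Sites,$configNc; the metadata may already be clean."
    return
}

$serverDn = $serverObj.DistinguishedName
"Removing $serverDn by binding to $goodDc"

# Equivalent of steps 1-15 above. ntdsutil still shows the confirmation
# dialog from step 14 before it deletes anything.
& ntdsutil.exe "metadata cleanup" "remove selected server $serverDn on $goodDc" q q
```

After it finishes, the server object, its NTDS Settings child and the computer object are removed by ntdsutil; the DNS records still need the manual steps described below.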

To remove the failed server object from the sites

  1. In Active Directory Sites and Services, expand the appropriate site.
  2. Delete the server object associated with the failed domain controller.

To remove the failed server object from the Domain Controllers container

  1. In Active Directory Users and Computers, expand the Domain Controllers container.
  2. Delete the computer object associated with the failed domain controller.
  3. Windows Server 2003 AD might display a new type of question window, asking whether you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform, otherwise you wouldn’t be reading this article, would you…). Select “This DC is permanently offline…” and click the Delete button.
  4. AD will display another confirmation window. If you’re sure that you want to delete the failed object, click Yes.

To remove the failed server object from DNS

  1. In the DNS snap-in, expand the zone that belongs to the domain from which the server has been removed.
  2. Remove the CNAME record for the failed domain controller from the _msdcs.<forest root domain> zone. You should also delete its host (A) record and any other DNS records that refer to it.
  3. If you have reverse lookup zones, also remove the server's records from those zones.
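Once the ntdsutil, Sites and Services, Users and Computers and DNS steps are done, it is worth confirming from a live DC that nothing still refers to the failed one. The script below is an added example, not part of the original article; it assumes the walkthrough's names (BADDCSERVER02, GOODDCSERVER01, nocagile.net), the RSAT ActiveDirectory and DnsServer modules, and that GOODDCSERVER01 also hosts the AD-integrated DNS zones. It goes a little beyond the article's checklist by also looking for SRV and NS records that still point at the failed host, which are the records that keep clients trying to reach a dead DC.

```powershell
# Added example (not the article's own code): post-cleanup verification.
# Names are constructed from the walkthrough; adjust them for your forest.
Import-Module ActiveDirectory
Import-Module DnsServer

$failedDc  = 'BADDCSERVER02'
$domainDns = 'nocagile.net'
$goodDc    = 'GOODDCSERVER01'
$fqdn      = "$failedDc.$domainDns"
$rootDse   = Get-ADRootDSE -Server $goodDc
$configNc  = $rootDse.configurationNamingContext
$domainNc  = $rootDse.defaultNamingContext
$leftovers = [System.Collections.Generic.List[string]]::new()

# 1. Server object and NTDS Settings (nTDSDSA) object in the Configuration partition.
Get-ADObject -Server $goodDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(|(&(objectClass=server)(cn=$failedDc))(objectClass=nTDSDSA))" |
    Where-Object { $_.DistinguishedName -like "*CN=$failedDc,CN=Servers,*" } |
    ForEach-Object { $leftovers.Add("Config partition: $($_.DistinguishedName)") }

# 2. Computer object in the Domain Controllers OU.
Get-ADComputer -Server $goodDc -SearchBase "OU=Domain Controllers,$domainNc" `
    -Filter "Name -eq '$failedDc'" |
    ForEach-Object { $leftovers.Add("Computer object: $($_.DistinguishedName)") }

# 3. Is it still enumerated as a domain controller?
if (Get-ADDomainController -Server $goodDc -Filter "Name -eq '$failedDc'") {
    $leftovers.Add("Still returned by Get-ADDomainController: $failedDc")
}

# 4. DNS: its own A/AAAA records, the <DSA GUID> CNAME in _msdcs, and any
#    SRV or NS record whose target is the failed host. RecordData fields that
#    do not exist on a given record type simply evaluate to $null here.
foreach ($zone in @($domainDns, "_msdcs.$domainDns")) {
    Get-DnsServerResourceRecord -ComputerName $goodDc -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.HostName -eq $failedDc) -or
            ($_.RecordData.HostNameAlias -like "$fqdn*") -or
            ($_.RecordData.DomainName -like "$fqdn*") -or
            ($_.RecordData.NameServer -like "$fqdn*")
        } |
        ForEach-Object { $leftovers.Add("DNS zone ${zone}: $($_.HostName) $($_.RecordType)") }
}

if ($leftovers.Count -eq 0) {
    "No remaining references to $failedDc were found."
} else {
    Write-Warning "Remaining references to ${failedDc}:"
    $leftovers
}
```

Reverse lookup zones are not scanned, because their names depend on your address plan; add them to the zone list if you have them. Run the script against more than one DC if the change has not replicated everywhere yet.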

A few more points to consider:

If the problematic DC held any Flexible Single Master Operation (FSMO) roles, seize those roles onto a live DC.
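Seizing is only needed for roles whose recorded holder is the failed DC, so it helps to read the current holders first. The script below is an added example, not part of the original article; it assumes the walkthrough's names (BADDCSERVER02, GOODDCSERVER01) and the RSAT ActiveDirectory module. Move-ADDirectoryServerOperationMasterRole with -Force seizes rather than transfers, which is why the script only passes the roles it found pointing at the dead host; a seized role holder must never come back online with its old state.

```powershell
# Added example (not the article's own code): report FSMO holders and seize
# only the roles still recorded against the failed DC. Names are constructed.
Import-Module ActiveDirectory

$failedDc = 'BADDCSERVER02'
$goodDc   = 'GOODDCSERVER01'

$forest = Get-ADForest -Server $goodDc
$domain = Get-ADDomain -Server $goodDc

# Holders are returned as FQDNs, e.g. BADDCSERVER02.nocagile.net
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

"Current FSMO role holders:"
$holders.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# Roles whose recorded holder is the failed DC.
$orphaned = @($holders.GetEnumerator() |
    Where-Object { $_.Value -like "$failedDc.*" } |
    ForEach-Object { $_.Key })

if ($orphaned.Count -eq 0) {
    "No FSMO role is held by $failedDc; nothing to seize."
} else {
    Write-Warning "Seizing $($orphaned -join ', ') onto $goodDc"
    # -Force = seize (no handshake with the old holder, which is gone).
    Move-ADDirectoryServerOperationMasterRole -Identity $goodDc `
        -OperationMasterRole $orphaned -Force -Confirm:$false
    "Holders after seizure:"
    Get-ADForest -Server $goodDc | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain -Server $goodDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}
```

The same check can be done from a command prompt with netdom query fsmo; the script form is useful when you want the result captured in a change record.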

If the problematic DC was a DNS server, update the DNS client configuration on all member workstations, member servers and other DCs that might have used it for name resolution. If required, modify the DHCP scope options to reflect the removal of this DNS server and point clients at a live DC.

If the problematic DC was a DNS server, also update the forwarder settings and the delegation settings on any other DNS servers that might have pointed to it for name resolution.