Active Directory Metadata Cleanup
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) to delete a failed domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

Type quit and press Enter to return to the metadata cleanup: prompt.

    server connections: q
    metadata cleanup:

Type select operation target and press Enter.

    metadata cleanup: Select operation target
    select operation target:

Type list domains and press Enter. This lists all domains in the forest with a number associated with each.

    select operation target: list domains
    Found 1 domain(s)
    0 - DC=Domain_Name,DC=com
    select operation target:

Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.

    select operation target: Select domain 0
    No current site
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

Type list sites and press Enter.

    select operation target: List sites
    Found 1 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

Type select site <number>, where <number> is the number of the site in which the domain controller was a member. Press Enter.

    select operation target: Select site 0
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    No current server
    No current Naming Context
    select operation target:

Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.

    select operation target: List servers in site
    Found 2 server(s)
    0 - CN=SERVERA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    1 - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    select operation target:

Type select server <number> and press Enter, where <number> is the number of the domain controller to be removed.

    select operation target: Select server 1
    Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    Domain - DC=Domain_name,DC=com
    Server - CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DSA object - CN=NTDS Settings,CN=SERVERB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain_name,DC=com
    DNS host name - serverB.Domain_Name.com
    Computer object - CN=SERVERB,OU=Domain Controllers,DC=Domain_name,DC=com
    No current Naming Context
    select operation target:

Type quit and press Enter. The metadata cleanup menu is displayed.

    select operation target: q
    metadata cleanup:

Type remove selected server and press Enter. You will receive a warning message. Read it, and if you agree, click Yes.
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds.
If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box. In Active Directory Users and Computers, the Object tab of an object appears only if you click View and then click Advanced Features.
When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.
You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.
Note: Metadata cleanup is automated with Windows Server 2008. You only need to delete the computer object from the Domain Controllers OU using ADUC from a Windows Server 2008 machine, and the metadata cleanup process runs automatically.
After removing a domain controller or any AD DS role forcibly, metadata cleanup is generally required, because metadata is the data that identifies a server as a domain controller to the replication system. Any data pointing the replication system at the removed DC should therefore be removed. The decommissioned or retired domain controller may also hold File Replication Service (FRS) and Distributed File System (DFS) connections or Flexible Single Master Operations (FSMO) roles. The cleanup process makes sure that this data is removed as well (and that any FSMO roles are transferred or seized).
The minimum requirement for a user to perform automatic cleanup is membership in the Domain Admins group. Windows Server 2008 or newer versions of RSAT perform cleanup of metadata automatically: Remote Server Administration Tools (RSAT), the AD Users and Computers console (Dsa.msc) and the AD Sites and Services console (Dssite.msc) all perform automatic metadata cleanup. When using Dssite.msc, however, make sure that the NTDS Settings object under the computer account is deleted first.
Regular metadata cleanup in Active Directory is crucial to helping ensure your Active Directory environment is functioning efficiently. Typically, metadata cleanup involves pulling up Active Directory account activity, seeking out obsolete domain controller and computer accounts, and removing outdated accounts and all related domain controller objects. It can also involve removing historical data and retooling configurations that may impact performance.
Finding and removing disabled and inactive accounts can be done by writing scripts and commands. But writing scripts at regular intervals can be a tiresome and time-consuming process. Instead, you can more easily accomplish both tasks by using AD cleanup tools.
In addition to disabled and inactive accounts, cleanup administrators should look for Active Directory user accounts and passwords that have expired. Administrators typically set passwords and accounts to expire after a given period to safeguard information. But user accounts and passwords often expire without admins being alerted about them and must therefore be cleaned up.
Like individual accounts, inactive and empty Active Directory groups can be found manually by writing separate scripts for each check. Alternatively, AD cleanup software typically comes with automated scripts that check for inactive and empty groups at predesignated intervals.
Occasionally, Active Directory groups will contain only a single user. Like empty or inactive groups, single-user groups likely serve no purpose and widen the organization's attack surface. Groups with one member may not be visible at first, but administrators can isolate them with a script that sorts groups by number of members, or by using AD cleanup software. These groups should also be deleted or consolidated to save space and help reduce exposure.
Especially as organizations grow, the number of active users (both internal and external) may expand at an alarming rate. The number of user accounts in Active Directory can quickly reach beyond what administrative employees can manually accommodate. If the organization relies on writing scripts to handle routine tasks, obsolete objects will likely accumulate at a rapid clip. In larger organizations and enterprises, IT departments will need to rely on automated Active Directory maintenance to avoid writing custom scripts every time. Process automation accelerates the cleanup process, minimizes human error, and helps ensure adherence to best practices.
Metadata cleanup is about removing the old primary domain controller entries from Active Directory Users and Computers and from Active Directory Sites and Services. In our case we need to remove the domain controller named DC from AD.
1. Type ntdsutil and press Enter.
2. Type metadata cleanup and press Enter.
3. Type connections and press Enter.
4. Type connect to server <servername> and press Enter, where <servername> is the name of a working DC in the same domain.
5. Type quit and press Enter.
6. Type select operation target and press Enter.
7. Type list domains and press Enter.
8. Type select domain <number> and press Enter, where <number> is the number corresponding to the domain that the non-functional DC was a member of.
9. Type list sites and press Enter.
10. Type select site <number> and press Enter, where <number> is the number that corresponds to the site that the non-functional DC was a member of.
11. Type list servers in site and press Enter.
12. Type select server <number> and press Enter, where <number> is the number that corresponds to the DC you want to remove.
13. Type quit and press Enter.
14. Type remove selected server and press Enter.
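As an added example (not part of the original article), the following PowerShell script covers the same cleanup as the interactive ntdsutil procedure above and the "Access is denied" / accidental-deletion check: it inventories what still identifies the retired DC to the replication system, clears the protection flag where set, runs the non-interactive form of remove selected server, and verifies nothing is left. It assumes the RSAT ActiveDirectory module and reuses the page's sample names (SERVERB, Default-First-Site-Name, DC=Domain_name,DC=com); replace them with your own.

```powershell
# Added example, not the article's own procedure. Assumes the RSAT ActiveDirectory
# module and the sample names used on this page; run as a member of Domain Admins
# on a working DC in the same domain as the retired one.
Import-Module ActiveDirectory

$DcName   = 'SERVERB'                   # retired DC (page's sample name)
$SiteName = 'Default-First-Site-Name'   # site it belonged to
$ConfigNC = (Get-ADRootDSE).configurationNamingContext   # CN=Configuration,DC=Domain_name,DC=com
$DomainNC = (Get-ADRootDSE).defaultNamingContext         # DC=Domain_name,DC=com

$ServerDn   = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$ConfigNC"
$NtdsDn     = "CN=NTDS Settings,$ServerDn"                       # DSA object
$ComputerDn = "CN=$DcName,OU=Domain Controllers,$DomainNC"       # computer account

function Get-LingeringDcMetadata {
    # Returns each object that still identifies $DcName to the replication system,
    # together with its ProtectedFromAccidentalDeletion flag (the usual cause of
    # the "Access is denied" error described in the article).
    foreach ($dn in @($NtdsDn, $ServerDn, $ComputerDn)) {
        $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
        if ($obj) {
            [pscustomobject]@{
                DistinguishedName = $dn
                Protected         = [bool]$obj.ProtectedFromAccidentalDeletion
            }
        }
    }
}

# 1. Inventory what is left behind and clear the protection flag where it is set.
$left = Get-LingeringDcMetadata
$left | Format-Table -AutoSize
$left | Where-Object Protected | ForEach-Object {
    Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
}

# 2. Same operation as the interactive session (metadata cleanup -> remove selected
#    server), but passing the server DN directly instead of walking the numbered
#    domain/site/server lists. ntdsutil still shows its confirmation warning.
if ($left.DistinguishedName -contains $NtdsDn) {
    ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
}

# 3. Confirm nothing still points at the retired DC. Any leftover object (for example
#    the computer account) can then be removed with Remove-ADObject -Recursive.
Get-LingeringDcMetadata
Get-ADDomainController -Filter "Name -eq '$DcName'"    # expected: no output
repadmin /showrepl                                      # expected: no partner named SERVERB
```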