Metadata Cleanup of Domain Controllers
Note: Use the steps below only when a graceful demotion of the server with DCPROMO has failed. Metadata cleanup removes the stale DC's objects from the directory; it does not touch the server itself.
Note: You may get an error while demoting if your forest has a mix of Windows Server 2003 and 2008 Domain Controllers.
Typical errors look like: LDAP Error 0x32 <50> (Insufficient rights) or Win32 error 0x5 (Access is denied).
There is an easier way to demote when you hit that error (will be posting it soon).
Scenario:
– Server1 should be demoted from XYZ Domain.
– ABC.XYZ.com is a healthy, writable Domain Controller in the domain; the cleanup is run against it.
– We have total of 3 sites in the whole network, Site1, Site2 & Site3
– The plan is to Demote Server1 hosted in Site3
– Log in to any Domain Controller with an account that is a member of Enterprise Admins (metadata cleanup writes to the Configuration partition, which is why the "Insufficient rights" errors above appear with a lesser account) and follow the steps below.
Note: In the transcript below, the text after each prompt (ntdsutil:, metadata cleanup:, server connections:, select operation target:) is what you type; everything else is the tool's output. Replace ABC, XYZ, Server1 and Site3 with your own names. The list indexes are zero-based, so always select the number ntdsutil printed next to the object, not its position in the list.
Open the Command Prompt from the server and run the below commands:
C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server ABC
Binding to ABC …
Connected to ABC using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domain
Found 1 domain(s)
0 – DC=XYZ,DC=com
select operation target: select domain 0
No current site
Domain – DC=XYZ,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 3 site(s)
0 – CN=Site1,CN=Sites,CN=Configuration,DC=XYZ,DC=com
1 – CN=Site2,CN=Sites,CN=Configuration,DC=XYZ,DC=com
2 – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
select operation target: select site 2
Site – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
Domain – DC=XYZ,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 – CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
1 – CN=Server2,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
select operation target: select server 0
Site – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
Domain – DC=XYZ,DC=com
Server – CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
DSA object – CN=NTDS Settings,CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
DNS host name – Server1.XYZ.com
Computer object – CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under “CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com”.
Removing FRS member “CN=Server1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XYZ,DC=com”.
Deleting subtree under “CN=Server1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XYZ,DC=com”.
Deleting subtree under “CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com”.
The attempt to remove the FRS settings on CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com failed because “Element not found.”; metadata cleanup is continuing.
(This message is expected here: the FRS member object was already deleted a few lines earlier, so the second lookup finds nothing. It is not a failure of the cleanup.)
“CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com” removed from server “ABC”
metadata cleanup: quit
ntdsutil: quit
Disconnecting from ABC…
Now Server1 should no longer appear under Site3 in Active Directory Sites and Services, and its computer object should be gone from the Domain Controllers OU. Two things remain to be done by hand, because ntdsutil does not do them: verify in Active Directory Users and Computers / the FSMO role holders that no role still points to Server1, and delete Server1's DNS records (its host A record and the SRV records under _msdcs). Stale DC records are not just clutter: clients and the remaining Domain Controllers will keep trying to locate, authenticate against and replicate with a server that no longer exists.
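The following PowerShell script is an added verification example and is not part of the original article. It checks, against the healthy DC ABC, everything the cleanup above should have removed: the NTDS Settings, server, computer and FRS member objects of Server1, the FSMO role holders, the DC locator SRV records and host A record in DNS, and ABC's replication links. It assumes the scenario names (domain XYZ.com, site Site3, stale DC Server1, healthy DC ABC.XYZ.com), that ABC also runs DNS for the zone, and that the ActiveDirectory RSAT module is installed on the machine it runs on.

```powershell
# Added verification script, not from the original article.
# Assumed names from the scenario; change them for your environment.
Import-Module ActiveDirectory

$DomainDns = 'XYZ.com'
$DomainDn  = 'DC=XYZ,DC=com'
$StaleDc   = 'Server1'
$SiteName  = 'Site3'
$CleanDc   = 'ABC.XYZ.com'   # assumed: healthy DC that is also a DNS server

$configDn   = "CN=Configuration,$DomainDn"
$serverDn   = "CN=$StaleDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
$ntdsDn     = "CN=NTDS Settings,$serverDn"
$computerDn = "CN=$StaleDc,OU=Domain Controllers,$DomainDn"
$frsDn      = "CN=$StaleDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"

function Test-ObjectGone {
    param([string]$Dn)
    # Get-ADObject throws ADIdentityNotFoundException for a missing DN;
    # for this check that exception is the good outcome.
    try {
        $null = Get-ADObject -Identity $Dn -Server $CleanDc -ErrorAction Stop
        return $false
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $true
    }
}

$findings = @()

# 1. Objects that "remove selected server" is supposed to delete.
foreach ($dn in $ntdsDn, $serverDn, $computerDn, $frsDn) {
    if (-not (Test-ObjectGone $dn)) { $findings += "Still present: $dn" }
}

# 2. No FSMO role may still be recorded on the removed DC.
$domain = Get-ADDomain -Server $CleanDc
$forest = Get-ADForest -Server $CleanDc
$roleHolders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $roleHolders.Keys) {
    if ($roleHolders[$role] -like "$StaleDc.*") {
        $findings += "FSMO role $role still held by $StaleDc"
    }
}

# 3. DNS: ntdsutil never touches DNS, so the DC locator records must be
#    removed by hand. Check the forest-wide and site-specific SRV names.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainDns",
    "_kerberos._tcp.dc._msdcs.$DomainDns",
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainDns"
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -Server $CleanDc -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        if ($r.NameTarget -like "$StaleDc.*") {
            $findings += "Stale SRV record: $name -> $($r.NameTarget)"
        }
    }
}
$aRecord = Resolve-DnsName -Name "$StaleDc.$DomainDns" -Type A -Server $CleanDc -ErrorAction SilentlyContinue
if ($aRecord) { $findings += "Host A record for $StaleDc.$DomainDns still resolves" }

# 4. The healthy DC must no longer hold a replication link to the stale one.
$stalePartners = Get-ADReplicationPartnerMetadata -Target $CleanDc -ErrorAction SilentlyContinue |
    Where-Object { $_.Partner -like "*CN=$StaleDc,*" }
if ($stalePartners) { $findings += "$CleanDc still has replication links to $StaleDc" }

if ($findings.Count -eq 0) {
    "Metadata cleanup verified: no trace of $StaleDc on $CleanDc"
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Run it from an elevated PowerShell session with Enterprise Admin rights, ideally after allowing one replication cycle so that the deletion has reached every DC. Any WARNING line points at leftover state that the ntdsutil session did not, or could not, remove; the DNS findings in particular are the ones most often forgotten after a forced removal.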