Metadata Cleanup of Domain Controllers
Note: You must try the below steps only when the Graceful demoting of the server fails from “DCPROMO”
Note: You may get a error while demoting if you have a forest with 2003 and 2008 mixed Domain Controllers.
: Some of the errors will be like: LDAP Error 0x32<50<Insufficient rights> or: Win32 error returned is 0x5<Access is Denied>
: There is a easy steps to demote if you have the error. (Will be posting it soon)
Scenario:
– Server1 should be demoted from XYZ Domain.
– ABC.XYZ.com is the primary Domain Controller in the Domain.
– We have total of 3 sites in the whole network, Site1, Site2 & Site3
– The plan is to Demote Server1 hosted in Site3
– Login to any of the Domain Controllers and follow the below steps
Note: Words marked in BLUE are the entries which should be input by you.
Open the Command Prompt from the server and run the below commands:
C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server ABC
Binding to ABC …
Connected to ABC using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domain
Found 1 domain(s)
0 – DC=XYZ,DC=com
select operation target: select domain 0
No current site
Domain – DC=XYZ,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 3 site(s)
0 – CN=Site1,CN=Sites,CN=Configuration,DC=XYZ,DC=com
1 – CN=Site2,CN=Sites,CN=Configuration,DC=XYZ,DC=com
2 – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
select operation target: select site 3
Site – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
Domain – DC=XYZ,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 – CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
1 – CN=Server2,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
select operation target: select server 0
Site – CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
Domain – DC=XYZ,DC=com
Server – CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
DSA object – CN=NTDS Settings,CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com
DNS host name – Server1.XYZ.com
Computer object – CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com
No current Naming Context
select operation target: quit
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under “CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com”.
Removing FRS member “CN=Server1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XYZ,DC=com”.
Deleting subtree under “CN=Server1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=XYZ,DC=com”.
Deleting subtree under “CN=Server1, OU=Domain Controllers,DC=XYZ,DC=com”.
The attempt to remove the FRS settings on CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com failed because “Element not found.”;
metadata cleanup is continuing.
“CN=Server1,CN=Servers,CN=Site3,CN=Sites,CN=Configuration,DC=XYZ,DC=com” removed from server “ABC”
metadata cleanup: quit
ntdsutil: quit
Disconnecting from ABC…
Now you should be able to see “ntdsutil” missing from the Active Directory Sites and Services from the particular Site.
