Metadata Cleanup

We have a server 2003 R2 AD set up that was replicated between two sites. The sites have decided to go their own way and the network link between the two sites was cut, stopping replication. To expedite the separation rather than create a new AD set up for one site the FSMO roles were seized and the replication links removed from AD Sites and Services and name servers removed from DNS.

The problem now is that because the sites were removed from AD Sites and Services the disconnected servers do not appear when using ntdsutil metadata cleanup. However the disconnected DCs still exist in AD Users and Computers.

Could anyone advise how to safely remove any metadata from AD in this scenario?

In addition to this can I simply delete disconnected reverse lookup zones in DNS?

Thanks


August 24th, 2015 10:29am

A plethora of info is available for metadata cleanup. Though it is a relatively safe procedure, do a good backup before you use the ntdsutil function. Here is some official and unofficial info:

https://support.microsoft.com/en-us/kb/216498
https://technet.microsoft.com/en-us/library/jj679892.aspx
https://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

HTH

Milos

August 24th, 2015 10:35am

Hi

You can use ntdsutil to safely remove this broken DC from the domain.

Check for metadata cleanup

https://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx?f=255&mspperror=-2147217396

Also make sure the AD DS, DNS, DFS and AD Sites and Services records are updated after metadata cleanup.

August 24th, 2015 10:38am

Hi,

Assuming that you are not able to see the old domain controller while doing ntdsutil metadata cleanup, I suggest you first take a backup of the System State.

You can then manually delete the Computer object for the failed DC from the ADUC Domain Controllers OU. Check each and every folder in DNS to remove the records related to the failed domain controller.

Or you can use ADSI Edit to remove the objects related to the old DC. Please refer to:
http://www.howtonetworking.com/domain/adsiedit1.htm

https://support.microsoft.com/en-us/kb/555846


August 24th, 2015 10:53am

Thanks and this is the process I've tried to use but...

list sites - only shows the local site, as the disconnected site was removed from AD Sites and Services before doing metadata cleanup.

Therefore the only site you can connect to is the local site, and when you get to "list servers in site" the only servers listed are the remaining active DCs, which need to stay active.

As this is the case I presume I will just need to delete the disconnected DCs from ADUC and use ADSI Edit (very carefully) to remove any entries left over?

Thanks again

August 24th, 2015 10:58am

Hi,

Yes, you can remove the decommissioned DC from AD. First run the following command to see if any FSMO roles reside on that DC. If yes, kindly transfer or seize the role.

netdom query fsmo


Once you have done the above steps, download the script from the link below for metadata clean-up.

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Copy the code into Notepad and save it as metadatacleanup.vbs. Then open a command prompt (Run as administrator) on one of the DCs, go to the path where you saved the script, and run: cscript metadatacleanup.vbs

It will ask for the name of the domain controller which you want to remove; just type the decommissioned DC's name and the script will remove it automatically. Once this is done you have to remove the decommissioned DC from DNS manually as given below.

Manual Steps

Dnsmgmt.msc [DNS Management]
 A. Expand the forward lookup zones\_msdcs folder
  i. Make sure only the actual domain controllers are listed; delete wrong Alias (CNAME) records and remove wrong name server records.
  ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites\sitename\_tcp] and delete any incorrect _ldap and _kerberos records that are listed.
  iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records.
  iv. Expand [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries.
  v. Select [forward lookup zones\_msdcs.domain.com\gc] and delete incorrect Host (A) records.
  vi. Expand [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] and delete incorrect _ldap entries.
  vii. Select [forward lookup zones\_msdcs.domain.com\gc\_tcp] and delete incorrect _ldap entries.
  viii. Select [forward lookup zones\_msdcs.domain.com\pdc\_tcp] and delete incorrect _ldap entries.

 B. Expand the forward lookup zones\domain.com folder
  i. Delete Host (A) records of DCs which are non-existent.
  ii. Correct the Name Server (NS) records.
  iii. Follow steps similar to A.ii through A.viii.

Dssite.msc [Sites and Services]
 A. Expand [Sites\Sitename\Servers] and delete incorrect servers.
 B. Delete incorrect subnet configurations [Sites\Subnets].
 C. Delete incorrect site links [Sites\IP].

 Make sure the domain controllers are pointing to the correct DNS servers in TCP/IP settings.
 Force replication: repadmin /syncall

August 24th, 2015 11:08am
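The FSMO check, the ADSI Edit / ADUC clean-up suggested earlier in the thread and the manual DNS walk in the answer above all amount to "find every object or record that still names the old DC, then delete it". The following PowerShell script is an added example, not code from this thread or from any of its posters, that does that audit in one place and only deletes when asked. It assumes the RSAT ActiveDirectory and DnsServer modules on the machine running it and a DNS server of Windows Server 2012 or later for the DNS part (the DnsServer cmdlets cannot manage a 2003 DNS server; `dnscmd /enumrecords` is the equivalent there). `$OldDcName`, `$OldDcIp` and the script file name are placeholders.

```powershell
<#
  Added example (not from the thread): audit, and optionally remove, the references a
  decommissioned DC leaves behind when ntdsutil can no longer see it because its site
  object was already deleted. Report-only unless -Remove is given; -Remove honours -WhatIf.
  Usage:  .\Find-StaleDcReferences.ps1 -OldDcName OLDDC01 -OldDcIp 10.0.0.5            # report
          .\Find-StaleDcReferences.ps1 -OldDcName OLDDC01 -OldDcIp 10.0.0.5 -Remove -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$OldDcName,   # host name of the removed DC (placeholder)
    [string]$OldDcIp,                            # its old IP, to catch same-as-parent / gc A records
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [switch]$Remove                              # default is report-only
)

Import-Module ActiveDirectory
Import-Module DnsServer

# 1. FSMO check first: the answer above says to transfer or seize roles before removing the DC.
$forest = Get-ADForest
$dom    = Get-ADDomain -Identity $Domain
$roles  = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDcName.*" })
if ($held.Count -gt 0) {
    throw "Stop: $OldDcName still holds FSMO role(s): $(($held | ForEach-Object Key) -join ', '). Seize them first."
}

# 2. Leftover directory objects: the server object under Sites (its NTDS Settings child comes
#    with it), the computer account in the Domain Controllers OU, and FRS/DFSR SYSVOL members.
$configNC = (Get-ADRootDSE).configurationNamingContext
$domainDN = $dom.DistinguishedName
$searches = @(
    @{ Base = "CN=Sites,$configNC";              Filter = "(&(objectClass=server)(cn=$OldDcName))" },
    @{ Base = "OU=Domain Controllers,$domainDN"; Filter = "(&(objectClass=computer)(cn=$OldDcName))" },
    @{ Base = "CN=System,$domainDN";             Filter = "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$OldDcName))" }
)
$leftovers = foreach ($s in $searches) {
    Get-ADObject -SearchBase $s.Base -LDAPFilter $s.Filter -ErrorAction SilentlyContinue
}

# 3. DNS records that still point at the old DC: the SRV, CNAME, NS and A records the manual
#    steps above walk through, in both the domain zone and its _msdcs zone.
$fqdn = "$OldDcName.$Domain"
$dnsHits = foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
      Where-Object {
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$fqdn*") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$fqdn*") -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$fqdn*") -or
        ($_.RecordType -eq 'A'     -and ($_.HostName -eq $OldDcName -or
            ($OldDcIp -and $_.RecordData.IPv4Address.IPAddressToString -eq $OldDcIp)))
      } | ForEach-Object { [pscustomobject]@{ Zone = $zone; Record = $_ } }
}

# 4. Report, then remove only when -Remove is given; every deletion goes through ShouldProcess,
#    so -WhatIf previews and -Confirm prompts still apply.
foreach ($obj in $leftovers) { Write-Output "AD object : $($obj.DistinguishedName)" }
foreach ($hit in $dnsHits)   { Write-Output "DNS record: [$($hit.Zone)] $($hit.Record.HostName) $($hit.Record.RecordType)" }

if ($Remove) {
    foreach ($obj in $leftovers) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove AD object (subtree)')) {
            Remove-ADObject -Identity $obj -Recursive -Confirm:$false
        }
    }
    foreach ($hit in $dnsHits) {
        if ($PSCmdlet.ShouldProcess("$($hit.Zone)/$($hit.Record.HostName)", "Remove $($hit.Record.RecordType) record")) {
            Remove-DnsServerResourceRecord -ZoneName $hit.Zone -InputObject $hit.Record -Force
        }
    }
}
```

Run it in report mode first and compare the list against what you expect from the manual steps above; the A-record match by IP is there because the same-as-parent records in domain.com and the gc records in _msdcs carry only an address, not the DC's name. On 2008 and later the computer object in the Domain Controllers OU may be protected from accidental deletion and need that flag cleared first, and a System State backup before `-Remove` is still the right order of operations.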

As this is the case I presume I will just need to delete the disconnected DCs from ADUC and use ADSI Edit (very carefully) to remove any entries left over?

Thanks again

Yes, in "Active Directory Users and Computers", just right-click the computer object of the domain controller whose metadata you want to clean up, and then click "Delete".
 

Regards,

Eth

August 25th, 2015 3:08am
