Tech Master

OneStopTechnical Forum

Metadata cleanup in Active Directory

blog.payperitem.com, April 15, 2025

Performing metadata cleanup in Active Directory is necessary when a domain controller (DC) has been forcefully removed or decommissioned incorrectly, leaving stale references in AD. This can cause replication issues and other problems.

Here’s a step-by-step guide for performing metadata cleanup in Windows Server (applies to Server 2012 and later, including 2019/2022):


✅ 1. Use Active Directory Users and Computers to Remove the DC (if still visible)

Before using command-line tools, try this:

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Navigate to the Domain Controllers OU.
  3. If the stale DC is listed, right-click > Delete.
  4. Confirm the deletion and choose “This domain controller is permanently offline” if prompted.

✅ 2. Use ntdsutil for Full Metadata Cleanup

a. Launch ntdsutil:

ntdsutil

b. Enter metadata cleanup:

metadata cleanup

c. Connect to the correct server (a live DC) through the connections menu, then return to the metadata cleanup menu:

connections
connect to server <YourLiveDCName>
quit

d. Select the domain:

select operation target
list domains
select domain <number>

e. Select the site:

list sites
select site <number>

f. Select the failed server:

list servers in site
select server <number>

g. Return to the metadata cleanup menu and remove the selected server:

quit
remove selected server

h. Quit the metadata cleanup menu, then ntdsutil:

quit
quit

✅ 3. Clean up DNS

Manually remove:

  • A and CNAME records of the old DC.
  • SRV records under zones like:
    • _msdcs.domain.com
    • _sites
    • _tcp
    • _udp

Use DNS Manager (dnsmgmt.msc) to find and delete any leftover records.


✅ 4. Clean up Sites and Services

Open Active Directory Sites and Services (dssite.msc):

  • Expand the site the server belonged to.
  • Expand Servers.
  • If the old server still exists, delete it.
  • Also remove associated NTDS Settings if still present.

✅ 5. Optional – Use PowerShell for Detection

To find orphaned DC metadata, list the domain controllers AD still knows about and look for any server that no longer exists:

Get-ADDomainController -Filter * | Select-Object Name,IsGlobalCatalog,IPv4Address,Site
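
A wider read-only check, added here as an example and not part of the original post: it cross-checks each server object under CN=Sites for an NTDS Settings child, a matching computer account and LDAP reachability, then lists DNS SRV targets that match no DC. It assumes a single-domain forest and the RSAT ActiveDirectory module; the report field names are illustrative.

```powershell
# Added example: read-only checks for leftover DC references; nothing is modified.
# Assumes a single-domain forest and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# Server objects under CN=Sites (the view shown in dssite.msc).
$servers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' `
    -Properties dNSHostName, serverReference

$report = foreach ($srv in $servers) {
    # A functioning DC has an NTDS Settings (nTDSDSA) child under its server object.
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'

    # serverReference should resolve to an existing computer account.
    $account = $null
    if ($srv.serverReference) {
        try   { $account = Get-ADObject -Identity $srv.serverReference -ErrorAction Stop }
        catch { $account = $null }
    }

    # LDAP reachability; a DC that is only down for maintenance also fails this test.
    $reachable = $false
    if ($srv.dNSHostName) {
        $reachable = Test-NetConnection -ComputerName $srv.dNSHostName -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        Server          = $srv.Name
        DnsName         = $srv.dNSHostName
        HasNtdsSettings = [bool]$ntds
        HasComputerAcct = [bool]$account
        LdapReachable   = $reachable
    }
}

# SRV targets still registered under the domain's DC locator record.
$srvTargets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
    Where-Object Type -eq 'SRV' | ForEach-Object { $_.NameTarget.TrimEnd('.') }
$liveNames = ($report | Where-Object HasNtdsSettings).DnsName

# Candidates for review: incomplete server objects and SRV targets matching no DC.
$report | Where-Object { -not ($_.HasNtdsSettings -and $_.HasComputerAcct -and $_.LdapReachable) }
$srvTargets | Where-Object { $_ -notin $liveNames }
```

Treat the output as candidates to verify against your decommissioning records, not as a delete list.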


🚨 Things to Watch Out For

  • Never do metadata cleanup on a live/healthy DC; the server you remove must be one that is permanently offline.
  • Always verify replication is healthy afterwards:
      repadmin /replsummary
      repadmin /showrepl *
  • Backup AD before performing metadata cleanup.
