Metadata cleanup in Active Directory

blog.payperitem.com,

Performing metadata cleanup in Active Directory is necessary when a domain controller (DC) has been forcefully removed or decommissioned incorrectly, leaving stale references in AD. This can cause replication issues and other problems.

Here’s a step-by-step guide for performing metadata cleanup in Windows Server (applies to Server 2012 and later, including 2019/2022):

1. Use Active Directory Users and Computers to Remove the DC (if still visible)

Before using command-line tools, try this:

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Navigate to Domain Controllers OU.
  3. If the stale DC is listed, right-click > Delete.
  4. Confirm the deletion and choose “This domain controller is permanently offline” if prompted.

2. Use ntdsutil for Full Metadata Cleanup

a. Launch ntdsutil:

ntdsutil

b. Enter metadata cleanup:

ntdsutil

metadata cleanup

c. Connect to the correct server:

ntdsutil:

connect to server <YourLiveDCName>

d. Select the domain:

ntdsutil:
select operation target
list domains
select domain <number>

e. Select the site:

ntdsutil:
list sites
select site <number>

f. Select the failed server:

ntdsutil:
list servers in site
select server <number>

g. Remove the selected server:

ntdsutil:quit
remove selected server

h. Quit:

ntdsutil quit
quit

3. Clean up DNS

Manually remove:

  • A and CNAME records of the old DC.
  • SRV records under zones like:
    • _msdcs.domain.com
    • _sites
    • _tcp
    • _udp

Use DNS Manager (dnsmgmt.msc) to find and delete any leftover records.

4. Clean up Sites and Services

Open Active Directory Sites and Services (dssite.msc):

  • Expand the site the server belonged to.
  • Expand Servers.
  • If the old server still exists, delete it.
  • Also remove associated NTDS Settings if still present.

5. Optional – Use PowerShell for Detection

To find orphaned DC metadata:

Get-ADDomainController -Filter * | Select-Object Name,IsGlobalCatalog,IPv4Address,Site

🚨 Things to Watch Out For

  • Never do metadata cleanup on a live/healthy DC.
  • Always verify replication is healthy after: cmdCopyEditrepadmin /replsummary repadmin /showrepl *
  • Backup AD before performing metadata cleanup.

Active Directory Security Server 2025 Windows

Related Posts

User Unable to Log In to Domain

Situation: A user reports they are unable to log in to their workstation, receiving an error that states, “The user name or password is incorrect.” Step 1: Verify User Credentials Step 2: Check Username and Domain Name Step 3: Account Status Step 4: Network Connectivity Step 5: DNS Configuration Step…

Read More