In this article we will look at how to remove the data that a domain controller leaves behind in Active Directory after an unsuccessful demotion (metadata cleanup).

Windows Server 2003 Service Pack 1 and later service packs: improved version of Ntdsutil.exe

The version of Ntdsutil.exe that ships with SP1 and later service packs performs the following actions when you run metadata cleanup:

  1. Deletes the NTDS Settings object (class nTDSDSA) of the removed domain controller.
  2. Deletes the inbound Active Directory connection objects that reference it.
  3. Deletes its computer account.
  4. Deletes its FRS member object.
  5. Deletes its FRS subscriber objects.
  6. Seizes any flexible single master operation (FSMO) roles held by the removed DC.
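To check whether those leftovers are actually gone, the following PowerShell function is an added, read-only audit (it is not from the original article) that looks for each of the objects listed above, plus the DNS records covered later in the article, for a named DC. It assumes the ActiveDirectory and DnsServer RSAT modules, that it runs on a surviving DC that also hosts DNS, that `_msdcs.<forest root>` is its own zone (the default since Windows Server 2003), and that `DC2` and `Default-First-Site-Name` are placeholder names.

```powershell
# Added example, not from the original article: report which metadata-cleanup
# artifacts are still present for a DC whose demotion failed. Read-only.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-StaleDcMetadata {
    param(
        [Parameter(Mandatory)] [string] $DcName,      # hostname of the failed DC, e.g. "DC2" (assumed)
        [Parameter(Mandatory)] [string] $SiteName,    # AD site it belonged to (assumed)
        [string] $DnsServer = $env:COMPUTERNAME       # DNS server to query
    )
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $found    = New-Object 'System.Collections.Generic.List[string]'

    # 1. Server object and its NTDS Settings (nTDSDSA) in the Configuration partition
    $server = Get-ADObject -Filter "Name -eq '$DcName'" -SearchScope OneLevel `
                -SearchBase "CN=Servers,CN=$SiteName,CN=Sites,$configNC" -ErrorAction SilentlyContinue
    $ntds = $null
    if ($server) {
        $found.Add("Server object still present: $($server.DistinguishedName)")
        $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchScope OneLevel `
                  -SearchBase $server.DistinguishedName -ErrorAction SilentlyContinue
        if ($ntds) { $found.Add("NTDS Settings object still present: $($ntds.DistinguishedName)") }
    }

    # 2. Connection objects on other DCs whose fromServer still points at the dead DC
    Get-ADObject -Filter "objectClass -eq 'nTDSConnection'" -SearchBase "CN=Sites,$configNC" -Properties fromServer |
        Where-Object { $_.fromServer -like "*,CN=$DcName,CN=Servers,*" } |
        ForEach-Object { $found.Add("Connection object still references it: $($_.DistinguishedName)") }

    # 3. Computer account (and 5. FRS subscriber objects, which live beneath it)
    $computer = Get-ADComputer -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue
    if ($computer) {
        $found.Add("Computer account still present: $($computer.DistinguishedName)")
        Get-ADObject -Filter "objectClass -eq 'nTFRSSubscriber'" -SearchBase $computer.DistinguishedName |
            ForEach-Object { $found.Add("FRS subscriber still present: $($_.DistinguishedName)") }
    }

    # 4. FRS member object, and the DFSR member object that ntdsutil never touches
    foreach ($class in 'nTFRSMember', 'msDFSR-Member') {
        Get-ADObject -Filter "objectClass -eq '$class' -and Name -eq '$DcName'" -SearchBase "CN=System,$domainNC" |
            ForEach-Object { $found.Add("$class object still present: $($_.DistinguishedName)") }
    }

    # 6. FSMO roles that still name the dead DC as owner
    $roles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
                PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
                InfrastructureMaster = $domain.InfrastructureMaster }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -like "$DcName.*") { $found.Add("FSMO role $($r.Key) still held by $($r.Value)") }
    }

    # DNS: the _msdcs CNAME is named after the DSA GUID, then the A and NS records
    if ($ntds) {
        $cname = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$($forest.RootDomain)" `
                   -Name $ntds.ObjectGUID.ToString() -RRType CName -ErrorAction SilentlyContinue
        if ($cname) { $found.Add("_msdcs CNAME still present: $($cname.HostName)") }
    }
    $a = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $domain.DNSRoot -Name $DcName -RRType A -ErrorAction SilentlyContinue
    if ($a) { $found.Add("A record still present: $($a.RecordData.IPv4Address)") }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $domain.DNSRoot -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -like "$DcName.*" } |
        ForEach-Object { $found.Add("NS record still lists it: $($_.RecordData.NameServer)") }

    return $found
}

# Usage (placeholder names): an empty result means nothing is left to clean up.
Get-StaleDcMetadata -DcName 'DC2' -SiteName 'Default-First-Site-Name'
```

Run it before cleanup to confirm what the failed demotion left behind, and again afterwards; any FSMO line in the output is the one to act on first, because a role seated on a dead DC blocks schema changes, RID allocation or password operations for the whole domain until it is seized.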

Procedure to remove data from Active Directory after an unsuccessful domain controller demotion

Procedure 1: Windows Server 2003 SP1 and later service packs only

  1. Click Start, point to Programs, then Accessories, and click Command Prompt.
  2. Type ntdsutil and press Enter.
  3. Type metadata cleanup and press Enter.
  4. Type connections and press Enter.
  5. Type connect to server servername (where servername is a working domain controller) and press Enter.
  6. Type quit and press Enter. The Metadata Cleanup menu appears.
  7. Type select operation target and press Enter.
  8. Type list domains and press Enter.
  9. Type select domain number (using the number of the domain from the list) and press Enter.
  10. Type list sites and press Enter.
  11. Type select site number and press Enter.
  12. Type list servers in site and press Enter.
  13. Type select server number, using the number of the server you want to remove.
  14. Type quit and press Enter. The Metadata Cleanup menu appears.
  15. Type remove selected server and press Enter.
  16. Type quit and press Enter at each menu to quit the Ntdsutil utility.
  17. Remove the server's CNAME record in DNS.
  18. Use the DNS MMC snap-in to remove the server's A record in DNS.
  19. Click the domain's Forward Lookup Zones and remove this server from the Name Servers tab.
  20. Use ADSIEdit to delete the trustedDomain object.
  21. Use Active Directory Sites and Services to remove the domain controller's server object.
  22. If you use DFS Replication on Windows Server 2008 and later, Ntdsutil.exe does not clean up the DFS Replication objects. Use Adsiedit.msc to remove them.
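The 22 steps above can be scripted on Windows Server 2008 and later, where ntdsutil accepts the server's distinguished name directly (no connections submenu or numbered selection) and the DnsServer module replaces the DNS MMC work. The function below is an added example, not code from the original article: it assumes the ActiveDirectory and DnsServer RSAT modules, that it runs on a surviving DC that also hosts DNS, that `_msdcs.<forest root>` is a separate zone, and that `DC2` and `Default-First-Site-Name` are placeholder names. It is destructive and should only run once the DC is known to be permanently gone.

```powershell
# Added example, not from the original article: scripted equivalent of Procedure 1
# for Windows Server 2008 and later. Destructive; audit first.
Import-Module ActiveDirectory
Import-Module DnsServer

function Remove-StaleDcMetadata {
    param(
        [Parameter(Mandatory)] [string] $DcName,      # e.g. "DC2" (assumed)
        [Parameter(Mandatory)] [string] $SiteName,    # e.g. "Default-First-Site-Name" (assumed)
        [string] $DnsServer = $env:COMPUTERNAME       # DNS server holding the zones
    )
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $serverDN = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    $zone     = $domain.DNSRoot

    # Capture the DSA GUID before anything is deleted: the _msdcs CNAME (step 17) is named after it.
    $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $serverDN -SearchScope OneLevel -ErrorAction SilentlyContinue
    $dsaGuid = if ($ntds) { $ntds.ObjectGUID.ToString() } else { $null }

    # Steps 2-16 in a single ntdsutil call. On Server 2008+ 'remove selected server' takes the
    # server DN; ntdsutil still pops a confirmation dialog and seizes any FSMO roles the DC held.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDN" quit quit

    # Step 17: CNAME in _msdcs.<forest root>
    if ($dsaGuid) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$($forest.RootDomain)" `
            -Name $dsaGuid -RRType CName -Force -ErrorAction SilentlyContinue
    }
    # Step 18: the A record, so no client resolves the dead DC's (possibly reassigned) address
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Name $DcName -RRType A -Force -ErrorAction SilentlyContinue
    # Step 19: the NS record at the zone apex (what the Name Servers tab edits)
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Name '@' -RRType NS `
        -RecordData "$DcName.$zone." -Force -ErrorAction SilentlyContinue

    # Step 21: the server object left in Sites and Services
    Remove-ADObject -Identity $serverDN -Recursive -Confirm:$false -ErrorAction SilentlyContinue

    # Step 22: the DFS Replication member object for SYSVOL, which ntdsutil does not remove
    Get-ADObject -Filter "objectClass -eq 'msDFSR-Member' -and Name -eq '$DcName'" -SearchBase "CN=System,$domainNC" |
        ForEach-Object { Remove-ADObject -Identity $_ -Recursive -Confirm:$false }
}

# Usage (placeholder names):
Remove-StaleDcMetadata -DcName 'DC2' -SiteName 'Default-First-Site-Name'
```

Step 20 (the trustedDomain object) is left to ADSIEdit on purpose: it only applies when the removed DC was the last one in its domain, and deleting the wrong trust object breaks authentication across the forest. Because every delete here is idempotent and errors are suppressed, the script can be re-run after a partial failure; pair it with the audit function to confirm an empty result at the end.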

Procedure 2: Windows 2000 (all versions) and Windows Server 2003 RTM

  1. Click Start, point to Programs, then Accessories, and click Command Prompt.
  2. Type ntdsutil and press Enter.
  3. Type metadata cleanup and press Enter.
  4. Type connections and press Enter.
  5. Type connect to server servername (where servername is a working domain controller) and press Enter.
  6. Type quit and press Enter. The Metadata Cleanup menu appears.
  7. Type select operation target and press Enter.
  8. Type list domains and press Enter.
  9. Type select domain number and press Enter.
  10. Type list sites and press Enter.
  11. Type select site number and press Enter.
  12. Type list servers in site and press Enter.
  13. Type select server number, using the number of the server you want to remove.
  14. Type quit and press Enter. The Metadata Cleanup menu appears.
  15. Type remove selected server and press Enter.
  16. Type quit and press Enter at each menu to quit the Ntdsutil utility.
  17. Remove the server's CNAME record in DNS.

It is best to remove the hostname and the other DNS records of the failed domain controller as well. If they remain and the offline server's address was assigned by DHCP (Dynamic Host Configuration Protocol), another client can later be given the failed DC's IP address, and the stale records will then direct domain traffic to it.