Domain Controller Demotion and Metadata Cleanup

We have all witnessed domain controllers crashing due to hardware failure or a database issue, where it becomes mandatory to remove the DC using either graceful or forceful demotion. This article presents the methods for demoting a DC gracefully or forcefully, and the cleanup that must follow.

Consider a DC that was serving as the PDC and crashed. What did you do? You seized the FSMO roles on a healthy DC and then transferred all other AD services (DNS, GC, DHCP, etc.) to it. You thought you were done, but you skipped an important step: removing and cleaning the crashed DC's objects and references from AD, so that the other DCs know this DC no longer exists.

There are two types of demotion of a DC. One is normal demotion using DCPROMO; the other is forceful removal using DCPROMO /FORCEREMOVAL. (Keep in mind that your first option should always be a graceful demotion; only if that does not work should you use forced removal.) Using DCPROMO /FORCEREMOVAL requires the additional step of metadata cleanup. If the server has crashed there is no possibility of graceful demotion, because graceful demotion only works when you can still run dcpromo on the DC to remove AD. If the DC has already crashed, metadata cleanup is the only remaining option.

Metadata cleanup is the process required to remove a failed DC from the domain when it cannot be demoted gracefully.
Does metadata cleanup remove all the entries from AD? The answer is NO, it does not remove all the records from AD. There are a few places where manual cleaning of those objects is required, one of them being the DNS server.
But why doesn't it remove all the records when I perform metadata cleanup following the documented steps? The reason is that DNS has its own aging/scavenging configuration, which removes stale entries from DNS on its own schedule.
When a system/DC is removed, the computer object disappears from AD (as seen in AD Users and Computers) but not from the AD database; it is deleted later according to the TSL (Tombstone Lifetime). In DNS each record has an attribute named dNSTombstoned which can be either True or False. When a host record is removed it is not actually deleted; its dNSTombstoned attribute is set to True, and the record is deleted later by aging/scavenging at the configured interval.

The places to check after either a normal or a forced demotion of a DC are listed below.

- Each and every sub folder inside the _msdcs folder in DNS
- The Name Servers tab of the zone in DNS
- Host (A) records in DNS (including those with the name "(same as parent)")
- The server object and its NTDS Settings in AD Sites and Services
- ADSIEDIT.MSC, connected to the Configuration partition: CN=Configuration,DC=domain,DC=com > CN=Sites > locate the DC to be removed under its site

Note: ADSIEDIT is a powerful tool for editing AD database objects, and any modification made with it is permanent. If you are unsure of what you are doing, take a System State backup first and then make the change, because anything deleted from there can only be restored from a System State backup.

If using NTFRS-based SYSVOL replication, open ADSIEDIT on the Domain Naming Context (DC=domain,DC=com), follow CN=System > CN=File Replication Service > CN=Domain System Volume (SYSVOL share), and delete CN=<DC hostname>.
If using DFSR-based SYSVOL replication, open ADSIEDIT on the Domain Naming Context (DC=domain,DC=com), follow CN=System > CN=DFSR-GlobalSettings > CN=Domain System Volume > CN=Topology, and delete CN=<DC hostname>.
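The following PowerShell script is an added example (not part of the original article) that audits the places listed above for leftover references to a failed DC after metadata cleanup: DNS records in the zone and _msdcs, the server object under CN=Sites, and the NTFRS/DFSR SYSVOL member objects. It assumes the ActiveDirectory and DnsServer RSAT modules are installed; $FailedDc and $Zone are placeholders you must replace.

```powershell
# Added audit example; $FailedDc and $Zone are placeholder values, not from the article.
Import-Module ActiveDirectory
Import-Module DnsServer

$FailedDc  = 'FAILEDDC'                                    # hostname of the failed DC (placeholder)
$Zone      = 'domain.com'                                  # AD-integrated forward zone (placeholder)
$DnsServer = (Get-ADDomainController -Discover).HostName   # any healthy DC that hosts DNS
$Findings  = @()

# 1. DNS: A, NS, SRV and CNAME records in the zone and its _msdcs zone (if delegated separately)
foreach ($z in @($Zone, "_msdcs.$Zone")) {
    $Records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -ErrorAction SilentlyContinue
    foreach ($r in $Records) {
        $d = $r.RecordData
        $hit = switch ($r.RecordType) {
            'A'     { $r.HostName -ieq $FailedDc }                 # host record named after the DC
            'NS'    { $d.NameServer -imatch "^$FailedDc\." }       # Name Servers tab entry
            'SRV'   { $d.DomainName -imatch "^$FailedDc\." }       # _ldap/_kerberos etc. under _msdcs
            'CNAME' { $d.HostNameAlias -imatch "^$FailedDc\." }    # <GUID>._msdcs alias
            default { $false }
        }
        if ($hit) { $Findings += "DNS $($r.RecordType) record '$($r.HostName)' in zone $z" }
    }
}

# 2. Configuration partition: server object (and NTDS Settings beneath it) under CN=Sites
$Config = (Get-ADRootDSE).configurationNamingContext
$Findings += Get-ADObject -SearchBase "CN=Sites,$Config" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { "Server object still present: $($_.DistinguishedName)" }

# 3. Domain partition: NTFRS and DFSR SYSVOL membership objects named after the DC
$Domain = (Get-ADRootDSE).defaultNamingContext
$SysvolBases = @(
    "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$Domain",
    "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$Domain"
)
foreach ($base in $SysvolBases) {
    $Findings += Get-ADObject -SearchBase $base -LDAPFilter "(cn=$FailedDc)" -ErrorAction SilentlyContinue |
        ForEach-Object { "SYSVOL replication member still present: $($_.DistinguishedName)" }
}

# Report only; nothing is deleted, so the output can be reviewed before any ADSIEDIT/DNS change.
if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No leftover references to $FailedDc found." }
```

Run it from a healthy DC after replication has converged; each warning points at one object to remove manually per the steps above.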

Metadata cleanup is made simple in Windows Server 2008, which provides a GUI for it, so if you have any DC running Windows Server 2008 you can perform the metadata cleanup from that DC. It does not matter which DC you choose to clean up the failed DC's records.

Note: Once you have performed the metadata cleanup of a DC, do not immediately reuse the same hostname/IP of the failed DC to build it back as a new DC. You must allow the changes to replicate to all other domain controllers in the forest by waiting for at least one replication cycle to complete. If you have only a few DCs and good bandwidth, you can force the replication using repadmin /syncall /Aped.

The /e switch forces replication between all the DCs in the forest (enterprise-wide), which can generate extra traffic during business hours, so use it at COB (close of business).

Few Questions:

- Is it required to do metadata cleanup on all the DCs, or from a particular DC?

The answer is No and No: it is not run on every DC, and it is not tied to a particular DC; you run it once from any healthy DC and the change replicates.

- Does metadata cleanup remove all the records from AD?

The answer is no, never. There is no tool from Microsoft that removes every record of a failed DC.

- Is metadata cleanup also required after a normal (non-forceful) demotion of a DC?

The answer is no; it is only used for removing a failed domain controller, or one that was demoted using DCPROMO /FORCEREMOVAL.

- Is metadata cleanup required for removing a member server?

The answer is no; it is only required for domain controllers.

Related link for metadata cleanup in Windows Server 2008:

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

Related links for metadata cleanup in Windows Server 2003:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

http://support.microsoft.com/kb/216498

http://support.microsoft.com/kb/555846
