How to remove child domain from active directory domains and trusts
How to remove orphaned domains from Active Directory - Windows Server
Applies to: Windows 10, Windows Server 2012 R2
Original KB number: 230306
Summary
Typically, when the last domain controller for a domain is demoted, the administrator selects the This server is the last domain controller in the domain option in the DCPromo tool. This procedure removes the domain metadata from Active Directory. This article describes how to remove domain metadata from Active Directory if this procedure isn't used, or if all domain controllers are taken offline but not demoted first.
Caution
The administrator must verify that replication has occurred since the demotion of the last domain controller before manually removing the domain metadata. Using the NTDSUTIL tool improperly can cause partial or complete loss of Active Directory functionality.
Removing orphaned domains from Active Directory
Determine the domain controller that holds the Domain Naming Master Flexible Single Master Operations (FSMO) role. To identify the server holding this role:
- Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
- Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then select Operations Master.
- The domain controller that currently holds this role is identified in the Current Operations Master frame.
Note
If the role holder has changed recently, not all computers may have received this change yet because of replication latency.
For more information about FSMO roles, see Active Directory FSMO roles in Windows.
- Verify that all domain controllers for the domain have been demoted.
- Open a command prompt window.
- At the command prompt, type ntdsutil, and then press Enter.
- Type metadata cleanup, and then press Enter.
- Type connections, and then press Enter. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user isn't a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type set creds <domainname> <username> <password>, and then press Enter. For a null password, type null for the password parameter.
- Type connect to server <servername>, where <servername> is the name of the domain controller that holds the Domain Naming Master FSMO role, and then press Enter. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller used in the connection is available and that the credentials you supplied have administrative permissions on the server.
- Type quit, and then press Enter. The Metadata Cleanup menu is displayed.
- Type select operation target, and then press Enter.
- Type list domains, and then press Enter. A list of domains in the forest is displayed, each with an associated number.
- Type select domain <number>, where <number> is the number associated with the domain to be removed, and then press Enter.
- Type quit, and then press Enter. The Metadata Cleanup menu is displayed.
- Type remove selected domain, and then press Enter. You should receive confirmation that the removal was successful. If an error occurs, see the Microsoft Knowledge Base for articles on specific error messages.
- Type quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.
References
For more information about the NTDSUTIL tool, see the Support Tools documentation located in the Support\Reskit folder on the Windows 2000 CD-ROM. The Help files included with the Microsoft Windows 2000 Resource Kit contain a Books Online link. You can click the link for information that describes the NTDSUTIL tool in greater detail.
For more information about removing domain controllers from the domain that you're attempting to delete, see the following article:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
Problem with removing a child domain in an Active Directory Forest
Active Directory Domain Demotion
- When you try to demote the last domain controller in a child domain, it fails.
- The server is still a domain controller after the demotion reports that it was successful.
- The last domain controller is a Windows 2000 Server in a mixed environment that also contained Windows Server 2003 domain controllers.
- You observe the DCPromo log (c:\windows\debug\DCPromo.log), and find the following:
02/02 06:34:14 [INFO] Error - According to the information stored locally, this dc is the last dc in the domain, and the domain has a child domain. (8398)
02/02 06:34:14 [INFO] NtdsDemote returned 8398
02/02 06:34:14 [INFO] DsRolepDemoteDs returned 8398
02/02 06:34:14 [ERROR] Failed to demote the directory service (8398)
- You then try using the NTDSUTIL tool from the forest root domain controller to delete the child domain and get the following error:
DsRemoveDsDomainW error 0x2015
When you promote a Windows Server 2003 server to a domain controller, it creates an application directory partition (naming context DC=DomainDnsZones,...) below the domain.
- If the last domain controller in the child domain is a Windows 2000 Server, it checks Active Directory, finds this naming context, and treats it as a child domain.
- The child domain therefore appears to have a child domain of its own, which causes DCPromo to fail.
Active Directory
Check: System Event Logs, Directory Services Event Logs, and DCPromo Log
Solution:
1. Remove the DomainDNSZones naming context from Active Directory by using the following steps (make sure you run these steps on the forest root domain controller):
"DsRemoveDsDomainW error 0x2015" error message when you use Ntdsutil to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
http://support.microsoft.com/kb/887424/
- Click Start, click Run, type ntdsutil, and then press ENTER.
- At the Ntdsutil command prompt, type domain management, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server Domain_Controller_Name, and then press ENTER.
- After the following message appears, type quit, and then press ENTER:
Connected to Domain_Controller_Name using credentials of locally logged on user
- At the domain management prompt, type list, and then press ENTER.
- Note the following entry:
DC=DomainDnsZones,DC=Child_Domain,DC=extension
For example, if the child domain is Contoso.com, note the following entry:
DC=DomainDnsZones,DC=contoso,DC=com
- Type the following command, and then press ENTER:
delete nc dc=domaindnszones,dc=Child_Domain,dc=extension
Note: In this command, Child_Domain represents the name of the child domain that you want to remove. For example, if the child domain is Contoso.com, type the following command, and then press ENTER:
delete nc dc=domaindnszones,dc=contoso,dc=com
- Quit Ntdsutil.
2. Use NTDSUTIL to delete the domain controller from the child domain.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
3. Then use NTDSUTIL on the Forest Root DC to delete the child domain.
C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC01
Binding to DC01 ...
Connected to titanic using credentials of locally logged on user
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 3 domain(s)
0 - DC=Microsoft,DC=com
1 - DC=Child1,DC=Microsoft,DC=com
2 - DC=Child2,DC=Microsoft,DC=com
select operation target: select domain 2
Site - CN=London,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
Domain - DC=Child2,DC=Microsoft,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
4. On the last domain controller (Windows 2000 Server), you can run DCPROMO /Forceremoval (Start >> Run) to remove any Active Directory information from that server.
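The following PowerShell script is an added example, not code from either article or from Microsoft's tooling. It runs the read-only checks that both the KB 230306 procedure and the child-domain case above depend on before anything is removed with NTDSUTIL: it names the Domain Naming Master to connect to, lists the crossRef partitions still registered under the child domain, separates the real domain NC from the DomainDnsZones application partition that a Windows 2000 DC mistakes for a child domain, and reports any NTDS Settings objects that still host the domain. The child domain name is a constructed parameter, and the reading of the crossRef systemFlags bit (0x2 marks a domain NC; its absence marks an application partition) is from the schema, not from the page.

```powershell
# Added pre-cleanup check for an orphaned child domain. Assumes the
# ActiveDirectory module (RSAT) and Enterprise Admins rights, run from a
# DC or RSAT workstation in the forest. Nothing here modifies AD.
param(
    [Parameter(Mandatory = $true)][string]$ChildDomainDns   # constructed, e.g. child2.contoso.com
)
Import-Module ActiveDirectory

$forest   = Get-ADForest
$dnm      = $forest.DomainNamingMaster
$configNC = (Get-ADRootDSE -Server $dnm).configurationNamingContext
# ntdsutil must be pointed at this DC ("connect to server <servername>").
"Domain Naming Master: $dnm"

# Expected DN of the child domain NC, built from its DNS name.
$childNC = ($ChildDomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# Every partition in the forest is registered as a crossRef under
# CN=Partitions. systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks a domain NC;
# a crossRef without it is an application partition such as
# DC=DomainDnsZones,<child>, which 'list domains' does not show but which
# leaves 'remove selected domain' failing with DsRemoveDsDomainW error 0x2015.
$FLAG_CR_NTDS_DOMAIN = 0x2
$related = Get-ADObject -Server $dnm -SearchBase "CN=Partitions,$configNC" `
    -LDAPFilter '(objectClass=crossRef)' -Properties nCName, dnsRoot, systemFlags |
    Where-Object { $_.nCName -eq $childNC -or $_.nCName -like "*,$childNC" }

foreach ($cr in $related) {
    $kind = if ($cr.systemFlags -band $FLAG_CR_NTDS_DOMAIN) { 'domain NC' } else { 'application partition' }
    '{0,-22} {1}' -f $kind, $cr.nCName
}
$appParts = $related | Where-Object { -not ($_.systemFlags -band $FLAG_CR_NTDS_DOMAIN) }
if ($appParts) {
    "Delete these first with 'delete nc <dn>' (domain management menu; partition management on newer ntdsutil):"
    $appParts | ForEach-Object { "  " + $_.nCName }
}

# A domain must have no remaining DCs before its metadata is removed.
# nTDSDSA (NTDS Settings) objects list the domain NCs they host in msDS-HasDomainNCs.
$hosts = Get-ADObject -Server $dnm -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=nTDSDSA)(msDS-HasDomainNCs=$childNC))"
if ($hosts) {
    "NTDS Settings objects still host $childNC; clean up these servers first (KB 216498):"
    $hosts | ForEach-Object { "  " + $_.DistinguishedName }
} else {
    "No NTDS Settings object references $childNC; the domain can be removed with metadata cleanup."
}
```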
How to prevent this from happening:
- If you have a child domain which contains mixed domain controllers (Windows 2000 Server, and Windows Server 2003), you have to demote the Windows Server 2003 domain controllers last. With new operating systems come new changes to the schema and Active Directory Partitions. Older operating systems may not understand these changes.
Clean up AD DS server metadata
Applies to: Windows Server 2022, Windows Server 2019, Windows Server
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). It is performed on a domain controller in the domain of the domain controller that was forcibly removed. Metadata cleanup removes the data from AD DS that identifies that domain controller to the replication system, removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections, and attempts to transfer or seize any operations master roles (also known as flexible single master operations, or FSMO, roles) that the retired domain controller holds.
There are two options for cleaning up server metadata:
- Clean up server metadata by using GUI tools.
- Clean up server metadata by using the command line.
Note
If you receive an "access denied" error when you use any of these methods to clean up metadata, make sure that the computer object and the NTDS Settings object for the domain controller are not protected from accidental deletion. To check this, right-click the computer object or the NTDS Settings object, select Properties, click the Object tab, and clear the Protect object from accidental deletion check box. In Active Directory Users and Computers, the Object tab appears only when you click View and then Advanced Features.
Cleaning server metadata by using GUI tools
When you use the Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.
You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller computer account, which also completes metadata cleanup automatically. However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.
If you use the Windows Server 2008 or later version of RSAT (Dsa.msc or Dssite.msc), metadata cleanup can be performed automatically for domain controllers that run earlier versions of Windows operating systems.
Membership in Domain Admins or equivalent is the minimum requirement to complete these procedures.
Cleaning up server metadata using Active Directory Users and Computers
- Open the Active Directory Users and Computers snap-in.
- If you identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click the Active Directory Users and Computers node and select Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
- Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
- In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then select Delete.
- In the Active Directory Domain Services dialog box, verify that the name of the domain controller you want to remove is displayed, and then click Yes to confirm the deletion of the computer object.
- In the Delete Domain Controller dialog box, select This domain controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
- If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
- If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is displayed. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move it after the server metadata cleanup is complete.
Using Active Directory Sites and Services to clean up server metadata
- Open the Active Directory Sites and Services snap-in.
- If you identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Sites and Services, and then select Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
- Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then select Delete.
- In the Active Directory Domain Services dialog box, click Yes to confirm the deletion of the NTDS Settings object.
- In the Delete Domain Controller dialog box, select This domain controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
- If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
- If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is displayed.
- Right-click the domain controller that was forcibly removed, and then select Delete.
- In the Active Directory Domain Services dialog box, click Yes to confirm the deletion of the domain controller.
Command line cleanup of server metadata
Alternatively, you can clean up server metadata by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers and on servers that have Active Directory Lightweight Directory Services (AD LDS) installed. Ntdsutil.exe is also available on computers that have RSAT installed. To clean up server metadata by using Ntdsutil, follow these steps:
- Open an elevated command prompt: on the Start menu, right-click Command Prompt and select Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials if required, and then click Continue.
- At the command prompt, type the following command, and then press Enter:
ntdsutil
- At the ntdsutil: prompt, type the following command, and then press Enter:
metadata cleanup
- At the metadata cleanup: prompt, type the following command, and then press Enter:
remove selected server <ServerName>
where <ServerName> identifies the domain controller whose metadata you want to remove (ntdsutil accepts the distinguished name of its server object).
- In the Server Remove Configuration dialog box, review the details and the warning, and then click Yes to remove the server object and its metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that says the object could not be found, the domain controller may have been removed earlier.
- At the metadata cleanup: prompt, type quit, and then press Enter. At the ntdsutil: prompt, type quit again, and then press Enter.
To confirm that the domain controller has been removed, follow these steps:
- Open the Active Directory Users and Computers snap-in. In the domain of the removed domain controller, click Domain Controllers. The details pane should no longer display the computer object of the removed domain controller.
- Open the Active Directory Sites and Services snap-in. Navigate to the Servers container and verify that the server object of the domain controller you removed no longer contains an NTDS Settings object. If no child objects appear below the server object, you can delete the server object.
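The following PowerShell script is an added example, not code from the article or from Microsoft's tooling. It performs the confirmation described above from the command line and adds the two checks the article says metadata cleanup is supposed to take care of: leftover FRS or DFS Replication membership objects for the removed server and FSMO roles still recorded against it. The domain controller name is a constructed parameter, and the SYSVOL membership object classes (nTFRSMember, msDFSR-Member) are from the default AD schema, not from the page.

```powershell
# Added post-cleanup check for a forcibly removed domain controller. Assumes
# the ActiveDirectory module (RSAT) and Domain Admins rights; read-only.
param(
    [Parameter(Mandatory = $true)][string]$DcName,      # constructed, e.g. DC02 (short name)
    [string]$Server = (Get-ADDomain).PDCEmulator         # any live DC in the domain
)
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE -Server $Server
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$findings = @()

# 1. The computer account must be gone from the Domain Controllers OU.
$computer = Get-ADObject -Server $Server -SearchBase "OU=Domain Controllers,$domainNC" `
    -LDAPFilter "(&(objectClass=computer)(cn=$DcName))"
if ($computer) { $findings += "computer object still present: $($computer.DistinguishedName)" }

# 2. The server object under CN=Sites must have no NTDS Settings child.
$serverObjs = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
foreach ($s in @($serverObjs)) {
    if (-not $s) { continue }
    $ntds = Get-ADObject -Server $Server -SearchBase $s.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) { $findings += "NTDS Settings still present under $($s.DistinguishedName)" }
    else       { "server object $($s.DistinguishedName) has no children and can be deleted" }
}

# 3. SYSVOL replication membership (FRS or DFSR) that cleanup should have removed.
$members = @(Get-ADObject -Server $Server -SearchBase "CN=System,$domainNC" `
    -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$DcName))")
foreach ($m in $members) {
    if ($m) { $findings += "replication member object remains: $($m.DistinguishedName)" }
}

# 4. No operations master role may still point at the removed DC.
$forest  = Get-ADForest -Server $Server
$domain  = Get-ADDomain -Server $Server
$pattern = '^' + [regex]::Escape($DcName) + '\.'
$roles = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -match $pattern) { $findings += "$($r.Key) is still held by $($r.Value); seize it" }
}

if ($findings) { "Metadata cleanup for $DcName is incomplete:"; $findings | ForEach-Object { "  - $_" } }
else { "No metadata for $DcName remains; cleanup verified." }
```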