To clean up metadata

Metadata can get left over if a DC had to be removed forcibly from the domain, which can occur if the DC stops communicating correctly with other DCs, perhaps because of Active Directory corruption or hardware failure. The metadata is information about the failed DC that stays in the Active Directory database on the remaining DCs in the domain. Metadata might also have to be cleaned up if an attempt to install a new DC in the domain fails after a partial installation.

Metadata that’s not cleaned up can have varying and unpredictable effects on the domain, some unnoticeable and some that cause replication and other functions to malfunction. In addition, any attempts to install a DC with the same name as the failed one will be unsuccessful until the metadata is cleaned up.

Type 1: Clean the server metadata

  1. At the command line, type ntdsutil and press Enter.
  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
  3. At the metadata cleanup: prompt, type connections and press Enter.
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
  5. Type quit and press Enter to return to the metadata cleanup: prompt.
  6. Type select operation target and press Enter.
  7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
  9. Type list sites and press Enter.
  10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
  11. Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.
  12. Type select server <number>, where <number> refers to the domain controller to be removed, and press Enter.
  13. Type quit and press Enter. The metadata cleanup menu is displayed.
  14. Type remove selected server and press Enter.
  15. Type quit and press Enter until you return to the command prompt.

Type 2: Clean the domain metadata

Use this procedure if you demoted the last domain controller in a tree domain and selected the “Force the demotion of the domain controller” option.

  • Verify that all servers for the domain have been demoted.
  • At the command prompt, type: ntdsutil.
  • Type: metadata cleanup, and then press ENTER.
  • Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type: set creds domainname username password, and then press ENTER. For a null password, type: null for the password parameter.
  • Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
  • Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  • Type: select operation target, and then press ENTER.
  • Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
  • Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
  • Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  • Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
  • Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.
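The two procedures above are interactive menu walks. The following PowerShell script is an added example (not part of the original page) that runs the same ntdsutil commands non-interactively and checks the configuration partition before and after, so the target DN is verified rather than picked by list number. It assumes the ActiveDirectory module (RSAT) is installed, that ntdsutil accepts its menu commands as quoted arguments, and that the output of list domains has the form "<number> - <domain DN>". Server and domain names such as DC2 and DC=example,DC=local are placeholders.

```powershell
# Added example: ntdsutil metadata cleanup (server and domain) from PowerShell.
# Assumptions: RSAT ActiveDirectory module; ntdsutil takes one menu command per
# argument; "list domains" prints "<number> - <DN>" lines. Run as an Enterprise
# Admin on a healthy DC. All server/domain names below are placeholders.
Import-Module ActiveDirectory

function Invoke-Ntdsutil {
    # Passes one menu command per argument to ntdsutil and returns its text output.
    param([Parameter(Mandatory)][string[]]$Commands)
    Write-Verbose ("ntdsutil " + ($Commands -join ' | '))
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
}

function Get-DcServerObjects {
    # Every server object under CN=Sites in the configuration partition, with whether
    # its NTDS Settings child and the referenced computer account still exist.
    # A DC that failed and was never cleaned up still appears here; compare the list
    # with the DCs you know are alive before choosing a cleanup target.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase "CN=Sites,$cfg" -Properties serverReference |
        ForEach-Object {
            $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $_.DistinguishedName -SearchScope OneLevel
            $computer = if ($_.serverReference) { Get-ADObject -Identity $_.serverReference -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Name            = $_.Name
                ServerDN        = $_.DistinguishedName
                HasNtdsSettings = [bool]$ntds
                ComputerExists  = [bool]$computer
            }
        }
}

function Remove-DcServerMetadata {
    # Type 1 procedure (steps 1-15 above) as a single ntdsutil call. ntdsutil still
    # shows its Yes/No confirmation dialog before removing the server object.
    param(
        [Parameter(Mandatory)][string]$ServerDN,                  # ServerDN from Get-DcServerObjects
        [string]$ConnectTo = (Get-ADDomainController).HostName    # any functional DC in the domain
    )
    Invoke-Ntdsutil @('metadata cleanup',
                      'connections', "connect to server $ConnectTo", 'quit',
                      "remove selected server $ServerDN",
                      'quit', 'quit')
    # Post-check: the server object must be gone from the configuration partition.
    -not [bool](Get-ADObject -Identity $ServerDN -ErrorAction SilentlyContinue)
}

function Remove-DcDomainMetadata {
    # Type 2 procedure: connects to the Domain Naming Master, resolves the domain's
    # list number from "list domains", selects it and removes it.
    param([Parameter(Mandatory)][string]$DomainDN)   # e.g. DC=child,DC=example,DC=local
    $namingMaster = (Get-ADForest).DomainNamingMaster
    $prefix = @('metadata cleanup', 'connections', "connect to server $namingMaster", 'quit',
                'select operation target')
    $listing = Invoke-Ntdsutil ($prefix + @('list domains', 'quit', 'quit', 'quit'))
    $entry = $listing | Where-Object { $_ -match ('^\s*\d+\s*-\s*' + [regex]::Escape($DomainDN) + '\s*$') } |
             Select-Object -First 1
    if (-not $entry) { throw "Domain $DomainDN is not listed by ntdsutil; nothing to remove." }
    $null = $entry -match '^\s*(\d+)'
    $number = $Matches[1]
    Invoke-Ntdsutil ($prefix + @("select domain $number", 'quit', 'remove selected domain', 'quit', 'quit'))
    # Post-check: the domain's crossRef object should no longer exist under CN=Partitions.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    -not [bool](Get-ADObject -LDAPFilter "(&(objectClass=crossRef)(nCName=$DomainDN))" -SearchBase "CN=Partitions,$cfg")
}

# Usage (placeholders):
#   Get-DcServerObjects | Format-Table
#   Remove-DcServerMetadata -ServerDN 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'
#   Remove-DcDomainMetadata -DomainDN 'DC=child,DC=example,DC=local'
```

Both removal functions return $true when the post-check finds the object gone and $false otherwise; run Get-DcServerObjects first and keep its output, since it is the record of what the configuration partition looked like before the change.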


Work with Active Directory Snapshots

An Active Directory snapshot is just what it sounds like: an exact replica of the Active Directory database at a specific moment. It’s similar to a snapshot (or “checkpoint,” as it’s called in Hyper-V) of a virtual machine. You can browse through Active Directory snapshots to view Active Directory’s state at different times. You can also export Active Directory objects from a snapshot and import them with ldifde.

The basic procedure for working with snapshots is as follows:
1. Create and mount the snapshot with ntdsutil.

2. Activate the snapshot with dsamain.

3. Browse the snapshot with Active Directory Users and Computers or another LDAP tool.

4. Dismount the snapshot.

Creating and Mounting Snapshots

To use a snapshot, create one first and then mount it with ntdsutil, using the following procedure:
1. Open a command prompt window, type ntdsutil, and press Enter.

2. Type snapshot and press Enter.

3. Type activate instance ntds and press Enter.

4. Type create and press Enter.

5. Ntdsutil names the snapshot by using a GUID. You need the GUID, so instead of having to type it, right-click it and click Mark. Use your mouse to highlight the number between the braces and press Enter.

6. Type mount and press the spacebar. Right-click at the cursor and click Paste, and then press Enter.

7. Copy the part of the output starting with C:\$SNAP and ending with VOLUMEC$\ because you need it in the command in the following section. It’s the path to the snapshot, which includes a timestamp. If you open File Explorer, you see a volume mounted in the root of the C drive with that name.

8. Type quit and press Enter twice to exit ntdsutil.

Activating a Snapshot

After you’ve created a snapshot, you need to let the Active Directory service know about it by using the following steps:

1. At a command prompt, type dsamain /dbpath SnapshotPath\windows\ntds\ntds.dit /ldapport 20000 and press Enter. The SnapshotPath is the output you copied in the previous section, and ldapport is the port number you use when browsing the snapshot.

2. When you see the line beginning with EVENTLOG and ending with 1000, the process is done. Leave the command prompt window open.

3. To browse the snapshot, open Active Directory Users and Computers, and then right-click the domain object and click Change Domain Controller. In the Change Directory Server dialog box, click “<Type a Directory Server name[:port] here>,” type DCName:20000 (replacing DCName with the name of the domain controller), press Enter, and then click OK.

Exporting a Snapshot

You can export Active Directory objects from the snapshot by using ldifde and import these objects into another instance of Active Directory. To export the users in the TestOU1 OU to the testOU1users.txt file, enter the following command at a command prompt:

ldifde -t 20000 -f testOU1users.txt -d "ou=TestOU1,dc=411Dom1,dc=local" -r (ObjectClass=user)

Unmounting and Deleting a Snapshot

When you use dsamain to activate a snapshot, you leave the command prompt window open until you’re finished with the snapshot. To stop dsamain and unmount the snapshot, use the following steps:

1. In the command prompt window where dsamain is running, press Ctrl+C.

2. Type the following commands, pressing Enter after each:

   ntdsutil
   snapshot
   unmount SnapshotGUID
   quit
   quit

In these commands, SnapshotGUID is the GUID that was generated when you mounted the snapshot. If you need to see the GUID, type list all in ntdsutil while in snapshot mode. Unmounting the snapshot doesn’t delete it. To delete the snapshot, type delete SnapshotGUID after you enter snapshot mode.
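The sections from Creating and Mounting Snapshots through Unmounting and Deleting a Snapshot describe one lifecycle. The following PowerShell script is an added example (not from the original page) that runs that lifecycle end to end and parses the GUID and mount path from ntdsutil's output instead of copying them by hand. It assumes ntdsutil accepts its menu commands as arguments, that its output contains the snapshot GUID in braces and the mount path in the form drive:\$SNAP_timestamp_VOLUMEdrive$\, and it reuses the OU, domain, file name and port 20000 from the text; readiness of dsamain is detected by probing the LDAP port rather than by watching for the EVENTLOG line.

```powershell
# Added example: create, mount, expose, export and remove an AD snapshot.
# Assumptions: ntdsutil takes one menu command per argument; its output contains
# "{GUID}" and "<drive>:\$SNAP_<timestamp>_VOLUME<drive>$\"; run on a DC as an
# administrator. OU/domain/file names and port 20000 come from the text above.

function Invoke-Ntdsutil {
    # Passes one menu command per argument to ntdsutil and returns its text output.
    param([Parameter(Mandatory)][string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
}

function New-AdSnapshot {
    # Creating and Mounting Snapshots: returns the GUID and the mounted path.
    $created = Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'create', 'quit', 'quit')
    $g = $created | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' | Select-Object -First 1
    if (-not $g) { throw "No snapshot GUID found in ntdsutil output:`n$($created -join "`n")" }
    $guid = $g.Matches[0].Value
    $mounted = Invoke-Ntdsutil @('snapshot', "mount $guid", 'quit', 'quit')
    $m = $mounted | Select-String -Pattern '[A-Za-z]:\\\$SNAP_\d+_VOLUME[A-Za-z]\$\\' | Select-Object -First 1
    if (-not $m) { throw "Snapshot $guid created but no mount path found:`n$($mounted -join "`n")" }
    [pscustomobject]@{ Guid = $guid; MountPath = $m.Matches[0].Value }
}

function Start-AdSnapshotLdap {
    # Activating a Snapshot: dsamain serves the mounted ntds.dit on an LDAP port.
    # Returns the process object so it can be stopped later (the text's Ctrl+C).
    param([Parameter(Mandatory)][string]$MountPath, [int]$Port = 20000)
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "No ntds.dit at $dit" }
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList "/dbpath `"$dit`" /ldapport $Port" `
                          -PassThru -WindowStyle Hidden
    # Poll the port until dsamain answers (up to 60 s) instead of reading its console.
    $deadline = (Get-Date).AddSeconds(60)
    $ready = $false
    do {
        Start-Sleep -Seconds 2
        try { $tcp = New-Object Net.Sockets.TcpClient; $tcp.Connect('127.0.0.1', $Port); $ready = $tcp.Connected; $tcp.Close() } catch {}
    } until ($ready -or $proc.HasExited -or (Get-Date) -gt $deadline)
    if (-not $ready) {
        Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue
        throw "dsamain did not start listening on port $Port"
    }
    $proc
}

function Export-AdSnapshotObjects {
    # Exporting a Snapshot: the ldifde command from the text, against the snapshot port.
    param([int]$Port = 20000,
          [string]$BaseDN = 'ou=TestOU1,dc=411Dom1,dc=local',
          [string]$Filter = '(objectClass=user)',
          [string]$OutFile = 'testOU1users.txt')
    & ldifde.exe -t $Port -f $OutFile -d $BaseDN -r $Filter | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }
    Get-Item $OutFile
}

function Remove-AdSnapshot {
    # Unmounting and Deleting a Snapshot: stop dsamain, unmount, optionally delete.
    param([Parameter(Mandatory)][string]$Guid,
          [System.Diagnostics.Process]$Dsamain,
          [switch]$Delete)
    if ($Dsamain -and -not $Dsamain.HasExited) { Stop-Process -Id $Dsamain.Id }   # replaces Ctrl+C
    $cmds = @('snapshot', "unmount $Guid")
    if ($Delete) { $cmds += "delete $Guid" }     # unmount first; delete removes the snapshot itself
    Invoke-Ntdsutil ($cmds + @('quit', 'quit'))
}

# Usage:
#   $snap = New-AdSnapshot
#   $proc = Start-AdSnapshotLdap -MountPath $snap.MountPath
#   Export-AdSnapshotObjects          # writes testOU1users.txt from the snapshot
#   Remove-AdSnapshot -Guid $snap.Guid -Dsamain $proc -Delete
```

Keep the $snap object from New-AdSnapshot for the whole session: its Guid is what unmount and delete need, which is the value the text tells you to retrieve with list all if you lose it.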