AD Metadata Cleanup Toolkit
AD metadata cleanup after DC decommission (runbook + checklist)
Download a one-click PowerShell runbook and a printable checklist to clean AD metadata after a DC decommission—DNS SRV/CNAME, KCC, DFSR, lingering objects, RODC.
…
Managing AD metadata cleanup post-DC decommission: A Playbook
September 9, 2025
Active Directory behaves as if that DC never existed. This guide goes beyond “delete in ADUC” and covers DNS SRV/CNAME integrity, KCC recomputation, lingering objects, and RODC specifics.
Focus: metadata cleanup
Covers: ADUC/ADSS/ntdsutil
Also: DNS SRV, KCC, DFSR, RODC
SID filtering in complex AD layouts: the one-bit boundary that decides what crosses your forest
September 9, 2025
Quick definition: SID filtering is a trust-side control that removes foreign SIDs—including values in SIDHistory—from a user’s authorization data as it traverses a trust. It prevents privilege escalation by honoring only the SIDs the trusting side expects.
Answer box (at a glance)
External/domain trusts: Quarantine=Yes by default → accept only SIDs from the directly trusted…