Active Directory behaves as if that DC never existed. This guide goes beyond “delete in ADUC” and covers DNS SRV/CNAME integrity, KCC recomputation, lingering objects, and RODC specifics.
Opening: why metadata cleanup matters today
When a domain controller is demoted or dies, “metadata cleanup” is what removes every remaining reference to it inside AD and DNS. Skip steps and you invite
inconsistent DC locator results, replication errors, and silent authentication oddities.
NTDS Settings,replication connections, DFSR/FRS ties, and SRV/CNAME/DNS host records—so replication and DC locator converge to a healthy state.
This is even more important in modern multi-site and hybrid estates where a stray GUID CNAME under
_msdcs or an orphaned connection object can ripple into outages. For background, share these WAD refreshers with your team:
FSMO roles,
sites & services,
RODC fundamentals,
tombstones,
and cross-site redundancy.
The simple story—and where it falls short
Yes, you can delete the DC’s computer object in ADUC or remove its NTDS Settings and server objects in Active Directory Sites and Services.
Or you can run ntdsutil > metadata cleanup. Those are correct, supported entry points.
But the surface view misses three non-negotiables: DNS locator integrity, topology recomputation, and time-related hazards like
lingering objects. Modern cleanup is graph surgery, not just button-clicking.
Under the hood
- Directory consistency across partitions. Remove the DC’s computer object (usually in OU=Domain Controllers), its server object and
NTDS Settings in the Configuration partition, and stale connection objects. This is what allows the
KCC to recompute a valid spanning tree. - DNS locator is the client truth. DC locator hinges on SRV (e.g.,
_ldap._tcp.dc._msdcs) and per-DC
GUID CNAME records under_msdcs.<forest-root>. Any leftover SRV/CNAME/A will mislead clients and partners. - Temporal correctness & safety brakes. A DC offline beyond tombstone lifetime can cause lingering objects. Events like 2042/1388/1988 are stop signs,
not nags—clean before proceeding. See WAD on tombstones. - SYSVOL replication ties. Remove references in legacy FRS or modern
DFSR. If you still run FRS, prioritize migrating. - RODC specifics. Treat an RODC as a curated cache controlled by Password Replication Policy. Post-decommission,
audit cached principals and consider Kerberos KRBTGT resets if compromise is suspected.
Production-ready Runbook
Use this sequence when a DC was forcibly removed or gracefully demoted. It is safe for most environments; tailor names and confirm rights.
0) Pre-flight (10–20 min)
- Identify and rehome/seize FSMO roles if needed.
netdom query fsmo
# Example seize to a healthy DC (PowerShell)
Move-ADDirectoryServerOperationMasterRole -Identity "HealthyDC01" `
-OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force- Snapshot health and replication for before/after proof:
repadmin /replsummary
repadmin /showrepl * /csv > repl-before.csv
dcdiag /e /c /v > dcdiag-before.txt1) Remove the DC with a supported tool
- Preferred—ADUC/ADAC: Delete the DC’s computer object in OU=Domain Controllers. When prompted, confirm it’s offline; allow automatic metadata cleanup.
- Active Directory Sites and Services: Delete NTDS Settings first, then the server object to trigger cleanup.
- Hard-down—
ntdsutil: Precisely target the dead DC:
ntdsutil
metadata cleanup
connections
connect to server HealthyDC01
q
select operation target
list domains
select domain <#>
list sites
select site <#>
list servers in site
select server <#> # the dead DC
q
remove selected server
q
q2) Clean DNS SRV/CNAME/A for DC locator
In DNS Manager, remove the decommissioned DC’s per-DC GUID CNAME under _msdcs.<forest-root>, global and site-scoped SRVs (e.g.,
_ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain>), and its host A/AAAA records.
# Validate with nslookup
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
nslookup -type=SRV _ldap._tcp.<site>._sites.dc._msdcs.<domain>
nslookup -type=CNAME <DSA-GUID>._msdcs.<forest-root>DNS delegation architectures for multi-forest for broader patterns.
3) Recompute topology & verify convergence
repadmin /kcc *
repadmin /replsummary
repadmin /showrepl * /csv > repl-after.csvConfirm there are no references to the removed DC. Compare repl-before.csv vs repl-after.csv for objective proof.
4) SYSVOL replication references (DFSR / legacy FRS)
dfsrmig /getglobalstate # Expect DFSR in modern domains
# If legacy FRS still present, plan migration; during cleanup, remove old memberships/subscriptions that referenced the dead DC.5) Lingering object detection (if the DC was stale)
If the DC was offline beyond tombstone lifetime, assume lingering objects. Prefer Lingering Object Liquidator or targeted repadmin:
repadmin /removelingeringobjects <TargetDC> <SourceDCGUID> <NC> /advisory_mode
# Remove /advisory_mode to act after review6) RODC-specific post-actions
- Review Password Replication Policy (PRP) and cached principals (
msDS-RevealedList,msDS-AuthenticatedToAccountList). - If theft/compromise is suspected, follow the two-stage KRBTGT reset guidance.
repadmin /prp view <RODCName> reveals
repadmin /prp view <RODCName> auth27) Final health proof
nltest /dsgetdc:<domain>
nltest /dclist:<domain>
dcdiag /e /c /v > dcdiag-final.txtInherent tendencies & constraints
- DNS is the discovery source of truth. Scavenging isn’t a substitute for explicit SRV/CNAME cleanup.
- KCC heals only if edges are gone. Delete the node and its connection objects to allow recomputation.
- Time gates exist for safety. 2042/1388/1988 events are protection mechanisms—resolve lingering objects first.
- RODCs narrow blast radius. But you still must audit PRP and invalidate cached secrets when appropriate.
Some mental models for you
- Graph surgery. Think nodes (servers) and edges (connections) across Directory + DNS. Cleanup means remove the node and all edges.
- Hierarchy of truth. Directory objects → DNS records → telemetry (repadmin/dcdiag). Validate in that order.
- Temporal safety rails. Tombstone lifetime governs what’s safe to merge. Respect it.
- RODC as cache. Treat each RODC as a curated, policy-bound cache of secrets.
Subtle mistakes we still see
- Wrong deletion order in ADSS. Delete NTDS Settings first, then the server object—this triggers auto-cleanup.
- Forgetting the per-DC GUID CNAME under
_msdcs. Clients will still seek the old DC by GUID. - Cleaning only global SRVs. Also remove site-scoped SRVs under
_sites. - Ignoring DFSR/FRS references. Validate SYSVOL memberships/subscriptions.
- Skipping lingering object checks. If the DC was offline too long, assume they exist—verify and remove.
- RODC deletions without PRP review. Always audit cached accounts; consider KRBTGT resets if risk exists.
Essentials checklist
- Delete via ADUC (or ADSS with NTDS Settings → server order) or
ntdsutil. - Purge SRV/CNAME/A in DNS (global and site-scoped); validate with
nslookup. - Run
repadmin /kccand verify no edges to the dead DC remain. - Confirm DFSR/FRS references are gone; plan FRS migration if present.
- Screen for lingering objects; remediate before normal ops.
- For RODC, review PRP/cached secrets; perform KRBTGT resets if appropriate.
What’s next?
FSMO placement in hybrid,
RODC site design,
and evolution of AD.
For broader DNS hygiene across forests, align with your
delegation model
and include SRV monitoring. If you’re auditing performance, see WAD’s
indexing mechanisms for faster queries.
