AD Metadata Cleanup

The Metadata Cleanup command of NTDSUTIL allows an administrator to remove the references to domain controllers and external trusted domains that no longer exist or are inoperable – for example where replication has failed for longer than the tombstone period (usually 60 days). Normally an administrator uses DCPROMO to remove a domain controller from the domain/site, but if the server is no longer serviceable or AD errors prevent DCPROMO from working, that's not an option, and this is where NTDSUTIL shines.

Exchange versions before 2007 RTM could be backed up using NTBACKUP, but on the release of 2007 there was no backup mechanism provided by Windows. You could buy expensive third-party backup software, or grab NTBackup and its related files from, say, Windows 2003 Rx and use those. However, at some recent point the borrowed NTBackup program stopped working (the Exchange site no longer appeared as a selection option). The consequence of not being able to run a backup is that the logs keep growing, because there's no longer a backup to truncate them. Fortunately (and not before time) Exchange 2007 SP2 included a patch which allows the Windows Server 2008 backup utility to check the Exchange files and truncate the logs, though only when a full backup of the host server is taken.

So the challenge was to install SP3 for Exchange 2007. I hoped it would be easy, and perhaps it normally is. However, replication between our main domain controller and the backup controller (BDC) had failed ages ago – certainly more than 60 days ago. As a result the Exchange SP would not install, complaining that AD replication had failed for longer than the tombstone period. So I resolved to demote the BDC, thinking this would solve the problem. But no, DCPROMO failed for exactly the same reason. Nonetheless the BDC had to go, so what to do?

Windows includes NTDSUTIL, which is able to prune objects in AD. There's a knowledge base article about using NTDSUTIL to remove unwanted servers and external domain references. Messing with AD is not to be done lightly, as it can render your domain controller inoperable, so I diligently backed up and tested the procedure on a test domain controller before trying it for real.

In the event it worked like a charm, and now I wish I'd tried it years ago when replication first began to fail. After removing the references to the defunct BDC, the Exchange 2007 SP installed without a problem and I was able to back up the Exchange server once again, which truncated the logs. There's a TechNet article about backing up Exchange 2007 once the SP is applied.

To see your tombstone period (the tombstoneLifetime attribute on the Directory Service object in the configuration partition) you can run this command from the Life of Brian blog, or use ADSIEdit. It needs the ActiveDirectory PowerShell module, and the DN shown is the blog's example domain, so substitute your own (e.g. dc=yourdomain,dc=local):

# Requires the ActiveDirectory module (RSAT); replace dc=AdminPrep,DC=Local with your own domain DN
Import-Module ActiveDirectory
(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=AdminPrep,DC=Local" -properties "tombstonelifetime").tombstonelifetime
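As an added example (not from the original post or the Life of Brian blog), here is a PowerShell check that reads the tombstone lifetime from whichever forest you are joined to, via RootDSE rather than a hard-coded DN, and then lists every replication partner whose last successful replication is older than that lifetime, which is the exact condition that blocked both the Exchange SP and DCPROMO above. It assumes the ActiveDirectory module (RSAT) and a Windows Server 2012 or later DC that exposes replication metadata; the function names are mine.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory module and rights to read replication metadata on the DC.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # Locate the Directory Service object from RootDSE instead of hard-coding the domain DN.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # When the attribute is not set at all, AD applies the historic default of 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-StaleReplicationPartners {
    param(
        # DC to query; defaults to whichever DC the module discovers for this domain.
        [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1),
        [int]$TombstoneDays = (Get-TombstoneLifetimeDays)
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$TombstoneDays)
    # One row per inbound replication link (partner + partition) on the queried DC.
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Server        = $_.Server
                Partner       = $_.Partner
                Partition     = $_.Partition
                LastSuccess   = $_.LastReplicationSuccess
                DaysSinceSync = [int](($now - $_.LastReplicationSuccess).TotalDays)
                TombstoneDays = $TombstoneDays
                Failures      = $_.ConsecutiveReplicationFailures
            }
        }
}

$ttl = Get-TombstoneLifetimeDays
"Tombstone lifetime for this forest: $ttl days"
$stale = Get-StaleReplicationPartners -TombstoneDays $ttl
if ($stale) {
    "Partners beyond the tombstone lifetime (confirm they are really gone before any metadata cleanup):"
    $stale | Format-Table -AutoSize
} else {
    "No replication partner has been out of sync longer than the tombstone lifetime."
}
```

Run it periodically (a scheduled task that emails the table is enough) so a DC that stops replicating is noticed well inside the tombstone window, while an ordinary DCPROMO is still possible.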
