
When AD Cries for Help: A Real-World NTDSUTIL Rescue

When My Domain Controller Refused to Die: Reviving AD with NTDSUTIL

Let me set the scene.

I was called into a mess—not a hypothetical “lab” issue, but a live fire. One of our domain controllers, let’s call it DC04, went belly-up after a botched firmware update. Blue screen. No heartbeat. And yes, it was never properly removed from Active Directory.

Admins started noticing replication errors. DC04 still lingered in the directory like a ghost from a horror movie, and DNS was polluted with stale entries. But worst of all—Active Directory Sites and Services still thought DC04 was alive.

We couldn’t demote it using dcpromo (because, well… the server was already dead). That’s when NTDSUTIL entered the picture.

The Solution: NTDSUTIL to the Rescue

This is how I cleaned it up, step-by-step.

Step 1: Fire up NTDSUTIL

ntdsutil

Step 2: Enter Metadata Cleanup Mode

metadata cleanup

Step 3: Connect to a Live Domain Controller

connections
connect to server DC01
quit

Step 4: Select the Domain and Site

select operation target
list domains
select domain <number>
list sites
select site <number>
list servers in site
select server <number>
quit

Step 5: Remove the Ghost DC

remove selected server
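The same cleanup can be driven without the interactive list/select dance, because remove selected server accepts the distinguished name of the server object directly. The PowerShell below is an added example, not part of the original post: it looks up the ghost DC's server object in the configuration partition, refuses to continue if that host still answers on LDAP, runs NTDSUTIL with the whole command sequence as arguments, and then checks that the NTDS Settings object is gone. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and the DC01/DC04 names from the post; the Get-DcServerObject helper is mine.

```powershell
# Added example, not from the original post: run the NTDSUTIL metadata
# cleanup non-interactively and verify the result.
# Assumes the RSAT ActiveDirectory module, Enterprise Admin rights, DC01 as
# the healthy DC and DC04 as the dead one (names taken from the post).
param(
    [string]$GhostDc = 'DC04',
    [string]$LiveDc  = 'DC01',
    [switch]$Execute    # without -Execute the script only shows what it would run
)

Import-Module ActiveDirectory

# DC server objects live under CN=Servers,CN=<site>,CN=Sites in the
# configuration partition; this finds the one for the ghost DC by name.
function Get-DcServerObject {
    param([string]$Name, [string]$Server)
    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNc" `
        -Filter "objectClass -eq 'server' -and Name -eq '$Name'" `
        -Properties dNSHostName
}

$serverObj = Get-DcServerObject -Name $GhostDc -Server $LiveDc
if (-not $serverObj) {
    Write-Host "No server object named '$GhostDc' in the configuration partition; nothing to clean up."
    return
}

# Guard against cleaning up the wrong DC: a host that still answers on
# LDAP/389 is not a ghost and should be demoted normally instead.
if ($serverObj.dNSHostName -and
    (Test-NetConnection -ComputerName $serverObj.dNSHostName -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    throw "$($serverObj.dNSHostName) still answers on LDAP/389; refusing to run metadata cleanup against a live DC."
}

$dn = $serverObj.DistinguishedName
Write-Host "Ghost server object: $dn"

# Each quoted argument is one NTDSUTIL command, executed in order. The
# 'quit' after 'connect to server' returns from the connections prompt;
# the last two leave metadata cleanup and NTDSUTIL itself.
$ntdsArgs = @('metadata cleanup', 'connections', "connect to server $LiveDc", 'quit',
              "remove selected server $dn", 'quit', 'quit')
Write-Host ('Command: ntdsutil ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '))

if ($Execute) {
    & ntdsutil.exe @ntdsArgs    # NTDSUTIL still pops its confirmation dialog

    # Verify: the nTDSDSA child ("NTDS Settings") of the server object
    # should be gone. The empty server object itself may remain.
    $afterServer = Get-DcServerObject -Name $GhostDc -Server $LiveDc
    $afterNtds = if ($afterServer) {
        Get-ADObject -Server $LiveDc -SearchBase $afterServer.DistinguishedName `
            -SearchScope OneLevel -Filter "objectClass -eq 'nTDSDSA'"
    }
    if ($afterNtds) {
        Write-Warning "NTDS Settings object for $GhostDc is still present: $($afterNtds.DistinguishedName) (see Pitfall 4)."
    } else {
        Write-Host "NTDS Settings for $GhostDc removed. Next: repadmin /syncall /AdeP and repadmin /showrepl"
    }
}
```

Run it once without -Execute to see the exact NTDSUTIL command line and the DN it resolved, then again with -Execute. NTDSUTIL shows a graphical confirmation dialog before deleting, so this is not fully unattended.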

Pro Tip

After cleanup, I still ran:

repadmin /syncall /AdeP

…to make sure all my healthy DCs were syncing properly.

And just to be paranoid, I checked with:

repadmin /showrepl

Common Pitfalls (and How I Recovered or Would Have)

Pitfall 1: Forgetting to Clean DNS

NTDSUTIL removes AD metadata—but leaves DNS records untouched.

Recovery: I fired up dnsmgmt.msc, searched for A and CNAME records related to DC04, and manually deleted them. In enterprise setups, I also double-check reverse lookup zones.
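Hunting A and CNAME records by hand misses the SRV records under _ldap/_kerberos/_gc, the NS record in the zone's name servers list and the PTR in the reverse zone. The PowerShell below is an added example, not part of the original post: it walks every primary zone on a DNS server (forward zone, _msdcs and reverse zones alike), reports each record whose name or target refers to the dead DC, and deletes only those records when asked. It assumes the RSAT DnsServer module, that DC01 hosts DNS, the DC04 name from the post, and 10.0.0.4 as a constructed placeholder for DC04's old address; the Find-StaleDcRecords function is mine.

```powershell
# Added example, not from the original post: audit a DC's DNS zones for
# records still pointing at the dead DC, then delete them on request.
# Assumes the RSAT DnsServer module and DC01 as the DNS server; 10.0.0.4 is a
# constructed placeholder for DC04's former address.
param(
    [string]$DnsServer = 'DC01',
    [string]$GhostFqdn = 'dc04.muralipalla.local',
    [string]$GhostIp   = '10.0.0.4',
    [switch]$Remove     # default is report-only
)

Import-Module DnsServer

function Find-StaleDcRecords {
    param([string]$Server, [string]$Fqdn, [string]$Ip)
    $fqdn  = $Fqdn.TrimEnd('.').ToLower()
    $short = $fqdn.Split('.')[0]

    # Primary zones only: that covers the forward zone, _msdcs and any
    # reverse lookup zones hosted here. Auto-created zones are skipped.
    $zones = Get-DnsServerZone -ComputerName $Server |
             Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        $records = Get-DnsServerResourceRecord -ComputerName $Server `
                       -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
        foreach ($rr in $records) {
            # The part of each record type that can reference a DC.
            $target = switch ($rr.RecordType) {
                'A'     { $rr.RecordData.IPv4Address.ToString() }
                'CNAME' { $rr.RecordData.HostNameAlias }    # _msdcs GUID aliases
                'SRV'   { $rr.RecordData.DomainName }       # _ldap/_kerberos/_gc entries
                'NS'    { $rr.RecordData.NameServer }
                'PTR'   { $rr.RecordData.PtrDomainName }    # reverse zones
                default { $null }
            }
            $t = if ($target) { $target.ToString().TrimEnd('.').ToLower() } else { '' }

            $byName   = ($rr.HostName -ieq $short) -and ($zone.ZoneName -notlike '*.arpa')
            $byTarget = ($t -eq $fqdn) -or ($t -eq $Ip)
            if ($byName -or $byTarget) {
                [pscustomobject]@{
                    Zone   = $zone.ZoneName
                    Name   = $rr.HostName
                    Type   = $rr.RecordType
                    Target = $target
                    Record = $rr
                }
            }
        }
    }
}

$stale = @(Find-StaleDcRecords -Server $DnsServer -Fqdn $GhostFqdn -Ip $GhostIp)
$stale | Select-Object Zone, Name, Type, Target | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        # -InputObject removes exactly this record, so the SRV entries of the
        # surviving DCs that share the same name are left alone.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone `
            -InputObject $s.Record -Force
        Write-Host "Removed $($s.Type) $($s.Name) in $($s.Zone)"
    }
} else {
    Write-Host "$($stale.Count) stale record(s) found. Rerun with -Remove to delete them."
}
```

Review the report before rerunning with -Remove. For AD-integrated zones one deletion on DC01 replicates to the other DCs, so the script only needs to run against one server.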

Pitfall 2: NTDSUTIL Can’t Connect to Another DC

If the live DC you’re trying to connect to isn’t reachable, NTDSUTIL will stall.

Recovery: I always test the connection first:

nltest /dsgetdc:muralipalla.local

Pitfall 3: AD Replication Remains Broken

Removing metadata doesn’t fix deeper replication rot.

Recovery: Check with:

repadmin /replsummary

If FSMO roles were affected:

ntdsutil
roles
connections
connect to server DC01
quit
seize <role>
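Before seizing anything it pays to know exactly which of the five roles were recorded against the dead DC. The PowerShell below is an added example, not part of the original post: it reads the current holders from the forest and domain objects, flags the ones pointing at DC04 alongside the matching NTDSUTIL seize command (seize schema master, seize naming master, seize PDC, seize RID master, seize infrastructure master), and, when asked, seizes them onto DC01 with Move-ADDirectoryServerOperationMasterRole -Force, the PowerShell equivalent of seize. It assumes the ActiveDirectory module and Schema/Enterprise Admin rights; Get-FsmoHolderReport is my helper.

```powershell
# Added example, not from the original post: report FSMO roles still recorded
# against the dead DC and seize them onto a live DC.
# Assumes the ActiveDirectory module and Schema/Enterprise Admin rights;
# DC01 and DC04 are the names used in the post.
param(
    [string]$GhostDc  = 'DC04',
    [string]$TargetDc = 'DC01',
    [switch]$Seize      # default is report-only
)

Import-Module ActiveDirectory

function Get-FsmoHolderReport {
    param([string]$Ghost, [string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server

    # Role -> (current holder FQDN, equivalent NTDSUTIL 'seize' command)
    $holders = [ordered]@{
        SchemaMaster         = @($forest.SchemaMaster,         'seize schema master')
        DomainNamingMaster   = @($forest.DomainNamingMaster,   'seize naming master')
        PDCEmulator          = @($domain.PDCEmulator,          'seize PDC')
        RIDMaster            = @($domain.RIDMaster,            'seize RID master')
        InfrastructureMaster = @($domain.InfrastructureMaster, 'seize infrastructure master')
    }
    foreach ($role in $holders.Keys) {
        $fqdn, $ntdsutilCmd = $holders[$role]
        # Holders are FQDNs (e.g. dc04.muralipalla.local); compare the host label.
        [pscustomobject]@{
            Role          = $role
            Holder        = $fqdn
            HeldByGhost   = (($fqdn -split '\.')[0] -ieq $Ghost)
            NtdsutilSeize = $ntdsutilCmd
        }
    }
}

$report = Get-FsmoHolderReport -Ghost $GhostDc -Server $TargetDc
$report | Format-Table -AutoSize

$orphaned = @($report | Where-Object HeldByGhost | Select-Object -ExpandProperty Role)
if ($orphaned.Count -eq 0) {
    Write-Host "No FSMO role is held by $GhostDc; nothing to seize."
    return
}

if ($Seize) {
    # -Force turns the transfer into a seizure because the current holder
    # cannot be contacted. A DC whose roles were seized must stay offline
    # for good; bringing it back would create two holders of the same role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $orphaned -Force -Confirm:$false
    Get-FsmoHolderReport -Ghost $GhostDc -Server $TargetDc | Format-Table -AutoSize
} else {
    Write-Host "Roles to seize onto ${TargetDc}: $($orphaned -join ', '). Rerun with -Seize."
}
```

The report is also the easy way to keep the "document which DCs hold FSMO roles" lesson honest: run it without -Seize on a healthy day and file the output.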

Pitfall 4: Orphaned NTDS Settings Object

Even after remove selected server, the NTDS Settings object sometimes remains.

Recovery: Open AD Sites and Services, enable “Show Services Node”, and manually delete the NTDS Settings object.
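The scripted form of that Sites and Services step, as an added example that is not part of the original post: locate the NTDS Settings object (the nTDSDSA child of the ghost's server object), make sure the host behind it really is unreachable, and delete it with Remove-ADObject -Recursive, which is needed because replication connection objects hang under it. It assumes the ActiveDirectory module, Enterprise Admin rights, and the DC01/DC04 names from the post.

```powershell
# Added example, not from the original post: find an NTDS Settings object left
# behind under the dead DC's server object and delete it.
# Assumes the ActiveDirectory module and Enterprise Admin rights; DC01 and
# DC04 are the names used in the post.
param(
    [string]$GhostDc = 'DC04',
    [string]$LiveDc  = 'DC01',
    [switch]$Delete     # default is report-only
)

Import-Module ActiveDirectory

$configNc  = (Get-ADRootDSE -Server $LiveDc).configurationNamingContext
$serverObj = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNc" `
    -Filter "objectClass -eq 'server' -and Name -eq '$GhostDc'" -Properties dNSHostName

if (-not $serverObj) {
    Write-Host "No server object for $GhostDc; nothing left to clean."
    return
}

# The NTDS Settings object is the nTDSDSA child of the server object.
$ntds = Get-ADObject -Server $LiveDc -SearchBase $serverObj.DistinguishedName `
    -SearchScope OneLevel -Filter "objectClass -eq 'nTDSDSA'"

if (-not $ntds) {
    Write-Host "No NTDS Settings object under $($serverObj.DistinguishedName); metadata cleanup is complete."
    Write-Host "The empty server object can be deleted in AD Sites and Services."
    return
}

# Safety check: an NTDS Settings object whose DC still answers on LDAP is not
# an orphan, it is a live DC.
if ($serverObj.dNSHostName -and
    (Test-NetConnection -ComputerName $serverObj.dNSHostName -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    throw "$($serverObj.dNSHostName) is still reachable on 389; not an orphan."
}

Write-Host "Orphaned NTDS Settings object: $($ntds.DistinguishedName)"
if ($Delete) {
    # -Recursive: inbound replication connection objects live under NTDS
    # Settings and would otherwise block the delete.
    Remove-ADObject -Identity $ntds -Server $LiveDc -Recursive -Confirm:$false
    Write-Host "Deleted. Follow up with: repadmin /showrepl"
} else {
    Write-Host "Rerun with -Delete to remove it."
}
```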

Pitfall 5: Accidentally Cleaning Up the Wrong DC

Yeah, don’t laugh—it almost happened.

Recovery: Triple-check with:

netdom query dc
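A single table that answers both "which DC can I connect to?" (Pitfall 2) and "is the one I am about to remove really dead?" (Pitfall 5) saves a lot of triple-checking. The PowerShell below is an added example, not part of the original post: it lists every DC the directory still knows about (a ghost is still listed, since Get-ADDomainController enumerates NTDS Settings objects), probes each on LDAP/389, and then names a reachable connection target while refusing to bless cleanup of a DC that still answers. It assumes the ActiveDirectory module and the muralipalla.local domain and DC04 name from the post; Get-DcReachability is my helper.

```powershell
# Added example, not from the original post: inventory the domain's DCs and
# test which answer on LDAP, so the NTDSUTIL connection target is really up
# and the DC being cleaned up is really down.
# Assumes the ActiveDirectory module; muralipalla.local and DC04 come from the post.
param(
    [string]$Domain  = 'muralipalla.local',
    [string]$GhostDc = 'DC04'
)

Import-Module ActiveDirectory

function Get-DcReachability {
    param([string]$DomainName)
    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        $ldap = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Name     = $dc.Name
            HostName = $dc.HostName
            Site     = $dc.Site
            IsGC     = $dc.IsGlobalCatalog
            Roles    = ($dc.OperationMasterRoles -join ', ')
            Ldap389  = $ldap
        }
    }
}

$table = @(Get-DcReachability -DomainName $Domain)
$table | Format-Table -AutoSize

$ghost = $table | Where-Object { $_.Name -ieq $GhostDc }
$live  = @($table | Where-Object { $_.Ldap389 -and ($_.Name -ine $GhostDc) })

if (-not $ghost) {
    Write-Host "$GhostDc is not listed as a DC at all; its metadata may already be gone."
} elseif ($ghost.Ldap389) {
    throw "$GhostDc still answers on LDAP. Wrong DC? Do not run metadata cleanup against it."
} else {
    Write-Host "$GhostDc is listed but unreachable: consistent with a dead DC."
}

if ($live.Count -eq 0) {
    throw "No other DC answers on LDAP; fix connectivity before NTDSUTIL 'connect to server'."
}
Write-Host "Use as NTDSUTIL connection target: $($live[0].Name) ($($live[0].HostName))"
```

The Roles column doubles as the FSMO check: if any role shows up on the unreachable row, plan the seizure before the metadata cleanup rather than discovering it afterwards.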

Lessons I Learned

  • Always cleanly demote DCs.
  • Don’t forget DNS cleanup.
  • Replication health is your canary.
  • Document which DCs hold FSMO roles.

Dead domain controllers don’t just rest in peace. NTDSUTIL helps you clean the mess they leave behind—quick, surgical, and battle-tested.
