How to Eradicate Orphaned Domains From Active Directory

I work in a large organization, and sometimes when a domain gets decommissioned, it doesn’t get properly removed from the forest. I was doing some early spring cleaning today, and I figured I’d write down the process I went through. These old remnants of domains keep showing up and become a problem: not only do your existing DCs still try to replicate trusts with the old domains, but they will keep doing so, timing out over and over again.

Make sure you only follow these steps if you are sure that these domains are no longer in use and all of the DCs for them are also offline. We will complete this in two phases.

Phase 1

  1. Click Start, click Run, type ntdsutil, and then press ENTER.
  2. At the Ntdsutil command prompt, type domain management, and then press ENTER.
  3. Type connections, and then press ENTER.
  4. Type connect to server Domain_Controller_Name, and then press ENTER. (You should connect to the forest root DC that holds the Domain Naming Master FSMO role.)
  5. When the message Connected to Domain_Controller_Name using credentials of locally logged on user appears, type quit, and then press ENTER.
  6. At the domain management prompt, type list, and then press ENTER.
  7. Note the following entry: DC=DomainDnsZones,DC=Child_Domain,DC=extension
    For example, if the child domain is Contoso.com, note the following entry: DC=DomainDnsZones,DC=contoso,DC=com
  8. Type the following command, and then press ENTER: delete nc dc=domaindnszones,dc=Child_Domain,dc=extension
    Note: In this command, Child_Domain represents the name of the child domain that you want to remove. For example, if the child domain is company.com, type the following command, and then press ENTER: delete nc dc=domaindnszones,dc=company,dc=com
  9. Quit Ntdsutil.


Phase 2

  1. At the command prompt, type: ntdsutil.
  2. Type: metadata cleanup, and then press ENTER.
  3. Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type: set creds domainname username password, and then press ENTER. For a null password, type: null for the password parameter.
  4. Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
  5. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  6. Type: select operation target, and then press ENTER.
  7. Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
  8. Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
  9. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  10. Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
  11. Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.

You should now be able to open Active Directory Domains and Trusts and remove the old tombstone trust relationships.
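Before running either phase, it is worth confirming from the directory itself that the domain really is orphaned, i.e. that no DC object still claims to host its naming contexts and none of the listed DCs answer. The following script is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and that you run it against the forest root.

```powershell
# Added example (not from the original post): inventory the crossRef objects in
# CN=Partitions and flag any domain or application NC (such as DomainDnsZones)
# that no reachable DC still hosts, before touching it with ntdsutil.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$configNc  = $rootDse.configurationNamingContext
$partsBase = "CN=Partitions,$configNc"
$sitesBase = "CN=Sites,$configNc"

# Every domain and application partition in the forest has a crossRef here.
# systemFlags bit 0x1 (FLAG_CR_NTDS_NC) = NC stored by this forest's DCs;
# bit 0x2 (FLAG_CR_NTDS_DOMAIN) = domain NC rather than application NC.
$crossRefs = Get-ADObject -SearchBase $partsBase -LDAPFilter "(objectClass=crossRef)" `
    -Properties nCName, dnsRoot, systemFlags

$report = foreach ($cr in $crossRefs) {
    if (-not ($cr.systemFlags -band 1)) { continue }   # skip external/foreign crossRefs
    $isDomain = [bool]($cr.systemFlags -band 2)

    # Each DC's nTDSDSA object lists the NCs it hosts: msDS-HasDomainNCs for its
    # domain NC, msDS-HasMasterNCs for every writable NC including application NCs.
    $filter = "(&(objectClass=nTDSDSA)(|(msDS-HasDomainNCs=$($cr.nCName))(msDS-HasMasterNCs=$($cr.nCName))))"
    $hosts  = Get-ADObject -SearchBase $sitesBase -LDAPFilter $filter

    # The parent of an nTDSDSA object is the server object; its dNSHostName is the DC.
    $dcNames = foreach ($h in $hosts) {
        $serverDn = ($h.DistinguishedName -split ',', 2)[1]
        (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
    }
    $reachable = @($dcNames | Where-Object { $_ -and (Test-Connection -ComputerName $_ -Count 1 -Quiet) })

    [pscustomobject]@{
        Partition    = $cr.nCName
        DnsRoot      = $cr.dnsRoot
        Type         = if ($isDomain) { 'Domain' } else { 'Application' }
        HostingDCs   = @($dcNames).Count
        ReachableDCs = $reachable.Count
        Orphaned     = (@($dcNames).Count -eq 0 -or $reachable.Count -eq 0)
    }
}

$report | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

A partition reported as Orphaned with HostingDCs greater than zero still has stale DC server objects in Sites; those are leftover metadata from the same dead domain and should be cleaned up (ntdsutil metadata cleanup, remove selected server) before the domain itself is removed. ICMP reachability is only a coarse check, so treat a ping reply as a reason to stop and investigate, not as proof the DC is healthy.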
