useful commands:
  • netdom query fsmo
  • ntdsutil

    The rest of this file was grabbed from

    Active Directory: DC and FSMO
    How do I seize FSMO roles or forcefully remove a DC?

    This document details steps to be taken to correct replication problems between Domain Controllers and also serves as a point of reference for forcefully removing a DC from the domain.

    It is important to identify which DC holds the most recent updates of AD. Check for recently created objects such as users or groups or machine accounts. When removing the DC from the domain, any objects that only exist on this server will be lost.

    As a naming convention this document will refer to ServerGood and ServerBad where ServerGood is the DC that will remain in the domain and ServerBad is the DC to be removed.

    1. Identify the bad server (ServerBad)
    2. On ServerBad stop the NTFRS service and KDC Service.
    3. On ServerBad run KerbTray resource kit utility and delete the Kerberos Certificates.
    4. On ServerGood, run Netdom Query FSMO and check for FSMO ownership. Attempt to transfer all roles to ServerGood using AD Users and Computers (right click on the domain and select operations masters).
    5. If you are unable to transfer roles, seize all 5 FSMO roles.
    Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

    To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:

    1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

      Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.

    2. Type roles, and then press ENTER.
      To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

    3. Type connections, and then press ENTER.

    4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.

    5. At the server connections: prompt, type q, and then press ENTER again.

    6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

      Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

      Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

      Note If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by the earlier steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

      216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion

      If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.

    7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

    Do not put the Infrastructure Master role on the same domain controller as the global catalog.

    To check if a domain controller is also a global catalog server:

    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
    3. Open the Servers folder, and then click the domain controller.
    4. In the domain controller's folder, double-click NTDS Settings.
    5. On the Action menu, click Properties.
    6. On the General tab, locate the Global Catalog check box to see if it is selected.
    7. Reboot ServerBad and verify that you can successfully log in under Active Directory Restore Mode.
    8. On ServerBad run DCPROMO /FORCEREMOVAL
      Refer to MSKB 332199 for additional details if needed.
    9. ServerBad should now be in a workgroup.
    10. On ServerGood, execute the MetaCleaner.vbs script and select the ServerBad computer name to delete it from the metabase.
      Note: if MetaCleaner.vbs is unavailable you can follow MSKB 216498.
    11. Launch the MMC and add the ADSIEdit snap-in.
      Remove ServerBad from everything

    Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller.

    1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
      • Start ADSIEdit.
      • Expand the Domain NC container.
      • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      • Expand OU=Domain Controllers.
      • Right-click CN=domain controller name, and then click Delete.

      Note: you may need to expand the object and manually delete child objects to delete the computer account if you receive a message that you have insufficient rights to delete the computer account..

      If you receive the "DSA object cannot be deleted" error when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

      Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.

    2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
      • Start ADSIEdit.
      • Expand the Domain NC container.
      • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      • Expand CN=System.
      • Expand CN=File Replication Service.
      • Expand CN=Domain System Volume (SYSVOL share).
      • Right-click the domain controller you are removing, and then click Delete.

    3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.

      Important If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

      Note If you have reverse lookup zones, also remove the server from these zones.

    4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
      • Start ADSIEdit.
      • Expand the Domain NC container.
      • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      • Expand CN=System.
      • Right-click the Trust Domain object, and then click Delete.

    5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
      • Start Active Directory Sites and Services.
      • Expand Sites.
      • Expand the server's site. The default site is Default-First-Site-Name.
      • Expand Server.
      • Right-click the domain controller, and then click Delete.

    6. Remove all references to ServerBad in DNS forward and reverse lookup zones.

    7. Verify that ServerBad does not exist in AD Users and Computers.

    8. It is now safe to have ServerBad rejoin the domain and use DCPROMO to make it a DC again if needed.

    Copy all of the following text to a text file. Name the file MetaCleaner.vbs.

    REM    ==========================================================
    REM                GUI Metadata Cleanup Utility
    REM             Written By Clay Perrine -
    REM                          Version 2.5
    REM    ==========================================================
    REM     This tool is furnished "AS IS". NO warranty is expressed or Implied.
    on error resume next
    dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj,comparename
    rem =======This gets the name of the computer that the script is run on ======
    Set sh = CreateObject("WScript.Shell")
    computerName = sh.RegRead(key & "\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")
    rem === Get the default naming context of the domain====
    set objRoot=GetObject("LDAP://RootDSE")
    sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    rem === Get the list of domain controllers====
    Set objConfiguration = GetObject(sPath)
    For Each objContainer in objConfiguration
    outval = outval & vbtab &  objContainer.Name & VBCRLF
    outval = Replace(outval, "CN=", "")
    rem ==Retrieve the name of the broken DC from the user and verify it's not this DC.===
    oDCSelect= InputBox (outval,"Type the Name of the Problem Domain Controller","")
    comparename = UCase(oDCSelect)
    if comparename = computerName then
    msgbox "The Domain Controller you entered is the machine that is running this script." & vbcrlf & "You cannot clean up the metadata for the machine that is running the script!",,"Metadata Cleanup Utility Error."
    End If
    sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    Set objConfiguration = GetObject(sPath)
    For Each objContainer in objConfiguration
    ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(ckdcPath)
    If err.number <>0 Then
    errval= 1
    End If
    If errval = 1 then
    msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
    End If
    abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
    if abort <> 6 then
    msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
    end if
    oDCSelect = "CN=" & oDCSelect
    ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
    Set objConfiguration = GetObject(sSitelist)
    For Each objContainer in objConfiguration
    sitePath = "LDAP://" & oDCSelect & ",CN=Servers," &  objContainer.Name & ",CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(sitePath)
    If err.number = 0 Then
    siteval = sitePath
    End If    
    sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
    Set objConfiguration = GetObject(sFRSSysvolList)
    For Each objContainer in objConfiguration
    SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(SYSVOLPath)
    If err.number = 0 Then
    SYSVOLval = SYSVOLPath
    End If
    SiteList = Replace(sSitelist, "LDAP://", "")
    VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
    Set SiteConfiguration = GetObject(VarSitelist)
    For Each SiteContainer in SiteConfiguration
    Sitevar = SiteContainer.Name
    VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    Set DCConfiguration = GetObject(VarPath)
        For Each DomContainer in DCConfiguration
        DCVar = DomContainer.Name
        strFromServer = ""
        NTDSPATH =  DCVar & ",CN=Servers," & SiteVar & "," & SiteList
        GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH 
        Set objCheck = GetObject(NTDSPATH)
            For Each CheckContainer in objCheck
    rem ====check for valid site paths =======================
            ldapntdspath = "LDAP://" & NTDSPATH
            set exists=GetObject(ldapntdspath)
                If err.number = 0 Then
                    Set oGuidGet = GetObject(GuidPath)
                    For Each objContainer in oGuidGet
                    oGuid = objContainer.Name
                    oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH  
                    Set objSitelink = GetObject(oGuidPath)
                    strFromServer = objSiteLink.Get("fromServer")
                    ispresent = Instr(1,strFromServer,oDCSelect,1)
                        if ispresent <> 0 then
                        Set objReplLinkVal = GetObject(oGuidPath)
                        end if
                    sitedelval = "CN=" & comparename & ",CN=Servers," & SiteVar & "," & SiteList
                    if sitedelval = ntdspath then
                        Set objguidpath = GetObject(guidpath)
                        Set objntdspath = GetObject(ldapntdspath)
                    end if
                End If
    Set AccountObject = GetObject(ckdcPath)
    temp=Accountobject.Get ("userAccountControl")
    AccountObject.Put "userAccountControl", "4096"
    Set objFRSSysvol = GetObject(SYSVOLval)
    Set objComputer = GetObject(ckdcPath)
    Set objConfig = GetObject(siteval)
    oDCSelect = Replace(oDCSelect, "CN=", "")
    msgval = "Metadata Cleanup Completed for " & oDCSelect
    msgbox  msgval,,"Notice."