At the last Netpro DEC in Las Vegas, during my presentation about "Active Directory Disaster Recovery" (get the preso HERE), I showed a demo of a utility (written in VBS) I have written that automates the cleanup of multiple DCs within a forest/domain. I received great feedback from people after they saw the demo, and they wanted to have that utility.
The main reasons I have never released this utility are that:
- It was not finished yet at that moment
- It contained some bugs I needed to take care of
- [THE REAL REASON] The script is freakin’ dangerous!!! It can whack your Active Directory forest with a click before you can say: "ohhhhh sh!t…" A fellow MVP even called it a "screw your forest with a click" script. I’m not going to disagree with him because he is correct, especially if you do not know what you are doing.
When I had some spare time I removed the bugs I had found (no guarantee the script has no bugs left!) and I also updated the script to work in a Windows Longhorn Server Active Directory forest/domain.
Before continuing, let’s first throw in a DISCLAIMER for this post and this "Active Directory Metadata Cleanup Utility":
!!! DISCLAIMER/REMARKS !!!:
- The script is freeware, you are free to distribute it, but always refer to this website as the location where you got it
- This script is really really really dangerous!
- This script is furnished "as is". No warranty is expressed or implied!
- Always test first in lab environment to see if it meets your needs!
- Use this script at your own risk!
- I do not warrant this script to be fit for any purpose, use or environment
- I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs.
- I do not guarantee the script will not damage or destroy your system(s), environment or whatever.
- I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
- If you do not accept these terms do not use the script and delete it immediately!
Best use of this script:
- During Active Directory Disaster Recovery
Supported Environments:
- Windows 2000 Server AD
- Windows Server 2003 AD
- Windows Longhorn Server AD
Capabilities of this script:
- Cleanup AD metadata of:
  - A single domain controller (specified through command-line or input file)
  - Multiple domain controllers (specified through input file)
  - A crap load of domain controllers, except for a few domain controllers (specified through input file)
  - A domain in the forest with no domain controllers (specified through command-line)
What Active Directory metadata is cleaned (can be tuned through the INI file):
- Connection objects pointing to domain controller(s) to be removed
- Server object of domain controller(s) to be removed
- SYSVOL replica set membership subscriptions for domain controller(s) to be removed (both NTFRS and DFS-R)
- NTFRS Connection Objects pointing to domain controller(s) to be removed that participate in DFS replication through NTFRS
- Custom DFS replica set membership subscriptions replicated through NTFRS of domain controller(s) to be removed
- DFS-R Connection Objects pointing to domain controller(s) to be removed that participate in DFS replication through DFS-R
- Custom DFS replica set membership subscriptions replicated through DFS-R of domain controller(s) to be removed
- DFS root membership subscriptions (partially only, additional manual action needed) of domain controller(s) to be removed
- Computer accounts of domain controller(s) to be removed
- Reports that manual cleanup might be needed for:
Output:
Usage:
| ################################################################################
| ===>>> !!! Active Directory Metadata Cleanup Utility !!! <<<===
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| DISCLAIMER : The script is freeware, you are free to distribute it, but always refer to this website as the location where you got it
| : This script is really really really dangerous!
| : This script is furnished ‘as is’. No warranty is expressed or implied!
| : Always test first in lab environment to see if it meets your needs!
| : Use this script at your own risk!
| : I do not warrant this script to be fit for any purpose, use or environment
| : I do not guarantee the script does not have bugs
| : I do not guarantee the script will not damage or destroy your system(s), environment or whatever.
| : I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
| : If you do not accept these terms do not use the script and delete it immediately!
| SUPPORTS ACTIVE DIRECTORY RUNNING ON:
| : Windows 2000 Server
| : Windows Server 2003
| : Windows Server 2007 Codename ‘Longhorn’
| USAGE: CSCRIPT AD-Metadata-CleanUp-Util.vbs <arguments>
| <arguments> : /GENERATEINI /TARGETDC /MODE /REMOVEDC /REMOVEDOMAIN /FORCE /USER /PWD
| /GENERATEINI : OPTIONAL, this generates the default INI file
| The name of the INI file is specified in the ‘cIniFile’ constant (AD-Metadata-CleanUp-Util.ini)
| : example /GENERATEINI
| /TARGETDC : OPTIONAL, this defines the DC the script is run against
| : If not specified localhost is assumed!
| : example /TARGETDC:TARGETDC.DOMAIN.COM
| /MODE : MANDATORY, this defines the mode that will be used
| : Modes available: CLEANUPDC or RECOVERY or CLEANUPDOMAIN
| : example /MODE:CLEANUPDC
| : example /MODE:RECOVERY
| : example /MODE:CLEANUPDOMAIN
| /REMOVEDC : OPTIONAL, this defines a SINGLE DC to clean the AD metadata
| : Only used with /MODE:CLEANUPDC
| : If not used, the key ‘DCsINclude’ in the INI file must be specified
| : to clean the AD metadata of the DCs specified in ‘DCsINclude’!
| : If not used, the key ‘DCsEXclude’ in the INI file must be specified
| : to clean the AD metadata of ALL DCs except the ones specified in
| : ‘DCsEXclude’! Only available with /MODE:RECOVERY
| : example /REMOVEDC:REMOVEDC.DOMAIN.COM
| /REMOVEDOMAIN : OPTIONAL, this defines a SINGLE DOMAIN to clean the AD metadata
| : Only used with /MODE:CLEANUPDOMAIN
| : example /REMOVEDOMAIN:DOMAIN.COM
| /FORCE : OPTIONAL, this distinguishes between a test run or for real
| : Options available: YES or NO or nothing
| : If /FORCE is NOT specified -> test run
| : If /FORCE is specified -> test run
| : If /FORCE:NO is specified -> test run
| : If /FORCE:YES is specified -> AD metadata WILL be cleaned!
| : example /FORCE:YES
| : example /FORCE:NO
| : example /FORCE
| /USER : OPTIONAL, this defines the username and its domain to run the script with
| : If not specified current username is assumed!
| : example /USER:DOMAIN\JORGE
| /PWD : OPTIONAL, this defines the password that belongs to the username
| : If not specified current password is assumed!
| : Mandatory if /USER is specified!
| : example /PWD:verystrongpassword
| EXAMPLES : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDC /REMOVEDC:REMOVEDC.DOMAIN.COM /FORCE:NO
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDC /REMOVEDC:REMOVEDC.DOMAIN.COM /FORCE:YES
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDC /FORCE:NO
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDC /FORCE:YES /USER:DOMAIN\JORGE /PWD:mypassword
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:RECOVERY /FORCE:NO
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:RECOVERY /FORCE:YES
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDOMAIN /REMOVEDOMAIN:DOMAIN.COM /FORCE:NO
| : CSCRIPT AD-Metadata-CleanUp-Util.vbs /TARGETDC:TARGETDC.DOMAIN.COM /MODE:CLEANUPDOMAIN /REMOVEDOMAIN:DOMAIN.COM /FORCE:YES
| REMARKS : For readability, the usage is also available in ‘AD-Metadata-CleanUp-Util.log’
| ################################################################################
REMARKS:
- The script requires the usage of the INI file
- Before the script will run you MUST execute: CSCRIPT AD-Metadata-CleanUp-Util.vbs /GENERATEINI
- In the INI file ALL metadata cleanup is disabled by default!!! (<OPTION>=NO)
- To enable the cleanup of a certain option it must be enabled!!! (<OPTION>=YES)
- Be aware that the cleanup of certain metadata depends on the cleanup of other metadata. For example: if you want to clean up the server object of a domain controller you must enable the cleanup of server objects AND connection objects!!! There is no check for this; it just runs, but it (might) fail
- Although the INI file specifies which AD metadata to clean up, the argument /FORCE:YES must be specified to clean up for real. If it is not specified the script will do a test run
- The script requires two confirmations before continuing!
- For the objects deleted, the script exports their information to LDF files before the actual deletion. This information might still be needed later for some reason if a DC held additional roles (e.g. RIS stores additional information below the computer account of the domain controller)
- The script does not check if (a) domain controller(s) specified is/are alive or not, it just executes
- The script does not check if the objects of (a) domain controller(s) exist or not, it just executes
- TIP: always check the LOG file!!!!!!!!!!!!
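The cleanup steps listed earlier (connection objects pointing at the DC, its server object, its SYSVOL replica set membership for NTFRS and DFS-R, and its computer account) together with the safeguards from these remarks (test run unless forced, LDF export before every deletion, operator confirmation) as one added PowerShell example. This is not Jorge's VBS utility and is not code from the post; it assumes the RSAT ActiveDirectory module and ldifde.exe are available, that the caller holds Enterprise Admin rights, that the removed DC's DNS suffix is its AD domain name, and it reuses the post's example host names ROOTDC001.ADCORP.LAN and CHLDDC001.CHILD.ADCORP.LAN. It also adds one check the post says its script does not do: it refuses to run if the DC still answers on the network.

```powershell
<#
  Added example, not the post's VBS utility: inventory-first AD metadata cleanup for
  ONE dead domain controller with the RSAT ActiveDirectory module and ldifde.exe.
  Without -Force it only reports the objects it would delete (the post's "test run").
  Assumptions not taken from the post: RSAT is installed, the caller holds Enterprise
  Admin rights, the removed DC's DNS suffix equals its AD domain name, and the host
  names below are the post's own example names.
#>
param(
    [string]$TargetDC = 'ROOTDC001.ADCORP.LAN',        # DC the script runs against
    [string]$RemoveDC = 'CHLDDC001.CHILD.ADCORP.LAN',  # DC whose metadata is removed
    [switch]$Force,                                     # omit it for a test run
    [string]$ExportDir = (Join-Path $PWD 'ldf-export')
)
Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

$configNC = (Get-ADRootDSE -Server $TargetDC).configurationNamingContext
$dcShort, $dcDomain = $RemoveDC -split '\.', 2
$domainNC = 'DC=' + ($dcDomain -replace '\.', ',DC=')   # assumption: DNS name == AD domain name
$domainDC = $dcDomain   # domain-NC lookups: let the DC locator pick a surviving DC of that domain

# Guard the post's utility does not have: a DC that still answers should be demoted, not scrubbed.
if (Test-Connection -ComputerName $RemoveDC -Count 1 -Quiet) {
    throw "$RemoveDC still responds on the network; refusing to clean its metadata."
}

function Find-One([string]$Server, [string]$Base, [string]$Filter) {
    # One object or $null; a missing container (e.g. no DFS-R on Windows 2000/2003) is not an error.
    try { Get-ADObject -Server $Server -SearchBase $Base -LDAPFilter $Filter -ErrorAction Stop | Select-Object -First 1 }
    catch { $null }
}

# Server object and its NTDS Settings live in the forest-wide configuration NC.
$server = Find-One $TargetDC "CN=Sites,$configNC" "(&(objectClass=server)(cn=$dcShort))"
if (-not $server) { throw "No server object named $dcShort under CN=Sites,$configNC" }
$ntdsDN = "CN=NTDS Settings,$($server.DistinguishedName)"

# Inbound connection objects of OTHER DCs whose fromServer points at the dead DC.
# The post notes the server object cannot go before these, so they are deleted first.
$connections = @(Get-ADObject -Server $TargetDC -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=$ntdsDN))")

# SYSVOL replica set membership in the domain NC: NTFRS member and/or DFS-R member.
$frsMember  = Find-One $domainDC "CN=File Replication Service,CN=System,$domainNC" "(&(objectClass=nTFRSMember)(cn=$dcShort))"
$dfsrMember = Find-One $domainDC "CN=DFSR-GlobalSettings,CN=System,$domainNC" "(&(objectClass=msDFSR-Member)(cn=$dcShort))"

# Computer account; its subtree holds the NTFRS/DFS-R subscriptions (and RIS data, if any).
$computer = Find-One $domainDC $domainNC "(&(objectClass=computer)(sAMAccountName=$dcShort`$))"

# Build the deletion plan in dependency order: connections -> server -> replica members -> computer.
$plan = @()
foreach ($c in $connections) { $plan += [pscustomobject]@{ Server = $TargetDC; DN = $c.DistinguishedName; Recursive = $false } }
$plan += [pscustomobject]@{ Server = $TargetDC; DN = $server.DistinguishedName; Recursive = $true }
foreach ($m in @($frsMember, $dfsrMember) | Where-Object { $_ }) {
    $plan += [pscustomobject]@{ Server = $domainDC; DN = $m.DistinguishedName; Recursive = $true }
}
if ($computer) { $plan += [pscustomobject]@{ Server = $domainDC; DN = $computer.DistinguishedName; Recursive = $true } }

Write-Host "Objects that would be deleted for $RemoveDC, in this order:"
$plan | ForEach-Object { Write-Host "  $($_.DN)" }
if (-not $Force) { Write-Host 'Test run only; re-run with -Force to delete.'; return }

# Same idea as the post's confirmations: the operator must type the FQDN back before anything goes.
if ((Read-Host "Type $RemoveDC to confirm permanent deletion") -ne $RemoveDC) { throw 'Confirmation failed; nothing deleted.' }

$n = 0
foreach ($item in $plan) {
    $n++
    $ldf = Join-Path $ExportDir ('{0:D2}.ldf' -f $n)
    # Export the subtree to LDF before deleting, as the post's utility does (ldifde: -s server, -d root DN, -p scope, -f file).
    & ldifde.exe -s $item.Server -d $item.DN -p subtree -f $ldf | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde export of $($item.DN) failed; stopping before deletion." }
    $recursive = [bool]$item.Recursive
    Remove-ADObject -Server $item.Server -Identity $item.DN -Recursive:$recursive -Confirm:$false
    Write-Host "Deleted $($item.DN) (exported to $ldf)"
}
```

Run it once without -Force and read the printed plan against the log of the DC's last known site and domain; the LDF files it writes on a forced run are what you fall back on if, as the remark about RIS above warns, something below the computer account turns out to be needed later.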
Example 1: cleaning ALL the metadata of ONE DC
See attachment: Ex-1_AD-Metadata-CleanUp-Util_ONE-DC.log
Explanation:
- Script running on and against ROOTDC001.ADCORP.LAN
- Cleanup AD metadata of DC: CHLDDC001.CHILD.ADCORP.LAN
Example 2: cleaning ALL the metadata of ONE DOMAIN
See attachment: Ex-2_AD-Metadata-CleanUp-Util_ONE-DOMAIN.log
Explanation:
- Script running on and against ROOTDC001.ADCORP.LAN
- Cleanup AD metadata of DOMAIN: CHILD.ADCORP.LAN
Example 3: cleaning ALL the metadata of MULTIPLE DCs
See attachment: Ex-3_AD-Metadata-CleanUp-Util_MULTIPLE-DCs.log
Explanation:
- Script running on and against ROOTDC001.ADCORP.LAN
- Cleanup AD metadata of DC: ROOTDC018.CHILD.ADCORP.LAN, ROOTDC019.CHILD.ADCORP.LAN, ROOTDC020.CHILD.ADCORP.LAN
Example 4: cleaning ALL the metadata of ALL DCs EXCEPT ONE OR MORE
See attachment: Ex-4_AD-Metadata-CleanUp-Util_ALL-DCs-EXCEPT-ONE-OR-MORE.log
Explanation:
- Script running on and against ROOTDC001.ADCORP.LAN
- Cleanup AD metadata of DC: ALL DCs in the forest except ROOTDC001.ADCORP.LAN
- During a DR scenario as described in Microsoft’s Disaster Recovery whitepaper you can specify here EACH domain controller in EACH domain that must remain. All others will be cleaned and therefore need to be re-promoted. If a domain controller is not specified as excluded from cleanup it will be removed, no matter what domain it belongs to!
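To see what a RECOVERY run in this "all DCs except" mode would remove before anything is deleted, an added PowerShell example that is not the post's utility: it reads DCsEXclude from the INI file, lists every DC in every domain of the forest, prints the keep and remove sets, and warns for any domain that would be left with no domain controller at all. Assumptions not taken from the post (which does not document the INI syntax): the key holds a comma-separated list of DC FQDNs, and the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not the post's VBS utility: preview the RECOVERY-mode removal set.
# Assumption (the post does not document the INI syntax): DCsEXclude=fqdn1,fqdn2,...
param([string]$IniFile = 'AD-Metadata-CleanUp-Util.ini')   # file name taken from the post's usage text
Import-Module ActiveDirectory -ErrorAction Stop

function Get-IniValue([string]$Path, [string]$Key) {
    # Minimal INI reader: the first "Key=value" line wins; ";" comment lines are skipped.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*;') { continue }
        if ($line -match ('^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*?)\s*$')) { return $Matches[1] }
    }
    return $null
}

$raw  = Get-IniValue -Path $IniFile -Key 'DCsEXclude'
$keep = @(($raw -split '\s*,\s*') | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
if ($keep.Count -eq 0) { throw 'DCsEXclude is empty: a RECOVERY run would remove EVERY DC in the forest.' }

# Every DC of every domain in the forest, asked of a DC of that domain.
$allDCs = foreach ($dom in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        ForEach-Object { [pscustomobject]@{ Host = $_.HostName.ToLower(); Domain = $dom.ToLower() } }
}

# A typo in DCsEXclude silently turns "keep this DC" into "remove this DC"; catch it up front.
$unknown = @($keep | Where-Object { $_ -notin $allDCs.Host })
if ($unknown.Count -gt 0) { throw "DCsEXclude names DCs not found in the forest: $($unknown -join ', ')" }

$remove = @($allDCs | Where-Object { $_.Host -notin $keep })
foreach ($dom in ($allDCs.Domain | Sort-Object -Unique)) {
    if (-not ($allDCs | Where-Object { $_.Domain -eq $dom -and $_.Host -in $keep })) {
        Write-Warning "Domain $dom keeps no DC at all; every DC in it would be scrubbed."
    }
}
Write-Host "Would keep  : $($keep -join ', ')"
Write-Host "Would remove: $($remove.Host -join ', ')"
```

The per-domain warning is the point of the example: the post's mode removes everything not excluded regardless of domain, so a forgotten entry for one domain takes that whole domain down with it.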
REMARKS:
- All the log files contain the command line used, all the information needed for these actions and all the actions that occurred!
!!!!!!!!!!! ENJOY, BUT PLEASE BE VERY CAREFUL !!!!!!!!!!!
If you use this script and you find something that might need to be changed or even added, feel free to contact me through this blog site!
UPDATE: Because this script is SOOOOOOOOO dangerous, I decided to NOT release it!
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————