Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.
However, Active Directory Sites and Services removes the metadata automatically only when you first delete the NTDS Settings object below the computer account in Dssite.msc.Īs long as you are using the Windows Server 2008 or newer RSAT versions of Dsa.msc or Dssite.msc, you can clean up metadata automatically for domain controllers running earlier versions of Windows operating systems. You can also use the Active Directory Sites and Services console (Dssite.msc) to delete a domain controller's computer account, which also completes metadata cleanup automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure. When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically.
In Active Directory Users and Computers, the Object tab of an object appears if you click View and then click Advanced Features. To verify this right-click the computer object or the NTDS Settings object, click Properties, click Object, and clear the Protect object from accidental deletion check box. If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure that the computer object and the NTDS Settings object for the domain controller are not protected against accidental deletion.