Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system.
, type Ntdsutil and press ENTER
Open Active Directory Users and Computers (dsa.msc). Find the domain controller whose metadata you want to clean up (it will be in the Domain Controllers OU) and then click Delete. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
For a quick overview, let's look in Active Directory Sites and Services at which DCs we have and what the containers are named. Open an elevated Command Prompt; Type 'ntdsutil'. ntdsutil; Type 'metadata cleanup'. metadata cleanup
Active Directory Metadata cleanup step by step.
1. Start the Ntdsutil Tool: Open a command prompt as an administrator. At the prompt, type ntdsutil and press enter. C:\Users\serveradmin>ntdsutil.
2. At the Ntdsutil prompt, type the metadata cleanup command and press enter. ntdsutil: metadata cleanup
For Windows 2000, you must use ADSIEdit to remove the Computer Account and the FRS Object from Active Directory. Use ADSIEdit to delete the computer account. To do this, follow these steps: Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
Removing objects from Active Directory. After the metadata, remove the server's objects from Active Directory: once in the Active Directory Sites and Services management console, then in the Active Directory Users and Computers management console under Domain Controllers. Active Directory asks for several confirmations here, one of which asks for the reason the DC is being removed. Here you confirm that the DC is permanently offline and no longer by means of
Follow these steps to clean up the directory from a failed domain controller:
1. Open a command prompt, type ntdsutil and press Enter.
2. At the Ntdsutil prompt, type metadata cleanup and press Enter.
3. At the Metadata Cleanup prompt type connections and press Enter.
4. At the Server Connections prompt, type connect to server KTM-DC02-2K
You may be wondering why I need to clean the metadata manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion. When you force a demotion, Active Directory basically ignores other DCs and does its own thing. Because the other DCs are not aware that you removed the demoted DC from the.
After starting Ntdsutil, enter the command metadata cleanup
After the Active Directory metadata has been cleaned up, you should also clean up the entries in DNS. Remove all SRV records that still reference the old server from the domain's DNS zone. Proceed carefully when removing them and do not delete any data belonging to other domain controllers. Remove.
3 Ways To Keep Active Directory Clean with PowerShell. Get rid of unused AD accounts quickly. By Adam Bertram; 04/30/2015; One of the most popular PowerShell topics I see in the community relates to finding Active Directory (AD) computers and users based on the age of the account. Many people have a need to find stale computer and user accounts that are no longer needed. Increasingly, these.
2. Remove the old computer account by using the Active Directory Sites and Services tool.
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. Use ADSIEdit to remove old computer records from Active Directory:
a. OU=Domain Controllers,DC=domain,DC=local.
b. CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loca
Open the Active Directory Sites and Services console, expand the Sites object till you find the DC you want to delete. Here, right-click the NTDS Settings icon on the DC, and then click Delete. Confirm the deletion by pressing Yes. Confirm again while accepting the warnings by clicking the Delete button
Cleaning up the metadata is required whenever you are not able to cleanly remove a domain controller from Active Directory. This is usually performed when a domain controller crashes and is not coming back or when demoting a domain controller fails and the force option is used where it is not cleanly removed.
Metadata cleanup is a process which is required to remove a failed DC from the domain which can't be demoted gracefully. Does metadata cleanup remove all the entries from AD? The answer is NO, it doesn't remove all the records from AD
When you perform metadata cleanup, you will delete all data about the failed DC from Active Directory Domain Services (AD DS). This correctly cleans replication metadata, including the objects in File Replication Service (FRS) and Distributed File System (DFS)
Step 1: Removing metadata via Active Directory Users and Computers. Log in to DC server as Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers; Expand the Domain > Domain Controllers; Right click on the Domain Controller you need to manually remove and click Delet
I have been requested to clean up Active Directory and also DNS for some servers which were decommissioned a while back (Server was not an AD or Exchange server). I have been looking into the best way to do this but can't really find anything that doesn't reference another AD server in the process... Maybe I am overthinking it. Any help would be.
Type 'q' to quit and press Enter. The Metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
Type remove selected server and press Enter. You will receive a warning message. Read it, and if you agree, press Yes.
metadata cleanup: Remove selected server CN=SERVER200,CN=Servers,CN=Default-First-Site-Name
NTDSUTIL is a command line tool that allows you to perform some of the more advanced Active Directory maintenance tasks. Below are the steps needed to remove a failed or offline Domain Controller from your environment. TIP: NTDSUTIL does not require the full command to be entered; you only have to enter enough of the command that is unique. For Example, instead of typing metadata cleanup you.
The Windows Server 2008 version of Active Directory Users and Computers (ADUC) introduced a convenient one click approach to performing metadata cleanup. To take advantage of this feature, follow these steps: If you are using the Windows Server 2003 version of ADUC, skip down to the NTDSUtil version of these steps. The Windows Server 2003 version of ADUC will not perform a metadata cleanup for.
This manual process is known as metadata cleanup. Metadata cleanup removes all of the references to the domain controller from Active Directory so that things like replication continue to work without error. Depending on what version of Windows you're working with, this can be as simple as deleting the domain controller's computer account with AD Users and Computers, or it might require a trip to the command line to put ntdsutil to work
As you navigate the Active Directory, things should begin to look a lot more familiar. As you can see in Figure 4, ADSI Edit gives you the ability to move, delete, rename, or otherwise modify.
Delete orphan DCs from Active Directory. The following commands should be run to clean up orphan domains and domain controllers.
At the command prompt, type ntdsutil
ntdsutil: metadata cleanup
Metadata cleanup: connections
Server connections: connect to server yourserver.yourdomain.com (i.e. the root forest domain controller)
Binding to yourserver.yourdomain.com .
Connected to yourserver.yourdomain.com using credentials of locally logge
Active Directory metadata contains a lot of data, and not all of it is interesting, but with a little object manipulation and filtering you can get the useful information out. This entry was posted in ActiveDirectory and tagged ActiveDirectory, AD, Attributes, PowerShell by edemilliere.
Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read.
Open Active Directory Users and Computers. Right click on your top level domain being cleaned and select Properties. From the Properties windows, select the Security tab
When you install a version of Certificate Authority that is Active Directory-integrated (i.e. Enterprise Root or Enterprise Subordinate) the following 6 objects are created/modified in the Active Directory database: Name: <CA Common Name>. Type: certificateAuthority. LDAP Path: CN=AIA,CN=Public Key.
3. You want to go thru the Forcing the Removal of a Domain Controller procedure as specified by Microsoft. You can't just delete the old computer object and have things work properly. You can't do the dcpromo /forceremoval portion because the old computer is already gone, so just ignore that part
Follow these steps to remove Exchange Server using ADSI Edit. Log in to the domain controller with an administrative account. Navigate to Start -> Run -> ADSIEdit.msc and hit enter. Click on Action -> Connect to -> Select Configuration under Select a well known naming Context:
If you're removing the servers themselves, then don't forget to delete the computer objects from Active Directory. Then remove them from your internal DNS and external DNS if applicable. Once you've deleted them from Active Directory, you may need to force a synchronization of your AD between multiple domain controllers. If you delete them and attempt to reinstall too soon before AD has synchronized, it is possible you encounter an error where when reinstalling on a new server (using.
Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. The Procedure:
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the.
active directory domain services could not transfer the remaining data in directory partition; dcpromo /forceremoval ; metadata cleanup; SBS 2011 dcpromo; cn=infrastructure,dc=forestdnszones,dc=domain,dc=int; dcpromo.log location; event id 2022;
How to Fix The Directory Service Is Missing Mandatory Configuration Information. Fixing The Directory Service Is Missing Mandatory Configuration.
To clean up server metadata by using Active Directory Users and Computers.
Step 1: Open Run and type dsa.msc and click OK.
Step 2: Select the Domain Controller whose metadata you want to clean up, and then click Delete.
Step 3: Select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then.
In this article I will explain how to clean a crashed domain controller out of the Active Directory database (metadata cleanup). In the normal procedure, if we want to remove a DC, we can do so with the dcpromo command on 2000-2003 DCs, and on 2008 and 2012 DCs by removing the Active Directory Domain Services role. Whether it is the Master DC or an Additional DC, it is removed with this procedure
1.1) Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
1.2) Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then click Operations Master.
1.3) The domain controller that currently holds this role is identified in the Current Operations Master frame. NOTE: If this changed.
Active Directory Trust Relationships. Implement an Active Directory directory service forest and domain structure. Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and crossforest trusts. Prospects of globalization and international commerce have increased the possibility of companies operating multiforest network enterprise structures.
Metadata cleanup is required when you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you began to promote a member server to be a domain controller and failed, or when you cannot demote the domain controller gracefully, or when the DC has failed or crashed due to hardware failure.
Netdom is a command line tool used to manage Active Directory domains and trusts. The Netdom tool is built into Windows Server 2003 and up.
1. On any domain controller open the command prompt. On Windows 2012 server click the start button and type cmd; Windows will search and return the command prompt. Click on Command Prompt.
2. From the command prompt type netdom query fsmo and hit enter
On the Remove Roles and Features Wizard, click on the Active Directory Domain Services box to clear the check box. When the Remove Roles and Features dialog box Remove features that require Active Directory Domain Service pops up, select Remove Features. The Validation Results box will appear in the Remove Roles and Features Wizard dialog box
Windows 2019 Active Directory Metadata Cleanup. Hello everyone, in this post I will try to explain the Metadata Cleanup procedure to you. If you ask why we need Metadata Cleanup: when any hardware or software problem occurs on an Additional or Primary Domain Controller server in our environment, the Domain Controller role on this server.
ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: · ADSIEDIT.DLL · ADSIEDIT.MSC Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary
What is NETDOM? A: NETDOM is a command-line tool that allows management of Windows.
ntdsutil: metadata cleanup.
metadata cleanup: connections.
server connections: connect to server <DCmitFSMO>
Binding to <DCmitFSMO>
Connected to <DCmitFSMO> using credentials of locally logged on user.
server connections: quit.
metadata cleanup: select operation target.
select operation target: list domains.
Found 3 domain(s)
0 - DC=<localdomain>,DC=la
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge Base Article: Q312862
Problem: Missing Expected Value.
Base Object: CN=OLDDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domainName,DC=loc.
Base Object Description: SYSVOL FRS Member Object
Value Object Attribute Name: serverReferenc
For example, you want to check the user attribute values for a built-in domain administrator account using the ADSIEdit. Open the adsiedit.msc console and connect to the Default naming context. In the AD hierarchy, find the user object and open its Properties. You can see the object has all the attributes that are defined in the user.
Just like any software, your Exchange Server can also get beyond repair and recovery for a host of reasons. In such a case, it is best you remove that dead Exchange server from Active Directory
As part of the demotion process, the wizard removes the domain controller's configuration data from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services. The information is in the following location in Active Directory: CN=NTDS Settings,CN.
Clean up AD metadata; Clean up DNS; Power down the SBS server for good;
Step 1. Back up the Certificate Authority role and remove it. Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to.
When promoting a server to domain controller fails, you are still left with its metadata inside the Active Directory domain. Because of this, you may face some of the following issues: When you again promote the same server with the same NetBIOS name, you will fail because the same objects still reside in Active Directory; You won't be able to promote a new server to domain controller because.
Exchange 2013: How to completely remove all settings from Active Directory. If you want to completely wipe all traces of Exchange Server 2013 from your Active Directory then follow these simple instructions. This has worked thus far for me but perhaps I missed something so feel free to provide any.
Important tools in Active Directory
Adsiedit.msc: Used to add, move and delete objects; and to change or delete object attributes.
Dcdiag.exe: Used to determine the state of domain controllers in the forest/enterprise.
Netdom.exe: Can be used to manage domains and trust relationships.
Repadmin.exe: Used to monitor, diagnose, and manage replication issues.
Esentutl.exe: This is to repair ntds.
Directory Service by Eric Jansen on Dec 2013. Are Your DNS Application Partitions Corrupt? Hello all, Eric here again. Just recently I was at a customer site in Japan for a few weeks and they had a number of interesting issues, so while I have some time here in the Naha airport, I thought I'd write about a couple of them. One issue that we encountered across a number of their domains was.
To remove dead Exchange 2003 servers from the Exchange System Manager and Active Directory, follow the steps below:
1. Open Exchange System Manager
2. Expand the Administrative group until you reach the required server
3. Right click on the server -> All Tasks -> Remove Server
4. Confirm by clicking Yes. If this did not hel
This post will help you clean up that aftermath in your domain controller without having to reinstall your entire infrastructure. Removing AD Configuration. The list of Exchange servers on the domain is stored in the Active Directory configuration. Follow the steps below to remove the obsolete server: 1. Log on to the Domain Controller. 2. From the Start menu select Run and enter adsiedit.msc.
The KB article to manually clean up the metadata is 216498. The TechNet script to clean up the metadata is linked here addmvb04. Once you have cleaned things up you still have to go into Active Directory Sites and Services and remove the lost DC from the site in which it belonged. This is a requirement even if you had a successful demotion. The.
The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data.
You should see it was incremented by 100,000. ADSIEdit would also show you the same information in the Constructed edit view. AD Database Maintenance: Now in Server 2008 - 2012 you can go into services.msc and stop the Active Directory Domain Services service to bring AD offline. This will allow you to perform your maintenance to AD while it is.
Why Metadata Cleanup? When a domain controller crashes or is removed from the network, Active Directory assumes that the domain controller is alive and you will see replication problems. This affects Microsoft Exchange Server and other mission critical applications which are dependent on AD. DcDiag and NetDiag will help us understand if there are any replication problems. Permission Requisites. The.
How to remove data in Active Directory after an unsuccessful domain controller demotion
SUMMARY. This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion. Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause.
In Windows Server 2008, and Windows Server 2008 R2, the administrator can remove the metadata for a server object by removing the server object in the Active Directory Users and Computers snap-in. In Windows Server 2003 and Windows 2000 Server, the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object
Start ADSIEdit. Expand the Domain NC container. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET. Expand CN=System. Right-click the Trust Domain object, and then click Delete. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps: Start Active Directory Sites and Services. Expand Sites
Active Directory: Delete a Failed Domain. To clean up metadata:
At the command line, type Ntdsutil and press ENTER.
C:\WINDOWS>ntdsutil
ntdsutil:
At the Ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
At the server connections.
When Active Directory objects are deleted, they are placed in the Deleted Objects container, also known as the AD recycle bin. By default, this container is not displayed to an administrator and it must be enabled manually either using a script or the LDP.exe utility. Following the enabling of the Active Directory recycle bin, there are several native methods to restore deleted accounts in a.
When I use metadata cleanup, I get the message that the domain is not managed! Please help! timo.
Timo Schmitt 2003-11-18 14:19:49 UTC.
So I have now tried once more to delete my old domain with metadata cleanup! But then I get the message: DsRemoveDsDomainW-Fehler 0x2162(Die angeforderte Domäne konnte nicht gelöscht werden, da.
Find answers to Any possible damage from metadata cleanup from the expert community at Experts Exchange. Active Directory; Windows Server 2003; Windows Server 2008. Last Modified: 2012-05-09.
We recently had a domain controller at a remote site that fell off the network and past the tombstone period. We attempted to gracefully remove the DC using DCPROMO.
To clean up the Active Directory metadata, start Ntdsutil in the Active Directory command prompt. The following steps are required:
1.) After starting Ntdsutil, enter the command metadata cleanup.
2.) Then enter connections.
3.) Enter the command connect to server <domain controller>.
4.) Enter the command quit to return to the metadata cleanup menu.
For information, modern Active Directory Best Practices can help you avoid having trouble with certificate errors in Exchange. Go here to see some information about modern AD Domain Naming best practices. If you follow that best practice when creating your AD environment, you won't have to worry so much about certificate errors in Exchange, as long as the Certificate you use has the Exchange.
Step 1: Removing metadata via Active Directory Users and Computers. Log in to DC server as Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers. Expand the Domain > Domain Controllers. Right click on the Domain Controller you need to manually remove and click Delete.
Usually, old user and computer accounts have to be deleted in order to clean up Active Directory and eliminate potential security threats, but occasionally a functional user/computer account can get deleted, which can obstruct the normal functionality of the IT environment. So, can you see why it is important to keep track of all account deletions in your Active Directory? In this article, I.
Some time ago I had the unfortunate job to do some manual cleaning of an old and since long disconnected (and not decommissioned) Exchange Server in Active Directory using adsiedit.msc, and this is not something one wants to do, I can promise you. Anyway, during the testing phase I had to make sure that certain keys and values in adsiedit.msc were safe to be deleted and to accomplish this I.
Active Directory, also known as NT Directory Services (NTDS), uses Extensible Storage Engine (ESE) technology as its underlying database. One component of all ESE database instances is known as the version store. The version store is an in-memory temporary storage location where ESE stores snapshots of the database during open transactions. This allows the database to roll back transactions.
The tombstoneLifetime attribute in Active Directory determines how long a deleted object remains in the Active Directory database (tombstone = gravestone) until it is permanently deleted or removed by the garbage collection process on a DC. Since Windows 2000 the tombstone lifetime was 60 days; with Service Pack 1 for Windows Server 2003 it was changed to.
The long-serving tools ADSIEdit and NTDSUTIL are still in use today. Since Windows Server 2008, however, there are much simpler methods. The metadata cleanup can, for example, be performed conveniently from your client. All you need for this are the RSAT tools on the admin machine. Run dsa.msc as administrator and you can follow the next steps. Similarly, you can.
Has anyone done this and not had to go back to clean any metadata up? The document doesn't list what functional level is required. I'm assuming it's just dependent on the OS? Tags: windows-server-2008 active-directory metadata. Asked Aug 3 '11 at 19:18 by Nixphoe; edited Aug 3 '11 at 19:39.
In Active Directory when you change something, it's replicated to other Domain Controllers regularly. It's a standard procedure that happens automatically in the background for you. It's a handy feature because you can have multiple DCs all over the world and have your users' data in sync. You can change almost anything on the DC nearest to you and be sure it will be the same value all over the.
Cleanup Active Directory (at least once a month). Over time, Active Directory will have obsolete users, computers and group accounts. To keep Active Directory secure and tidy you need to find these obsolete accounts and remove them. There are plenty of scripts and GUI tools available that help with finding and removing old accounts. I have some cleanup tools available on my tools and resource.
ManageEngine ADManager Plus is a unified web-based solution for all your Active Directory (AD), Exchange, Skype for Business, G Suite, and Office 365 management needs. It also offers more than 150 predefined reports, including reports on AD, Office 365, and NTFS permissions, a custom workflow structure to streamline AD operations, and automation for routine tasks such as AD cleanup.
The need to remove a (legacy) Exchange server using ADSIEdit could have several reasons. The method using ADSIEdit to remove an Exchange server should only be used carefully. The most common reasons are listed below:
The deinstallation didn't finish properly and left attributes or entries in Active Directory
The Exchange server is permanently offline
Exchang
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO.
This step-by-step guide takes you through 7 steps with things to include in an Active Directory Health Check (ADHC). It is roughly ordered by what is most important/should be done first, and proceeds in order to obtain more and more information as and when the time permits. Note: To make life easier, there are software packages out there like Quest's Spotlight on Active Directory (latest.
Active Directory Domain Services could not transfer the remaining data in directory partition FIX! 4/3/2015. Get this error? I feel your pain. The guide below worked for me and I think it will work for you too! Locate and copy the DN for the infrastructure master. Run Adsiedit.msc; Connect to the server which holds the infrastructure role (netdom query fsmo if you're not sure); Connect to CN.