Liongard

When the AD inspector queries Active Directory for user, computer, or group objects, they may fail with the error message “The server is not operational.” This typically occurs when a domain controller (DC) has been decommissioned improperly, leaving behind stale references in Active Directory or DNS that point to the removed DC.

___________________________________________________________

Inspection logs display “The server is not operational” or similar errors when trying to retrieve AD objects.

AD queries suddenly fail after a domain controller has been removed from the environment.

- Inspection logs display “The server is not operational” or similar errors when trying to retrieve AD objects.
- AD queries suddenly fail after a domain controller has been removed from the environment.

If a domain controller was previously the main or only DC in the environment and it was not demoted correctly, references to it can remain in:

Active Directory Sites and Services (specifically under “Servers” and “NTDS Settings”)

AD metadata (replication objects referencing the old DC)

- Active Directory Sites and Services (specifically under “Servers” and “NTDS Settings”)
- DNS (stale SRV and A records)
- AD metadata (replication objects referencing the old DC)

When AD queries attempt to discover an available domain controller, they may try to communicate with the removed DC and fail.

Remove Stale References in Active Directory

- Open Active Directory Users and Computers and ensure the removed domain controller does not appear under the domain’s “Domain Controllers” container.
- In Active Directory Sites and Services, expand “Sites,” locate the old server under “Servers,” and remove it. If prompted for metadata cleanup, confirm to fully remove its references.
- Delete the associated “NTDS Settings” object for that server if it remains. ​

- In your DNS management console, remove any stale entries (A or SRV records) that reference the decommissioned DC.
- Verify zones such as <code>_msdcs.[your domain name]</code> and <code>[your domain name]</code> for leftover records. ​

- Use tools like <code>repadmin</code> (e.g., <code>repadmin /replsummary</code>, <code>repadmin /showrepl</code>) to check for replication errors.
- Confirm that all remaining domain controllers replicate successfully and that none is referencing the decommissioned DC. ​

- If possible, specify a valid domain controller or domain in your application or service configuration. This helps bypass stale references until your environment is fully cleaned up.
- Once metadata cleanup is complete, AD queries should automatically locate the appropriate, operational domain controller.

1. Remove Stale References in Active Directory
 - Open Active Directory Users and Computers and ensure the removed domain controller does not appear under the domain’s “Domain Controllers” container.
 - In Active Directory Sites and Services, expand “Sites,” locate the old server under “Servers,” and remove it. If prompted for metadata cleanup, confirm to fully remove its references.
 - Delete the associated “NTDS Settings” object for that server if it remains. ​
2. Clean Up DNS Records
 - In your DNS management console, remove any stale entries (A or SRV records) that reference the decommissioned DC.
 - Verify zones such as <code>_msdcs.[your domain name]</code> and <code>[your domain name]</code> for leftover records. ​
3. Verify Replication
 - Use tools like <code>repadmin</code> (e.g., <code>repadmin /replsummary</code>, <code>repadmin /showrepl</code>) to check for replication errors.
 - Confirm that all remaining domain controllers replicate successfully and that none is referencing the decommissioned DC. ​
4. Ensure Proper DC Discovery
 - If possible, specify a valid domain controller or domain in your application or service configuration. This helps bypass stale references until your environment is fully cleaned up.
 - Once metadata cleanup is complete, AD queries should automatically locate the appropriate, operational domain controller.

Monitor Logs: Keep an eye on event logs and application logs for any continued reference to the removed server.

Regular Maintenance: Periodically review AD Sites and Services, DNS zones, and replication health to ensure no stale data accumulates.

- Monitor Logs: Keep an eye on event logs and application logs for any continued reference to the removed server.
- Regular Maintenance: Periodically review AD Sites and Services, DNS zones, and replication health to ensure no stale data accumulates.

Microsoft Documentation on <a href="https://learn.microsoft.com/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup" rel="nofollow noopener noreferrer" target="_blank">Metadata Cleanup</a> (searchable on the Microsoft Docs site)

Microsoft Documentation on <a href="https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-manually-removing-a-domain-controller-server/280564" rel="nofollow noopener noreferrer" target="_blank">Removing a Domain Controller from a Domain</a> (searchable on the Microsoft Docs site)

- Microsoft Documentation on <a href="https://learn.microsoft.com/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup" rel="nofollow noopener noreferrer" target="_blank">Metadata Cleanup</a> (searchable on the Microsoft Docs site)
- Microsoft Documentation on <a href="https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-manually-removing-a-domain-controller-server/280564" rel="nofollow noopener noreferrer" target="_blank">Removing a Domain Controller from a Domain</a> (searchable on the Microsoft Docs site)

Disclaimer: Always ensure you have valid backups before making changes to Active Directory or DNS. If unsure, contact Microsoft Support or your AD administrator for assistance.

Active Directory | “The server is not operational” error when querying Users/Computers/Groups

Summary

Symptoms

Root Cause

Resolution

Additional Recommendations

Related Articles & References