Recipe 2.4 Removing a Domain

2.4.1 Problem

You want to remove a domain from a forest. You may need to remove a domain during test scenarios or if you are collapsing or reducing the number of domains in a forest.

2.4.2 Solution

Removing a domain consists of demoting each domain controller in the domain, which is accomplished by running dcpromo on the domain controllers and following the steps to remove them. For the last domain controller in the domain, be sure to select "This server is the last domain controller in the domain" in the dcpromo wizard so that the objects associated with the domain get removed. If you do not select that option for the last domain controller in the domain, take a look at Recipe 2.5 for how to remove an orphaned domain.

If the domain you want to remove has subdomains, you have to remove the subdomains before proceeding.

After all domain controllers have been demoted and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domain unless they were automatically removed via WINS deregistration and DDNS during the demotion process. The following commands can help determine if all entries have been removed:

> netsh wins server \\<WINSServerName> show name <DomainDNSName> 1c
> nslookup <DomainControllerName>
> nslookup -type=SRV _ldap._tcp.dc._msdcs.<DomainDNSName>
> nslookup <DomainDNSName>

You will also want to remove any trusts that have been established for the domain (see Recipe 2.22 for more details). For more information on how to demote a domain controller, see Recipe 3.3.

2.4.3 Discussion

The "brute force" method for removing a forest as described in the Discussion for Recipe 2.2 is not a good method for removing a domain. Doing so will leave all of the domain controller and server objects, along with the domain object and associated domain naming context hanging around in the forest. If you used that approach, you would eventually see a bunch of replication and file replication service (FRS) errors in the event log from failed replication events.

2.4.4 See Also

Recipe 2.19 for viewing the trusts for a domain, Recipe 2.22 for removing a trust, Recipe 3.3 for demoting a domain controller, MS KB 238369 (HOW TO: Promote and Demote Domain Controllers in Windows 2000), and MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List