Recipe 3.6 Removing an Unsuccessfully Demoted Domain Controller

3.6.1 Problem

Demotion of a domain controller was unsuccessful or you are unable to bring a domain controller back online and you want to manually remove it from Active Directory.

3.6.2 Solution

The first step in the removal process is to run the following ntdsutil command, where <DomainControllerName> is a domain controller in the same domain as the one you want to forcibly remove:

> ntdsutil "meta clean" conn "co to ser <DomainControllerName>" q "s o t" "l d"
Found 2 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=emea,DC=rallencorp,DC=com

Select the domain of the domain controller you want to remove. In this case, I'll select 1 for the emea domain:

select operation target: sel domain 1

Now, list the sites and select the site the domain controller is in (I'll use 1 for MySite1):

select operation target: list sites
Found 4 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
1 - CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
2 - CN=MySite2,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
3 - CN=MySite3,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
select operation target: sel site 1

Next, select the server you want to remove; in this case, I'm choosing 0 for DC5:

select operation target: list servers for domain in site
Found 2 server(s)
0 - CN=DC5,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
1 - CN=DC9,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
select operation target: sel server 0

Type quit to get back to the metadata cleanup menu.

select operation target: quit
metadata cleanup:

Finally, remove the server:

metadata cleanup: remove selected server

You should receive a message stating that the removal was complete. If you get an error, check whether the server's nTDSDSA object (e.g., CN=NTDS Settings,CN=DC5,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com) is still present. If it is absent, dcpromo may have already removed it and the deletion simply has not replicated everywhere yet. If it is still present, try the ntdsutil procedure again; if that doesn't work, manually remove that object and then its parent object (e.g., CN=DC5).

You should follow these additional steps to remove all traces of the domain controller:

  1. Delete the CNAME record from DNS for <GUID>._msdcs.<RootDomainDNSName>, where <GUID> is the objectGUID for the server's nTDSDSA object. If scavenging is not enabled, you'll need to manually delete all associated SRV records. Delete any A and PTR records that exist for the server. When using Microsoft DNS, you can use the DNS MMC snap-in to accomplish these tasks.

  2. Delete the computer object for the server under OU=Domain Controllers,<DomainDN>. This can be done using the Active Directory Users and Computers snap-in.

  3. Delete the FRS member object for the computer contained under CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,<DomainDN>. This can be done using the Active Directory Users and Computers snap-in when "Advanced Features" has been selected from the View menu (so the System container will be displayed).
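A PowerShell audit of the leftovers the procedure above removes (nTDSDSA and server objects, the computer account, the FRS member object, and the DNS records), as an added example that is not part of the original recipe. It assumes the RSAT ActiveDirectory, DnsServer and DnsClient modules, a DNS server that still hosts the zones, and uses the recipe's DC5/MySite1 names as placeholders.

```powershell
# Added example, not from the recipe: audit the traces a forced DC removal
# leaves behind. Assumes the RSAT ActiveDirectory, DnsServer and DnsClient
# modules; DC5 / MySite1 / DC9 are placeholder names taken from the recipe.
Import-Module ActiveDirectory, DnsServer, DnsClient

$dcName    = 'DC5'
$siteName  = 'MySite1'
$dnsServer = 'DC9'                     # any DNS server still hosting the zones
$domain    = Get-ADDomain
$forest    = Get-ADForest
$configNC  = (Get-ADRootDSE).configurationNamingContext
$leftovers = [System.Collections.Generic.List[string]]::new()

function Test-AdObjectExists([string]$dn) {
    # Get-ADObject throws when the DN does not exist; treat that as "absent".
    try { [bool](Get-ADObject -Identity $dn -ErrorAction Stop) } catch { $false }
}

# 1. Server and nTDSDSA objects in the Configuration partition (what
#    "remove selected server" deletes). Check the child first, then the parent.
$serverDN = "CN=$dcName,CN=Servers,CN=$siteName,CN=Sites,$configNC"
foreach ($dn in "CN=NTDS Settings,$serverDN", $serverDN) {
    if (Test-AdObjectExists $dn) { $leftovers.Add("AD object still present: $dn") }
}

# 2. Computer account under OU=Domain Controllers
$dcOU = "OU=Domain Controllers,$($domain.DistinguishedName)"
if (Get-ADComputer -Filter "Name -eq '$dcName'" -SearchBase $dcOU) {
    $leftovers.Add("Computer object still present in $dcOU")
}

# 3. FRS member object for the SYSVOL replica set
$frsDN = "CN=$dcName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$($domain.DistinguishedName)"
if (Test-AdObjectExists $frsDN) { $leftovers.Add("FRS member still present: $frsDN") }

# 4. DNS: the <GUID>._msdcs CNAME, SRV records pointing at the DC, and its A record
$fqdn = "$dcName.$($domain.DNSRoot)"
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName "_msdcs.$($forest.RootDomain)" -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias -like "$fqdn*" } |
    ForEach-Object { $leftovers.Add("CNAME still present: $($_.HostName)._msdcs.$($forest.RootDomain)") }
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $domain.DNSRoot -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$fqdn*" } |
    ForEach-Object { $leftovers.Add("SRV still present: $($_.HostName) -> $($_.RecordData.DomainName)") }
if (Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -ErrorAction SilentlyContinue) {
    $leftovers.Add("A record still present for $fqdn")
}

if ($leftovers.Count) { $leftovers | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No traces of $dcName found." }
```

Run it again after replication has had time to converge; an nTDSDSA object reported here right after cleanup may simply be a deletion that has not replicated to the DC you queried.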

3.6.3 Discussion

Forcibly removing a domain controller from a domain is not a task that should be taken lightly. If you need to replace the server quickly, consider giving it a different name just to ensure that nothing confuses the new server with the old one. If the domain controller was the last one in the domain, you'll need to manually remove the domain from the forest as well. See Recipe 2.5 for more information on removing orphaned domains.

Here are some additional issues to consider when you forcibly remove a domain controller:

  • Seize any FSMO roles the DC may have had.

  • If the DC was a global catalog server, ensure there is another global catalog server in the site.

  • If the DC was a DNS server, ensure there is another DNS server that can handle the load.

  • If the DC was the RID FSMO master, check to make sure duplicate SIDs have not been issued (see Recipe 2.24).

  • Check to see if the DC hosted any application partitions and if so, consider making another server a replica server for those application partitions (see Recipe 17.5).
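The following PowerShell function works through the checklist above for a named DC and reports which follow-up tasks apply, as an added example that is not part of the original recipe. It assumes the RSAT ActiveDirectory module, that at least one other DC in the domain is reachable, and uses the recipe's DC5 as a placeholder name.

```powershell
# Added example, not from the recipe: list which of the follow-up tasks above
# apply to the DC being forcibly removed. Assumes the RSAT ActiveDirectory module
# and that another DC is reachable; DC5 is the recipe's placeholder name.
Import-Module ActiveDirectory

function Get-ForcedRemovalImpact([string]$dcName) {
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $fqdn     = "$dcName.$($domain.DNSRoot)"
    $tasks    = [System.Collections.Generic.List[string]]::new()

    # FSMO roles: each property holds the FQDN of the current role owner.
    $roles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
                PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
                InfrastructureMaster = $domain.InfrastructureMaster }
    foreach ($r in $roles.Keys) {
        if ($roles[$r] -ieq $fqdn) {
            $note = if ($r -eq 'RIDMaster') { '; then check for duplicate SIDs (Recipe 2.24)' } else { '' }
            $tasks.Add("Seize the $r role (Recipe 3.27)$note")
        }
    }

    # Global catalog: is another GC left in the same site?
    $dc = Get-ADDomainController -Filter "Name -eq '$dcName'"
    if ($dc -and $dc.IsGlobalCatalog) {
        $otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Where-Object { $_.Site -eq $dc.Site -and $_.Name -ne $dcName }
        if (-not $otherGCs) { $tasks.Add("No other global catalog in site $($dc.Site): make another DC a GC") }
    }

    # DNS: the zone's NS records show which other servers are authoritative for it.
    $ns = @((Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction SilentlyContinue).NameHost)
    if ($ns -contains $fqdn -and @($ns | Where-Object { $_ -ne $fqdn }).Count -eq 0) {
        $tasks.Add("$fqdn is the only NS for $($domain.DNSRoot): stand up another DNS server")
    }

    # Application partitions: the crossRef's msDS-NC-Replica-Locations lists the
    # nTDSDSA DNs of every replica, so we can see what the DC was hosting.
    foreach ($nc in $forest.ApplicationPartitions) {
        $xref = Get-ADObject -Filter "nCName -eq '$nc'" -SearchBase "CN=Partitions,$configNC" -Properties 'msDS-NC-Replica-Locations'
        $replicas = @($xref.'msDS-NC-Replica-Locations')
        if ($replicas -match "^CN=NTDS Settings,CN=$dcName,") {
            $others = @($replicas -notmatch "^CN=NTDS Settings,CN=$dcName,")
            $tasks.Add("$nc was replicated by $dcName; $($others.Count) other replica(s) remain (Recipe 17.5)")
        }
    }
    return $tasks
}

Get-ForcedRemovalImpact -dcName 'DC5' | ForEach-Object { Write-Host $_ }
```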

If the (former) domain controller that you forcibly removed is still on the network, you should strongly consider rebuilding it to avoid potential conflicts from it trying to re-inject itself into Active Directory. If that is not an option, you can take the following steps to stop the server from recognizing itself as a domain controller:

  1. Change the ProductOptions value under the HKLM\System\CurrentControlSet\Control key from LanmanNT to ServerNT.

  2. Reboot the server.

  3. Delete the NTDS folder.

Alternatively, if you are running Windows Server 2003 or Windows 2000 SP4 and later you can run dcpromo /forceremoval from a command line to forcibly remove Active Directory from a server. See MS KB 332199 for more information.

3.6.4 See Also

Recipe 2.5 for removing an orphaned domain, Recipe 3.27 for seizing FSMO roles, MS KB 216498 (HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion), and MS KB 332199 (Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers)
