3.6 Removing an Unsuccessfully Demoted Domain Controller
The demotion of a domain controller was unsuccessful, or you are unable to bring a domain controller back online, and you want to remove it from Active Directory manually.
The first step in the removal process is to run the following ntdsutil command, where <DomainControllerName> is a domain controller in the same domain as the one you want to forcibly remove:

    > ntdsutil "meta clean" conn "co to ser <DomainControllerName>" q "s o t" "l d"
    Found 2 domain(s)
    0 - DC=rallencorp,DC=com
    1 - DC=emea,DC=rallencorp,DC=com

Select the domain of the domain controller you want to remove. In this case, I'll select the emea.rallencorp.com domain:

    select operation target: sel domain 1

Now, list the sites and select the site the domain controller is in (I'll use 1 for MySite1):

    select operation target: list sites
    Found 4 site(s)
    0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    1 - CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    2 - CN=MySite2,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    3 - CN=MySite3,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    select operation target: sel site 1

Next, select the server you want to remove; in this case, I'm choosing 0 for DC5:

    select operation target: list servers for domain in site
    Found 2 server(s)
    0 - CN=DC5,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    1 - CN=DC9,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com
    select operation target: sel server 0

Type quit to get back to the metadata cleanup menu:

    select operation target: quit
    metadata cleanup:

Finally, remove the server:

    metadata cleanup: remove selected server
You should receive a message stating that the removal was complete. If you get an error, check to see whether the server's nTDSDSA object (e.g., CN=NTDS Settings,CN=DC5,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=rallencorp,DC=com) is present. If it is not, dcpromo may have already removed it, and it will take time for the change to replicate. If it is still present, try the ntdsutil procedure again, and if that doesn't work, manually remove that object and its parent object (e.g., CN=DC5).
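As an added example that is not part of the recipe, the following PowerShell function performs that check: it reads the configuration naming context from RootDSE and tests whether the server object and its NTDS Settings child still exist, so you can tell a pending replication from a leftover object. The server and site names (DC5, MySite1), the function name, and the optional -DomainController parameter are assumptions for illustration.

```powershell
# Added example (not part of the recipe): confirm that the removed DC's server
# object and its nTDSDSA child (CN=NTDS Settings) are gone from the
# configuration partition. Uses only the built-in System.DirectoryServices
# types, so the ActiveDirectory module is not required.
function Test-DcMetadataRemoved {
    param(
        [Parameter(Mandatory)] [string]$ServerName,   # e.g. DC5 (assumed value)
        [Parameter(Mandatory)] [string]$SiteName,     # e.g. MySite1 (assumed value)
        [string]$DomainController                     # optional: query one specific replica
    )

    # Bind to a specific DC when given, otherwise let the DC locator pick one.
    $prefix = if ($DomainController) { "LDAP://$DomainController/" } else { 'LDAP://' }

    # Read the configuration NC from RootDSE instead of hardcoding DC=rallencorp,DC=com.
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $configNc = [string]$rootDse.Properties['configurationNamingContext'][0]

    $serverDn = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    $ntdsDn   = "CN=NTDS Settings,$serverDn"

    # DirectoryEntry.Exists returns $false (no exception) when the object is absent.
    $serverExists = [System.DirectoryServices.DirectoryEntry]::Exists("$prefix$serverDn")
    $ntdsExists   = [System.DirectoryServices.DirectoryEntry]::Exists("$prefix$ntdsDn")

    # Map the two flags onto the recipe's guidance.
    $verdict = if ($ntdsExists) {
        'nTDSDSA object still present: wait for replication, then retry ntdsutil'
    } elseif ($serverExists) {
        "nTDSDSA object gone but CN=$ServerName remains: remove the parent object manually"
    } else {
        'Metadata removed'
    }

    [pscustomobject]@{
        QueriedDC          = if ($DomainController) { $DomainController } else { 'locator default' }
        ServerObjectDN     = $serverDn
        ServerObjectExists = $serverExists
        NtdsSettingsExists = $ntdsExists
        Verdict            = $verdict
    }
}

# Example call using the names from the recipe (assumed values):
Test-DcMetadataRemoved -ServerName 'DC5' -SiteName 'MySite1' | Format-List
```

Run it against more than one domain controller (via -DomainController) to see whether the removal has replicated everywhere before you treat a remaining object as stale.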
You should follow these additional steps to remove all traces of the domain controller:
Forcibly removing a domain controller from a domain is not a task that should be taken lightly. If you need to replace the server quickly, consider giving it a different name just to ensure that nothing confuses the new server with the old one. If the domain controller was the last one in the domain, you'll need to manually remove the domain from the forest as well. See Recipe 2.5 for more information on removing orphaned domains.
Here are some additional issues to consider when you forcibly remove a domain controller:
If the (former) domain controller that you forcibly removed is still on the network, you should strongly consider rebuilding it to avoid potential conflicts from it trying to re-inject itself back into Active Directory. If that is not an option, you can try this option to force the server to not recognize itself as a domain controller.
Alternatively, if you are running Windows Server 2003 or Windows 2000 SP4 and later you can run dcpromo /forceremoval from a command line to forcibly remove Active Directory from a server. See MS KB 332199 for more information.
3.6.4 See Also
Recipe 2.5 for removing an orphaned domain, Recipe 3.27 for seizing FSMO roles, MS KB 216498 (HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion), and MS KB 332199 (Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers)