HOW TO: Remove domains and domain controllers

One of the most common questions asked in the Microsoft public newsgroups is how one goes about removing all traces of an Active Directory Domain Controller (DC) that has been ungracefully removed from the domain. That is, a domain controller that has been removed from the domain by any method other than graceful demotion, for example disaster, loss, forceful removal, incorrectly decommissioned, etc.

Less often, thankfully, there is also the question of how to remove a domain that was not gracefully removed, usually for one of the reasons mentioned above.

This article addresses both of these scenarios, as well as the correct way to remove both domain controllers and domains, and provides step-by-step, graphical instructions on how to perform the metadata cleanup and the subsequent DNS and object cleanups necessary to get the forest again running as it should be.

Graceful removal of a domain controller

The graceful removal of a domain controller is achieved through running the DCPROMO command on the domain controller that you wish to remove. When you run DCPROMO on an existing domain controller you are only given the option to demote the domain controller. You are however given an additional option for the case when this is the last domain controller in the domain.

You can run the DCPROMO wizard in either interactive or unattended modes.

Note. The msresource.net knowledgebase article "removing a domain controller" briefly discusses a number of considerations when removing a domain controller. Please refer to this article for more information on DNS and Global Catalog settings that should be considered when you remove a domain controller.

To demote a domain controller by running the DCPROMO wizard interactively, perform the following steps:
  • Log on to the domain controller as a user with appropriate permissions and rights (a member of Domain Admins if simply demoting a domain controller, or a member of Enterprise Admins (or a suitably delegated user) to remove the last domain controller in the domain)
  • Run DCPROMO from either the command prompt or the run command (Start\ Run) and click Next at the first page of the wizard
  • If this domain controller is the last domain controller in the domain ensure you select (check) the check box "This server is the last domain controller in the domain"
  • Click Next again
  • Enter a password for the local Administrator account (you must enter this twice to confirm no typographical errors) and then click Next and Next again
  • Reboot the server when the demotion is complete

To demote a domain controller with an unattended answer file, perform the following steps:

Q. Why would you want to perform an unattended demotion of a domain controller?
A. If you wanted to demote some remote Domain Controllers at branch offices, for example, you could perform an unattended demotion remotely by connecting to the domain controller using RCONSOLE and running the command via a remote command prompt.
Note. For more information on RCONSOLE, please refer to the Resource Kit documentation.
  • Create a text file and save with an appropriate name, for example unattended.txt
  • Paste the following into the text file:
  • [DCInstall]
    IsLastDCInDomain=No
    AdministratorPassword=T3mpPa55w0rd
    RebootOnSuccess=Yes
  • Run the unattended answer file with the following command:
  • C:\support\>dcpromo /answer:unattended.txt

Graceful removal of a domain

The graceful removal of a domain is practically the same as that of a domain controller; however, you must have previously removed all other domain controllers, and you must check the box "This is the last domain controller in the domain" to decommission the domain.

In addition to the considerations noted in the article "This server is the last domain controller in the Domain" for removing a domain controller, the following should also be considered:
  • Have all user, contact, group and computer objects been moved to another domain? If not, are you sure this is what you want?

Using the GUI (DCPROMO)

To remove a domain using the GUI you simply initiate the DCPROMO wizard and perform the same steps as when removing a Domain Controller. The only difference is that you must check the option "This is the last Domain Controller in the Domain".

Using the command line (DCPROMO /answer)

To remove a domain using the command line you simply initiate the DCPROMO wizard with an answer file (an unattended setup). You perform an automated Active Directory installation or uninstallation with the command switch /answer:<filename>.

To remove a domain using an unattended answer file you must have first removed all other Domain Controllers from this domain. When there is only one Domain Controller left, you should perform the following instructions:
  • Create a text file and save with an appropriate name, for example unattended.txt
  • Paste the following into the text file:
  • [DCInstall]
    IsLastDCInDomain=Yes
    AdministratorPassword=T3mpPa55w0rd
    RebootOnSuccess=Yes
    Note. This will automatically reboot upon completion.
  • Run the unattended answer file with the following command:
  • C:\support\>dcpromo /answer:unattended.txt

Removing an ungracefully removed domain controller

There are several steps to removing an unsuccessfully or ungracefully removed domain controller. First you have to perform a metadata cleanup. Once this is done, you need to remove the computer object and any lingering DNS records, etc.

The following sections discuss what is required.

Performing the metadata cleanup

The following instructions detail how to remove an ungracefully removed domain controller. These commands should be run on a working domain controller in the same forest. If this domain controller is the last domain controller in the domain, you will also need to remove the domain. The following sections of this article discuss the removal of an orphaned domain controller.

Windows 2000 Server and Windows Server 2003 RTM

  • Open a command prompt (Start\ Run\ cmd) and type NTDSUTIL
  • Type METADATA CLEANUP to enter the metadata cleanup section of NTDSUTIL.
  • Type CONNECTIONS and then CONNECT TO <DC name> where <DC name> is the hostname of a working domain controller.
  • Type QUIT to return to the Metadata cleanup section
  • Type SELECT OPERATIONS TARGET to enter said sub-menu and then type LIST DOMAINS to see a list of all domains
  • Type SELECT DOMAIN <domain ID> where <domain ID> is the number associated with the domain that you wish to remove the DC from and then type LIST SITES.
  • Type SELECT SITE <site ID> where <site ID> is the number associated with the site in which the domain controller that you wish to remove resides and then type LIST SERVERS IN SITE.
  • Type SELECT SERVER <server ID> where <server ID> is the number associated with the domain controller that you wish to remove and then type QUIT to return to the Metadata Cleanup section.
  • Type REMOVE SELECTED SERVER to perform the metadata cleanup. You'll be prompted with a dialog unless you turned off popups. Click Yes to proceed.

Windows Server 2003 Service Pack 1

Windows Server 2003 Service Pack 1 added some new options to NTDSUTIL to make it easier to script this operation. The new options are:
  1. Remove selected server %s
  2. Remove selected server %s on %s

The former uses the local domain controller whereas the latter allows you to specify which server to perform the cleanup on (which server should the originating deletion occur on). In both cases, the argument is the DN of the server object for the domain controller, e.g. CN=R2-FS-01, CN=Servers, CN=Lab-01, CN=Sites, CN=Configuration, DC=r2, DC=test-lab, DC=com.

The following is an example of performing the cleanup using the second option.
C:\>ntdsutil
ntdsutil: meta clean
metadata cleanup: rem sel ser "CN=R2-FS-01,CN=Servers,CN=Lab-01,CN=Sites,CN=Configuration,DC=r2,DC=test-lab,DC=com" on r2-dc-01
Binding to r2-dc-01 ...
Connected to r2-dc-01 using credentials of locally logged on user.
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=R2-FS-01,OU=Domain Controllers,DC=r2,DC=test-lab,DC=com".
Deleting subtree under "CN=R2-FS-01,OU=Domain Controllers,DC=r2,DC=test-lab,DC=com".
The attempt to remove the FRS settings on CN=R2-FS-01,CN=Servers,CN=Lab-01,CN=Sites,CN=Configuration,DC=r2,DC=test-lab,DC=com failed because "Element not found.";
metadata cleanup is continuing.
"CN=R2-FS-01,CN=Servers,CN=Lab-01,CN=Sites,CN=Configuration,DC=r2,DC=test-lab,DC=com" removed from server "r2-dc-01"
metadata cleanup: q
ntdsutil: q
Disconnecting from r2-dc-01... C:\>
Note. Even though there was an error reported, the operation was successful. The error reported is misleading as the object in question was deleted by NTDSUTIL.
Note also that the process attempted to transfer, and then seize, FSMO roles. Using this new option removes the need to perform the File Replication Service object(s) cleanup (additional steps, below) and means you only need to perform the DNS cleanup section (below).

Cleaning up DNS

If the DCPROMO process wasn't completed gracefully, the DNS SRV RRs for this domain controller will not have been removed. Therefore, the following steps are necessary to remove all traces of the domain controller from DNS:

Using the GUI (DNSMGMT.MSC)

Cleaning up the DNS records using the GUI is a laborious process. You have to expand many sub-domains and delete the individual records within each. To delete a record using the GUI you simply locate the record, right-click on it and choose Delete. The following is a list of all the records that you need to delete:
_ldap._tcp.dc._msdcs.domain-name.com
_kerberos._tcp.dc._msdcs.domain-name.com
_ldap._tcp.<site name>._sites.dc._msdcs.domain-name.com
_kerberos._tcp.<site name>._sites.dc._msdcs.domain-name.com

Using the command line (DNSCMD)

To delete all SRV records for a given host you would use the following command:
dnscmd <server name> /recorddelete <zone name> <node> <type> /f

For example, to delete the SRV records for a host called r2-dc-03, you would use:
dnscmd r2-dc-01 /recorddelete test-lab.com r2-dc-03 srv /f
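As an added example (not from the original article), the following PowerShell script finds every record in the domain zone and the _msdcs zone that still points at the lost domain controller (its own A record, the SRV records listed above, the DSA GUID CNAME and any NS record) and removes them. It assumes the DnsServer module of Windows Server 2012 or later instead of DNSCMD; the server, zone, host name and IP address are constructed.

```powershell
# Added example, not part of the original article. Requires the DnsServer module
# (Windows Server 2012 or later). Run with -WhatIf first to see what would be deleted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DnsServer = 'r2-dc-01',        # surviving DC / DNS server to clean (constructed)
    [string]$Zone      = 'r2.test-lab.com', # AD domain zone (constructed)
    [string]$DeadDc    = 'r2-dc-03',        # host name of the DC that was lost (constructed)
    [string]$DeadDcIp  = ''                 # optional: its IP, to catch the "same as parent" A record
)

$deadFqdn = "$DeadDc.$Zone".ToLower()

# In a Windows 2000-style zone the _msdcs records sit inside the domain zone; from
# Windows Server 2003 they usually live in a separate _msdcs.<forest root> zone, so check both.
$stale = foreach ($z in @($Zone, "_msdcs.$Zone")) {
    $rrs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -ErrorAction SilentlyContinue
    foreach ($rr in $rrs) {
        $d = $rr.RecordData
        # Work out which host this record points at, depending on the record type
        $target = switch ($rr.RecordType) {
            'A' {
                if ($rr.HostName -ieq $DeadDc) { $deadFqdn }                     # the DC's own host record
                elseif ($DeadDcIp -and $rr.HostName -eq '@' -and
                        "$($d.IPv4Address)" -eq $DeadDcIp) { $deadFqdn }          # domain apex A record
            }
            'SRV'   { $d.DomainName }     # _ldap._tcp, _kerberos._tcp, _sites, dc._msdcs, ...
            'CNAME' { $d.HostNameAlias }  # <DSA GUID>._msdcs alias for the DC
            'NS'    { $d.NameServer }     # zone NS record if the DC was also listed as a name server
        }
        if ($target -and $target.TrimEnd('.').ToLower() -eq $deadFqdn) {
            @{ Zone = $z; Record = $rr }
        }
    }
}

foreach ($s in $stale) {
    $rr   = $s.Record
    $desc = "$($rr.RecordType) $($rr.HostName) in zone $($s.Zone)"
    if ($PSCmdlet.ShouldProcess($desc, 'Remove DNS record')) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -InputObject $rr -Force
    }
}
"{0} record(s) referencing {1} found" -f @($stale).Count, $deadFqdn
```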

Additional Steps

The following additional steps are also necessary after performing the metadata cleanup and cleaning up DNS:

Delete the FRS objects from the directory

Domain Controllers each hold (and replicate) a special instance of a domain-based DFS root in the form of the SYSVOL. Because of this, each domain controller computer object is a [grand] parent object of an FRS Subscription object (nTFRSSubscriber), and is therefore also a File Replication Service (FRS) member with an associated member object. Both of these objects need to be deleted. The FRS Subscription object should be deleted when you delete the computer object, as it is a child of the computer object, therefore you don't need to delete that separately. However, you must delete the FRS Member object (nTFRSMember) from the Domain System Volume (SYSVOL) Replica set. To do this, you must delete the FRS Member object for this domain controller from the DN:
CN=<domain controller>, CN=Domain System Volume (SYSVOL share), CN=File Replication Service, CN=System, DC=<domain DN>

Where <domain controller> is the name of the ungracefully removed domain controller, and <domain DN> is the DN of the domain that holds the domain controller that is being removed. This task can be achieved in a number of ways - GUI, command line, LDIFDE, script, code. We will discuss two different ways here (the following section will discuss two other ways of deleting an object; these other ways can also, obviously, be applied to the deletion of this object).

To delete this object, perform the following instructions:

Deleting the NTFRS Member object using the GUI

  • To delete the member object using Active Directory Users and Computers (DSA.MSC), open the snap-in and select Advanced Features from the View Menu.
  • Expand System, File Replication Service and then Domain System Volume (SYSVOL share)
  • In the right hand pane select the domain controller that is to be removed, right-click on it and choose Delete.
Note. The same process can be achieved using ADSIEdit.msc, although there is no advanced view in ADSI Edit as it is an advanced tool.

Deleting the NTFRS Member object using LDIFDE

  • Create a .LDF file with the following contents, changing the domain controller and domain name to match your configuration
  • dn: cn=dc-01,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=winnet-solutions,dc=com
    changetype: delete
    Note. The line dn: is one line; the only spaces are between words.

  • Save the file as <file name>.ldf
  • Then, from a command prompt run:
  • C:\dev\ad\ldif\>ldifde -i -f del-ntfrssubscriberobj.ldf

Example: Deleting an nTFRSMember object with LDIFDE

The following is the output from running the above command:
C:\>ldifde -i -f del-ntfrssubscriberobj.ldf
Connecting to "r2-dc-01.r2.test-lab.com"
Logging in as current user using SSPI
Importing directory from file " del-ntfrssubscriberobj.ldf"
Loading entries..
1 entry modified successfully. The command has completed successfully C:\>

Removing the computer object from the directory

The computer object for this domain controller will still reside in the OU=Domain Controllers,DC=<domain-name> organisational unit. This needs to be deleted. Delete using Active Directory Users and Computers, DS Remove (DSRM.EXE), LDIFDE, script or code.

Note. Under some circumstances Active Directory Users and Computers will fail to delete the computer object from the directory. This is usually because of the child objects in the form of an NTFRS subscriptions container and its NTFRS subscriber child object. To work around this issue, delete using ADSIEdit.msc or one of the following alternate methods.

Deleting using DS Remove command line tool

The following is the command line syntax for DSRM:
C:\support\>dsrm "<object DN>"

To remove the computer object, perform the following after replacing dc-01 with the name of your domain controller and domain-name.com with the name of your domain:
C:\support\>dsrm "cn=dc-01,ou=domain controllers,dc=domain-name,dc=com"

Deleting using VB Script

  • Create a .VBS file with the following contents:
  • sDn=inputBox("Please enter the DN of the object to delete","Enter DN to delete")
    set oObjectToDelete=getObject("LDAP://"&sDn)
    oObjectToDelete.deleteObject(0)

    Note. The above script has no error handling or secondary verification. It simply deletes the DN that you enter. This is provided as an example of how to delete an object more than as a tool to use.
  • Save the file as <file name>.vbs
  • Then, from a command prompt (or simply double-click if WScript is preferred) run:
  • C:\dev\ad\vbs\>cscript removeDeadDc.vbs 
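As an added verification step (not part of the original article), this PowerShell script checks that the objects which the metadata cleanup, the FRS member deletion and the computer object deletion above should have removed are in fact gone, and looks for replication connection objects on surviving domain controllers that still point at the dead server. It uses only System.DirectoryServices, assumes it runs on a domain-joined machine with read access to the directory, and the DC and site names are constructed.

```powershell
# Added example, not part of the original article. Read-only audit of the leftovers an
# ungracefully removed DC leaves behind. Names below are constructed assumptions.
param(
    [string]$DeadDc   = 'R2-FS-01',  # host name of the DC that was cleaned up
    [string]$SiteName = 'Lab-01'     # site the DC belonged to
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# Objects that the procedures above delete; every one of them must now be absent
$expectedGone = @(
    @{ What = 'server object (REMOVE SELECTED SERVER)'
       Dn   = "CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn" }
    @{ What = 'NTDS Settings object (REMOVE SELECTED SERVER)'
       Dn   = "CN=NTDS Settings,CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn" }
    @{ What = 'nTFRSMember in the SYSVOL replica set'
       Dn   = "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn" }
    @{ What = 'computer object (and its nTFRSSubscriber children)'
       Dn   = "CN=$DeadDc,OU=Domain Controllers,$domainDn" }
)

function Test-AdObjectExists([string]$Dn) {
    # The static DirectoryEntry.Exists returns $false for a missing DN instead of throwing
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn")
}

$leftovers = @()
foreach ($e in $expectedGone) {
    if (Test-AdObjectExists $e.Dn) {
        $leftovers += $e.Dn
        Write-Warning "still present: $($e.What) - $($e.Dn)"
    } else {
        Write-Host "gone: $($e.What)"
    }
}

# Connection objects (nTDSConnection) on other DCs whose fromServer still names the dead
# server's NTDS Settings are another common leftover; the KCC normally removes them.
$deadNtds = "CN=NTDS Settings,CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$searcher.Filter     = '(objectClass=nTDSConnection)'
$searcher.PropertiesToLoad.AddRange(@('distinguishedname', 'fromserver'))
foreach ($r in $searcher.FindAll()) {
    if ($r.Properties['fromserver'][0] -ieq $deadNtds) {
        $leftovers += $r.Properties['distinguishedname'][0]
        Write-Warning "stale connection object: $($r.Properties['distinguishedname'][0])"
    }
}

if ($leftovers.Count -eq 0) { "No trace of $DeadDc remains in the directory" }
else { "$($leftovers.Count) leftover object(s) found; see warnings above" }
```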

DCPROMO /FORCEREMOVAL

In some cases, the domain controller might still be in a bootable state, for example if the DC hasn't replicated within the tombstone period. In these cases, in addition to cleaning up the domain, Active Directory needs to be uninstalled from the server if the server isn't being rebuilt. To do this, there is a switch (/FORCEREMOVAL) that is available from Windows 2000 Server Service Pack 2 onwards. Running DCPROMO with this switch is similar to running it without, but with the following two additional screens:

[Screenshot: DCPROMO /FORCEREMOVAL Option 1 - Force the removal of Active Directory]

[Screenshot: DCPROMO /FORCEREMOVAL Option 2 - Confirm options]

Removing an orphaned domain

There are several steps to removing an orphaned domain. The most important step is removing the domain object (and therefore all of its child objects) and the cross reference object for this domain. Another important step is to remove the DNS RRs for this domain (and its domain controllers). WINS will also need to be cleaned up if there are static records, etc., or if you do not wish to wait for the WINS garbage collection process to run. The first part of this process is achieved through what is known as the metadata cleanup. The metadata cleanup is an automated process carried out by a tool called NTDSUTIL. NTDSUTIL is a command line tool that is used to perform a number of low-level operations against the directory, including offline defragmentation, authoritative restore of objects, seizing FSMO roles, and the metadata cleanup, to name but a few.

Note. For more information on NTDSUTIL please refer to the Windows Server Resource Kit documentation, online copies of which can be found on Microsoft's website. At the time of writing, the NTDSUTIL documentation was available at the following URL:

Performing the domain metadata cleanup

The following instructions detail how to remove an orphaned domain. These commands should be run against the domain controller that holds the domain naming master FSMO role, as that role holder is responsible for the creation and removal of directory naming contexts.

Note. For more information on the domain naming master operations master role and any of the other operations master roles, please refer to the following msresource.net knowledgebase article:

Note. The following example assumes you are logged on as a user with the appropriate administrative permissions (Enterprise Admins or a suitably delegated user - that is, a user with adequate full control permissions over the configuration naming context).

  • Open a command prompt (Start\ Run\ cmd) and type NTDSUTIL
  • Type METADATA CLEANUP to enter the metadata cleanup section of NTDSUTIL
  • Set the focus of NTDSUTIL against the Domain Naming master by typing SELECT OPERATIONS TARGET, CONNECTIONS and then CONNECT TO <OM role holder DC name> where <OM role holder DC name> is the hostname of the domain controller that holds the Domain Naming Operations Master role.
  • Type QUIT to return to the Select Operations Target section
  • Type LIST DOMAINS to see all domains
  • Type SELECT DOMAIN <domain ID> where <domain ID> is the number associated with the domain that you wish to remove
  • Type QUIT to return to the metadata cleanup section and then type REMOVE SELECTED DOMAIN to perform the deletion of the domainDNS object (the domain NC) and the cross reference (crossRef) object for this domain
  • Type QUIT and then QUIT again to exit NTDSUTIL

Cleaning up DNS

Any secondary DNS zones and DNS zone delegations need to be removed from DNS. All Domain Controller SRV RRs should have been removed by the preceding tasks (removing an ungracefully removed domain controller).

Further information/ reading

Web links

Microsoft knowledgebase articles for the removal of domains, domain controllers

Books
  • Microsoft Windows 2000 Server Resource Kit - Distributed Systems Guide, 0-7356-1795-3
  • Inside Active Directory - A system administrator's guide, Kouti and Seitsonen, 0-201-61621-1
  • Active Directory Cookbook, Robbie Allen, 0-596-00464-8

Document information

Author: Paul Williams
Date: 09-06-2005
Version: 2.0
Last updated: 01-08-2007
Last updated by: Paul Williams