Decommission Domain Controller – Complete Removal – Manually

Pre-demotion check list

  1. Verify that the DC is not the only GC (global catalog) server and does not hold any FSMO (operations master) role
  2. Verify that the DC is not the only DC in the domain
  3. Verify that replication is working properly
  4. Check the event logs for errors and troubleshoot accordingly
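The four checks above can be scripted before touching dcpromo. This is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module and repadmin are available, that it runs as a domain admin from a machine other than the DC being removed, and that `$Target` is a placeholder for that DC's name.

```powershell
# Added example (not from the original post): pre-demotion checks for one DC.
# Assumes the ActiveDirectory module, repadmin.exe, and domain admin rights.
Import-Module ActiveDirectory

$Target = 'DC02'   # placeholder: name of the DC to be demoted

$dc     = Get-ADDomainController -Identity $Target
$allDCs = @(Get-ADDomainController -Filter *)            # all DCs in this domain
$gcs    = @($allDCs | Where-Object { $_.IsGlobalCatalog })
$issues = @()

# 1. Must not be the only GC, and must hold no FSMO role
if ($dc.IsGlobalCatalog -and $gcs.Count -le 1) {
    $issues += "$Target is the only global catalog server in the domain."
}
if ($dc.OperationMasterRoles.Count -gt 0) {
    $issues += "$Target holds FSMO role(s): $($dc.OperationMasterRoles -join ', '). Transfer them first."
}

# 2. Must not be the only DC in the domain
if ($allDCs.Count -le 1) {
    $issues += "$Target is the only domain controller in $($dc.Domain)."
}

# 3. Replication must be healthy (repadmin /csv gives one row per partner and partition)
$repl   = repadmin /showrepl $Target /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
foreach ($f in $failed) {
    $issues += "Replication failing from $($f.'Source DSA') for $($f.'Naming Context') (status $($f.'Last Failure Status'))."
}

# 4. No recent Critical (1) or Error (2) events in the Directory Service log
$events = @(Get-WinEvent -ComputerName $Target -FilterHashtable @{
    LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue)
if ($events.Count -gt 0) {
    $ids = ($events.Id | Sort-Object -Unique) -join ', '
    $issues += "$($events.Count) error/critical Directory Service events on $Target in the last 24h (IDs: $ids)."
}

if ($issues.Count -eq 0) {
    Write-Host "All pre-demotion checks passed for $Target. OK to run dcpromo."
} else {
    Write-Warning "Do NOT demote $Target yet:"
    $issues | ForEach-Object { Write-Warning "  - $_" }
}
```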

Demote DC – CLEAN

  1. Run dcpromo and follow the wizard
  2. Allow some time for AD replication, then check AD and DNS to confirm the DC was properly removed (see the “FORCED” removal section for the areas to check)

Demote DC – FORCED (W2K3SP1 or later – assuming the clean method has failed for some reason)

  1. Force the demotion by running “dcpromo /forceremoval” – this removes the DC without contacting the other domain controllers and puts the machine into workgroup mode (it is removed from the domain)
  2. Run the MetaCleaner.vbs script (not detailed here)
  3. Clean up AD
    1. From a good DC, run ntdsutil
    2. Type metadata cleanup
    3. Type connections
    4. Type connect to server <servername>
    5. Type q
    6. Type select operation target
    7. Type list domains
    8. Type select domain <number>
    9. Type list sites
    10. Type select site <number>
    11. Type list servers in site
    12. Type select server
    13. Type q
    14. Type remove selected server (if you get error 8419 “the DSA object could not be found”, the object has already been removed)
    15. Type q until exited
  4. Delete the computer account
    1. Delete the computer object in AD
    2. Check ADSIEdit to confirm removal
      1. Run ADSIEdit.
      2. Expand the Domain NC container
      3. Expand DC=<domain>, DC=<name>
      4. Expand OU=Domain Controllers
      5. Right-click CN= then click delete (you may have to delete child objects to remove the server object)
  5. FRS member object (FRS subscriber object should already be deleted with computer object)
    1. Check ADSIEdit to confirm removal
      1. Run ADSIEdit.
      2. Expand the Domain NC container
      3. Expand DC=<domain>, DC=<name>
      4. Expand CN=System
      5. Expand CN=File Replication Service
      6. Expand CN=Domain System Volume (SYSVOL share)
      7. Right-click the domain controller you are removing then click delete
  6. Clean up DNS
    1. Remove the CNAME record for the DC from the _msdcs zone of the forest root domain in DNS
    2. Delete the host (A) record and any other DNS records associated with the server (including reverse pointer records)
    3. If this was also a DNS server, remove the reference to this DC from the Name Servers tab of the zone properties in the DNS console
  7. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child (not detailed here)

Delete the DC from Active Directory Sites and Services > Sites
