ProComp Group

• home
• services
  • comprehensive IT
  • expert consulting
• about
  • company
  • team
  • community
• news
• library
• contact

• Client Center »
• Techs' Center »

Street Address

1306 NW Hoyt Street
Suite 300
Portland, OR 97209
Map it

Mailing Address

PO Box 12152
Portland, OR 97212

Phone

503-287-3332

.(JavaScript must be enabled to view this email address)

How-To:  Demote a DC or manually remove a DC

July 13 2010

Caution: Using the ntdsutil or adsiedit incorrectly may result in partial or complete loss of Active Directory functionality!

Pre-demotion check list

1. Verify that the DC is not the only GC (global catalog) server and does not hold a FSMO (operations master role)
2. Verify that the DC is not the only DC in the domain
3. Verify proper replication is happening
4. Check event logs for errors and trouble shoot accordingly

Demote DC – CLEAN

1. Run dcpromo and follow the wizard
2. Let some AD replicate then check AD and DNS to confirm DC was properly removed (see “FORCED” removal for areas to check

Demote DC – FORCED (W2K3SP1 or later – assuming the clean method has failed for some reason)

1. Force demote by running “dcpromo /forceremoval” – this will remove the DC without contacting the other domain controllers – it will also put the DC into workgroup mode (will remove it from the domain)
2. Run the MetaCleaner.vbs script (not detailed here)
3. Clean up AD
   1. From a good DC, run ntdsutil
   2. Type metadata cleanup
   3. Type connections
   4. Type connect to server <servername>
   5. Type q
   6. Type select operation target
   7. Type list domains
   8. Type select domain <number>
   9. Type list sites
   10. Type select site <number>
   11. Type list servers in site
   12. Type select server
   13. Type q
   14. Type remove selected server (if you get error 8419 “the dsa object could not be found”, the object was already removed)
   15. Type q until exited
4. Delete the computer account
   1. Delete the computer object in AD
   2. Check ADSIEdit to confirm removal
   1. Run ADSIEdit.
   2. Expand the Domain NC container
   3. Expand DC=<domain>, DC=<name>
   4. Expand OU=Domain Controllers.
   5. Right-click CN= then click delete (you may have to delete child objects to remove the server object)
5. FRS member object (FRS subscriber object should already be deleted with computer object)
   1. Check ADSIEdit to confirm removal
   1. Run ADSIEdit.
   2. Expand the Domain NC container
   3. Expand DC=<domain>, DC=<name>
   4. Expand CN=System
   5. Expand CN=File Replication Service
   6. Expand CN=Domain System Volume (SYSVOL share)
   7. Right-click the domain controller you are removing then click delete
6. Clean up DNS
1. Remove the cname record in the _msdcs.root domain of forest zone in DNS
2. Delete the host name and other DNS records associated with the server (include reverse pointer records)
3. If this was also a DNS server, remove the reference to this DC under the DNS servers Name Servers tab
7. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child (not detailed here)
8. Delete the DC from Active Directory Sites and Services > Sites

← Back to main Library page