
Forced removal of a Domain Controller from Active Directory

by Dimitris Tonias
February 4, 2018 - Updated on April 28, 2024
in Management

Let’s assume the following scenario: We have a Domain Controller on the network that has ceased to work for some reason that we don’t care about at this point. We have no backup, and it will not work again, so we will need to completely remove it from the infrastructure.

To achieve this, we must implement a forced removal of the Domain Controller from Active Directory. Furthermore, because such an action leaves some orphaned metadata in AD, we will need to clean up this metadata. If the DC is still somewhat online, the first action is to try to demote it from AD.

We will deal with this scenario in this article. Let’s move on.

Forced removal of a Domain Controller from Active Directory

The forced removal of a DC can be done in 3 ways: using the Active Directory Users and Computers console, the Active Directory Sites and Services console, or the NTDSUtil command-line tool.

When you use the two consoles, Microsoft claims that the orphaned metadata is automatically cleaned. However, as you will see, there are still some records of the deleted DC, especially on the DNS console and Sites and Services. Although DNS scavenging removes them, personally, when I delete a DC, I do a quick check of all DNS objects to confirm and delete all the remaining records.

Using the Users and Computers console

Open the Active Directory Users and Computers console and go to the Domain Controllers OU. Here, right-click the DC to be removed and then click Delete.

Confirm the deletion by pressing Yes.

Immediately afterward, you will see a message informing you that you are about to remove a Domain Controller without using the classic method we have described in an earlier article. If the DC is not going to go back online again, select the option "Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard", and then click the Delete button.

If the DC you are deleting was also a Global Catalog (GC) server, click Yes to confirm the deletion.

If the DC you delete had one or more FSMO roles, click OK to transfer them to another DC. This applies if you have not already seized them yourself.

Using Active Directory Sites and Services console

Open the Active Directory Sites and Services console, expand the Sites object till you find the DC you want to delete. Here, right-click the NTDS Settings icon on the DC, and then click Delete.

Confirm the deletion by pressing Yes.

Confirm again while accepting the warnings by clicking the Delete button.

As before, if the DC was also a Global Catalog and/or had at least one of the FSMO roles, you will need to confirm the deletion.

You can then delete the DC object in the Active Directory Sites and Services console.

Using the NTDSUtil tool

First, open the command line or PowerShell with administrator privileges.

Type ntdsutil and press Enter.
Type metadata cleanup and press Enter.
Type connections and press Enter.
Type connect to server <servername> and press Enter, where <servername> is the name of a working DC in the same domain.
Type quit and press Enter.
Type select operation target and press Enter.
Type list domains and press Enter.
Type select domain <number> and press Enter, where <number> is the number that corresponds to the domain that the non-functional DC was a member of.
Type list sites and press Enter.
Type select site <number> and press Enter, where <number> is the number that corresponds to the site that the non-functional DC was a member of.
Type list servers in site and press Enter.
Type select server <number> and press Enter, where <number> is the number that corresponds to the DC you want to remove.
Type quit and press Enter.
Type remove selected server and press Enter.

In the confirmation window that appears, click Yes to continue the deletion process.

Finally, type quit and press Enter to exit the NTDSUtil management environment.

After completing the steps above, do not forget to check all DNS objects to delete any records of the removed DC.
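
The post-removal check described above can be scripted as a read-only audit. This is an added example, not part of the original article: it deletes nothing, assumes the RSAT ActiveDirectory and DnsServer modules are installed, and uses the placeholder names DC02 (the removed DC) and DC01 (a working DC that hosts DNS).

```powershell
# Added example: read-only audit for leftovers of a force-removed DC. Deletes nothing.
# Assumptions: RSAT ActiveDirectory and DnsServer modules; both names are placeholders.
param(
    [string]$RemovedDc = 'DC02',   # placeholder: short name of the removed DC
    [string]$DnsServer = 'DC01'    # placeholder: a working DC that hosts the DNS zones
)
Import-Module ActiveDirectory, DnsServer

$domain   = Get-ADDomain
$forest   = Get-ADForest
$fqdn     = "$RemovedDc.$($domain.DNSRoot)"
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. Server object left under Sites (what Sites and Services displays)
Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter "objectClass -eq 'server' -and Name -eq '$RemovedDc'" |
    ForEach-Object { $findings += [pscustomobject]@{ Where = 'Sites'; Item = $_.DistinguishedName } }

# 2. Computer account left in the domain
Get-ADComputer -Filter "Name -eq '$RemovedDc'" |
    ForEach-Object { $findings += [pscustomobject]@{ Where = 'Computer account'; Item = $_.DistinguishedName } }

# 3. FSMO roles still assigned to the removed DC
$roles = [ordered]@{
    PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -like "$RemovedDc.*") {
        $findings += [pscustomobject]@{ Where = 'FSMO'; Item = "$($role.Key) -> $($role.Value)" }
    }
}

# 4. DNS records named after the removed DC or pointing at it (NS, SRV, CNAME targets)
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneName -ne 'TrustAnchors' }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ComputerName $DnsServer | Where-Object {
        $d = $_.RecordData
        $targets = @($d.NameServer, $d.DomainName, $d.HostNameAlias) | Where-Object { $_ }
        $_.HostName -eq $RemovedDc -or ($targets | Where-Object { $_.TrimEnd('.') -eq $fqdn })
    } | ForEach-Object {
        $findings += [pscustomobject]@{ Where = "DNS $($zone.ZoneName)"; Item = "$($_.HostName) [$($_.RecordType)]" }
    }
}

$findings | Format-Table -AutoSize
```

An empty result means no server object, computer account, FSMO assignment or forward-zone DNS record still refers to the removed DC; reverse lookup zones are not covered and still need a manual look.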

Comments 10

  1. Kostas says:
    6 years ago

    Good evening Dimitris,
    I am facing a problem with a demoted DC that has remained in Sites and Services, and of course in repadmin /replsummary.
    The server has been demoted normally, but it is up, as it is a file server.
    With the NTDSUtil procedure, and specifically with the “Server Remove Confirmation Dialog”, do you permanently delete it as a DC, or do you ALSO delete it as an object from AD?

    If it is also deleted as an object, and since the server must continue to exist as an object, should I perhaps proceed with the procedure using the Active Directory Sites and Services console?

    • Dimitris Tonias says:
      6 years ago

      Good evening Kostas. I would prefer that you write in English so that all visitors can read the comments.
      The above procedure is done ONLY in the case where you have ‘lost’ the DC and it is not going to return to the network. So, it deletes it as a DC and as an object from AD.
      To do a ‘simple’ demote from DC to a member server that will continue to be in production, you follow this procedure.

  2. abhishek says:
    6 years ago

    What if I have a separate child domain (with a single DC) that is no longer accessible? It has been removed from everywhere but is still showing in partitions. When trying to delete it from the root server, it says it cannot delete a leaf object. When trying to delete the name index, it gives an error again, saying replication has not completed for 1 time.

    • Anthony says:
      6 years ago

      Hi abhishek, you can check your child in ADSIEdit.
      Connect to your AD, then select “Configuration”.

      ADSI Edit
      >Configuration[sample.contoso.com]
      >CN=Configuration,DC=contoso,DC=com
      >from this tree, look for “Partition”.
      >Check the child DC partition and try to delete it.

      Once the delete is complete, run repadmin /showrepl

  3. Mukhtar says:
    5 years ago

    To remove a Domain Controller, the above 3 steps will be helpful. After you have removed the domain controller, is it possible to add the same domain controller to a domain? If possible, please help me by providing steps. Thanks for sharing this article.
    cionssystems

  4. ohornig says:
    4 years ago

    Honestly, this is one of the best manuals I have read this month. Thank you!

  5. said says:
    4 years ago

    saved my life love u

  6. DanV says:
    4 years ago

    Thanks!

  7. Herbert Caparoula says:
    3 years ago

    look forward to your next post

  8. Gene says:
    1 month ago

    Excellent info, fixed my client’s server issue. Thank you!!!
