Windocuments.net

Force Removal of Domain Controllers

To remove a domain controller normally, it must have connectivity to other domain controllers in the domain so that it can demote itself and successfully remove Active Directory Domain Services. If a domain controller has no connectivity to other domain controllers, the standard removal process will fail; you will need to connect the domain controller to the domain and then restart the removal process. In some rare situations, you might not want to, or cannot, connect the domain controller to the domain, and instead want to force a removal.



Start in Directory Services Restore Mode

Before you can forcibly remove Active Directory Domain Services, you must restart the domain controller in Directory Services Restore Mode. Restarting in this mode takes the domain controller offline, making it a member server. You can restart a domain controller in Directory Services Restore Mode by pressing F8 during startup. You must then log on by using the Directory Services Restore Mode password for the local Administrator account. To ensure that the domain controller starts in Directory Services Restore Mode, you can use the System Configuration utility or the Boot Configuration Data (BCD) editor to set a Directory Repair flag. Once this flag is set, the domain controller will always start in Directory Services Restore Mode, so you cannot accidentally restart it in another mode. To restart a domain controller in Directory Services Restore Mode using the System Configuration utility:

1. On the Start menu, point to Administrative Tools, and then click System Configuration.

2. On the Boot tab, in Boot Options, select Safe Boot, and then click Active Directory Repair.

3. Click OK to exit the System Configuration utility and save your settings.

4. Restart the domain controller. The domain controller restarts in Directory Services Restore Mode.

When you have finished performing procedures in Directory Services Restore Mode, restart the domain controller in normal mode. To restart a domain controller in normal mode using the System Configuration utility:

1. On the Start menu, point to Administrative Tools, and then click System Configuration.

2. On the General tab, in Startup Selection, click Normal Startup, and then click OK.

3. The domain controller restarts in normal mode.

To restart a domain controller in Directory Services Restore Mode using the BCD editor:

1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

2. At the command prompt, enter the following command: bcdedit /set safeboot dsrepair. This configures the boot process to start in Directory Services Restore Mode.

3. At the command prompt, enter the following command: shutdown -t 0 -r.

This shuts down the server and restarts it without delay. When you have finished with the procedures in Directory Services Restore Mode, restart the domain controller in normal mode. To restart a domain controller in normal mode using the BCD editor:

1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

2. At the command prompt, enter the following command: bcdedit /deletevalue safeboot. This deletes the safeboot value and returns the boot process to its previous setting.

3. At the command prompt, enter the following command: shutdown -t 0 -r. This shuts down the server and restarts it without delay.
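The two bcdedit procedures above can be wrapped so that the flag is verified after it is set and before the server is restarted, which avoids rebooting into the wrong mode on a box you may have no other access to. The following PowerShell is an added example, not code from the original article; it assumes an elevated session with bcdedit.exe available, and it treats the SAFEBOOT_OPTION environment variable (which Windows sets during a Safe Mode boot, with the value DSREPAIR for Directory Services Restore Mode) as an assumption to confirm on your own build.

```powershell
# Added example (not from the original article): set, clear and verify the
# Directory Services Restore Mode boot flag with bcdedit.
# Assumes an elevated PowerShell session on the domain controller.

function Get-SafebootSetting {
    # Parse the "safeboot" line of the current boot entry; $null when unset.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Enable-DsrmBoot {
    # Same command as the article's step 2: bcdedit /set safeboot dsrepair
    bcdedit /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

    # Read the setting back rather than trusting the exit code alone.
    $value = Get-SafebootSetting
    if ($value -ne 'DsRepair') { throw "safeboot is '$value', expected DsRepair" }
    Write-Host 'Boot entry set to Directory Services Restore Mode; run "shutdown -t 0 -r" to apply.'
}

function Disable-DsrmBoot {
    # Same command as the article's step 2 for returning to normal mode.
    bcdedit /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    if (Get-SafebootSetting) { throw 'safeboot value is still present in the boot entry' }
    Write-Host 'Boot entry returned to normal startup; run "shutdown -t 0 -r" to apply.'
}

function Test-InDsrm {
    # Assumption: Windows exposes the safe-boot kind in SAFEBOOT_OPTION and
    # uses DSREPAIR for Directory Services Restore Mode.
    return ($env:SAFEBOOT_OPTION -eq 'DSREPAIR')
}

# Usage (placeholder flow): set the flag, confirm it, then restart.
Enable-DsrmBoot
if (Get-SafebootSetting) { shutdown -t 0 -r }
# After the restart, before running dcpromo /forceremoval:
#   if (-not (Test-InDsrm)) { throw 'Not in Directory Services Restore Mode' }
```

The explicit read-back matters because bcdedit writes to the BCD store that is active for the next boot, and on a server with several boot entries it is easy to set the flag on an entry other than the one you will boot from; checking `Get-SafebootSetting` against the `{current}` entry catches that before the reboot.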



Performing Forced Removal of Domain Controllers

1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

2. At the command prompt, enter the following command: dcpromo /forceremoval. This starts the Active Directory Domain Services Installation Wizard in Force Removal mode.

3. If the domain controller hosts any operations master roles, is a DNS server, or is a global catalog server, a warning is displayed to explain how the forced removal of the related function will affect the rest of the environment. Click Yes.

4. The Active Directory Domain Services Installation Wizard starts. Click Next.

5. On the Force The Removal Of Active Directory Domain Services page, review the information and then click Next.

6. If the domain controller is a DNS server with zones integrated with Active Directory, you see a warning stating that one or more Active Directory integrated zones will be deleted. Before continuing by clicking OK, you should ensure that there is another DNS server hosting these zones. Also note that you need to manually remove any DNS delegations pointing to this server.

7. On the Administrator Password page, you are prompted to type and confirm the password for the local Administrator account on the server. The local Administrator account will be recreated as part of the Active Directory removal process. Click Next.

8. On the Summary page, review your selections. Optionally, click Export Settings to save these settings to an answer file that you can use to perform an unattended forced removal of other domain controllers.

9. On the Completing The Active Directory Domain Services Installation Wizard page, click Finish. Do not select the Reboot On Completion check box. When you are prompted to restart the server, do not restart yet. First examine the server and perform any necessary additional tasks. When everything looks correct, restart the server in normal mode.

Cleaning Up Metadata in the Active Directory Forest

When you force the removal of a disconnected domain controller, the Active Directory forest metadata is not updated automatically as it is when a domain controller is removed normally. Because of this, you must manually update the forest metadata after you remove the domain controller. You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed.



Cleaning Up Server Metadata

On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. Deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, and all related tasks are performed automatically.

1. Open Active Directory Users and Computers by clicking Start, clicking Administrative Tools, and then clicking Active Directory Users And Computers.

2. You must be connected to a domain controller in the domain of the domain controller that you forcibly removed. If you are not, or are unsure, right-click the Active Directory Users And Computers node and then click Change Domain Controller. Click the name of a domain controller in the appropriate domain, and then click OK.

3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.

4. In the details pane, right-click the computer object of the retired domain controller, and then click Delete.

5. In the Active Directory Domain Services dialog box, click Yes to confirm that you want to delete the computer object.

6. In the Deleting Domain Controller dialog box, select This Domain Controller Is Permanently Offline And Can No Longer Be Demoted, and then click Delete.

7. If the domain controller was a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller you are connected to. Although you cannot choose a different domain controller at this point, you can move the role again once the metadata cleanup procedure is completed.

On domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you also can perform metadata cleanup by using the Ntdsutil command-line tool.

1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

2. At the command prompt, enter the following command: ntdsutil.

3. At the ntdsutil prompt, enter the following command: metadata cleanup.

4. At the metadata cleanup prompt, if you are logged on to the domain of the domain controller that you forcibly removed, enter the following command: remove selected server RetiredServer, where RetiredServer is the distinguished name of the retired domain controller's server object. Otherwise, enter the following command: remove selected server RetiredServer on TargetServer, where RetiredServer is the distinguished name of the retired domain controller's server object and TargetServer is the DNS name of a domain controller in the domain of the domain controller that you forcibly removed.

5. When prompted with the Server Remove Configuration dialog box, read the details. Click Yes to remove the server object and related metadata. Ntdsutil will then confirm that the server object and related metadata were removed successfully. If you receive an error message that indicates that the object cannot be found, the server object and related metadata might have been removed previously.

6. At the metadata cleanup prompt, enter the following command: quit.

7. At the ntdsutil prompt, enter the following command: quit.

Confirming Removal of Deleted Server Objects

When you remove a domain controller, the related computer object is removed from the domain directory partition automatically. You can confirm this using Active Directory Users and Computers. The server object representing the retired domain controller in the configuration directory partition can have child objects and is therefore not removed automatically. You can confirm the status of the server object in the configuration directory partition by using Active Directory Sites And Services. To confirm:

1. Open Active Directory Users and Computers by clicking Start, clicking Administrative Tools, and then clicking Active Directory Users And Computers.

2. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.

3. In the details pane, the computer object of the retired domain controller should not appear.

4. Open Active Directory Sites and Services by clicking Start, clicking Administrative Tools, and then clicking Active Directory Sites And Services.

5. Any domain controllers associated with a site are listed in that site's Servers node. Select the site that the retired domain controller was previously associated with, and then expand the related Servers node.

6. Confirm that the server object for the retired domain controller does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. Right-click the server object and then click Delete. Click Yes.
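The Ntdsutil procedure and the confirmation steps above can be scripted together from a healthy domain controller, so that the cleanup is only run when the retired server's NTDS Settings object still exists and the result is checked against the domain partition, the configuration partition and the operations master roles. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, the session is elevated and runs as a member of Domain Admins, and the server and site names are placeholders to replace. Ntdsutil accepts its interactive commands as quoted arguments, which is how the script replays the article's metadata cleanup steps; the Server Remove Configuration dialog box still appears and must be confirmed.

```powershell
# Added example (not from the original article): ntdsutil metadata cleanup
# plus verification, run on a working domain controller in the same domain.
Import-Module ActiveDirectory

$RetiredServer = 'DC2'                      # placeholder: name of the retired DC
$Site          = 'Default-First-Site-Name'  # placeholder: site it was in

$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$RetiredServer,CN=Servers,CN=$Site,CN=Sites,$configNc"

function Invoke-MetadataCleanup {
    param([string]$ServerDn)
    # Same commands as the article's steps 3, 4, 6 and 7, passed in one call.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

function Test-MetadataCleanup {
    param([string]$ServerName)
    $problems = @()

    # 1. Server object and NTDS Settings in the configuration partition
    #    (what the article checks in Active Directory Sites and Services).
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$ServerName))" `
                           -SearchBase $configNc -ErrorAction SilentlyContinue
    if ($server) {
        $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
                             -SearchBase $server.DistinguishedName `
                             -SearchScope OneLevel -ErrorAction SilentlyContinue
        if ($ntds) {
            $problems += "NTDS Settings still present under $($server.DistinguishedName)"
        } else {
            $problems += "Empty server object $($server.DistinguishedName) remains; delete it in AD Sites and Services"
        }
    }

    # 2. Computer object in the Domain Controllers OU
    #    (what the article checks in Active Directory Users and Computers).
    $domain = Get-ADDomain
    $comp = Get-ADComputer -LDAPFilter "(cn=$ServerName)" `
                           -SearchBase $domain.DomainControllersContainer `
                           -ErrorAction SilentlyContinue
    if ($comp) { $problems += "Computer object $($comp.DistinguishedName) still exists" }

    # 3. Operations master roles must not still point at the retired server.
    $forest = Get-ADForest
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.GetEnumerator()) {
        $holder = [string]$role.Value
        if ($holder -and $holder.Split('.')[0] -ieq $ServerName) {
            $problems += "$($role.Key) is still held by $holder"
        }
    }
    return $problems
}

# Only run the cleanup if the NTDS Settings object is actually still there.
$before = Test-MetadataCleanup -ServerName $RetiredServer
if ($before -match 'NTDS Settings still present') {
    Invoke-MetadataCleanup -ServerDn $serverDn
}

$after = Test-MetadataCleanup -ServerName $RetiredServer
if ($after) {
    $after | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Metadata for $RetiredServer has been cleaned up"
}
```

The role check in step 3 is the part most often skipped: Ntdsutil removes the server's NTDS Settings object but does not seize any operations master role the dead server held, so the fsmoRoleOwner attributes can keep pointing at a deleted object until the role is seized on a surviving domain controller.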

Removing a Domain Controller in Windows Server 2012

1. Log on to the server running Windows Server 2012 using an account with Administrative privileges.

2. Launch the Remove Roles and Features Wizard and remove the Active Directory Domain Services role and its accompanying features.

3. Click the Demote This Domain Controller hyperlink.

4. Select the Force The Removal Of This Domain Controller check box and click Next.

5. In the Password and Confirm Password text boxes, type the password you want the server to use for the local Administrator account after the demotion. Then click Next.

6. Click Demote.

7. Log on using the local Administrator password you specified earlier.

8. Launch the Remove Roles and Features Wizard again and repeat the process of removing the Active Directory Domain Services role and its accompanying features.

9. Close the wizard and restart the server.



Demote Using Windows PowerShell

To demote a domain controller by using Windows PowerShell, use the following command, where -LocalAdministratorPassword takes the new local Administrator password as a SecureString:

Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword (Read-Host -AsSecureString -Prompt "Local Administrator password") -Force
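As an added example (not from the original article), the following script runs the forced demotion through the ADDSDeployment module on the disconnected domain controller itself. It runs the module's prerequisite check first, then demotes without an automatic reboot so the server can be examined before restarting, matching the article's advice for the dcpromo wizard. It assumes Windows Server 2012 or later with the AD DS role installed and an elevated session; the parameter values are placeholders.

```powershell
# Added example (not from the original article): forced demotion via
# ADDSDeployment with a prerequisite check and no automatic reboot.
Import-Module ADDSDeployment

# Prompt for the new local Administrator password rather than embedding it.
$localAdminPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# Prerequisite check only: reports anything that would block the demotion
# without changing the server. DemoteOperationMasterRole is needed if this
# DC still holds an operations master role, which a disconnected DC often does.
$check = Test-ADDSDomainControllerUninstallation `
            -ForceRemoval `
            -LocalAdministratorPassword $localAdminPassword `
            -DemoteOperationMasterRole
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message)"
}

$params = @{
    ForceRemoval               = $true
    LocalAdministratorPassword = $localAdminPassword
    DemoteOperationMasterRole  = $true
    NoRebootOnCompletion       = $true   # examine the server before restarting
    Force                      = $true   # suppress the confirmation prompt
}
$result = Uninstall-ADDSDomainController @params
$result | Format-List Status, Message, RebootRequired

# After checking the server, restart it in normal mode:
#   Restart-Computer
# Forced removal still leaves the forest metadata in place; run the metadata
# cleanup described above from a surviving domain controller afterwards.
```

Using `-NoRebootOnCompletion` is the PowerShell equivalent of leaving the Reboot On Completion check box clear in the wizard: the demotion completes, but you get to look at the server state and event log before it comes back up as a member server.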