Remove a Current Operational Domain Controller from Active Directory



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Publication: 10/9/2010
Updated 12/27/2011 – added time service configuration info.




Preface



I’ve written this blog because this question has come up numerous times in the forums, newsgroups, and from colleagues. There are other very well qualified blogs, posts and tech articles on these steps. I thought I would outline the steps and add a link for each one explaining how to do it, in case you are not sure of a step.


Keep in mind, you can’t simply unplug a DC and be done with it, as you could in the Windows NT4 days. A domain controller has numerous ramifications in the AD database and AD functionality. Other DCs will still think it’s there and will try to replicate to it because it’s still in the AD database. You must remove it properly.


Now if the domain controller has been unplugged and offline for more than the tombstone lifetime (60 days for Windows 2000 and Windows 2003 SP0, or 180 days for Windows 2003 SP1 and all newer operating systems), you will need to run a Metadata Cleanup to remove the DC. This is due to the tombstone lifetime: the period for which AD keeps deleted objects and tolerates a partner, such as a domain controller, that it has not been in communication with.


If I’ve omitted any basic or necessary steps, please do comment and let me know. All comments and suggestions are welcome!




If the DC has been unplugged for more than the Tombstone Lifetime



If it has been unplugged for longer than the tombstone lifetime on Windows 2003 or newer, you can either run a simple dcpromo /forceremoval to remove AD from the DC, or reinstall the DC from scratch. Either way, you will need to run a Metadata Cleanup procedure.


Restart the DC OFF the network.
On this DC, run “DCPROMO /FORCEREMOVAL”.
Run the Metadata Cleanup procedure on a current DC to remove its reference.
If you want to reintroduce the old DC, you can simply promote it back to a DC.



Once you’ve done the above, run the Metadata Cleanup procedure. Here are some links to guide you:


How to remove data in Active Directory after an unsuccessful Domain Controller Promotion
http://support.microsoft.com/kb/216498


Clean up server metadata: Active Directory, Mar 2, 2005
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx


Script to run Metadata Cleanup Procedure:
Script to Remove Active Directory Domain Controller Metadata
Microsoft: The Scripting Guys, Published on 8/10/2009
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3


Delete Failed DCs from Active Directory
This link put together by Dan Petri, includes screen shots.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm





To remove a current, operational DC that is still under the Tombstone Lifetime, the basic steps are:



Reminder: Do this during off-production hours. This will allow time for changes to replicate in the AD and DNS infrastructure prior to users logging on the next production day.


1. Change the DNS addresses on the DC to point to an existing DC/DNS server in the same AD Site. If there are no other DCs in the Site, choose a DC in another Site with a fast link.


2. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.


How to move a DHCP database from a computer that is running Windows 2003 (also applies to newer versions)
http://support.microsoft.com/kb/325473


How to migrate a DHCP database from Windows 2000 Server to Windows, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx


3. If WINS is installed, you’ll need to migrate it to another server. Read more in this link:


How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419


4. Disable the Global Catalog service from the domain controller.


Open Active Directory Sites and Services
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, uncheck the Global Catalog checkbox


5. If this domain controller currently holds one or more FSMO operations master roles, transfer them to another domain controller before demoting it. You can let dcpromo transfer the roles automatically, but it may move them to a DC you would not have chosen; transferring them yourself lets you place the roles on a specific DC.


How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504


How to view and transfer FSMO roles in the graphical user interface
There are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690


Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm


6. If you transfer the PDC Emulator FSMO role to the new DC, you will need to configure the time service on the new PDC.


On the new PDC Emulator (note: ‘peers’ is an Internet time source such as time-a.nist.gov or time.windows.com):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update


On the old PDC Emulator:
w32tm /config /syncfromflags:domhier /update


After that, run the following on all DCs:
net stop w32time
net start w32time


The “peers” value can be a text file or direct input, and sets the time source as either a DNS name (such as time.windows.com) or the IP address of a reliable time source. I normally use 192.5.41.41. Check http://www.pool.ntp.org for time servers in your own locale.


On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source to the new PDC Emulator.


For more Windows Time Service specifics and troubleshooting, check the following:


Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx


7. Make sure Exchange 2003 is not using this DC for the OAB or RUS; if it is, change it to another DC. With Exchange 2007 or 2010, Exchange will automatically discover the change.


If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:


Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx


8. Run dcpromo. When prompted, indicate that this DC is not the last DC in the domain (leave that option unchecked). Allow it to restart. If you are not sure how, or which options to choose, read the following links.


Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx


Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2     
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx


9. Go to an existing DC and check DNS to make sure its references (the LdapIpAddress and GC records) are gone.


Check _gc._msdcs.domain.com.
If a reference to the old DC still exists, delete it.


Check the domain.com zone
If an entry for “(same as parent) A <oldIpAddress>” exists, delete it.


10. Check the domain.com and _msdcs.domain.com zones for NS (name server) records to make sure the old DC’s record no longer exists. If it still shows:


Right-click the zone and choose Properties
Choose the Name Servers tab
Highlight the old entry
Choose Delete, and click OK on the message that pops up asking whether you are sure you want to delete it


11. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.


Open Active Directory Sites and Services
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)


12. Check the Domain Controllers OU in Active Directory Users and Computers (ADUC) to make sure it’s gone. You should now find the old DC’s computer object in the Computers container.


13. Change the DC’s DNS settings to its own IP address (itself) as the first entry and delete the 127.0.0.1 entry. Make the other DC in the same Site the second DNS entry. This is the preferred setting: every DC points to itself as the first entry and to another DC in its own Site as the second. If there are no other DCs in its own Site, choose one across the WAN with the fastest link.


14. Go have a cold or hot beverage of your choosing. You should be good to go.
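An added check script for the clean-up above (example code, not from the original post or from Microsoft): run it on a surviving DC after step 8 to confirm that nothing from steps 5, 6 and 9 through 12 still references the demoted DC. It assumes the ActiveDirectory and DnsServer PowerShell modules (RSAT, or Windows Server 2012 and newer); OLDDC01 and 192.0.2.10 are placeholders for the old DC’s name and address.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory and
# DnsServer modules; $OldDc and $OldIp are hypothetical placeholders.
param(
    [string]$OldDc = 'OLDDC01',      # NetBIOS name of the demoted DC (placeholder)
    [string]$OldIp = '192.0.2.10',   # its old address (constructed example value)
    [string]$Zone  = ''              # defaults to the domain's DNS name
)
Import-Module ActiveDirectory, DnsServer
$d = Get-ADDomain; $f = Get-ADForest
if (-not $Zone) { $Zone = $d.DNSRoot }
$findings = @()

# Step 5: no FSMO role may still be held by the old DC
$roles = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
           $f.SchemaMaster, $f.DomainNamingMaster)
if ($roles -match "^$OldDc\.") { $findings += "A FSMO role is still held by $OldDc" }

# Step 6: the PDC Emulator must sync from an external source, not its own clock
$pdc = $d.PDCEmulator
$src = (& w32tm /query "/computer:$pdc" /source) -join ' '
if ($src -match 'Local CMOS Clock|Free-running') { $findings += "PDCe time source: $src" }

# Steps 9 and 10: A, SRV (e.g. _ldap._tcp.gc._msdcs), NS and CNAME records in
# domain.com and _msdcs.domain.com that still point at the old name or IP
foreach ($z in @($Zone, "_msdcs.$Zone")) {
    Get-DnsServerResourceRecord -ZoneName $z -ErrorAction SilentlyContinue | ForEach-Object {
        $rd = $_.RecordData
        $target = switch ($_.RecordType) {
            'A'     { $rd.IPv4Address.IPAddressToString }
            'NS'    { $rd.NameServer }
            'SRV'   { $rd.DomainName }
            'CNAME' { $rd.HostNameAlias }
            default { $null }
        }
        if ($target -and ($target -eq $OldIp -or $target -like "$OldDc.*")) {
            $findings += "Stale $($_.RecordType) record in ${z}: $($_.HostName) -> $target"
        }
    }
}

# Step 11: server object under CN=Sites in the Configuration partition
$cfg = (Get-ADRootDSE).configurationNamingContext
$srv = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -SearchBase "CN=Sites,$cfg"
if ($srv) { $findings += "Sites and Services server object remains: $($srv.DistinguishedName)" }
# Step 12: the computer account should no longer sit in the Domain Controllers OU
$dcOu = "OU=Domain Controllers,$($d.DistinguishedName)"
if (Get-ADComputer -Filter "Name -eq '$OldDc'" -SearchBase $dcOu) { $findings += "$OldDc is still in the Domain Controllers OU" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { "No stale references to $OldDc found." }
```

Each warning names the step whose clean-up was missed, so the script is also a handy pre-flight check before re-pointing client DNS in step 13.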




All comments, corrections and suggestions are welcome!


Ace Fekay
