Branch Office: Removing an RODC from AD

Well eventually you are going to remove an RODC and if you are running in a test lab sooner rather than later. Microsoft has a TechNet Article which covers removing the RODC with the claim that AD metadata is removed. I have not found that to be entirely accurate. This post reflects my experience and the additional items which needed to be removed. This post reflects how to remove the RODC when the server has been lost or stolen, or in my case restored to an earlier backup.


Note: If the RODC is still connected to the domain follow the steps in the above TechNet Article and then read on for additional information about things to check for.


I originally asked a question in the MS Partner Forums.


Here is the question:


I would like to know how one properly removes an RODC server which has been permanently removed from the domain. So the scenario is, you restore an earlier version of a backup before the RODC computer was joined to the domain. However the computer name is the same and you cannot rejoin the domain.

What is the procedure to properly remove them if they are in an abandoned state.


Paulo Lin from Microsoft Partner Forums helpfully contributed among other things:


a.    Forcefully remove AD DS on rodc. [note from Jeff: In the Restored Backup, RODC was not yet installed]

Run “dcpromo /forceremoval” on RODC.

 

b.    Clean up AD database for this RODC from any other working DC

How to remove data in Active Directory after an unsuccessful domain controller demotion

http://support.microsoft.com/kb/216498

 

c.    Wait for AD replication.

 

d.    Promote RODC back to domain as a DC or RODC.

 

The steps will clean up AD account, DNS records, DC objects in configuration partition and DFS replication object all in once.


I contributed the following additional best practice notes:


First I wanted to let you know that I did remove the RODC. I then went through and did some forensics to check to see if the claim was accurate that AD Metadata and DNS records were cleaned up.

My conclusion is that only certain metadata is cleaned up while other information is not. Equally, DNS information is not entirely cleaned up. This may or may not be by design and I would have to talk to people in the Product team to get a better understanding of whether the behavior I saw was expected and desired. In my case since we were permanently removing the RODC, the behavior was not desired. In KB/216498 there was some reference to ‘Advanced optional syntax with the SP1 or later versions of Ntdsutil.exe’. In this section, which is the method I would recommend, it talks about DNS and DHCP records which need cleanup.

Here is a list of things that were not removed when I followed the NTDSUtil steps from the article.

AD Sites and Services => Default-First-Site-Name ==>Servers
Server was still listed
DNS Entries
1)
=>Forward Lookup Zones
==><TheSampleDomainName.TLD>
===>ForestDNSZones
====>_sites
=====>Default-First-Site-Name
======>_tcp
2)
=>Forward Lookup Zones
==><TheSampleDomainName.TLD>
===>DomainDNSZones
====>_sites
=====>Default-First-Site-Name
======>_tcp
DHCP Entries (For Site-Site VPN)
Address Leases would eventually expire however you need to manually remove them if you want them to be realocated.
System Center Essential
Systems Center may still report computers as not connected



Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>