Well, eventually you are going to remove an RODC, and if you are running a test lab, sooner rather than later. Microsoft has a TechNet article covering removal of an RODC that claims the AD metadata is removed. I have not found that to be entirely accurate. This post reflects my experience and the additional items that needed to be removed, and it covers how to remove the RODC when the server has been lost or stolen, or, in my case, restored to an earlier backup.
Note: If the RODC is still connected to the domain, follow the steps in the TechNet article above and then read on for additional things to check for.
I originally asked a question in the MS Partner Forums.
Here is the question:
I would like to know how one properly removes an RODC server which has been permanently removed from the domain. So the scenario is: you restore an earlier version of a backup from before the RODC computer was joined to the domain. However, the computer name is the same and you cannot rejoin the domain.
Paulo Lin from Microsoft Partner Forums helpfully contributed among other things:
a. Forcefully remove AD DS on the RODC. [note from Jeff: in the restored backup, the RODC was not yet installed]
Run "dcpromo /forceremoval" on the RODC.
b. Clean up AD database for this RODC from any other working DC
How to remove data in Active Directory after an unsuccessful domain controller demotion
c. Wait for AD replication.
d. Promote RODC back to domain as a DC or RODC.
The steps will clean up the AD account, DNS records, DC objects in the configuration partition and the DFS replication object all at once.
I contributed the following additional best practice notes:
First, I wanted to let you know that I did remove the RODC. I then went through and did some forensics to check whether the claim that the AD metadata and DNS records were cleaned up was accurate.
Here is a list of things that were not removed when I followed the NTDSUtil steps from the article.

AD Sites and Services => Default-First-Site-Name => Servers
Server was still listed

=> Forward Lookup Zones

DHCP Entries (for site-to-site VPN)
Address leases would eventually expire; however, you need to manually remove them if you want them to be reallocated.

System Center Essentials
System Center may still report computers as not connected
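As an added example (not part of the original post or the TechNet article), the script below checks the places listed above for leftovers after an ntdsutil metadata cleanup, so you can confirm what still needs manual removal. It only reports; it deletes nothing. It assumes the ActiveDirectory, DnsServer and DhcpServer RSAT modules are installed, and the server names RODC01 and DC01 are hypothetical placeholders.

```powershell
# Added example, not from the original post. Reports leftover RODC objects after metadata cleanup.
# Assumes ActiveDirectory, DnsServer and DhcpServer modules; RODC01 / DC01 are hypothetical names.
param(
    [string]$RodcName   = 'RODC01',                  # hypothetical RODC hostname
    [string]$SiteName   = 'Default-First-Site-Name',
    [string]$DnsServer  = 'DC01',                    # hypothetical writable DC hosting DNS
    [string]$DhcpServer = 'DC01'                     # hypothetical DHCP server
)
Import-Module ActiveDirectory, DnsServer, DhcpServer -ErrorAction Stop

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$findings = @()

# 1. AD Sites and Services => <site> => Servers: the server object often survives ntdsutil cleanup
$serversDn = "CN=Servers,CN=$SiteName,CN=Sites,$($rootDse.configurationNamingContext)"
$srv = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$RodcName'" `
                    -SearchBase $serversDn -ErrorAction SilentlyContinue
if ($srv) { $findings += "Sites and Services: server object still present: $($srv.DistinguishedName)" }

# 2. Computer account in the domain partition
$acct = Get-ADComputer -Filter "name -eq '$RodcName'" -ErrorAction SilentlyContinue
if ($acct) { $findings += "AD: computer account still present: $($acct.DistinguishedName)" }

# 3. DNS forward lookup zone: A records named after the RODC and SRV records that point at it
$zone = $domain.DNSRoot
$aRecs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType A -ErrorAction SilentlyContinue |
         Where-Object { $_.HostName -eq $RodcName }
if ($aRecs) { $findings += "DNS: A record(s) for $RodcName still in zone $zone" }
$srvRecs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DomainName -like "$RodcName.*" }
if ($srvRecs) { $findings += "DNS: $(@($srvRecs).Count) SRV record(s) still point at $RodcName" }

# 4. DHCP address leases (e.g. the site-to-site VPN scope) still held under the RODC's name
$leases = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ErrorAction SilentlyContinue |
          ForEach-Object { Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId } |
          Where-Object { $_.HostName -like "$RodcName*" }
if ($leases) { $findings += "DHCP: $(@($leases).Count) lease(s) still held by $RodcName" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "No leftover objects for $RodcName found in AD, DNS or DHCP." }
```

Run it from a writable DC after replication has completed; each warning corresponds to one of the manual clean-up items above.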