Active Directory Administrator's Pocket Consultant: Deploying Writable Domain Controllers

  • 1/14/2009

Decommissioning Domain Controllers

When you no longer need a domain controller, you can decommission it and remove it from service. Running the Active Directory Domain Services Installation Wizard (Dcpromo.exe) on the domain controller allows you to remove Active Directory Domain Services and demote the domain controller to either a stand-alone server or a member server.

The process for removing an additional domain controller is different from the process for removing the last domain controller. If the domain controller is the last in the domain, it will become a stand-alone server in a workgroup. Otherwise, if other domain controllers remain in the domain, the domain controller will become a member server in the domain.

Preparing to Remove Domain Controllers

Before you demote a domain controller, you should determine the functions and roles the server has in the domains and plan accordingly. With regard to Active Directory Domain Services, the functions and roles to check for are as follows:

Global catalog server

  • Don’t accidentally remove the last global catalog server from a domain. If you remove the last global catalog server from a domain, you will cause serious problems. Users won’t be able to log on to the domain, and directory search functions will be impaired. To avoid problems, ensure another global catalog server is available or designate a new one.

  • Don’t accidentally remove the last global catalog server from a site. If you remove the last global catalog server from a site, computers in the site will query a global catalog server in another site when searching for resources in other domains in the forest, and a domain controller responding to a user’s logon or authentication request will need to obtain the required information from a global catalog server in another site. To avoid problems, ensure another global catalog server is available, designate a new one, or verify the affected site is connected to other sites with fast, reliable links.

  • Determine whether a domain controller is acting as a global catalog server by typing the following at a command prompt: dsquery server -domain DomainName | dsget server -isgc -dnsname where DomainName is the name of the domain you want to examine. The resulting output lists all global catalog servers in the domain.

Bridgehead server

  • Don’t accidentally remove the last preferred bridgehead server from a site. If you remove the last preferred bridgehead server, intersite replication will stop until you change the preferred bridgehead server configuration options. You can avoid problems by (1) removing the preferred bridgehead server designation prior to demoting the domain controller and thereby allowing Active Directory to select the bridgehead servers to use, or (2) ensuring one or more additional preferred bridgehead servers are available.

  • Determine whether a domain controller is acting as a bridgehead server by typing the following at a command prompt: repadmin /bridgeheads site:SiteName where SiteName is the name of the site, such as repadmin /bridgeheads site:Seattle-First-Site. The resulting output is a list of bridgehead servers in the specified site. If you omit the site:SiteName value, the details for the current site are returned.

Operations master

  • Don’t accidentally demote a domain controller holding a forestwide or domainwide operations master role. If you remove an operations master without first transferring the role, Active Directory will try to transfer the role as part of the demotion process, and the domain controller that ends up holding the role may not be the one you would have selected.

  • Determine whether a domain controller is acting as an operations master by typing the following at a command prompt: netdom query fsmo. The resulting output lists the forestwide and domainwide operations master role holders.

Before you remove the last domain controller in a domain, you should examine domain accounts and look for encrypted files and folders. Because the deleted domain will no longer exist, its accounts and cryptographic keys will no longer be applicable, and this results in the deletion of all domain accounts and all certificates and cryptographic keys. You must decrypt any encrypted data on the server, including data stored using the Encrypting File System (EFS), before removing the last domain controller, or the data will be permanently inaccessible.

You can check for encrypted files and folders by using the EFSInfo utility. At a command prompt, enter efsinfo /s:DriveDesignator /i | find ": Encrypted" where DriveDesignator is the drive designator of the volume to search, such as C:.
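As an added example (not from the book), the following PowerShell script runs the global catalog, bridgehead, operations master and EFS checks described above for one domain controller and summarizes what it finds. It assumes dsquery/dsget, repadmin, netdom and efsinfo are available where it runs (a Full Server installation or an administrative workstation with the tools installed), and the DC name, domain, site and drive values are placeholders you replace.

```powershell
# Added example, not the book's own code. Pre-demotion checks for one DC using
# the command-line tools the chapter names; all default values are placeholders.
param(
    [string]$DcName = "dc02.example.local",      # FQDN of the DC you plan to demote (constructed)
    [string]$Domain = "example.local",           # domain to examine (constructed)
    [string]$Site   = "Default-First-Site-Name", # site the DC belongs to
    [string]$Drive  = "C:"                       # volume to scan for EFS-encrypted data
)

$findings = @()

# 1. Global catalog: dsget prints one row per server with its DNS name and
#    yes/no in the isgc column. Keep only the "yes" rows so we can tell
#    whether this DC would be the last global catalog server in the domain.
$gcRows = @(dsquery server -domain $Domain | dsget server -isgc -dnsname |
            Where-Object { $_ -match '\s+yes\s*$' })
$isGc = @($gcRows | Where-Object { $_ -like "*$DcName*" }).Count -gt 0
if ($isGc -and $gcRows.Count -le 1) {
    $findings += "$DcName is the LAST global catalog server in $Domain"
} elseif ($isGc) {
    $findings += "$DcName is a global catalog server (others exist in $Domain)"
}

# 2. Bridgehead: flag the DC if it appears in the site's bridgehead list.
if (repadmin /bridgeheads "site:$Site" | Select-String -SimpleMatch $DcName) {
    $findings += "$DcName is listed as a bridgehead server for site $Site"
}

# 3. Operations master roles: each output line names a role and its holder.
foreach ($m in (netdom query fsmo | Select-String -SimpleMatch $DcName)) {
    $findings += "Operations master role held by $DcName`: $($m.Line.Trim())"
}

# 4. EFS: encrypted data becomes unreadable once the last DC of the domain is
#    gone, so count hits using the efsinfo filter given in the chapter.
$efs = @(efsinfo "/s:$Drive" /i | Select-String -SimpleMatch ": Encrypted")
if ($efs.Count -gt 0) {
    $findings += "$($efs.Count) encrypted file(s) or folder(s) found on $Drive"
}

if ($findings.Count -eq 0) {
    "No roles or encrypted data found for $DcName that need attention before demotion."
} else {
    "Review the following before running dcpromo on $DcName`:"
    $findings | ForEach-Object { " - $_" }
}
```

Transfer or reassign any role it reports, and decrypt any EFS data, before starting the wizard.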

The credentials you need to demote a domain controller depend on the domain controller’s functions and roles. Keep the following in mind:

  • To remove the last domain controller from a domain tree or child domain, you must use an account that is a member of the Enterprise Admins group or be able to provide credentials for an enterprise administrator account.

  • To remove the last domain controller in a forest, you must log on to the domain as Administrator or use an account that is a member of the Domain Admins group.

  • To remove other domain controllers, you must use an account that is a member of either the Enterprise Admins or Domain Admins group.

Removing Additional Domain Controllers

You can remove an additional domain controller from a domain by completing the following steps:

  1. Start the Active Directory Domain Services Installation Wizard by clicking Start, typing dcpromo in the Search box, and pressing Enter.

  2. When the wizard starts, it will confirm that the computer is a domain controller. You should see a message stating the server is already a domain controller and that by continuing you will remove Active Directory, as shown in Figure 3-7. Click Next.

    Figure 3-7. Initiate Active Directory removal.

  3. If the domain controller is a global catalog server, a message appears to warn you about ensuring other global catalog servers are available, as shown in Figure 3-8. Before you click OK to continue, you should ensure one or more global catalog servers are available, as discussed previously.

    Figure 3-8. Ensure that you don’t accidentally remove the last global catalog server.

  4. On the Delete The Domain page, click Next without making a selection. If the domain controller is the last in the domain, you’ll see a warning like the one shown in Figure 3-9. In this case, I recommend clicking No and then clicking Cancel, which will exit the wizard and allow you to perform any necessary preparatory tasks if you do indeed want to remove the last domain controller. When you are ready to proceed, you should perform the tasks discussed in “Removing the Last Domain Controller,” later in this chapter.

    Figure 3-9. Ensure that you don’t accidentally remove the last domain controller.

  5. If the domain controller is the last DNS server for one or more Active Directory–integrated zones, a message appears to warn you that you may be unable to resolve DNS names in the applicable zones. Before continuing by clicking OK, you should ensure that you establish another DNS server for these zones.

  6. If the domain controller has application directory partitions, the next page you will see is the Application Directory Partitions page, shown in Figure 3-10. You will need to do the following:

    1. If you want to retain any application directory partitions that are stored on the domain controller, you will need to use the application that created the partition to extract and save the partition data as appropriate. If the application does not provide such a tool, you can let the Active Directory Domain Services Installation Wizard remove the related directory partitions. When you are ready to continue with Active Directory removal, you can click Refresh to update the list and see any changes.

    2. Click Next. Confirm that you want to delete all application directory partitions on the domain controller by selecting the related option and then clicking Next. Keep in mind that deleting the last replica of an application partition will delete all data associated with that partition.

    Figure 3-10. Ensure that you don’t accidentally remove the last replica of application partitions.

  7. The wizard checks DNS to see if any active delegations for the server need to be removed. If the Remove DNS Delegation page is displayed, as shown in Figure 3-11, verify that the Delete The DNS Delegations Pointing To This Server check box is selected. Then click Next. If you don’t remove the delegations at this time, you’ll need to manually remove them later using the DNS console.

    Figure 3-11. Verify that you want to remove DNS delegations.

  8. If you are removing DNS delegations, the Active Directory Domain Services Installation Wizard then examines the DNS configuration, checking your credentials and attempting to contact a DNS server in the domain. If you need additional credentials to remove DNS delegations, the Windows Security dialog box is displayed. Enter administrative credentials for the server that hosts the DNS zone in which the domain controller is registered and then click OK.

  9. On the Administrator Password page, you are prompted to type and confirm the password for the local Administrator account on the server. Domain controllers don’t have local accounts, but member and stand-alone servers do, so the local Administrator account is re-created as part of the Active Directory removal process and you must supply its password here. Click Next.

  10. On the Summary page, review your selections. Optionally, click Export Settings to save these settings to an answer file that you can use to perform unattended demotion of other domain controllers. When you click Next again, the wizard uses the options you’ve selected to demote the domain controller. This process can take several minutes.

  11. On the Completing The Active Directory Domain Services Installation Wizard page, click Finish. You can either select the Reboot On Completion check box to have the server restart automatically, or you can restart the server to complete the Active Directory removal when you are prompted to do so.

When removing an additional domain controller from a domain, the Active Directory Domain Services Installation Wizard does the following:

  • Removes Active Directory and all related services from the server and makes it a member server in the domain

  • Changes the computer account type and moves the computer account from the Domain Controllers container in Active Directory to the Computers container

  • Transfers any operations master roles from the server to another domain controller in the domain

  • Updates DNS to remove the domain controller SRV records

  • Creates a local Security Accounts Manager (SAM) account database and a local Administrator account

Removing the Last Domain Controller

You can remove the last domain controller in a domain or forest by completing the following steps:

  1. Start the Active Directory Domain Services Installation Wizard by clicking Start, typing dcpromo in the Search box, and pressing Enter.

  2. When the wizard starts, click Next. If the domain controller is a global catalog server, a message appears to warn you about ensuring other global catalog servers are available. Click OK to continue.

  3. On the Delete The Domain page, select Delete The Domain Because This Server Is The Last Domain Controller In The Domain check box, as shown in Figure 3-12. Click Next to continue. After you remove the last domain controller in a domain or forest, you can no longer access any directory data, Active Directory accounts, or encrypted data.

    Figure 3-12. Verify that you want to delete the domain or forest.

  4. The rest of the removal proceeds as previously discussed. Continue with steps 6 through 11 of the previous section, “Removing Additional Domain Controllers.” Note the following:

    • If you are removing the last domain controller from a domain, the wizard verifies that there are no child domains of the current domain before performing the removal operation. If child domains are found, removal of Active Directory fails, with an error telling you that you cannot remove Active Directory.

    • When the domain being removed is a child domain, the wizard notifies a domain controller in the parent domain that the child domain is being removed. For a parent domain in its own tree, a domain controller in the forest root domain is notified. Either way, the domain object is tombstoned, and this change is then replicated to other domain controllers. The domain object and any related trust objects are also removed from the forest.

    • As part of removing Active Directory from the last domain controller in a domain, all domain accounts, all certificates, and all cryptographic keys are removed from the server. The wizard creates a local SAM account database and a local Administrator account. It then changes the computer account type to a stand-alone server and puts the server in a new workgroup.

Removing Domain Controllers Using Answer Files or the Command Line

On a Full Server or Core Server installation of Windows Server 2008, you can remove domain controllers using an unattended removal or the command line. You must be logged on with an account that is a member of the Domain Admins group in the domain.

With the unattended removal method, you must first prepare an answer file that contains the desired removal values. You can create an answer file for removing a domain controller by completing the following steps:

  1. Open Notepad or any other text editor.

  2. On the first line, type [DCINSTALL], and then press Enter.

  3. Type the following entries, one entry on each line.

    UserName=AdminAccountInDomainOfDC
    UserDomain=DomainOfAdminAccount
    Password="PasswordOfAdminAccount"
    AdministratorPassword=NewLocalAdminPassword
    RemoveApplicationPartitions=yes
    RetainDCMetadata=No
    RemoveDNSDelegation=yes
    RebootOnCompletion=yes

  4. If the account that is being used to remove AD DS is different from the account in the parent domain that has the privileges that are required to remove a DNS delegation, you must specify the account that can remove the DNS delegation by entering the following additional parameters.

    DNSDelegationUserName=DelegationAdminAccount
    DNSDelegationPassword="Password"

  5. If the domain controller is the last DNS server for one or more Active Directory–integrated DNS zones that it hosts, Dcpromo will exit with an error. You can force Dcpromo to proceed by entering the following additional parameter.

    IgnoreIsLastDNSServerForZone=yes

  6. If the domain controller is the last in the domain or forest, Dcpromo will exit with an error. You can force Dcpromo to proceed by entering the following additional parameter.

    IsLastDCInDomain=yes

  7. Save the answer file as a .txt file and then copy the file to a location accessible from the server you want to demote.

  8. After you create the answer file, you can start the unattended removal by entering the following at a command prompt:

    dcpromo /unattend:"PathToAnswerFile"

    where PathToAnswerFile is the full file path to the answer file, such as C:\data\removedc.txt.

At the command line, you can remove a domain controller from a domain using the following command.

dcpromo /unattend
/UserName:AdminAccountInDomainOfDC
/UserDomain:DomainOfAdminAccount
/Password:"PasswordOfAdminAccount"
/AdministratorPassword:NewLocalAdminPassword
/RemoveApplicationPartitions:yes
/RetainDCMetadata:No
/RemoveDNSDelegation:yes
/RebootOnCompletion:yes

If the domain controller is the last DNS server for one or more Active Directory–integrated DNS zones that it hosts, Dcpromo will exit with an error. You can force Dcpromo to proceed using the following additional parameter.

/IgnoreIsLastDNSServerForZone:yes

If the domain controller is the last in the domain or forest, Dcpromo will exit with an error. You can force Dcpromo to proceed using the following additional parameter.

/IsLastDCInDomain:yes

When the unattended removal or command-line execution completes, Dcpromo exits with a return code. A return code of 1 to 10 indicates success. A return code of 11 to 100 indicates failure. Note any related error text and take appropriate corrective action as necessary.
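As an added example that is not part of the book, this PowerShell script builds the [DCINSTALL] answer file from parameters, adds the IsLastDCInDomain and IgnoreIsLastDNSServerForZone overrides only when they are explicitly requested, runs the unattended removal, and maps the return code to the ranges given in the paragraph above. The account, domain and path values are the chapter's placeholders; New-DemotionAnswerFile and Get-DcpromoResult are names chosen here.

```powershell
# Added example, not the book's own code. Writes a dcpromo answer file with the
# keys the chapter documents and interprets dcpromo's return code afterwards.
function New-DemotionAnswerFile {
    param(
        [string]$Path,
        [string]$UserName, [string]$UserDomain, [string]$Password,
        [string]$LocalAdminPassword,
        [switch]$LastDcInDomain,        # only when you really mean to delete the domain
        [switch]$IgnoreLastDnsServer,   # only when another DNS server already hosts the zones
        [string]$DnsDelegationUser = "", [string]$DnsDelegationPassword = ""
    )
    $lines = @(
        "[DCINSTALL]",
        "UserName=$UserName",
        "UserDomain=$UserDomain",
        "Password=`"$Password`"",
        "AdministratorPassword=$LocalAdminPassword",
        "RemoveApplicationPartitions=yes",
        "RetainDCMetadata=No",
        "RemoveDNSDelegation=yes",
        "RebootOnCompletion=yes"
    )
    if ($DnsDelegationUser) {
        $lines += "DNSDelegationUserName=$DnsDelegationUser"
        $lines += "DNSDelegationPassword=`"$DnsDelegationPassword`""
    }
    if ($IgnoreLastDnsServer) { $lines += "IgnoreIsLastDNSServerForZone=yes" }
    if ($LastDcInDomain)      { $lines += "IsLastDCInDomain=yes" }
    # Dcpromo reads a plain .txt answer file, so write ASCII without a BOM.
    $lines | Out-File -FilePath $Path -Encoding ASCII
    return $Path
}

# Return code ranges as documented: 1-10 success, 11-100 failure.
function Get-DcpromoResult([int]$Code) {
    if ($Code -ge 1  -and $Code -le 10)  { return "success" }
    if ($Code -ge 11 -and $Code -le 100) { return "failure" }
    return "unknown"
}

# Placeholder values from the chapter; replace with real ones before use.
$answer = New-DemotionAnswerFile -Path "C:\data\removedc.txt" `
    -UserName "AdminAccountInDomainOfDC" -UserDomain "DomainOfAdminAccount" `
    -Password "PasswordOfAdminAccount" -LocalAdminPassword "NewLocalAdminPassword"
dcpromo /unattend:"$answer"
"dcpromo returned $LASTEXITCODE ($(Get-DcpromoResult $LASTEXITCODE))"
# The answer file holds plaintext passwords: delete it once the server has rebooted.
```

Because RebootOnCompletion=yes restarts the server as soon as dcpromo finishes, clean up the answer file after the reboot rather than relying on code that runs after the dcpromo call.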