Active Directory Administrator's Pocket Consultant: Deploying Writable Domain Controllers

  • 1/14/2009

Forcing the Removal of Domain Controllers

A domain controller must have connectivity to other domain controllers in the domain in order to demote the domain controller and successfully remove Active Directory Domain Services. If a domain controller has no connectivity to other domain controllers, the standard removal process will fail, and you will need to connect the domain controller to the domain and then restart the removal process. In a limited number of situations, however, you might not want or be able to connect the domain controller to the domain and instead might want to force the removal of the domain controller.

Forcing the removal of a domain controller is a three-part process. You must:

  1. Restart the domain controller in Directory Services Restore Mode.

  2. Perform the forced removal of the domain controller.

  3. Clean up the Active Directory forest metadata.

These tasks are discussed in the sections that follow.

Restarting a Domain Controller in Directory Services Restore Mode

Before you can forcibly remove Active Directory Domain Services, you must restart the domain controller in Directory Services Restore Mode. Restarting in this mode takes the domain controller offline, meaning it functions as a member server, not as a domain controller. During installation of Active Directory Domain Services, you set the Administrator password for logging on to the server in Directory Services Restore Mode.

You can restart a domain controller in Directory Services Restore Mode manually by pressing the F8 key during domain controller startup. You must then log on by using the Directory Services Restore Mode password for the local Administrator account. A disadvantage of this technique is that if you accidentally restart the domain controller, you might forget to put it back into Directory Services Restore Mode.

To ensure the domain controller is in Directory Services Restore Mode until you specify otherwise, you can use the System Configuration utility or the Boot Configuration Data (BCD) editor to set a Directory Repair flag. Once this flag is set, the domain controller will always start in Directory Services Restore Mode, and you can be sure that you won’t accidentally restart the domain controller in another mode.

To restart a domain controller in Directory Services Restore Mode using the System Configuration utility, complete the following steps:

  1. On the Start menu, point to Administrative Tools, and then click System Configuration.

  2. On the Boot tab, in Boot Options, select Safe Boot, and then click Active Directory Repair, as shown in Figure 3-13.

    Figure 3-13. Change the boot options.

  3. Click OK to exit the System Configuration utility and save your settings.

  4. Restart the domain controller. The domain controller restarts in Directory Services Restore Mode.

When you have finished performing procedures in Directory Services Restore Mode, restart the domain controller in normal mode by completing the following steps:

  1. On the Start menu, point to Administrative Tools, and then click System Configuration.

  2. On the General tab, in Startup Selection, click Normal Startup, and then click OK.

  3. The domain controller restarts in normal mode.

To restart a domain controller in Directory Services Restore Mode using the BCD editor, complete the following steps:

  1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

  2. At the command prompt, enter the following command: bcdedit /set safeboot dsrepair. This configures the boot process to start in Directory Services Restore Mode.

  3. At the command prompt, enter the following command: shutdown -t 0 -r. This shuts down the server and restarts it without delay.

When you have finished performing procedures in Directory Services Restore Mode, restart the domain controller in normal mode by completing the following steps:

  1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

  2. At the command prompt, enter the following command: bcdedit /deletevalue safeboot. This deletes the safeboot value and returns the boot process to the previous setting.

  3. At the command prompt, enter the following command: shutdown -t 0 -r. This shuts down the server and restarts it without delay.

Performing Forced Removal of Domain Controllers

You can force the removal of a domain controller by completing the following steps:

  1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

  2. At the command prompt, enter the following command: dcpromo /forceremoval. This starts the Active Directory Domain Services Installation Wizard in Force Removal mode.

  3. If the domain controller hosts any operations master roles, is a DNS server, or is a global catalog server, warnings similar to the one shown in Figure 3-14 are displayed to explain how the forced removal of the related function will affect the rest of the environment. After you review the recommendations and take appropriate actions (if possible), click Yes to continue.

    Figure 3-14. Review each removal warning in turn.

  4. The Active Directory Domain Services Installation Wizard starts. On the Welcome page, click Next.

  5. On the Force The Removal Of Active Directory Domain Services page, shown in Figure 3-15, review the information about forcing the removal of Active Directory Domain Services and the required metadata cleanup operations, and then click Next.

    Figure 3-15. Review the forced removal warning.

  6. If the domain controller is a DNS server with zones integrated with Active Directory, you’ll see a warning stating one or more Active Directory–integrated zones will be deleted. Before continuing by clicking OK, you should ensure that there is another DNS server for these zones. Also note that you’ll need to manually remove DNS delegations pointing to this server.

  7. On the Administrator Password page, you are prompted to type and confirm the password for the local Administrator account on the server. A password is required because domain controllers don’t have local accounts, whereas member and stand-alone servers do; the local Administrator account is therefore re-created as part of the Active Directory removal process. Click Next.

  8. On the Summary page, review your selections. Optionally, click Export Settings to save these settings to an answer file that you can use to perform unattended forced removal of other domain controllers. When you click Next again, the wizard uses the options you’ve selected to forcibly remove Active Directory Domain Services. This process can take several minutes.

  9. On the Completing The Active Directory Domain Services Installation Wizard page, click Finish. Do not select the Reboot On Completion check box. When you are prompted to restart the server, do not do so. Instead, you’ll want to examine the server and perform any necessary additional tasks. Then when you are finished, restart the server in normal mode using the appropriate technique discussed previously.

When forcibly removing a domain controller from a domain, the Active Directory Domain Services Installation Wizard does the following:

  • Removes Active Directory and all related services from the server

  • Changes the computer account type

  • Creates a local Security Accounts Manager (SAM) account database and a local Administrator account

At the command line, you can force the removal of a domain controller from a domain using the following command.

dcpromo /unattend /forceremoval
/AdministratorPassword:NewLocalAdminPassword
/RemoveApplicationPartitions:yes
/RemoveDNSDelegation:yes
/RebootOnCompletion:yes

If the domain controller is an operations master, Dcpromo will exit with an error. You can force Dcpromo to proceed using the following additional parameter.

/DemoteFSMO:yes

This option should also suppress errors related to the domain controller being a global catalog server, a DNS server, or both.

When the command-line execution completes, Dcpromo exits with a return code. A return code of 1 to 10 indicates success. A return code of 11 to 100 indicates failure. Note the related error text and take appropriate corrective action as necessary.
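As an added example (not from the book), the following PowerShell script wraps the unattended forced removal command above with the two checks an administrator wants around it: it refuses to run unless the server is actually booted in Directory Services Restore Mode, and it interprets the Dcpromo return code using the ranges given here. It assumes an elevated PowerShell prompt on the disconnected domain controller; the switch name DemoteFsmo and the use of the SAFEBOOT_OPTION environment variable are this example's own choices.

```powershell
# Added example, not the book's code. Run from an elevated PowerShell prompt on the
# disconnected domain controller while it is booted in Directory Services Restore Mode.
param(
    [switch]$DemoteFsmo   # add /DemoteFSMO:yes when this DC holds an operations master role
)

# Windows sets SAFEBOOT_OPTION to DSREPAIR when the dsrepair safeboot flag was used.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$env:SAFEBOOT_OPTION'); run 'bcdedit /set safeboot dsrepair' and restart first."
}

# Prompt for the new local Administrator password rather than embedding it in a script.
# Caveat: dcpromo accepts it only on its command line, where it is visible to anyone who can
# inspect the process while dcpromo runs; change it again once the server is back in normal mode.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Parameters as listed in the chapter. RebootOnCompletion is set to no so the server can be
# examined before it is restarted in normal mode, as the wizard procedure advises.
$dcpromoArgs = @(
    '/unattend', '/forceremoval',
    "/AdministratorPassword:$plain",
    '/RemoveApplicationPartitions:yes',
    '/RemoveDNSDelegation:yes',
    '/RebootOnCompletion:no'
)
if ($DemoteFsmo) { $dcpromoArgs += '/DemoteFSMO:yes' }

$proc  = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" -ArgumentList $dcpromoArgs -Wait -PassThru
$plain = $null
$code  = $proc.ExitCode

# Return codes per the chapter: 1 to 10 indicate success, 11 to 100 indicate failure.
if ($code -ge 1 -and $code -le 10) {
    Write-Host "Forced removal succeeded (return code $code). Next: clean up forest metadata from a surviving DC."
} elseif ($code -ge 11 -and $code -le 100) {
    Write-Error "Forced removal failed (return code $code). Review %SystemRoot%\debug\dcpromo.log before retrying."
    exit $code
} else {
    Write-Warning "Unexpected dcpromo return code $code; inspect %SystemRoot%\debug\dcpromo.log."
    exit $code
}
```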

Cleaning Up Metadata in the Active Directory Forest

When you force the removal of a disconnected domain controller, the Active Directory forest metadata is not updated automatically as it is when a domain controller is removed normally. Because of this, you must manually update the forest metadata after you remove the domain controller.

You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. During metadata cleanup, Active Directory automatically performs the following tasks:

  • Removes data from the directory that identifies the retired domain controller to the replication system

  • Removes any related File Replication Service (FRS) and Distributed File System (DFS) Replication connections

  • Attempts to transfer or seize any operations master roles that the retired domain controller holds

Cleaning Up Server Metadata

On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. Deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, and all related tasks are performed automatically. Using Active Directory Users and Computers, you can clean up metadata by completing the following steps:

  1. Open Active Directory Users and Computers by clicking Start, clicking Administrative Tools, and then clicking Active Directory Users And Computers.

  2. You must be connected to a domain controller in the domain of the domain controller that you forcibly removed. If you aren’t or are unsure, right-click the Active Directory Users And Computers node and then click Change Domain Controller. Click the name of a domain controller in the appropriate domain, and then click OK.

  3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.

  4. In the details pane, right-click the computer object of the retired domain controller, and then click Delete.

  5. In the Active Directory Domain Services dialog box, click Yes to confirm that you want to delete the computer object.

  6. In the Deleting Domain Controller dialog box, select This Domain Controller Is Permanently Offline And Can No Longer Be Demoted, and then click Delete.

  7. If the domain controller was a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

  8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. Although you cannot change this domain controller at the present time, you can move the role once the metadata cleanup procedure is completed.

On domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you also can perform metadata cleanup by using the Ntdsutil command-line tool. Using Ntdsutil, you can clean up server metadata by completing the following steps:

  1. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt.

  2. At the command prompt, enter the following command: ntdsutil.

  3. At the ntdsutil prompt, enter the following command: metadata cleanup.

  4. At the metadata cleanup prompt, enter the following command if you are logged on to the domain of the domain controller that you forcibly removed: remove selected server RetiredServer where RetiredServer is the distinguished name of the retired domain controller. Otherwise, enter the following command: remove selected server RetiredServer on TargetServer where RetiredServer is the distinguished name of the retired domain controller and where TargetServer is the DNS name of a domain controller in the domain of the domain controller that you forcibly removed.

  5. When prompted with the Server Remove Configuration dialog box, read the details provided. Click Yes to remove the server object and related metadata. Ntdsutil will then confirm that the server object and related metadata were removed successfully. If you receive an error message that indicates that the object cannot be found, the server object and related metadata might have been removed previously.

  6. At the metadata cleanup prompt, enter the following command: quit.

  7. At the ntdsutil prompt, enter the following command: quit.

Confirming Removal of Deleted Server Objects

When you remove a domain controller, the related server object is removed from the domain directory partition automatically. You can confirm this using Active Directory Users and Computers. However, the server object representing the retired domain controller in the configuration directory partition can have child objects and is therefore not removed automatically. You can confirm the status of the server object in the configuration directory partition by using Active Directory Sites And Services.

You can confirm removal of server objects for a retired domain controller by completing the following steps:

  1. Open Active Directory Users and Computers by clicking Start, clicking Administrative Tools, and then clicking Active Directory Users And Computers.

  2. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.

  3. In the details pane, the computer object of the retired domain controller should not appear. If it does, follow the steps in “Cleaning Up Server Metadata,” earlier in this chapter, to remove the object using Active Directory Users and Computers.

  4. Open Active Directory Sites and Services by clicking Start, clicking Administrative Tools, and then clicking Active Directory Sites And Services.

  5. Any domain controllers associated with a site are listed in the site’s Servers node. Select the site that the retired domain controller was previously associated with and then expand the related Servers node.

  6. Confirm that the server object for the retired domain controller does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. Right-click the server object and then click Delete. When prompted to confirm, click Yes.
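As an added example (not from the book), the following read-only PowerShell script performs the checks from “Cleaning Up Metadata in the Active Directory Forest” and “Confirming Removal of Deleted Server Objects” over LDAP against a surviving domain controller, using System.DirectoryServices so that it also runs on Windows Server 2008 without the Active Directory module. It assumes $RetiredServer is the host name of the forcibly removed domain controller and $TargetDC is the DNS name of a domain controller in that domain; the object-class names it searches for are standard schema classes, and the function name Find-AdObjects is this example's own.

```powershell
# Added example, not the book's code. Reports leftover metadata; it deletes nothing.
param(
    [Parameter(Mandatory = $true)][string]$RetiredServer,   # host name of the retired DC
    [Parameter(Mandatory = $true)][string]$TargetDC         # DNS name of a surviving DC in that domain
)

# Subtree LDAP search under $SearchBase on $TargetDC, returning distinguished names only.
function Find-AdObjects([string]$SearchBase, [string]$Filter) {
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetDC/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, [string[]]@('distinguishedName'))
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

$rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetDC/RootDSE")
$domainNC  = [string]$rootDse.Properties['defaultNamingContext'].Value
$configNC  = [string]$rootDse.Properties['configurationNamingContext'].Value
$leftovers = @()

# 1. Domain partition: the computer object in the Domain Controllers OU should be gone.
$leftovers += @(Find-AdObjects "OU=Domain Controllers,$domainNC" "(&(objectClass=computer)(cn=$RetiredServer))")

# 2. FRS and DFS Replication member objects under CN=System that metadata cleanup removes.
$leftovers += @(Find-AdObjects "CN=System,$domainNC" "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$RetiredServer))")

# 3. Configuration partition: the server object under CN=Sites and its NTDS Settings child.
foreach ($serverDn in @(Find-AdObjects "CN=Sites,$configNC" "(&(objectClass=server)(cn=$RetiredServer))")) {
    $ntds = @(Find-AdObjects $serverDn '(objectClass=nTDSDSA)')
    if ($ntds.Count -eq 0) {
        # Per the chapter, a server object with no NTDS Settings child is the one to delete by hand.
        Write-Warning "Server object remains without NTDS Settings; delete it in Sites and Services: $serverDn"
        continue
    }
    $leftovers += $ntds
    # 4. Connection objects on other DCs whose fromServer still points at the retired NTDS Settings.
    foreach ($ntdsDn in $ntds) {
        $leftovers += @(Find-AdObjects "CN=Sites,$configNC" "(&(objectClass=nTDSConnection)(fromServer=$ntdsDn))")
    }
}

if ($leftovers.Count -eq 0) {
    Write-Host "No replication-system metadata for $RetiredServer remains in $domainNC or $configNC."
} else {
    Write-Warning "Metadata cleanup is incomplete; run ntdsutil 'metadata cleanup' again. Remaining objects:"
    $leftovers | ForEach-Object { Write-Warning "  $_" }
}
$leftovers
```

A non-empty result means the retired domain controller is still known to the replication system, which is exactly the state the chapter's ntdsutil procedure exists to clear.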