Another one from the questions I answer all the time on the newsgroups – what do I do when a domain controller is permanently failed and needs to be removed from Active Directory?
The first thing to do is to make sure the DC is really gone – wipe it. You don't want it coming back up after all this for whatever reason. The second thing is don't just delete the DC from AD Users & Computers or AD Sites & Services. There are a bunch of things under the hood that have to take place first. Microsoft has several KB articles that walk through the various steps that are necessary.
If you're not running Windows 2003 SP1 on the machine you'll do these steps from, you need to seize any FSMO roles which were on the failed domain controller first:
- Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/en-us
After this, clean up the server metadata in AD:
- How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/?id=216498
Give it time to replicate through your environment. There will be an empty server object in AD Sites & Services which you can delete. If there's a computer account left over you can delete that as well.
Comments
#1 re: Manually Removing a Domain Controller from Active Directory
Thursday, December 06 2007 2:28 PM by Jeff#2 re: Manually Removing a Domain Controller from Active Directory
Monday, July 21 2008 11:27 AM by Rodney MarableVery well written - I meant to tell you this months ago.
This saved my domain, we had a DC that went off line for to long "Tombstoned". this was the correct information and has me working again.
Jeff - U.S. Army, Network Engeneer
Thanks Brian!