Clean Up Active Directory Domain Controller Manually (when dcpromo fails or isn’t an option)


Problem

There are times when a domain controller cannot be removed using dcpromo, as Microsoft's recommended best practice requires. When this occurs, the following guide is the definitive method to properly and cleanly remove the domain controller from Active Directory.

Background / Cause

There are a number of reasons a domain controller may need to be manually removed from Active Directory: for example, an unrecoverable hardware failure, a corrupted virtual machine, or someone performing the wrong steps and leaving stale information in Active Directory and DNS. A failed dcpromo, whether it was removing or adding a domain controller, is another reason for manual domain controller object clean up.

Resolution

In the event that the NTDS Settings object is not removed correctly, or dcpromo fails to remove it, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.

If a new domain controller with the same name as the failed domain controller is built to be placed back in production, you only need to perform the first procedure, clean up metadata, which removes the NTDS Settings object of the failed domain controller. If the goal is complete removal of the domain controller, all of the procedures / steps need to be completed: clean up the domain controller metadata, remove the failed server object from Active Directory Sites and Services, remove the computer object from the Domain Controllers container in Active Directory Users and Computers, and clean up DNS.

Requirements

The following tools will be required to successfully complete all steps: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.

An account with Enterprise Admins universal group membership is also required.

Caution: Using the Ntdsutil.exe utility incorrectly may result in partial or complete loss of Active Directory functionality.

Step 1: Clean up the Domain Controller metadata

From a command prompt, type Ntdsutil.exe and press ENTER (shown below).

C:\WINDOWS>ntdsutil.exe
(result)  
ntdsutil:

At the Ntdsutil: prompt, type metadata cleanup and press ENTER.

ntdsutil: metadata cleanup
(result)  
metadata cleanup:

From the metadata cleanup: prompt, type connections and press ENTER.

metadata cleanup: connections
(result)  
server connections:

From the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.

server connections: connect to server dc1
(result)  
Binding to dc1 ...
Connected to dc1 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

Type quit and press ENTER to return to the metadata cleanup: prompt.

server connections: q
(result)  
metadata cleanup:

Type select operation target and press ENTER.

metadata cleanup: select operation target
(result)  
select operation target:

Type list domains and press ENTER. This lists all domains in the forest with a number associated with each.

select operation target: list domains
(result)  
Found 1 domain(s)
0 - DC=domain,DC=net
select operation target:

Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press ENTER.

select operation target: Select domain 0
(result)
No current site
Domain - DC=domain,DC=net
No current server
No current Naming Context
select operation target:

Type list sites and press ENTER.

select operation target: list sites
(result)
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
select operation target:

Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press ENTER.

select operation target: Select site 0
(result)  
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
Domain - DC=domain,DC=net
No current server
No current Naming Context
select operation target:

Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.

select operation target: List servers in site
(result)
Found 2 server(s)
0 - CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
1 - CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
select operation target:

Type select server <number> and press ENTER, where <number> refers to the domain controller to be removed.

select operation target: Select server 1
(result)
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
Domain - DC=domain,DC=net
Server - CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
 DSA object - CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net
 DNS host name - dc1.domain.net
 Computer object - CN=dc1,OU=Domain Controllers,DC=domain,DC=net
No current Naming Context
select operation target:

Type quit and press ENTER. The metadata cleanup: prompt is displayed.

select operation target: q
(result)
metadata cleanup:

Type remove selected server and press ENTER.

A warning message will be displayed. Review it; clicking Yes removes the metadata of the selected server.

metadata cleanup: Remove selected server
(result)
"CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=net" removed from server "dc2"
metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. Note: If an error is received stating that the object could not be found, the metadata for that domain controller might already have been removed from Active Directory.

Type quit, and press ENTER until back at the command prompt.

Step 2: Remove the failed server object from Active Directory Sites and Services

In Active Directory Sites and Services, expand the appropriate site.

Delete the server object associated with the failed domain controller.

Step 3: Remove the failed server object from the Domain Controllers container

In Active Directory Users and Computers, expand the Domain Controllers container.

Delete the computer object associated with the failed domain controller.

Windows Server 2003 Active Directory might display a dialog asking whether you want to delete the server object without performing a dcpromo operation (which, of course, you cannot perform; otherwise you wouldn’t be reading this article, would you…). Select “This DC is permanently offline…” and click the Delete button.

Another confirmation window will be displayed. If this is, in fact, the domain controller object to be removed, click Yes.

Step 4: Remove the failed server object from DNS

In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.

Remove the CNAME record for the server in the _msdcs zone of the forest root domain in DNS. You should also delete the host (A) record and any other DNS records for the server. A thorough review of all records should be completed to ensure every reference to the missing domain controller has been removed. This means expanding every area of the DNS tree (including the _msdcs, _sites, _tcp and _udp subdomains) and verifying that each section contains only valid, “live” domain controllers.

If you have reverse lookup zones, also remove the server from these zones.
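As an added check after Step 4 (it also covers the first item under Known Issues), the following script is not part of the original article: it queries each place the article has you clean up and reports anything that still names the removed host, including the FSMO and global catalog points under Other considerations. It assumes the RSAT ActiveDirectory and DnsServer PowerShell modules (Windows Server 2008 R2 / 2012 or later); the $FailedDc and $DnsServer values are placeholders to edit for your forest.

```powershell
param(
    [string]$FailedDc  = 'dc1',   # hostname of the removed DC (placeholder, edit for your forest)
    [string]$DnsServer = 'dc2'    # a live DC / DNS server to query (placeholder)
)
Import-Module ActiveDirectory, DnsServer
$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$fqdn     = "$FailedDc.$((Get-ADDomain).DNSRoot)"
$leftover = New-Object System.Collections.Generic.List[string]

# 1. Metadata and Sites and Services: the server object under CN=Sites and its NTDS Settings child
$server = Get-ADObject -SearchBase "CN=Sites,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
if ($server) {
    $leftover.Add("Server object still in Sites and Services: $($server.DistinguishedName)")
    Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object { $leftover.Add("NTDS Settings (metadata) still present: $($_.DistinguishedName)") }
}

# 2. Domain Controllers container: the computer object
Get-ADComputer -Filter "Name -eq '$FailedDc'" -SearchBase "OU=Domain Controllers,$domainDn" |
    ForEach-Object { $leftover.Add("Computer object still present: $($_.DistinguishedName)") }

# 3. DNS: walk every primary zone (forest root, _msdcs, domain, reverse) and every record type.
#    Flag records named after the host, or whose data (CNAME alias, SRV/NS target, PTR name) is its FQDN.
$hostPattern = "(?i)(^|\s)$([regex]::Escape($fqdn))\.?(\s|$)"
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone | ForEach-Object {
            $data = ($_.RecordData.CimInstanceProperties | ForEach-Object { "$($_.Value)" }) -join ' '
            if ($_.HostName -eq $FailedDc -or $data -match $hostPattern) {
                $leftover.Add("DNS $($_.RecordType) record in zone ${zone}: $($_.HostName) -> $data")
            }
        }
    }

# 4. Other considerations: no FSMO role and no global catalog entry may still name the host
$forest = Get-ADForest; $domain = Get-ADDomain
$roles  = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster;
             PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster }
$roles.GetEnumerator() | Where-Object { $_.Value -ieq $fqdn } |
    ForEach-Object { $leftover.Add("FSMO role $($_.Key) is still assigned to $fqdn; move it to a live DC") }
if ($forest.GlobalCatalogs -icontains $fqdn) { $leftover.Add("$fqdn is still listed as a global catalog") }

if ($leftover.Count -eq 0) { Write-Output "No remaining references to $FailedDc found." }
else { $leftover | ForEach-Object { Write-Warning $_ } }
```

Run it from a live domain controller with an Enterprise Admins account; an empty result is the "no further evidence" condition described under Known Issues, while each warning names the exact object or record still to be deleted.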

Other considerations

Also, consider the following:

  • If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
  • If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to handle the site, domain, or forest global catalog load.
  • If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
  • If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
  • If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

Known Issues / Troubleshooting

Problem: The domain controller doesn’t appear to exist when using the ntdsutil.exe utility.

Solution: It is possible that the metadata for the domain controller was, in fact, removed, but other areas (Sites and Services, Users and Computers, and / or DNS) may still have information about the server. Quitting the ntdsutil.exe utility and reviewing the other areas is recommended. If no further evidence has been found, it is safe to assume the domain controller was successfully removed.

Problem: Strange error messages showing up on client machines when authenticating to the domain.

Solution: This is almost always related to incomplete removal of domain controller information in DNS. Review all levels of DNS to ensure complete removal of all information regarding the missing domain controller.

References

Petri IT Knowledgebase

http://www.petri.co.il/delete_failed_dcs_from_ad.htm


Last Updated On October 24, 2017