There are frequent situations when a system administrator has to manually remove a domain controller from Active Directory. Such situations arise in the event of a physical failure of the north with the role of a domain controller or other abnormal situation. Naturally, it is most preferable to delete a domain controller using the DCPROMO command (detailed DCPROMO and its parameters) However, what to do if the domain controller is unavailable (turned off, broken, unavailable over the network)?
Naturally, you can’t just delete a domain controller account using the Active Directory User and Computer snap-in.
In a domain on Windows Server 2008 and above, when you delete the computer account of a failed domain controller using the ADUC console (Dsa.msc), automatic metadata cleaning in AD is performed. And in general, no additional manual manipulations, described below, are necessary.
For manual removal of a domain controller from Active Directory, the NTDSUTIL utility is suitable. NTDSUTIL is a command line utility that is designed to perform various complex operations with ActiveDirectory, including maintenance, management, and modification of Active Directory. I already wrote about using Ntdsutil to create snapshots of an Active Directory.
The following instructions will allow you to manually remove the failed domain controller.
Note: when using NTDSUTIL, it is not necessary to enter the entire command, it is enough to enter information that uniquely identifies the command, for example, instead of typing metadata cleanup, you can type met cle, or m c
Open command prompt
Write command :
(all subsequent commands will be entered in the context of ntdsutil)
- metadata cleanup
Write command :
- connect to server
where is the name of a valid domain controller, operations master
- select operation target
- list sites
- select site <#>
where <#> is where is the number of the site where the failed domain controller was located (the list sites command will display the site number)
- list servers in site
select server <#>
where <#> is where is the number of the failed domain controller (the list servers command displays the server number)
- list domains
- select domain <#>
where <#> is the domain number in which the faulty DC is located (the list domains command displays the domain number)
(back to the metadata cleanup menu)
- remove selected server
(A warning window will appear, make sure that the desired domain controller is being deleted)
Open Active Directory Sites and Services Console
Deploy the site where the DC was located
Check that the controller does not contain any objects.
Right click on the controller and select Delete.
Close Active Directory Sites and Services console
Open the Active Directory Users and Computers snap-in.
Deploy the Domain Controllers OU
Delete the computer account of the failed domain controller from this OU
Open the DNS Manager snap-in.
Find the DNS zone for which your domain controller was a DNS server
Right-click the zone and select Properties.
Click the Servers Servers tab.
Delete the failed DC entry
Click OK to delete all remaining DNS records: HOST (A) or Pointer (PTR
Make sure that there are no DNS records in the zone associated with the remote domain controller.
That’s it, we completely removed the faulty domain controller and all resources associated with it from the DNS and Active Directory.
Related post : How to delegate administration of the RODC controller