There are frequent situations in which a system administrator has to remove a domain controller from Active Directory manually. They arise, for example, after a physical failure of the server holding the domain controller role, or in some other abnormal situation. Naturally, the preferred way to remove a domain controller is the DCPROMO command (see the detailed description of DCPROMO and its parameters). But what do you do if the domain controller is unavailable (turned off, broken, or unreachable over the network)?

Naturally, you can’t simply delete the domain controller’s account with the Active Directory Users and Computers snap-in.

In a domain on Windows Server 2008 and above, deleting the computer account of a failed domain controller in the ADUC console (Dsa.msc) triggers automatic cleanup of its metadata in AD. In that case the manual steps described below are generally not necessary.
For manual removal of a domain controller from Active Directory, the NTDSUTIL utility is suitable. NTDSUTIL is a command line utility designed to perform various complex operations with Active Directory, including maintenance, management, and modification of Active Directory. I already wrote about using Ntdsutil to create snapshots of an Active Directory.

The following instructions will allow you to manually remove the failed domain controller.

Note: when using NTDSUTIL, it is not necessary to enter the entire command; it is enough to enter a prefix that uniquely identifies the command. For example, instead of typing metadata cleanup, you can type met cle, or m c.

Open a command prompt.

Run the command:

  • ntdsutil

(all subsequent commands are entered in the ntdsutil context)

  • metadata cleanup
  • connections


Run the command:

  • connect to server <ServerName>

where <ServerName> is the name of a working domain controller, such as the operations master

  • quit
  • select operation target
  • list sites
  • select site <#>


where <#> is the number of the site in which the failed domain controller was located (the list sites command displays the site numbers)

  • list servers in site
  • select server <#>


where <#> is the number of the failed domain controller (the list servers in site command displays the server numbers)

  • list domains
  • select domain <#>


where <#> is the number of the domain in which the failed DC is located (the list domains command displays the domain numbers)

  • quit


(back to the metadata cleanup menu)

  • remove selected server


(A warning window will appear; make sure that the domain controller being deleted is the right one)

  • Yes

Open the Active Directory Sites and Services console.

Expand the site where the DC was located.

Check that the controller does not contain any objects.

Right click on the controller and select Delete.

Close the Active Directory Sites and Services console.

Open the Active Directory Users and Computers snap-in.

Expand the Domain Controllers OU.

Delete the computer account of the failed domain controller from this OU.

Open the DNS Manager snap-in.

Find the DNS zone for which your domain controller was a DNS server.

Right-click the zone and select Properties.

Click the Name Servers tab.

Delete the entry for the failed DC.

Click OK to delete all of its remaining DNS records: Host (A) or Pointer (PTR).

Make sure that no DNS records associated with the removed domain controller remain in the zone.
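Once the NTDSUTIL and console steps above are done, it is worth checking that nothing in the forest still references the failed DC. The PowerShell script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory and DnsServer modules, and uses a hypothetical failed DC named FAILED-DC1 in the domain corp.example as placeholders.

```powershell
# Added example (not from the original article): verify that no FSMO role,
# configuration object, computer account or DNS record still refers to the
# removed DC. FAILED-DC1 and corp.example are placeholders.
param(
    [string]$FailedDc   = 'FAILED-DC1',
    [string]$DomainFqdn = 'corp.example'
)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain   = Get-ADDomain -Identity $DomainFqdn
$forest   = Get-ADForest -Identity $domain.Forest
$problems = @()

# 1. FSMO roles: a removed DC must not still be recorded as a role owner.
$roleOwners = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roleOwners.Keys) {
    if ($roleOwners[$role] -like "$FailedDc.*") {
        $problems += "$role is still held by $FailedDc; seize it in the ntdsutil 'roles' context"
    }
}

# 2. Configuration partition: the server object (and its NTDS Settings) must be gone.
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$cfgNc" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -ErrorAction SilentlyContinue
if ($server) { $problems += "Server object still present: $($server.DistinguishedName)" }

# 3. Domain partition: computer account in the Domain Controllers OU.
$computer = Get-ADComputer -LDAPFilter "(cn=$FailedDc)" -SearchBase $domain.DomainControllersContainer -ErrorAction SilentlyContinue
if ($computer) { $problems += "Computer account still present: $($computer.DistinguishedName)" }

# 4. DNS: host (A) record and the zone's NS record for the failed DC.
$dnsServer = $domain.PDCEmulator
$a  = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $DomainFqdn -RRType A -Name $FailedDc -ErrorAction SilentlyContinue
$ns = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $DomainFqdn -RRType NS -Name '@' -ErrorAction SilentlyContinue |
      Where-Object { $_.RecordData.NameServer -like "$FailedDc.*" }
if ($a)  { $problems += "A record for $FailedDc still exists in zone $DomainFqdn" }
if ($ns) { $problems += "NS record in zone $DomainFqdn still points to $FailedDc" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "No remaining references to $FailedDc found."
```

Run it from a management host with an account that can read the configuration partition and query the DNS server; a non-zero exit code means leftovers were found.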

That’s it: we have completely removed the failed domain controller and all resources associated with it from DNS and Active Directory.
