Complete Step by Step to Remove an Orphaned Domain Controller
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
Revamped 11/3/2010 - Changed the steps to make more sense and easier to follow
I think at this time you're probably thinking, "What, another blog on how to remove an orphaned DC?" I know. There are many out there, and I commend all the ones I've read. I thought I'd put together a complete step by step with all the little nuances that are involved, with links and explanations. If I've forgotten any, or made a mistake, I do hope someone is kind enough to post a comment saying so. I would do the same.
In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question isn't usually asked directly, because in some cases people may not have realized these steps are required. Rather, how to remove an orphaned DC is normally the answer after diagnosing a specific DC or replication issue: not being able to introduce a new DC with the same name as a failed one, a DC that was lost and is now causing numerous Event log replication errors as well as DCDIAG and other errors, or something as simple as having run the procedure but having forgotten a step or two.
To point out, many of the steps were taken from the following link, but I've expanded the steps and added additional information, links, and explanations.
How to remove completely orphaned Domain Controller
Should I repair the DC or simply dump it and create a new one?
Good question. In many cases, whenever a DC is lost, the easiest and simplest way is to simply dump the machine, clean up AD and rebuild it using the same name. Compared to doing a restore, this is the simplest procedure and will save wasted time, because it's much faster. However, just to add, if any application or service is installed on the DC, it adds complexity, especially if Exchange was installed on it. Needless to say, as many are aware of or have already heard, it's recommended never to install Exchange on a DC. See the next section, where I posted a link that explains this in greater detail.
Of course, the decision to dump the failed DC and rebuild a new one with the same name is a sound and proven popular decision; however, this assumes there are no applications or major services installed and running, or files to be restored, on the DC. Normally we do not recommend installing additional apps or services other than DNS, WINS and/or DHCP. If there are, then of course the apps, services, files, etc., must be reinstalled, reconfigured, or restored.
Was Exchange on the DC?
As mentioned in the Preface, one thing I like to point out is that if Exchange is on a DC (besides not wanting to reiterate that this is not a recommended option), hopefully you have a full backup of the Exchange Information Store and the DC System State, because both would have to be restored. Hopefully as well you have two separate backups of each, and not both together in the same backup job, otherwise you may find the Exchange backup is useless to restore. More about Exchange on a DC in the following link. It's not a DC/Exchange restore link; rather, it explains why you wouldn't want to install Exchange on a DC and the ramifications, unless it's SBS, which is designed to allow Exchange on it. Read more if this applies to your scenario:
Exchange on a Domain Controller - Ramifications and How to Move Exchange off a DC
Were there any applications or services installed?
Was DHCP installed?
If you don't have a backup from which you can retrieve the DHCP database, your best bet is to reinstall DHCP services and start from scratch. If you do have a backup and can restore the DHCP files, follow this link:
How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
How to migrate a DHCP database from Windows 2000 Server to Windows, Nov 9, 2009
Was WINS installed?
If you don't have a backup from which you can retrieve the WINS database, your best bet is to reinstall WINS services and start from scratch. If the WINS server had a replication partner, you can possibly use that partner to reinitialize the database. If you do have a backup and can restore the WINS files, follow this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
Was DNS installed?
No worries as long as the zones were AD Integrated. They'll just replicate over from another DC automatically. There is no need to manually create the zones. If you do try to manually create the zones and they are AD Integrated, you'll introduce a duplicate zone issue in the AD database, and cleaning that up is another topic entirely.
Any other applications or services installed?
Depending on the application or service installed, hopefully you'll have either a backup from which you can retrieve the files, or you'll have to reinstall. For any third party application, you'll need to refer to the documentation or contact the vendor for assistance.
Basic High-Level steps
1. Run a Metadata Cleanup
2. Remove the old computer in "Active Directory Sites and Services."
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. If Windows 2000, use "ADSIEdit" to remove old computer records from the Active Directory.
5. Force Active Directory replication
Steps Broken Down with a Low-Level Description
1. Make sure at least one of the current live DCs is a GC. It's actually recommended to make all DCs GCs, whether in a single domain or a multi-domain forest. This design alleviates the Infrastructure Master (IM)/GC conflict, because the IM has nothing to do when every DC is a GC. Many large installations have been using this design successfully without issues. Matter of fact, Exchange likes it.
Global Catalog vs. Infrastructure Master:
"If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs"
Enable or disable a global catalog: Active Directory
How to create or move a global catalog in Windows Server 2003 (same in 2008 & 2008 R2)
2. Use the following knowledgebase to run a Metadata Cleanup to remove common Domain Controller objects and settings from Active Directory.
A. For Windows 2003
NTDSUTIL in 2003 and newer automatically removes the Computer Account and FRS Objects from Active Directory, but if you like, you can still use these steps to ensure the objects were removed.
How to remove data in Active Directory after an unsuccessful domain controller demotion
B. For Windows 2000, you must use ADSIEdit to remove the Computer Account and the FRS Object from Active Directory.
Use ADSIEdit to delete the computer account. To do this, follow these steps:
- Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
- Expand the Domain NC container.
- Expand DC=<your domain name>,DC=<your suffix, e.g. COM, PRI, LOCAL or NET>.
- Expand OU=Domain Controllers.
- Right-click CN=domain controller name, and then click Delete.
If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. (4096 is the WORKSTATION_TRUST_ACCOUNT flag, so the object is now treated as an ordinary member computer rather than a DC.) You can now delete the object.
Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
- Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
- Expand the Domain NC container.
- Expand DC=<your domain name>,DC=<your suffix, e.g. COM, PRI, LOCAL or NET>.
- Expand CN=System.
- Expand CN=File Replication Service.
- Expand CN=Domain System Volume (SYSVOL share).
- Right-click the domain controller you are removing, and then click Delete.
C. For Windows 2008 and Windows 2008 R2:
It's all GUI based in 2008 and 2008 R2. However, you'll still want to follow the rest of the steps to seize FSMOs, force replication, checking DNS & WINS, etc.
Cleanup Server Metadata Windows 2008 (GUI Based)
Active Directory Metadata Cleanup (For Windows 2008 or newer - with screen shots)
By Meinolf Weber, MVP
Optional Script For Windows 2000, 2003, 2008, and 2008 R2
If you don't like using the command line tools, or are reluctant to run ntdsutil from a command line, you can use the script Microsoft wrote specifically to run a Metadata Cleanup for you:
Remove Active Directory Domain Controller Metadata (Microsoft) - Applies to all Windows Server Versions (2000, 2003, 2003 R2, 2008, 2008 R2, SBS 2003 & SBS 2008)
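The scripted equivalent of this step, added here as an example (it is not from the original post, the Microsoft KBs, or the script linked above): one ntdsutil line runs the metadata cleanup, and a directory search then confirms that no server, computer account or FRS member object named after the old DC survived, which is exactly what the ADSIEdit steps above check by hand. It assumes you run it as a Domain Admin on a surviving Windows 2003 SP1 or 2008 DC; the DC name and site name are placeholders.

```powershell
# Added example, not from the original post. Scripted metadata cleanup of an
# orphaned DC followed by a check that nothing named after it survived in AD.
# Assumptions: run as a Domain Admin on a surviving 2003 SP1/2008 DC; the
# old DC name and site name below are placeholders you must change.
param(
    [string]$OldDc    = "OLDDC",                    # placeholder: failed DC's name
    [string]$SiteName = "Default-First-Site-Name",  # placeholder: site it lived in
    [switch]$Remove                                 # without -Remove, only report
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

# Distinguished name of the old DC's server object (parent of its NTDS Settings).
$serverDn = "CN=$OldDc,CN=Servers,CN=$SiteName,CN=Sites,$configNc"

if ($Remove) {
    # Same thing the interactive "metadata cleanup" menu does. Assumption:
    # 2003 SP1 and newer accept the server DN directly, so no 'connections'
    # step is needed; on Windows 2000 use the interactive menu instead.
    & ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit
}

# Look for any object still carrying the old DC's name in either partition:
# the server object (Configuration NC), the computer account under
# OU=Domain Controllers and the FRS member under CN=System (Domain NC).
function Find-OrphanObjects([string]$Name, [string[]]$SearchBases) {
    $found = @()
    foreach ($base in $SearchBases) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://$base"
        $searcher.Filter      = "(cn=$Name)"
        $searcher.SearchScope = "Subtree"
        foreach ($result in $searcher.FindAll()) { $found += $result.Path }
    }
    return $found
}

$leftovers = Find-OrphanObjects -Name $OldDc -SearchBases @($configNc, $domainNc)
if ($leftovers.Count -eq 0) {
    Write-Host "No objects named $OldDc remain; continue with Sites, DNS and WINS."
} else {
    Write-Host "Objects still referencing $OldDc (review and delete with ADSIEdit):"
    $leftovers | ForEach-Object { Write-Host "  $_" }
}
```

Anything the search lists after the cleanup is what the ADSIEdit steps above are there to remove; the replication steps later in the post are still required for the change to reach the other DCs.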
3. If the failed DC held any of the FSMO Roles, you need to seize those roles onto another Domain Controller.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
How to view and transfer FSMO roles in Windows Server 2003 using the GUI
4. If the failed DC held the PDC Emulator Role, you need to configure a new authoritative time server in the domain. The first link is my blog with complete steps. It was compiled using the following two Microsoft KBs, among other links.
Configuring the Windows Time Service for Windows Server
Scroll down to the section "Transferring the PDC Emulator Role"
How to configure an authoritative time server in Windows 2000
How to configure an authoritative time server in Windows Server 2003
5. Remove old computer account by using "Active Directory Sites and Services" tool.
Open Active Directory Sites and Services
Expand the Sites folder
Select the site the old DC was in
Delete the old DC name
6. Remove any old WINS records of the orphaned Domain Controller from the WINS database. If there are WINS replication partners, when you delete them, choose the "Tombstone" option.
Deletion of WINS Database Records
If WINS records deleted this way have been replicated to other WINS servers, these additional records will not be removed fully. The records on other WINS ...
Deleting and tombstoning records: Windows Internet Name Service (WINS)
Jan 21, 2005 ... If the WINS records deleted in this way exists in WINS data replicated to other WINS servers on your network, these additional records are ...
7. Force Active Directory replication by using "Repadmin.exe" tool.
repadmin /syncall - to initiate a replication with all partners
repadmin /syncall /A /e /P (/A Synchronizes all partitions on the DC you're running it on, /e Synchronizes partitions across all Sites, /P Forces a "Push" that pushes changes outwards instead of the default to pull changes)
Also, to check replication status:
To see if anything is in the queue waiting for replication:
Run "repadmin /queue *"
Find out what the replication latency is, if any. If it's less than a few minutes, you're fine.
Run "repadmin /showutdvec server-name dc=mydomain,dc=lab /latency"
You can also use the Replmon GUI version for Windows 2000 and 2003, but it's no longer available for 2008 or newer.
Getting Over Replmon - Ask the Directory Services Team blog, Jul 1, 2009 (with the release of Windows Server 2008, Replmon was not included)
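As an added example (not from the original post), the status check this step describes can be scripted: it pushes the change out with the /syncall switches explained above, then parses "repadmin /showrepl * /csv" to flag any surviving DC that still lists the removed DC as a replication partner (the cleanup has not reached it yet, or a connection object was missed) and any link that reports failures. It assumes repadmin.exe with the /csv switch (Windows Server 2008, or the 2008 RSAT tools) is on the PATH; "OLDDC" is a placeholder.

```powershell
# Added example, not from the original post. Verifies replication after the
# metadata cleanup from "repadmin /showrepl * /csv" output.
# Assumption: repadmin.exe with the /csv switch (Windows Server 2008 or the
# 2008 RSAT tools) is on the PATH; "OLDDC" is a placeholder name.
param([string]$OldDc = "OLDDC")

function Get-ReplicationReport {
    param([string[]]$CsvLines, [string]$RemovedDc)
    # One row per (destination DC, naming context, source DC) link; the
    # column names are the ones repadmin /showrepl /csv writes.
    $rows = @($CsvLines | ConvertFrom-Csv)
    $stale = @($rows | Where-Object {
        $_."Source DSA" -eq $RemovedDc -or $_."Destination DSA" -eq $RemovedDc })
    $failing = @($rows | Where-Object {
        [int]$_."Number of Failures" -gt 0 -and $_."Source DSA" -ne $RemovedDc })
    New-Object PSObject -Property @{
        Links   = $rows.Count
        Stale   = $stale
        Failing = $failing
    }
}

# Push the change to all partners first (same switches as described above:
# /A all partitions, /e all sites, /P push instead of pull), then read the
# replication status back from every DC in the forest.
& repadmin.exe /syncall /A /e /P | Out-Null
$csv    = & repadmin.exe /showrepl * /csv
$report = Get-ReplicationReport -CsvLines $csv -RemovedDc $OldDc

Write-Host ("{0} replication links inspected" -f $report.Links)
foreach ($link in $report.Stale) {
    # A surviving DC still has a connection to or from the removed DC.
    Write-Host ("STALE   {0} <- {1} for {2}" -f $link."Destination DSA",
        $link."Source DSA", $link."Naming Context")
}
foreach ($link in $report.Failing) {
    Write-Host ("FAILING {0} <- {1} ({2} failures, last status {3})" -f
        $link."Destination DSA", $link."Source DSA",
        $link."Number of Failures", $link."Last Failure Status")
}
if ($report.Stale.Count -eq 0 -and $report.Failing.Count -eq 0) {
    Write-Host "No links reference $OldDc and no failures reported."
}
```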
Repadmin: More info as well as explanations on the specific repadmin switches. A complete list of switches with details and usage. Updated August 22, 2005; applies to Windows Server 2003 R2 (however, the switches apply to 2008 and 2008 R2 as well).
Using Repadmin.exe to troubleshoot Active Directory replication
Initiating Replication Between Active Directory Direct Replication Partners
Written for Windows 2000, but works for Windows 2003, 2008 and 2008 R2
This article shows how to use repadmin and the necessary switches to force replication between specific or all partners in the infrastructure
Repadmin: Microsoft Technical Whitepaper (download link)
8. Go through DNS with a fine-toothed comb to delete all references to the old DC. You'll need to delete records such as SRV, host (A), LdapIpAddress, and GcIpAddress.
Drill down into every record under both domain.local and _msdcs.domain.local.
Under the domain.local zone:
Delete the A (host record) for the failed DC
Delete the LdapIpAddress: Under domain.local, you will see a record such as (same as parent) A 192.168.1.10 (using this IP as an example). Delete it.
Delete any reference in the DomainDnsZones. If the DomainDnsZones folder exists, expand it. Check and delete any reference to the failed DC's FQDN and IP address.
Delete any reference in the ForestDnsZones. If the ForestDnsZones folder exists, expand it. Check and delete any reference to the old DC's FQDN and IP address.
To make sure all records are gone, fully expand each folder under the domain.local zone, and delete any references you see such as for the kerberos and ldap SRV references. The subfolders are:
Under the _msdcs.domain.local zone:
Delete the GcIpAddress: Click on the _gc._msdcs.domain.local folder. Delete the IP Address for the old DC.
Delete the DC's GUID ALIAS: Click on _msdcs.domain.local. You will see an ALIAS record with a long GUID number as the name pointing to the old DC's FQDN. Delete it.
To make sure all records are gone, fully expand each subfolder under the _msdcs.domain.local zone. Make sure you do not see any references to the failed DC. If so, please delete them. The subfolders are:
9. Delete the NameServer reference in all DNS zones' properties, Nameserver tab.
Right-click DNS server name, properties
Remove the old DC FQDN and/or IP
Repeat for every zone that exists
10. Run a DNSLint report. Make sure the old DC is no longer listed anywhere in DNS. If it still is, go back to Steps #8 and #9.
Here are some links to understand how to use it.
DNSLint Overview: Domain Name System (DNS)
Support WebCast: Microsoft Windows: Using the DNSLint Utility
Description of the DNSLint utility
DNSLint is a Microsoft Windows utility that helps you diagnose common DNS name resolution issues.
How to use DNSLint to troubleshoot Active Directory replication issues
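As an added example (not from the original post), the sweep that steps 8 through 10 describe can be done from the DNS server's WMI provider: it walks every record in every zone and reports any whose owner name or data still points at the old DC, which catches the host (A) record, the "same as parent" LdapIpAddress, the GcIpAddress under _gc._msdcs, the GUID alias, SRV records and the Name Servers entries of step 9 in one pass. It assumes you run it as an administrator on the DNS server, that the root\MicrosoftDNS WMI namespace is available (it is on 2003 and 2008 DNS servers), and that the name, IP and GUID are placeholders for the failed DC's real values.

```powershell
# Added example, not from the original post. Finds (and with -Delete removes)
# DNS records on this server that still reference the orphaned DC.
# Assumptions: run as an administrator on the DNS server; the DNS WMI provider
# (root\MicrosoftDNS) is available; the values below are placeholders.
param(
    [string]$OldFqdn = "olddc.domain.local",  # placeholder: failed DC's FQDN
    [string]$OldIp   = "192.168.1.10",        # placeholder (the post's example IP)
    [string]$OldGuid = "",                    # placeholder: its DSA GUID, if known
    [switch]$Delete                           # default is report-only
)

function Find-StaleDnsRecords {
    param([string]$Fqdn, [string]$Ip, [string]$Guid)
    $needles = @($Fqdn, $Ip) + @($Guid | Where-Object { $_ })
    $records = Get-WmiObject -Namespace "root\MicrosoftDNS" `
                             -Class MicrosoftDNS_ResourceRecord
    $hits = foreach ($r in $records) {
        # Tokens: the owner name (left side) plus each field of the record
        # data (right side: A address, CNAME/NS target, SRV "prio weight port host").
        $tokens = @($r.OwnerName) + ([string]$r.RecordData -split "\s+") |
                  ForEach-Object { $_.TrimEnd(".") }
        $isStale = $false
        foreach ($t in $tokens) {
            foreach ($n in $needles) {
                # Exact match (FQDN, IP, NS/SRV target) or a name that starts
                # with the needle as a label (the GUID alias under _msdcs).
                if ($t -eq $n -or $t -like "$n.*") { $isStale = $true }
            }
        }
        if ($isStale) { $r }
    }
    return @($hits)
}

$stale = Find-StaleDnsRecords -Fqdn $OldFqdn -Ip $OldIp -Guid $OldGuid
foreach ($r in $stale) {
    # ContainerName is the zone (domain.local, _msdcs.domain.local, ...).
    Write-Host ("{0,-30} {1}" -f $r.ContainerName, $r.TextRepresentation)
    if ($Delete) { $r.Delete() }   # WMI object method: removes the record
}
if ($stale.Count -eq 0) { Write-Host "No DNS records reference $OldFqdn or $OldIp." }
```

Run it once per DNS server that hosts non-AD-integrated copies of the zones, and finish with the DNSLint report from step 10 to confirm nothing was missed.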
Manually altering a DC to turn it into a non-DC
Last but not least: years ago, before the /forceremoval switch existed, when a DC could not be demoted but you still wanted to keep the machine intact, there was a method posted with the steps to manually rip out the pieces that make a DC a DC. FWIW, here they are:
14 easy manual steps to make a DC a non-DC
Some have posted this as 12 steps, 13 steps or 14 steps. They are the same steps. Some have combined multiple tasks, but they are the same.
Keep in mind, unless it was changed, this is not supported by Microsoft. I believe there was a KB on it at one time, but I don't have the KB#. If you follow this, keep in mind, this posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.
This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
Remove failed DC from AD manually… Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.
1) On another DC in the domain run NTDSUTIL to move the FSMO's, er seize them! DOH. (If this is the only DC, then don't worry about it)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don't worry about it for now, but configure it correctly before promoting it to a new DC).
3) Make sure working DC is also a GC. (If just one DC, don't worry about it).
4) Boot the corrupted DC into DSRM and edit the registry: under HKLM\SYSTEM\CCS\Control\ProductOptions (CCS = CurrentControlSet), change the ProductType value from LanmanNT to ServerNT. This key dictates whether the machine is a DC or just a server; ServerNT means it's not a DC.
5) Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand alone, by joining a workgroup (My Computer Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand alone machine, set the Primary DNS Suffix to the new domain name that you want (My Computer, Properties, Network ID tab, Properties, More). Reboot.
12) Make sure that DNS is configured with the new domain name and updates set to YES.
13) Run DCPROMO to create a new domain or join the domain/tree/forest again.
Comments, suggestions and corrections are welcomed!