Complete Force Removal of a Domain Controller from Active Directory

Manually remove a DC from AD follow these steps
Know Your FSMO Locations

Make sure that the DC you are removing is not holding any of the FSMO Roles

i) On any health domain controller, click Start, click Run, type “Ntdsutil” in the Open box, and then click OK
ii) Type “roles”, and then press ENTER
iii) Type “connections”, and then press ENTER
iv) Type “connect to server <servername>”, where <servername> is the name of the server you want to use, and then press ENTER
v) Type “quit”, and then press ENTER
vi) Type “select operation target”, and then press ENTER
vii) Type “list roles for connected server”, and then press ENTER
viii) Review the listed roles and their host, if the DC that wish to remove is not listed proceed to step 4

Seizing FSMO Roles (The Last Resort)

If for what ever reason you can not do a clean transfer you will need to seize it

i) On any health domain controller, click Start, click Run, type “Ntdsutil” in the Open box, and then click OK
ii) Type “roles”, and then press ENTER
iii) Type “connections”, and then press ENTER
iv) Type “connect to server <servername>”, where <servername> is the name of the server you want to use, and then press ENTER
v) Type “quit”, and then press ENTER
vii) Type seize <role>, where <role> is the role you want to seize
viii) You will receive a warning window asking if you want to perform the seize. Click on Yes

***Note***
Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
Transferring the any hosted FSMO Roles

i) For the RID, PDC, and Infrastructure Master
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the icon next to Active Directory Users and Computers, and then click Connect to Domain Controller.NOTE: If you are not on the domain controller where you want to transfer the role ,you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
3. Click the domain controller which will be the new role holder, and then click OK.
4. Right-click Active Directory Users and Computers icon, and then click Operation Masters.
5. In the Change Operations Master dialog box, click the appropriate tab (RID, PDC, or Infrastructure) for the role you want to transfer.
6. Click Change in the Change Operations Master dialog box.
7. Click OK to confirm that you want to transfer the role.
8. Click OK.
9. Click Cancel to close the dialog box.

For the Domain Naming Master role
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the Active Directory Domains and Trusts icon, and then click Connect to Domain Controller.NOTE: If you are not on the domain controller where you want to transfer the role ,you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
3. click the domain controller that will be the new role holder, and then click OK.
4. Right-click Active Directory Domains and Trusts, and then click Operation Masters.
5. In the Change Operations Master dialog box, click Change.
6. Click OK to confirm that you want to transfer the role.
7. Click OK.
8. Click Cancel to close the dialog box.

For the Schema Master Role
1. Click Start, click run, type mmc, and then click OK.
2. On the Console, menu click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema.
5. Click Add.
6. Click Close to close the Add Standalone Snap-in dialog box.
7. Click OK to add the snap-in to the console.
8. Right-click the Active Directory Schema icon, and then click Change Domain Controller.NOTE: If you are not on the domain controller where you want to transfer the role ,you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
9. Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.
10. Right-click Active Directory Schema, and then click Operation Masters.
11. In the Change Schema Master dialog box, click Change.
12. Click OK.
13. Click OK .
14. Click Cancel to close the dialog box.
Attempt a Force Removal

i) As a Domain Admin and in a command prompt type dcpromo /forceremoval
ii) If the force removal did not work pull the plug ( or shut down properly) and never every turn it back on while connected to the network
Clear the Metadata from AD

i) On any health domain controller, click Start, click Run, type “Ntdsutil” in the Open box, and then click OK
ii) Type “metadata cleanup”, and then press ENTER
iii) Type “connections”, and then press ENTER
iv) Type “connect to server <servername>”, where <servername> is the name of the server you want to use, and then press ENTER
v) Type “quit”, and then press ENTER
vi) Type “select operation target”, and then press ENTER
vii) Type “list domains”, and then press ENTER
viii) Type “select domain [n]”, [n] representing the domain, and then press ENTER
ix) Type “list sites”, and then press ENTER
x) Type “select site [n]”, [n] representing the site, and then press ENTERR
xi) Type “list servers in site”, and then press ENTER
xii) Type “select server [n]”, [n] representing the DC to be removed, and then press ENTERR
xiii) Type “quit”, and then press ENTER
xiv) Type “remove selected server”, and then press ENTER
6
Cleanup DNS by Removing all References to the Removed server

i) In the DNS snap-in, right click domain.whatever and Properties
1. Click on Nameservers tab: remove server
ii) Repeat the above instructions for Reverse lookup and all zones
iii) Open up _msdcs and check all folders within for server name or ip reference
iv) Repeat the above step for _sites, and all others
v) Repeat the above steps for the Reverse Lookup Zones
7
In Active Directory Sites and Services – delete server

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s