This article describes how to remove data in Active Directory due to an unsuccessful domain controller (DC) demotion via DCPROMO or simply because you have a DC that failed and you are unable to restart it to properly demote it to a member server.
When a DC is demoted with DCPROMO, the demotion process removes that domain controller's configuration data from Active Directory. This data is the NTDS Settings object, which exists as a child of the server object in Active Directory Sites and Services.
The information is in the following location in Active Directory:
CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=SITENAME,CN=Sites,CN=Configuration,DC=DOMAIN
Running metadata cleanup (described below) does the following:
- Removes the NTDSA or NTDS Settings object.
- Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
- Removes the computer account.
- Removes the FRS member object.
- Removes FRS subscriber objects.
- Tries to seize operations master roles (also known as flexible single master operations or FSMO roles) held by the DC that is being removed.
To begin the cleanup process, click Start, point to Programs, point to Accessories, and then click Command Prompt. Run it as an Enterprise Admin.
- At the command prompt, type ntdsutil, and then press ENTER.
- Type metadata cleanup, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server servername, and then press ENTER.
- Type quit, and then press ENTER.
- Type select operation target, and then press ENTER.
- Type list domains, and then press ENTER.
- Type select domain number, and then press ENTER.
- Type list sites, and then press ENTER.
- Type select site number, and then press ENTER.
- Type list servers in site, and then press ENTER.
- Type select server number, and then press ENTER.
- Type quit, and then press ENTER.
- Type remove selected server, and then press ENTER.
- Type quit, and then press ENTER at each menu to quit the Ntdsutil utility.
You should receive confirmation that the removal completed successfully. If you receive the error message "The DSA object could not be found", the NTDS Settings object may already have been removed from Active Directory, either because another administrator removed it or because the successful removal performed by DCPROMO has already replicated.
You may also see this error when you try to bind to the domain controller that is being removed. Ntdsutil must bind to a domain controller other than the one being removed with metadata cleanup.
Additional steps for pre-Windows 2003 SP1 (but verify them in all versions). Use ADSIEdit to delete the computer account. To do this, follow these steps:
- Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
- Expand the Domain NC container.
- Expand DC=domain name, DC=ext.
- Expand OU=Domain Controllers.
- Right-click CN=domain controller name, and then click Delete.
Additional steps for pre-Windows 2003 SP1 (but verify them in all versions). Use ADSIEdit to delete the FRS member object:
- Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
- Expand the Domain NC container.
- Expand DC=domain name, DC=ext.
- Expand CN=System.
- Expand CN=File Replication Service.
- Expand CN=Domain System Volume (SYSVOL share).
- Right-click the domain controller you are removing, and then click Delete.
Additional cleanup steps to perform… Windows 200x
- Remove the cname record in the _msdcs.root domain of forest zone in DNS.
- As a best practice, delete the host name and other associated DNS records.
- Delete the cname record in the _msdcs container.
- If this is a DNS server, remove the reference to this DC under the Name Servers tab.
- If you have reverse lookup zones, also remove the server from these zones.
If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
- Click Start, click Run, type adsiedit.msc, and then click OK.
- Expand the Domain NC container.
- Expand DC=domain name, DC=ext.
- Expand CN=System.
- Right-click the Trust Domain object, and then click Delete.
Use Active Directory Sites and Services to remove the domain controller:
- Start Active Directory Sites and Services.
- Expand Sites.
- Expand the server's site.
- Expand Servers.
- Right-click the domain controller, and then click Delete.
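Once the steps above are done, it is worth confirming from a surviving DC that nothing still references the dead server. The following script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory and DnsServer modules, runs as an Enterprise Admin, and takes the removed DC's short name and site name as placeholder parameters.

```powershell
# Added example (not from the original article): report any directory objects or DNS
# records that still reference a DC after ntdsutil metadata cleanup and the manual steps.
# Assumes RSAT ActiveDirectory + DnsServer modules; run on a surviving DC as Enterprise Admin.
param(
    [Parameter(Mandatory)][string]$ServerName,   # short name of the removed DC (placeholder)
    [Parameter(Mandatory)][string]$SiteName,     # AD site that held its server object (placeholder)
    [string]$DnsServer = $env:COMPUTERNAME       # DNS server to query; defaults to this DC
)
Import-Module ActiveDirectory
Import-Module DnsServer

$root   = Get-ADRootDSE
$domain = Get-ADDomain
$forest = Get-ADForest
$cfg    = $root.configurationNamingContext
$dnc    = $root.defaultNamingContext
$found  = [System.Collections.Generic.List[string]]::new()

# Get-ADObject -Identity throws when the DN does not exist; treat that as "absent".
function Test-ADObjectExists([string]$Dn) {
    try { [bool](Get-ADObject -Identity $Dn -ErrorAction Stop) } catch { $false }
}

# Objects that metadata cleanup, ADSIEdit and Sites and Services should have removed.
$objects = @{
    'NTDS Settings'     = "CN=NTDS Settings,CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$cfg"
    'Server object'     = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$cfg"
    'Computer account'  = "CN=$ServerName,OU=Domain Controllers,$dnc"
    'FRS member object' = "CN=$ServerName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$dnc"
}
foreach ($k in $objects.Keys) {
    if (Test-ADObjectExists $objects[$k]) { $found.Add("$k still present: $($objects[$k])") }
}

# DNS residue: host A record, NS entry in the domain zone, and the _msdcs CNAME alias.
$fqdn = "$ServerName.$($domain.DNSRoot)"
$a = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $domain.DNSRoot -Name $ServerName -RRType A -ErrorAction SilentlyContinue
if ($a) { $found.Add("A record still present: $fqdn") }
$ns = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $domain.DNSRoot -RRType NS -ErrorAction SilentlyContinue |
      Where-Object { $_.RecordData.NameServer -like "$fqdn*" }
if ($ns) { $found.Add("NS record still lists $fqdn") }
$cn = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$($forest.RootDomain)" -RRType CName -ErrorAction SilentlyContinue |
      Where-Object { $_.RecordData.HostNameAlias -like "$fqdn*" }
if ($cn) { $found.Add("_msdcs CNAME still points to ${fqdn}: $($cn.HostName -join ', ')") }

if ($found.Count -eq 0) { "No leftover references to $ServerName found." } else { $found }
```

If the forest still uses a Windows 2000-style _msdcs subdomain inside the domain zone rather than a separate _msdcs zone, adjust the CNAME zone name accordingly.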