Remove Domain Controllers in a Windows Server environment

This specifically refers to a situation with a Windows 2008 domain I was dealing with… with three “dead” DCs still existing on the domain. All three were victims of a ransomware attack a few years ago and were DOA as a result. I had to remove domain controllers to fix the client’s broken domain and it wasn’t pretty… I figured I’d note what I had to do here in case it’s helpful. If you need help, get in touch.

First, you have to use dcpromo… the standard process did not work so I had no choice but to use a /forceremoval on the command.

If you run dcpromo on an existing DC to demote it and it fails because of one of the above scenarios the best thing you should do is to try to resolve the problem and then restart Dcpromo. However, if Dcpromo still fails you can still demote the DC by running dcpromo with the /forceremoval switch, which tells the process to ignore errors.

Remember, the /forceremoval switch is a last resort situation if you want to remove domain controllers. Don’t start with it. Bad idea.

With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. When it is run it checks to determine whether the DC hosts an operations master role, is a Domain Name System (DNS) server, or is a global catalog server. For each of these roles, the administrator receives a popup warning that advises the administrator to take appropriate action.

Assuming you’ve already attempted a dcpromo /forceremoval successfully, you’ll need to clean up the metadata. Here’s a quick rundown on how to do this.

  1. Open up a command prompt and run ntdsutil. Enter the following commands followed by Enter each time.
  2. metadata cleanup
  3. connections
  4. connect to server <servername> (server name that corresponds to the one you will be conducting this FROM – NOT the server you want to delete!)
  5. q
  6. select operation target
  7. list domains
  8. select domain <domain number>
  9. list sites
  10. select site <site number>
  11. list servers in site
  12. select server <server number> (server number that corresponds to the one that you want to remove)
  13. q
  14. remove selected server
  15. Yes to any prompts
  16. q until you get back to command prompt
  17. Open DNS management, go to Forward Lookup Zones, _msdcs.<domain>, and delete any associated CNAME record that points to the dead server you just removed. Make sure you do this in Reverse Lookup Zones as well.

Hope this is helpful. For more information, see the following resources:

Technet Forum Post on a similar topic (I found it helpful)

Decommissioning a 2003/2008 Windows Server on Ivan’s Blog