You're reading from  Active Directory Administration Cookbook - Second Edition

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Edition: 2nd Edition
Author: Sander Berkouwer

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA, MCSE, and MCITP-certified for ages, an MCT for the past 5 years and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience and passion. As the CTO at SCCT, Sander leads a team of architects performing many projects, most of them identity-related, throughout Europe.

Demoting a domain controller forcefully

It's also an option to forcefully remove a domain controller from Active Directory. While gracefully demoting should be the preferred option, you might have to resort to this option.

The process of demoting a domain controller forcefully consists of these steps:

  • Performing a metadata cleanup
  • Deleting the domain controller from DNS
  • Deleting the computer object for the domain controller
  • Deleting the SYSVOL replication membership
  • Deleting the domain controller from Active Directory Sites and Services
  • Seizing any FSMO roles that were hosted by the domain controller (you can do this first to ensure there are no impacts on domain members)
  • Ensuring that global catalog servers remain available

If the domain controller was the last domain controller for a domain in an existing forest, the domain will need to be removed, as it is now an orphaned domain.

Getting ready

Although you would demote a domain controller forcefully when it no longer replicates, you should ensure that the remaining domain controllers are replicating properly.

How to do it...

This recipe describes two ways to do it:

  • Using the Active Directory Domain Services Configuration Wizard
  • Using manual steps

Using the Active Directory Domain Services Configuration Wizard

The Active Directory Domain Services Configuration Wizard can be used to forcefully demote a domain controller when the Windows Server installation is still bootable and you are able to sign in to it with administrative credentials.

Perform these steps:

  1. Press Start.
  2. Search for Server Manager and click its corresponding search result, or run servermanager.exe. The Server Manager window appears.
  3. In the gray top bar of Server Manager, click Manage.
  4. Select Remove Server Roles and Features from the menu.
  5. On the Before you begin screen, click Next >.
  6. On the Select destination server screen, select the local Windows Server installation from the server pool list.
  7. Click Next >.
  8. On the Select server roles screen, deselect the Active Directory Domain Services role from the list of installed roles.
  9. In the pop-up window, click the Remove Features button to remove features that are required for Active Directory Domain Services.
  10. On the Validation Results screen, follow the Demote this domain controller link to acknowledge that the domain controller needs to be demoted before the Active Directory Domain Services role can be removed.
  11. On the Credentials screen, select the Force the removal of this domain controller option:
Figure 2.17 – The Credentials screen of the Active Directory Domain Services Configuration Wizard

  12. Click Next >.
  13. On the Removal options screen, select the Proceed with removal option and click Next >.
  14. On the New administrator password screen, enter the new password for the built-in administrator account.
  15. Click Next > to proceed to the next screen.
  16. On the Review Options screen, click Demote.
  17. When configuration of the Active Directory Domain Services server role is done, click Close to close the Remove Roles and Features Wizard.

Using manual steps

Sometimes, the Active Directory Domain Services Configuration Wizard cannot be used, such as in the following situations:

  • You can no longer sign in interactively or remotely to the domain controller.
  • The physical hardware of the domain controller has been damaged beyond repair.
  • The domain controller is no longer reachable by other domain controllers.
  • The domain controller, for some reason, can no longer be trusted to provide Active Directory Domain Services in a meaningful way.

In these scenarios, the following manual steps can be performed to remove the domain controller from Active Directory.

Performing metadata cleanup

Perform these steps to clean up the metadata:

  1. Sign in interactively to the domain controller that is known to be good. The domain controller holding the Domain Naming Master is preferred.
  2. Press Start.
  3. Search for Command Prompt, right-click its search result, and choose Run as administrator from the context menu. Alternatively, run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
  4. Run the following command to start the NTDS utility in interactive mode:
    ntdsutil.exe
  5. Type the following command in interactive mode to start the metadata cleanup:
    metadata cleanup
  6. Type the following command to remove the DC04.lucernpub.com server:
    remove selected server "CN=DC04,CN=Servers,CN=RemoteLocation,CN=Sites,CN=Configuration,DC=LucernPub,DC=com"
  7. Type the following command in interactive mode to exit the metadata cleanup context:
    quit
  8. Type the following command in interactive mode to exit the NTDS utility itself:
    quit
  9. Close the Command Prompt window.

Deleting the domain controller from DNS

After the metadata cleanup, the DNS records for the domain controller may still be present. Use the DNS MMC Snap-in to remove the DNS A, AAAA, PTR, and SRV records for the domain controller.

Deleting the computer object for the domain controller

To delete the computer object for the domain controller, use the Active Directory Administrative Center:

  1. Press Start.
  2. Search for Active Directory Administrative Center and click its corresponding search result, or run dsac.exe. The Active Directory Administrative Center window appears.
  3. In the main Welcome to Active Directory Administrative Center pane, in the GLOBAL SEARCH field, enter the search criteria of the desired object and then click the Search button:
Figure 2.18 – Searching for an object using Global Search in the Active Directory Administrative Center

  4. From the search results, locate the domain controller object.
  5. Right-click it and then click Delete.
  6. Confirm you want to delete the domain controller.
  7. Close the Active Directory Administrative Center window.

To delete the computer object for the domain controller, alternatively, run the following line of Windows PowerShell:

Remove-ADComputer -Identity DC04

Replace DC04 with the name of the domain controller you want to remove.

Deleting the SYSVOL replication membership

The domain controller was also a member of the replication group for the Active Directory SYSVOL.

Perform these steps to remove the domain controller:

  1. Press Start.
  2. Search for Active Directory Administrative Center and click its corresponding search result, or run dsac.exe. The Active Directory Administrative Center window appears.
  3. At the top of the left navigation pane, switch to Tree view from List view.
  4. Expand the Active Directory domain.
  5. Expand the System container.
  6. Expand the DFSR-GlobalSettings container.
  7. Expand the Domain System Volume container.
  8. Expand the Topology container.
  9. In the main window, right-click the object for the domain controller you want to delete from the Topology container:
Figure 2.19 – Deleting the SYSVOL replication membership in the Active Directory Administrative Center

  10. Select Delete.
  11. In the Delete Confirmation pop-up window, click Yes to acknowledge that you are sure you want to delete msDFSR-Member.
  12. Close the Active Directory Administrative Center window.

Deleting the domain controller from Active Directory Sites and Services

To delete the domain controller from Active Directory Sites and Services, perform these steps:

  1. Press Start.
  2. Search for Active Directory Sites and Services and click its corresponding search result, or run dssite.msc. The Active Directory Sites and Services window appears:
Figure 2.20 – The Active Directory Sites and Services window

  3. In the left navigation pane, expand Sites.
  4. Expand the Active Directory site where the domain controller resides.
  5. Expand the Servers node.
  6. Right-click the object for the domain controller you want to delete from the Servers node and select Delete.
  7. In the Active Directory Domain Services pop-up window, click Yes to acknowledge that you are sure you want to delete the server.
  8. Close Active Directory Sites and Services.
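The manual steps above (metadata cleanup, DNS, the computer object, the SYSVOL membership, and Sites and Services) each leave a different kind of residue if they are skipped or fail half-way. The following Windows PowerShell script is an added example, not from the book, that reports any remaining reference to the removed domain controller without deleting anything; it assumes the DC04 / lucernpub.com / RemoteLocation names used in this recipe, that the ActiveDirectory and DnsServer modules are installed, and that DC01 is a surviving DNS server (all of these are assumed names).

```powershell
# Added example (not from the book): find leftovers after a forced demotion.
# Reports only; nothing is removed. Assumed names: DC04, lucernpub.com, DC01.
param(
    [string]$DcName    = 'DC04',
    [string]$DomainDns = 'lucernpub.com',
    [string]$DnsServer = 'DC01'
)

Import-Module ActiveDirectory
Import-Module DnsServer

$configNC = (Get-ADRootDSE).configurationNamingContext
$domainDN = (Get-ADDomain -Identity $DomainDns).DistinguishedName
$fqdn     = "$DcName.$DomainDns"
$findings = @()

# 1. Computer object (section "Deleting the computer object for the domain controller")
$computer = Get-ADComputer -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue
if ($computer) { $findings += "Computer object still present: $($computer.DistinguishedName)" }

# 2. Server object under Sites; this is what metadata cleanup and Sites and Services remove
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$DcName))" |
    ForEach-Object { $findings += "Server object still present: $($_.DistinguishedName)" }

# 3. msDFSR-Member in the SYSVOL replication topology
$dfsrBase = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
Get-ADObject -SearchBase $dfsrBase -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$DcName))" |
    ForEach-Object { $findings += "msDFSR-Member still present: $($_.DistinguishedName)" }

# 4. DNS: A/AAAA host records named after the DC, and SRV records that still target it.
#    PTR records live in the reverse lookup zone and are not checked here.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DomainDns -Name $DcName -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "DNS $($_.RecordType) record still present: $($_.HostName)" }

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DomainDns -RRType Srv |
    Where-Object { $_.RecordData.DomainName -eq "$fqdn." } |
    ForEach-Object { $findings += "DNS SRV record still points to ${fqdn}: $($_.HostName)" }

# The _msdcs zone holds a GUID CNAME for every DC; assumed to exist as its own zone here.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$DomainDns" -RRType CName -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.HostNameAlias -eq "$fqdn." } |
    ForEach-Object { $findings += "DNS CNAME in _msdcs still points to ${fqdn}: $($_.HostName)" }

if ($findings.Count -eq 0) {
    Write-Output "No residual references to $DcName found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from a surviving domain controller after the manual steps; a warning for any line means the corresponding step in this recipe still has to be done or repeated.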

Deleting an orphaned domain

When you've removed the last domain controller for a domain, it becomes an orphaned domain. Perform these steps to clean up the metadata for the orphaned domain:

  1. Sign in interactively to the domain controller that is known to be good with an account that is a member of the Enterprise Admins group. A domain controller that hasn't experienced any replication challenges throughout its lifetime might be your best choice. Also, note that performing the following actions on the domain controller holding the Domain Naming Master FSMO role is preferred.
  2. Press Start.
  3. Search for Command Prompt, right-click its search result, and choose Run as administrator from the context menu. Alternatively, run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
  4. Run the following command to start the NTDS utility in interactive mode:
    ntdsutil.exe
  5. Type the following command in interactive mode to start the metadata cleanup:
    metadata cleanup
  6. Type the following commands to specify the current domain controller as the server on which to make the changes, as it is the Domain Naming Master:
    Connections
    connect to server localhost
    quit
  7. Type the following commands to list the Active Directory domains in the Active Directory forest so that you can select the domain you wish to remove:
    select operation target
    list domains
  8. This outputs a list of domains in the forest, denoted by an identifier. Note down the identifier for the orphaned domain you want to remove.
  9. Type the following command in interactive mode to select the domain to remove:
    select domain <ID>
  10. Type the following command to exit the operation target selection context:
    quit
  11. Type the following command to remove the domain:
    remove selected domain
  12. Type the following command in interactive mode to exit the metadata cleanup context and then the NTDS utility itself:
    quit
    quit
  13. Close the Command Prompt window.

See also

To seize the FSMO roles, see the Managing FSMO roles recipe in Chapter 3, Managing Active Directory Roles and Features.

To configure domain controllers as global catalog servers, see the Managing global catalogs recipe in Chapter 3, Managing Active Directory Roles and Features.
