Step-By-Step: Manually Removing A Domain Controller Server
Published Oct 31 2018 10:03 PM 580K Views
Microsoft

Running DCPROMO is still the proper way to remove a domain controller from an Active Directory infrastructure. Certain situations, such as a server crash or a failed DCPROMO run, require removing the DC manually by cleaning up the server's metadata. The following steps show how to do this:

Step 1: Removing metadata via Active Directory Users and Computers

  1. Log in to a DC server as a Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers
  2. Expand the Domain > Domain Controllers
  3. Right-click the Domain Controller you need to manually remove and click Delete
  4. Click Yes to confirm in the Active Directory Domain Services dialog box
  5. In the next dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO) and click Delete
  6. If the domain controller is a global catalog server, click Yes in the next window to continue with the deletion
  7. If the domain controller holds any FSMO roles, click OK in the next window to move them to an available domain controller

Step 2: Removing the DC server instance from the Active Directory Sites and Services

  1. Go to Server Manager > Tools > Active Directory Sites and Services
  2. Expand Sites and go to the server you need to remove
  3. Right-click the server you wish to remove and click Delete
  4. Click Yes to confirm

Step 3: Remove metadata via ntdsutil 

  1. Right-click Start > Command Prompt (Admin)
  2. Type ntdsutil and press Enter
  3. Type metadata cleanup and press Enter; you are then presented with the metadata cleanup prompt
  4. Next type remove selected server <servername>
     NOTE: Replace <servername> with the domain controller you wish to remove
  5. Click Yes to proceed when presented with the warning window
  6. Execute the quit command twice to exit the console
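Several readers in the comments ask how to confirm that the metadata is really gone. The following PowerShell check is an added example, not part of the original post: it queries every location the three steps touch, plus the SYSVOL (DFSR) topology member and DNS records that the comments report as left behind. OLDDC01 and DC01 are placeholder names, and the ActiveDirectory and DnsServer RSAT modules are assumed to be installed.

```powershell
# Added example (not part of the original post): verify that a manually removed
# DC left no stale objects behind. OLDDC01 / DC01 are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$StaleDc   = 'OLDDC01'   # placeholder: NetBIOS name of the removed DC
$DnsServer = 'DC01'      # placeholder: a surviving DC that hosts the DNS zone

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$findings = New-Object System.Collections.Generic.List[string]

# Step 1 residue: the computer account in the Domain Controllers OU
Get-ADComputer -Filter "Name -eq '$StaleDc'" -SearchBase $domain.DomainControllersContainer |
    ForEach-Object { $findings.Add("Computer account still exists: $($_.DistinguishedName)") }

# Step 2 / Step 3 residue: the server object under CN=Sites and its NTDS Settings child
$sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"
Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$StaleDc'" -SearchBase $sitesDn |
    ForEach-Object {
        $findings.Add("Server object still exists: $($_.DistinguishedName)")
        Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $_.DistinguishedName -SearchScope OneLevel |
            ForEach-Object { $findings.Add("NTDS Settings still exists: $($_.DistinguishedName)") }
    }

# The DC list that ntdsutil's 'list servers in site' also draws from
Get-ADDomainController -Filter "Name -eq '$StaleDc'" |
    ForEach-Object { $findings.Add("Still enumerated as a DC: $($_.HostName)") }

# SYSVOL (DFSR) topology member; the container is absent in FRS-only domains
$topologyDn = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
Get-ADObject -Filter "objectClass -eq 'msDFSR-Member' -and Name -eq '$StaleDc'" -SearchBase $topologyDn -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("DFSR topology member still exists: $($_.DistinguishedName)") }

# DNS residue: host, name-server and service records still naming the old DC
$zone = $domain.DNSRoot
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -eq $StaleDc } |
    ForEach-Object { $findings.Add("A record still exists: $($_.HostName) -> $($_.RecordData.IPv4Address)") }
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$StaleDc.*" } |
    ForEach-Object { $findings.Add("NS record still points at $($_.RecordData.NameServer)") }
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$StaleDc.*" } |
    ForEach-Object { $findings.Add("SRV record $($_.HostName) still targets $($_.RecordData.DomainName)") }

if ($findings.Count -eq 0) { "No stale objects found for $StaleDc" } else { $findings }
```

Run it from a surviving DC or an RSAT workstation with domain admin rights; any line of output names an object that still needs to be deleted by hand.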

NOTE: This post was originally posted on CANITPRO.NET and was co-authored by Microsoft MVP Dishan Francis

15 Comments
Copper Contributor

Good day,

The steps to perform the deletion of a server were followed to the letter and did not work.
It must have started from step 2, Sites and Services of the Active Directory, unprotecting the connections to the other servers, then unprotecting the server and finally eliminating the server, being automatically removed from Users and Computers in the Active Directory.
And then you go to step 3 with the ntdsutil command and you do not see it anymore, so it does not do anything.
Therefore, I request that this manual be rectified.

Thank you

Microsoft

Curious @Engineer80. What version of server are you attempting to remove?

Copper Contributor

Step three was not required for me, either. The DCs I was removing were 2008 R2, and I was removing them via a 2012 DC. I got the error: 

(The object name has bad syntax.) Unable to determine the domain hosted by the Active Directory Domain Controller (5). Please use the connection menu to specify it.

Regardless, it seems to have all been successful as far as I can tell (is there a way to verify metadata was successfully removed?).  I followed the steps and the removed DCs were not in the list when I executed "list servers in site" so I think it's fine. I subsequently ran the AD Replication Status Tool and the servers were also nowhere to be found. 

Copper Contributor

Just to note, the steps to run ntdsutil in this guide seem to be truncated.

However, I had the same issue noted above. When it came time to select the DC for metadata cleanup, it was already gone after removing the server from AD Users and Computers and AD Sites and Services. Is there another way to verify full metadata removal?

Thanks

Copper Contributor

When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Before Windows Server 2008, you had to perform a separate metadata cleanup procedure.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

Copper Contributor

I think this info is a little obsolete. The cleanup of server metadata is performed automatically as mentioned above.

Copper Contributor

Yes, I confirm the observations of the respondents here: after removing the server from ADUC and ADS&S the ntdsutil step is not needed. It was probably from the Windows 2000/2003 days.

C:\Users\Administrator>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: remove selected server DC2
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:'CN=Ntds Settings,DC2'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller
(5). Please use the connection menu to specify it.
metadata cleanup:

Copper Contributor

Hi there,

I somehow clicked on force removal during the removal process, then ended up with a dangling mess.

Now I am trying to manually clean.

I got the same problem at step 3;

Anyway, it is good to know the AD can be manually cleaned.

C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: remove selected server KKDC
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-0310022D, problem 2006 (BAD_NAME), data 8350, best match of:
'CN=Ntds Settings,KKDC'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller (5). Please use the connection menu to specify it.

Copper Contributor

These comments are a hoot. Folks - the instructions listed here are step 1 OR step 2 OR step 3. 

Granted, it should have been worded better and never listed in this way to begin with, but each "step" is actually just 3 options that all do the same thing. 

Brass Contributor

It seems that after Windows Server 2008, you may either

  • Perform step 1, then 2 and skip 3
  • Or perform step 3, then 2 (and skip 1)

Steel Contributor

I found it was necessary to remove the SYSVOL replication membership after performing these steps:

  1. Open the Active Directory Administrative Center (dsac.exe).
  2. At the top of the left navigation pane, switch to Tree view from List view.
  3. Expand the Active Directory domain.
  4. Expand the System container.
  5. Expand the DFSR-Global Settings container.
  6. Expand the Domain System Volume container.
  7. Expand the Topology container.

Described in this article: https://www.oreilly.com/library/view/active-directory-administration/9781789806984/2dda7ed1-ca4b-40e...

Copper Contributor

happy day

Even though the instructions for deleting a server were strictly followed, it did not succeed.

It must have started with step 2, Active Directory Sites and Services, unprotecting the connections to other servers, then unprotecting the server, and lastly removing the server, which resulted in the server being automatically deleted from Active Directory Users and Computers.

When you use the ntdsutil command in step 3 after that, you no longer see it, therefore nothing happens.

I thus ask that this manual be updated.

Many thanks

Copper Contributor

Hi all, just demoted a Windows Server 2012 R2 DC in our domain because of a system crash.

Step 3 seems to be not needed, but in case of DFS Replication of the DCs the deleted domain controller has to be also deleted in Active Directory -> System -> DFSR-GlobalSettings -> Domain System Volume -> Topology.
Otherwise there is an object with an error in DFS Management.

Please correct me if I missed something.

Best regards

Andreas

Copper Contributor

Don't forget to update DNS, article should be updated to reflect this. I've done this a few times and always have to go in and amend manually, maybe it does update over time but I've never seen it. I would delete the offline server then check all references to the offline server on the properties of your name servers have also been removed. Btw, I've also done this before via Dcpromo and even that doesn't update DNS. Step three wasn't needed for me, think this goes back to server 2003. 

Version history
Last update: Dec 23 2021 08:12 AM