

Complete Step by Step to Remove an Orphaned Domain Controller - AD and Exchange Quantum Singularity

AD and Exchange Quantum Singularity

Complete Step by Step to Remove an Orphaned Domain Controller

Published Tue, Oct 5 2010 0:14

Complete Step by Step to Remove an Orphaned Domain controller

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
Published 10/5/2010
Revamped 11/3/2010 - Changed the steps to make more sense and easier to follow

I think at this point you're probably thinking, "What, another blog on how to remove an orphaned DC?" I know. There are many out there, and I commend all the ones I've read. My aim here is a complete step by step that includes all the little nuances, with links and explanations. If I've forgotten anything, or made a mistake, I hope someone is kind enough to post a comment pointing it out. I would do the same.
In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question is rarely asked directly, because in many cases the poster doesn't yet realize these steps are required. Removing an orphaned DC usually comes up as the answer after diagnosing a specific DC or replication issue: not being able to promote a new DC with the same name as a failed one, a lost DC that leaves a trail of replication errors in the Event log and in DCDIAG, or simply having run the procedure before but forgotten a step or two.
Many of the steps were taken from the following link, but I've expanded on them and added further information, links, and explanations.
How to remove completely orphaned Domain Controller

Should I repair the DC or simply dump it and create a new one?

Good question. In many cases, when a DC is lost, the easiest and simplest route is to dump the machine, clean up AD, and rebuild the DC using the same name. Compared to doing a restore, this is the simpler procedure and saves time, because it's much faster. However, any application or service installed on the DC adds complexity, especially if Exchange was installed on it. Needless to say, and as many are already aware, it's recommended never to install Exchange on a DC. See the next section, where I've posted a link that explains this in greater detail.
Dumping the failed DC and rebuilding a new one with the same name is a sound and proven approach, but it assumes there are no applications, major services, or files to be restored on the DC. Normally we do not recommend installing additional apps or services on a DC, other than DNS, WINS and/or DHCP. If there are any, then those apps, services, files, etc. must be reinstalled, reconfigured, or restored.

Was Exchange on the DC?

As mentioned in the Preface, if Exchange was on the DC (not a recommended configuration, but it happens), hopefully you have a full backup of both the Exchange Information Store and the DC's System State, because both would have to be restored. Hopefully those are two separate backups and not one combined backup job, otherwise you may find the Exchange backup is useless for a restore. The following link is not a DC/Exchange restore guide; it explains why you wouldn't want to install Exchange on a DC and the ramifications of doing so. The exception is SBS, which is designed to run Exchange on the DC. Read more if this applies to your scenario:
Exchange on a Domain Controller - Ramifications and How to Move Exchange off a DC
Published by acefekay on Aug 8, 2009 at 7:00 PM

Were there any applications or services installed?

Was DHCP installed?
If you don't have a backup from which you can retrieve the DHCP database, your best bet is to reinstall the DHCP service and start from scratch. If you do have a backup and can restore the DHCP files, follow this link:
How to move a DHCP database from a computer that is running Windows 2003 (also applies to newer versions)




How to migrate a DHCP database from Windows 2000 Server to Windows, Nov 9, 2009
Was WINS installed?
If you don't have a backup from which you can retrieve the WINS database, your best bet is to reinstall the WINS service and start from scratch. If the WINS server had a replication partner, you can use that partner to repopulate the database. If you do have a backup and can restore the WINS files, follow this link:
How to migrate a WINS database from a Windows 2000-based WINS server (applies to Windows 2000 and all newer Windows versions)
Was DNS installed?
No worries, as long as the zones were AD integrated. They'll replicate over from another DC automatically, so there is no need to create the zones by hand. If you do create them manually while they are AD integrated, you'll introduce duplicate zones in the AD database, and cleaning those up is a separate topic.
Any other applications or services installed?
Depending on the application or service installed, hopefully you'll have a backup from which you can retrieve the files; otherwise you'll have to reinstall. For any third-party application, refer to the documentation or contact the vendor for assistance.

Basic High-Level steps

1. Run a Metadata Cleanup
2. Remove the old server object in "Active Directory Sites and Services."
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. If Windows 2000, use ADSIEdit to remove the old computer account and FRS member object from Active Directory.
5. Force Active Directory replication

Steps Broken Down with a Low-Level Description

1. Make sure at least one of the surviving DCs is a GC. It's actually recommended to make all DCs GCs, whether in a single-domain or multi-domain forest. This sidesteps the Infrastructure Master (IM) / GC conflict. Many large installations use this design without issues. As a matter of fact, Exchange likes it.
Global Catalog vs. Infrastructure Master:
"In a single-domain forest, all DCs can be GCs. In a multi-domain forest, the DC holding the IM FSMO role should not be a GC, unless you make all DCs GCs."
Enable or disable a global catalog: Active Directory (select the Global Catalog check box on the NTDS Settings object to enable the global catalog, or clear it to disable it)
How to create or move a global catalog in Windows Server 2003 (same in 2008 & 2008 R2)

2. Use the following knowledgebase article to run a Metadata Cleanup, which removes the common Domain Controller objects and settings from Active Directory.
A. For Windows 2003
NTDSUTIL in 2003 and newer automatically removes the Computer Account and the FRS objects from Active Directory, but you can still use these steps to ensure the objects were removed.
How to remove data in Active Directory after an unsuccessful domain controller demotion

B. For Windows 2000, you must use ADSIEdit to remove the Computer Account and the FRS Object from Active Directory.
Use ADSIEdit to delete the computer account. To do this, follow these steps:





Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
Expand the Domain NC container.
Expand DC=YourDomainName,DC=<suffix> (for example DC=COM, DC=PRI, DC=LOCAL or DC=NET).
Expand OU=Domain Controllers.
Right-click CN=domain controller name, and then click Delete.

If you receive the "DSA object cannot be deleted" error message when you try to delete the object, change the UserAccountControl value. To change the
UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click
UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.
Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
Expand the Domain NC container.
Expand DC=YourDomain,DC=<suffix> (for example DC=COM, DC=PRI, DC=LOCAL or DC=NET).
Expand CN=System.
Expand CN=File Replication Service.
Expand CN=Domain System Volume (SYSVOL share).
Right-click the domain controller you are removing, and then click Delete.

C. For Windows 2008 and Windows 2008 R2:

In 2008 and 2008 R2 the metadata cleanup can be done entirely from the GUI (deleting the failed DC's computer object in Active Directory Users and Computers, or its NTDS Settings object in Sites and Services, runs the cleanup for you). However, you'll still want to follow the rest of the steps: seize FSMOs, force replication, check DNS & WINS, etc.
Cleanup Server Metadata Windows 2008 (GUI Based)
Active Directory Metadata Cleanup (For Windows 2008 or newer - with screen shots)
By Meinolf Weber, MVP

Optional Script For Windows 2000, 2003, 2008, and 2008 R2

If you'd rather not use ntdsutil from the command line, Microsoft published a script written specifically to run a Metadata Cleanup:
Remove Active Directory Domain Controller Metadata (Microsoft) - Applies to all Windows Server Versions (2000, 2003, 2003 R2, 2008, 2008 R2, SBS 2003 & SBS 2008)

3. If the failed DC held any of the FSMO roles, you need to seize those roles on a surviving Domain Controller. Seize, not transfer: a transfer requires the old holder to be online, and once a role has been seized the old DC must never be brought back onto the network holding it.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
How to view and transfer FSMO roles in Windows Server 2003 using the GUI
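As an added example that is not part of the original post, the following PowerShell script performs steps 2 and 3 from a surviving DC and then checks that nothing was left behind. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), that it runs on a writable DC as a Domain/Enterprise Admin, and a failed DC named DC2 in the site Default-First-Site-Name; those two names are placeholders, everything else is read from the directory. It is a dry run until $DoCleanup is set to $true.

```powershell
# Added example, not from the original post. Assumed names: failed DC "DC2"
# in site "Default-First-Site-Name". Requires the ActiveDirectory module
# (Windows Server 2008 R2 RSAT or later) on a surviving writable DC.
Import-Module ActiveDirectory

$FailedDc   = 'DC2'                      # assumption: NetBIOS name of the dead DC
$FailedSite = 'Default-First-Site-Name'  # assumption: the site it lived in
$DoCleanup  = $false                     # dry run until you flip this to $true

$RootDse  = Get-ADRootDSE
$ConfigNc = $RootDse.configurationNamingContext
$DomainDn = $RootDse.defaultNamingContext
$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$DeadFqdn = "$FailedDc.$($Domain.DNSRoot)"
$ServerDn = "CN=$FailedDc,CN=Servers,CN=$FailedSite,CN=Sites,$ConfigNc"
$NtdsDn   = "CN=NTDS Settings,$ServerDn"
$Survivor = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName

# Step 3 first, as the KB instructs: any role still pointing at the dead DC is
# seized by this DC, so no role is left on a server object about to vanish.
$RoleHolders = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$ToSeize = @($RoleHolders.GetEnumerator() |
    Where-Object { $_.Value -ieq $DeadFqdn } |
    ForEach-Object { $_.Key })

if ($ToSeize.Count -gt 0) {
    Write-Host "Roles held by $DeadFqdn that must be seized: $($ToSeize -join ', ')"
    if ($DoCleanup) {
        # -Force seizes instead of transferring; the dead DC cannot be contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
            -OperationMasterRole $ToSeize -Force -Confirm:$false
    }
}

# Step 2: metadata cleanup via ntdsutil's one-line syntax. On 2003 SP1 and
# later this also removes the NTDS Settings, computer account and FRS member
# object. ntdsutil still pops a confirmation dialog.
if ($DoCleanup) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit
}

# Verification: every object that should now be gone.
$ShouldBeGone = @(
    $NtdsDn,
    $ServerDn,
    "CN=$FailedDc,OU=Domain Controllers,$DomainDn",
    "CN=$FailedDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"
)
$Remaining = @(foreach ($dn in $ShouldBeGone) {
    try   { Get-ADObject -Identity $dn -ErrorAction Stop | Out-Null; $dn }
    catch { }   # "not found" is the result we want
})

# crossRef objects of the application partitions (DomainDnsZones, ForestDnsZones)
# can keep listing the dead NTDS Settings as a replica location; report it.
$StaleReplica = @(Get-ADObject -SearchBase "CN=Partitions,$ConfigNc" `
    -LDAPFilter "(msDS-NC-Replica-Locations=$NtdsDn)")

if ($Remaining.Count -gt 0)    { Write-Warning "Still present: $($Remaining -join '; ')" }
if ($StaleReplica.Count -gt 0) { Write-Warning "Stale replica entries on: $($StaleReplica.DistinguishedName -join '; ')" }
if ($Remaining.Count -eq 0 -and $StaleReplica.Count -eq 0) { Write-Host "No metadata for $DeadFqdn remains." }
```

Run it once with $DoCleanup left at $false to see which roles the dead DC held and which objects still exist, then again with it set to $true. The verification at the end is the same set of objects the Windows 2000 ADSIEdit steps above delete by hand, plus the replica-location check that accounts for the DNS application partitions.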

4. If the failed DC held the PDC Emulator role, you need to configure a new authoritative time server in the domain. The first link is my blog with complete steps. It was compiled using the following two Microsoft KBs, among other links.
Configuring the Windows Time Service for Windows Server
Scroll down to the section "Transferring the PDC Emulator Role"
Published by acefekay on Sep 18, 2009 at 8:14 PM
How to configure an authoritative time server in Windows 2000
How to configure an authoritative time server in Windows Server 2003

5. Remove the old server object by using the "Active Directory Sites and Services" tool.




Open Active Directory Sites and Services

Expand the Sites folder
Select the site the old DC was in
Expand Servers
Delete the old DC name

6. Remove any old WINS records of the orphaned Domain Controller from the WINS database. If there are WINS replication partners, choose the "Tombstone" option when you delete them: a plain delete only removes the record locally, while a tombstone replicates the deletion to the partners, so the copies there don't simply replicate back.
Deletion of WINS Database Records (if records deleted without tombstoning have already replicated to other WINS servers, those copies are not removed)
Deleting and tombstoning records: Windows Internet Name Service (WINS)

7. Force Active Directory replication by using the "Repadmin.exe" tool.

Repadmin examples:
repadmin /syncall - initiates replication with all partners of the DC you run it on
repadmin /syncall /A /e /P (/A synchronizes all partitions held by the DC you're running it on, /e synchronizes across all sites (enterprise), /P pushes changes outward from this DC instead of the default, which pulls changes in)
Also, to check replication status:
To see if anything is in the queue waiting for replication:
Run "repadmin /queue *"
To find out the replication latency, if any (less than a few minutes is fine):
Run "repadmin /showutdvec server-name dc=mydomain,dc=lab /latency"
You can also use the Replmon GUI on Windows 2000 and 2003, but it is no longer available for 2008 or newer:
Getting Over Replmon - Ask the Directory Services Team (Jul 1, 2009): with the release of Windows Server 2008, Replmon was not included.

Repadmin: more info and explanations of the specific repadmin switches

Repadmin command reference (updated August 22, 2005): a complete list of switches with details and usage. Applies to Windows Server 2003 R2, but the switches apply to 2008 and 2008 R2 as well.
Using Repadmin.exe to troubleshoot Active Directory replication
Initiating Replication Between Active Directory Direct Replication Partners: written for Windows 2000, but works for Windows 2003, 2008 and 2008 R2. This article shows how to use repadmin and the necessary switches to force replication between specific or all partners in the infrastructure.
Troubleshooting replication
Updated April 4, 2008; applies to Windows Server 2003, 2003 R2, 2003 SP1 and 2003 SP2
Updated July 13, 2010; applies to Windows Server 2003, 2003 R2, 2003 SP1 and Windows Server 2008
Repadmin: Microsoft Technical Whitepaper (download link)

8. Go through DNS with a fine-toothed comb and delete all references to the old DC. You'll need to delete records such as the SRV records, the host (A) record, the LdapIpAddress and the GcIpAddress entries.




Drill down into every record under both domain.local and _msdcs.domain.local.
Under the domain.local zone:
Delete the A (host) record for the failed DC.
Delete the LdapIpAddress: under domain.local you will see a record named (same as parent) of type A that carries the old DC's IP address. Delete it.
Delete any reference in DomainDnsZones: if the DomainDnsZones folder exists, expand it, and delete any reference to the failed DC's FQDN or IP address.
Delete any reference in ForestDnsZones: if the ForestDnsZones folder exists, expand it, and delete any reference to the failed DC's FQDN or IP address.
To make sure all records are gone, fully expand every subfolder under the domain.local zone and delete any references you see, such as the kerberos and ldap SRV records.
Under the _msdcs.domain.local zone:
Delete the GcIpAddress: click on the gc._msdcs.domain.local folder and delete the A record carrying the old DC's IP address.
Delete the DC's GUID alias: click on _msdcs.domain.local. You will see a CNAME (alias) record whose name is a long GUID, pointing to the old DC's FQDN. That GUID is the old DC's NTDS Settings object GUID, which replication partners use to locate it. Delete it.
To make sure all records are gone, fully expand every subfolder under the _msdcs.domain.local zone and make sure you do not see any references to the failed DC. If you do, delete them.
9. Delete the NameServer reference in all DNS zones' properties, Nameserver tab.
Right-click DNS server name, properties
Nameserver Tab
Remove the old DC FQDN and/or IP
Repeat for every zone that exists
10. Run a DNSLint report. Make sure the old DC is no longer listed anywhere in DNS. If it is, go back to Steps #8 and #9.
Here are some links to understand how to use it.
DNSLint Overview: Domain Name System (DNS)
Support WebCast: Microsoft Windows: Using the DNSLint Utility
Description of the DNSLint utility (Dec 3, 2007): DNSLint is a Microsoft Windows utility that helps you diagnose common DNS name resolution issues.
How to use DNSLint to troubleshoot Active Directory replication issues
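The record-by-record hunt in steps 8 and 9 and the re-check in step 10 can also be scripted. As an added example that is not from the original post, the following PowerShell uses the DNS server's root\MicrosoftDNS WMI provider (present on Windows Server 2003 and later, so it does not need the 2012 DnsServer module) to list every record in every primary zone that still names the dead DC or carries its old IP address, and deletes them only when $DoDelete is set. The server name DC1, the FQDN dc2.corp.example and the address 10.0.0.2 are placeholders.

```powershell
# Added example, not from the original post. Placeholders: DNS server "DC1",
# dead DC "dc2.corp.example", its old address 10.0.0.2.
$DnsServer = 'DC1'                # assumption: surviving DNS server to query
$DeadFqdn  = 'dc2.corp.example'   # assumption: FQDN of the orphaned DC
$DeadIp    = '10.0.0.2'           # assumption: its old IP address
$DoDelete  = $false               # dry run until you have reviewed the list

# Match the FQDN only as a whole name (optionally dot-terminated), so
# "dc2.corp.example" does not also hit "xdc2.corp.example"; same idea for the IP.
$NamePattern = '(?<![\w-])' + [regex]::Escape($DeadFqdn) + '\.?(?![\w-])'
$IpPattern   = '(?<![\d.])'  + [regex]::Escape($DeadIp)   + '(?![\d.])'

# Keep primary zones (AD-integrated or standard); skip secondary, stub,
# forwarder zones and the "..Cache" container.
$Zones = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS `
    -Class MicrosoftDNS_Zone | Where-Object { $_.ZoneType -le 1 -and $_.Name -notlike '..*' }

$Stale = @(foreach ($zone in $Zones) {
    $records = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS `
        -Class MicrosoftDNS_ResourceRecord -Filter "ContainerName = '$($zone.Name)'"
    foreach ($rr in $records) {
        # The SOA belongs to the zone itself; never delete it.
        if ($rr.TextRepresentation -match '\sIN\sSOA\s') { continue }
        # OwnerName catches the host A record; RecordData catches NS records at
        # the zone root, the GUID CNAME, SRV targets, PTRs, and the
        # "(same as parent)" LdapIpAddress / GcIpAddress A records (by IP).
        if ($rr.OwnerName  -imatch $NamePattern -or
            $rr.RecordData -imatch $NamePattern -or
            $rr.RecordData -imatch $IpPattern) {
            $rr
        }
    }
})

Write-Host "$($Stale.Count) record(s) still refer to $DeadFqdn / $DeadIp on $DnsServer"
$Stale | Select-Object ContainerName, TextRepresentation | Format-Table -AutoSize

if ($DoDelete) {
    foreach ($rr in $Stale) {
        # Deleting the WMI instance deletes the record; in an AD-integrated zone
        # the deletion replicates to every other DNS server hosting the zone.
        $rr | Remove-WmiObject
    }
}
```

Because the NS records at each zone root match on RecordData, this covers the Name Servers tab (step 9) as well as the per-record sweep of step 8, and re-running it with $DoDelete still $false is the equivalent of the DNSLint re-check in step 10. Run it against every DNS server that hosts standard (non-AD-integrated) primary zones, since only AD-integrated deletions replicate.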

Manually altering a DC to turn it into a non-DC

Last but not least: years ago, before the /forceremoval switch existed, when a DC could not be demoted yet you wanted to keep the machine intact, someone posted the steps to manually rip out the pieces that make a DC a DC. FWIW, here they are:

14 easy manual steps to make a DC a non-DC

Some have posted this as 12 steps, 13 steps or 14 steps. They are the same steps; some have simply combined multiple tasks into one.
Keep in mind, unless it has changed, this is not supported by Microsoft. I believe there was a KB on it at one time, but I don't have the KB number. If you follow this, keep in mind that this posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.
This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
Remove failed DC from AD manually Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.

1) On another DC in the domain run NTDSUTIL to move the FSMO's, er seize them! DOH. (If this is the only DC, then don't worry about it)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don't worry about it for now, but configure it correctly before promoting it to a new DC).
3) Make sure working DC is also a GC. (If just one DC, don't worry about it).
4) Boot the corrupted DC into Directory Services Restore Mode (DSRM), open the registry, and under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions change the ProductType value from LanmanNT to ServerNT. This value dictates whether the machine is a DC or just a server: ServerNT means it's not a DC.
5) Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand alone, by joining a workgroup (My Computer Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand alone machine, set the Primary DNS Suffix to the new domain name that you want (In My Computer. Properties, Network ID Tab, Properties, More,).
12) Make sure that DNS is configured with the new domain name and updates set to YES.
13) Run DCPROMO to create a new domain or join the domain/tree/forest again.
14) Reboot

Comments, suggestions and corrections are welcomed!

Ace Fekay
by acefekay
Filed under: removing Exchange, Exchange 2003, Active Directory, exchange 2007, Application Partitions, exchange on a domain controller, exchange dsaccess does not fail over to
another dc if exchange installed on a domain controller, exchange on a DC, exchange dsaccess will not failover if installed on a dc, Time Convergence Hierarchy, Windows Time
Service, Windows time hierarchy, Time Service, AD, Exchange 2010, AD Sites, Active Directory Sites, remove a failed DC, reinstall a DC with the same name, dead DC, orphaned
domain controller, reinstall a domain controller with the same name, lingering objects, dead domain controller, Orphaned DC, remove a failed domain controller, replication errors
# Ace Fekay's Active Directory, Exchange and Windows Infrastructure Services Blog said on Sunday, January 16, 2011 10:36 AM
Active Directory FSMO Roles Explained Ace Fekay, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007
# Jim H said on Saturday, May 14, 2011 8:18 PM
You are right about two things:
1. There are at least twenty-gazillion articles out there on this topic.
2. This has to be the most comprehensive and concise description of this process I have seen so far. I have had to do this on several occasions and - invariably - I'd miss a step or two because many of the articles out there assume you do this every day for a living. . . . Your article leaves nothing to the imagination - complete, even includes cross-references for more information.
Have you considered putting this up on Wikipedia?
I am definitely going to book-mark this one!
Jim H.
# Johnny L said on Monday, July 11, 2011 12:01 PM
My situation is simple: I have a remote location in East Coast and the office has closed for good and of course before I got the chance to use dcpromo to take it out of my
directory the server is dead (hardware failure). The server over in NY is 2003 Server R2 SP2. At HQ, I have the 2008 Server AD R2 and I want to delete/remove the NY
AD server for good - keep in mind that I don't need to install or re-install the new AD server since the office is closed for good, thanks. I still have 3 other sites which are running
perfectly right now. Only at HQ is the main DC. Please help thanks.
# acefekay said on Wednesday, December 14, 2011 10:08 PM
Jim H, thanks for the feedback! I would have responded sooner, but I don't receive email updates when comments are left!





Johnny, you'll need to manually rip out the failed DC from the AD database. That's what this article addresses. I know it's a bit late responding, but have you ever resolved
# Ace Fekay's Active Directory, Exchange and Windows Infrastructure Services Blog said on Friday, January 06, 2012 9:27 AM
Active Directory Lingering Objects, Journal Wraps, Tombstone Lifetime, and Event IDs 13568, 13508, 1388
# Moneer said on Tuesday, March 13, 2012 8:31 AM
Great article. Dumb question: would this work for a server that has been physically removed from the domain but keeps showing up in Group Policy Management? I thought it
was correctly removed but it is causing us some problems, and it is now physically removed.
# Neilrahc said on Monday, October 22, 2012 3:12 PM
Very helpful and satisfying that you took the time and care to create a great resource which comprehensively covers this task. Thanks!
# Yan Shtulberg said on Monday, March 25, 2013 8:34 AM
Perfect admin guide - thank you
# Wayne said on Thursday, June 20, 2013 9:52 AM
This is excellent, I only have one question for now, Is there any point during this process that I would have continued service issues on the existing DC's, potential slowdown
when running the forced replication maybe. I know I should do this off hours but didn't know if I needed to plan a maintenance window and alert the user population.
# Dave said on Tuesday, June 25, 2013 3:00 PM
Hi there, thanks for all the effort to detail this. Unfortunately I find it a bit confusing. I assume that most of the steps above are to be undertaken on another DC? If so what do I
need to do, if anything on the tombstoned DC? At the end there is a section about manually altering a DC, I take it these are things I should be doing on the broken DC to
make it not a DC, but they allude to a method >>"/forceremoval switch" as being easier than the manual one detailed, but if this easier method is something I can use, what is it?
dcpromo /forceremoval maybe? If so, do I run that on the dead DC before doing all the steps detailed above on the live DCs and do I do that with it still attached to the
network? I have gleaned from the rest of the net that once it gets tombstoned to disconnect its network card quickly, so do I need to connect that again and do the "... /forceremoval" thing and then run through the main steps in your article?