Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Active Directory Administration Cookbook, Second Edition

You're reading from   Active Directory Administration Cookbook, Second Edition Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud

Arrow left icon
Product type Paperback
Published in Jul 2022
Publisher Packt
ISBN-13 9781803242507
Length 696 pages
Edition 2nd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Sander Berkouwer Sander Berkouwer
Author Profile Icon Sander Berkouwer
Sander Berkouwer
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Chapter 1: Optimizing Forests, Domains, and Trusts 2. Chapter 2: Managing Domain Controllers FREE CHAPTER 3. Chapter 3: Managing Active Directory Roles and Features 4. Chapter 4: Managing Containers and Organizational Units 5. Chapter 5: Managing Active Directory Sites and Troubleshooting Replication 6. Chapter 6: Managing Active Directory Users 7. Chapter 7: Managing Active Directory Groups 8. Chapter 8: Managing Active Directory Computers 9. Chapter 9: Managing DNS 10. Chapter 10: Getting the Most Out of Group Policy 11. Chapter 11: Securing Active Directory 12. Chapter 12: Managing Certificates 13. Chapter 13: Managing Federation 14. Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO) 15. Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect) 16. Chapter 16: Hardening Azure AD 17. Other Books You May Enjoy

Demoting a domain controller forcefully

It's also an option to forcefully remove a domain controller from Active Directory. While graciously demoting should be the preferred option, you might have to resort to this option.

The process of demoting a domain controller forcefully consists of these steps:

  • Performing a metadata cleanup
  • Deleting the domain controller from DNS
  • Deleting the computer object for the domain controller
  • Deleting the SYSVOL replication membership
  • Deleting the domain controller from Active Directory Sites and Services
  • Seizing any FSMO roles that were hosted by the domain controller (you can do this first to ensure there are no impacts on domain members)
  • Taking care of the existence of global catalog servers

If the domain controller was the last domain controller for a domain in an existing forest, the domain will need to be removed, as it is now an orphaned domain.

Getting ready

Although you would demote a domain controller forcefully when it no longer replicates, you should ensure that the remaining domain controllers are replicating properly.

How to do it...

This recipe describes two ways to do it:

  • Using the Active Directory Domain Services Configuration Wizard
  • Using manual steps

Using the Active Directory Domain Services Configuration Wizard

The Active Directory Domain Services Configuration Wizard can be used to forcefully demote a domain controller when the Windows Server installation is still bootable and you are able to sign in to it with administrative credentials.

Perform these steps:

  1. Press Start.
  2. Search for Server Manager and click its corresponding search result, or run servermanager.exe. The Server Manager window appears.
  3. In the gray top bar of Server Manager, click Manage.
  4. Select Remove Server Roles and Features from the menu.
  5. On the Before you begin screen, click Next >.
  6. On the Select destination server screen, select the local Windows Server installation from the server pool list.
  7. Click Next >.
  8. On the Select server roles screen, deselect the Active Directory Domain Services role from the list of installed roles.
  9. In the pop-up window, click the Remove Features button to remove features that are required for Active Directory Domain Services.
  10. On the Validation Results screen, follow the Demote this domain controller link to acknowledge that the domain controller needs to be demoted before the Active Directory Domain Services role can be removed.
  11. On the Credentials screen, select the Force the removal of this domain controller option:
Figure 2.17 – The Credentials screen of the Active Directory Domain Services Configuration Wizard

Figure 2.17 – The Credentials screen of the Active Directory Domain Services Configuration Wizard

  1. Click Next >.
  2. On the Removal options screen, select the Proceed with removal option and click Next >.
  3. On the New administrator password screen, enter the new password for the built-in administrator account.
  4. Click Next > to proceed to the next screen.
  5. On the Review Options screen, click Demote.
  6. When configuration of the Active Directory Domain Services server role is done, click Close to close the Remove Roles and Features Wizard.

Using manual steps

Sometimes, the Active Directory Domain Services Configuration Wizard cannot be used, such as in the following situations:

  • You can no longer sign in interactively or remotely to the domain controller.
  • The physical hardware of the domain controller has been damaged beyond repair.
  • The domain controller is no longer reachable for other domain controllers.
  • The domain controller, for some reason, can no longer be trusted to provide Active Directory Domain Services in a meaningful way.

In these scenarios, the following manual steps can be performed to remove the domain controller from Active Directory.

Performing metadata cleanup

Perform these steps to perform metadata cleanup:

  1. Sign in interactively to the domain controller that is known to be good. The domain controller holding the Domain Naming Master is preferred.
  2. Press Start.
  3. Search for Command Prompt, right-click its search result, and choose Run as administrator from the context menu. Alternatively, run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
  4. Run the following command to start the NTDS utility in interactive mode:
    ntdsutil.exe
  5. Type the following command in interactive mode to start the metadata cleanup:
    metadata cleanup
  6. Type the following command to remove the DC04.lucernpub.com server:
    remove selected server "CN=DC04,CN=Servers,CN=RemoteLocation,CN=Sites,CN=Configuration,DC=LucernPub,DC=com"
  7. Type the following command in interactive mode to exit the metadata cleanup context:
    quit
  8. Type the following command in interactive mode to exit the NTDS utility itself:
    quit
  9. Close the Command Prompt window.

Deleting the domain controller from DNS

After the metadata cleanup, the DNS records for the domain controller may still be present. Use the DNS MMC Snap-in to remove the DNS A, AAAA, PTR, and SRV records for the domain controller.

Deleting the computer object for the domain controller

To delete the computer object for the domain controller, use the Active Directory Administrative Center:

  1. Press Start.
  2. Search for Active Directory Administrative Center and click its corresponding search result, or run dsac.exe. The Active Directory Administrative Center window appears.
  3. In the main Welcome to Active Directory Administrative Center pane, in the GLOBAL SEARCH field, enter the search criteria of the desired object and then click the Search button:
Figure 2.18 – Searching for an object using Global Search in the Active Directory Administrative Center

Figure 2.18 – Searching for an object using Global Search in the Active Directory Administrative Center

  1. From the search results, locate the domain controller object.
  2. Right-click it and then click Delete.
  3. Confirm you want to delete the domain controller.
  4. Close the Active Directory Administrative Center window.

To delete the computer object for the domain controller, alternatively, run the following line of Windows PowerShell:

Remove-ADComputer -Identity DC04

Replace DC04 with the name of the domain controller you want to remove.

Deleting the SYSVOL replication membership

The domain controller was also a member of the replication group for the Active Directory SYSVOL.

Perform these steps to remove the domain controller:

  1. Press Start.
  2. Search for Active Directory Administrative Center and click its corresponding search result, or run dsac.exe. The Active Directory Administrative Center window appears.
  3. At the top of the left navigation pane, switch to Tree view from List view.
  4. Expand the Active Directory domain.
  5. Expand the System container.
  6. Expand the DFSR-GlobalSettings container.
  7. Expand the Domain System Volume container.
  8. Expand the Topology container.
  9. In the main window, right-click the object for the domain controller you want to delete from the Topology container:
Figure 2.19 – Deleting the SYSVOL replication membership in the 
Active Directory Administrative Center

Figure 2.19 – Deleting the SYSVOL replication membership in the Active Directory Administrative Center

  1. Select Delete.
  2. In the Delete Confirmation pop-up window, click Yes to acknowledge that you are sure you want to delete msDFSR-Member.
  3. Close the Active Directory Administrative Center window.

Deleting the domain controller from Active Directory Sites and Services

To delete the domain controller from Active Directory Sites and Services, perform these steps:

  1. Press Start.
  2. Search for Active Directory Sites and Services and click its corresponding search result, or run dssite.msc. The Active Directory Sites and Services window appears:
Figure 2.20 – The Active Directory Sites and Services window

Figure 2.20 – The Active Directory Sites and Services window

  1. In the left navigation pane, expand Sites.
  2. Expand the Active Directory site where the domain controller resides.
  3. Expand the Servers node.
  4. Right-click the object for the domain controller you want to delete from the Servers node and select Delete.
  5. In the Active Directory Domain Services pop-up window, click Yes to acknowledge that you are sure you want to delete the server.
  6. Close Active Directory Sites and Services.

Deleting an orphaned domain

When you've removed the last domain controller for a domain, it becomes an orphaned domain. Perform these steps to perform a metadata cleanup for the orphaned domain:

  1. Sign in interactively to the domain controller that is known to be good with an account that is a member of the Enterprise Admins group. A domain controller that hasn't experienced any replication challenges throughout its lifetime might be your best choice. Also, note that performing the following actions on the domain controller holding the Domain Naming Master FSMO role is preferred.
  2. Press Start.
  3. Search for Command Prompt, right-click its search result, and choose Run as administrator from the context menu. Alternatively, run cmd.exe, but instead of running it by pressing Enter, press Ctrl, Shift, and Enter.
  4. Run the following command to start the NTDS utility in interactive mode:
    ntdsutil.exe
  5. Type the following command in interactive mode to start the metadata cleanup:
    metadata cleanup
  6. Type the following commands to specify the current domain controller as the server on which to make the changes, as it is the Domain Naming Master:
    Connections
    connect to server localhost
    quit
  7. Type the following commands to list the Active Directory domains in the Active Directory forest so that you can select the domain you wish to remove:
    select operation target
    list domains
  8. This outputs a list of domains in the forest, denoted by an identifier. Note down the identifier for the orphaned domain you want to remove.
  9. Type the following command in interactive mode to select the domain to remove:
    select domain <ID>
  10. Type the following command to exit the operation target selection context:
    quit
  11. Type the following command to remove the domain:
    remove selected domain
  12. Type the following command in interactive mode to exit the metadata cleanup context and then the NTDS utility itself:
    quit
    quit
  13. Close the Command Prompt window.

See also

To seize the FSMO roles, see the Managing FSMO roles recipe in Chapter 3, Managing Active Directory Roles and Features.

To configure domain controllers as global catalog servers, see the Managing global catalogs recipe in Chapter 3, Managing Active Directory Roles and Features.

You have been reading a chapter from
Active Directory Administration Cookbook, Second Edition - Second Edition
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime