Recipe 2.2 Removing a Forest

2.2.1 Problem

You want to tear down a forest and decommission any domains contained within it because you no longer need it.

2.2.2 Solution

To remove a forest, you need to demote, using dcpromo, all the domain controllers in the forest. When you run dcpromo on an existing domain controller, you will be given the option to demote the machine to a member server. After that is completed and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domains unless they were automatically removed via WINS deregistration and dynamic DNS (DDNS) during demotion. The following commands can help determine if all entries have been removed:

> netsh wins server \\<WINSServerName> show name <ForestDNSName> 1c > nslookup <DomainControllerDNSName> > nslookup -type=SRV _ldap._tcp.gc._msdcs.<ForestDNSName> > nslookup <ForestDNSName>

You will also want to remove any trusts that have been established for the forest (see Recipe 2.22 for more details). For more information on how to demote a domain controller, see Recipe 3.3.

2.2.3 Discussion

The method described in the solution is the graceful way to tear down a forest. You can also use a brute force method to remove a forest by simply reinstalling the operating system on all domain controllers in the forest. This method is not recommended except in lab or test environments. The brute force method is not a clean way to do it because the domain controllers are unaware the forest is being removed and may generate errors until they are rebuilt. You'll also need to make sure any DNS resource records for the domain controllers are removed from your DNS servers since the domain controllers will not dynamically remove them like they do during the demotion process.

2.2.4 See Also

Recipe 2.19 for viewing the trusts for a domain, Recipe 2.22 for removing a trust, and Recipe 3.3 for demoting a domain controller