Recipe 15.3. Uninstalling Active Directory

Problem

You want to demote a domain controller or completely tear down a domain or forest because you no longer need it.

Solution

Do the following to demote a domain controller to be a member server:

  1. Run the dcpromo command from a command line or Start

    Click Next.

  2. If the server is the last domain controller in the domain, check the box beside This server is the last domain controller in the domain.

  3. Click Next.

  4. Type and confirm the password for the local Administrator account.

  5. Click Next twice to begin the demotion.

If you want to completely remove a domain, you have to demote each domain controller in the domain, which is accomplished by running dcpromo on the domain controllers and following the steps outlined above. For the last domain controller in the domain, be sure to select This server is the last domain controller in the domain in the dcpromo wizard so that the objects associated with the domain get removed.

If the domain you want to remove has subdomains, you must remove the subdomains before proceeding.


After all domain controllers have been demoted, and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domain, unless they were automatically removed via WINS deregistration and DDNS during the demotion process. The following commands can help determine if all entries have been removed:

> netsh wins server \\<WINSServerName> show name <NetbiosName> 1c
> nslookup <DomainControllerName>
> nslookup -type=SRV _ldap._tcp.dc._msdcs.<DomainDNSName>
> nslookup <DomainDNSName>
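The DNS part of the check above can be scripted so that leftover records naming the demoted server are listed explicitly. This is an added example, not code from the book. It assumes an administrative workstation with the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Windows Server 2012 or later); the host and domain names are constructed placeholders, and the WINS check is not covered.

```powershell
# Added example: look for DNS records that still point at a demoted DC.
# The default names below are constructed placeholders, not values from the book.
param(
    [string]$DemotedDc     = 'dc02.corp.example.com',
    [string]$DomainDnsName = 'corp.example.com',
    [string]$DnsServer     = ''    # optional: query one specific DNS server
)

function Get-StaleDcRecord {
    param([string]$DemotedDc, [string]$DomainDnsName, [string]$DnsServer)

    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }
    $dcFqdn = $DemotedDc.TrimEnd('.')

    # DC locator SRV records. The recipe checks the first; the other two are
    # standard locator names added here for wider coverage.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$DomainDnsName",
        "_kerberos._tcp.dc._msdcs.$DomainDnsName",
        "_ldap._tcp.pdc._msdcs.$DomainDnsName"
    )
    foreach ($name in $srvNames) {
        Resolve-DnsName -Name $name -Type SRV @common |
            Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -ieq $dcFqdn } |
            ForEach-Object { [pscustomobject]@{ Record = $name; Type = 'SRV'; Data = $_.NameTarget } }
    }

    # A demoted server that stays on as a member server keeps its own host record,
    # so that record is only used to learn its addresses.
    $dcAddrs = @(Resolve-DnsName -Name $dcFqdn -Type A @common |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # Domain controllers also register their address under the domain name itself.
    Resolve-DnsName -Name $DomainDnsName -Type A @common |
        Where-Object { $_.Type -eq 'A' -and $dcAddrs -contains $_.IPAddress } |
        ForEach-Object { [pscustomobject]@{ Record = $DomainDnsName; Type = 'A'; Data = $_.IPAddress } }
}

$stale = @(Get-StaleDcRecord -DemotedDc $DemotedDc -DomainDnsName $DomainDnsName -DnsServer $DnsServer)
if ($stale.Count -eq 0) {
    Write-Output "No DNS records still reference $DemotedDc."
} else {
    $stale | Format-Table -AutoSize
    exit 1
}
```

Run it against each DNS server that hosts the zone by passing -DnsServer, since a record deleted on one server may not yet have replicated to the others.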

You will also want to remove any trusts that have been established for the domain (see Recipe 15.20 for more details).

To remove a forest, you need to follow this process for all domains in that forest.

Discussion

Before you demote a domain controller, ensure that all of the FSMO roles have been transferred to other servers (see Recipe 15.19); otherwise, they will be transferred to random domain controllers as part of the demotion process, which may not be optimal for your installation. Also, if the server is a global catalog, ensure that other global catalog servers exist in the forest and can handle the load. If the DC was also a DNS server, make sure clients are pointed to an alternate server.

It is important to demote a server before decommissioning or rebuilding it so that its associated objects in Active Directory are removed, its DNS locator resource records are dynamically removed, and replication with the other domain controllers is not interrupted. If a domain controller does not successfully demote, or if you do not get the chance to demote it because of failed hardware, see MS KB 216498 for manually removing a domain controller from Active Directory. With Windows Server 2003, there is a new dcpromo command-line option called /forceremoval that provides a cleaner way to forcefully remove a broken domain controller from Active Directory. See MS KB 332199 for more information.

You can use a brute force method to remove a forest by simply reinstalling the operating system on all domain controllers in the forest. This method is not recommended except in lab or test environments. The brute force method is not a clean way to do it because the domain controllers are unaware the forest is being removed and may generate errors until they are rebuilt. You'll also need to make sure any DNS resource records for the domain controllers are removed from your DNS servers, since the domain controllers will not dynamically remove them as they do during the demotion process.

The "brute force" method for removing a forest is also messy because it leaves all the domain controller and server objects, along with the domain object and associated domain naming context in the forest. If you use that approach you will eventually see a bunch of replication and NTFRS errors in the event log from failed replication events. If this happens to you, see MS KB 230306 for how to remove an orphaned domain.

See Also

Recipe 15.20, MS KB 216498 (HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion), MS KB 230306 (HOW TO: Remove Orphaned Domains from Active Directory), MS KB 238369 (HOW TO: Promote and Demote Domain Controllers in Windows 2000), MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed), MS KB 307304 (HOW TO: Remove Active Directory with the Dcpromo Tool in Windows 2000), and MS KB 332199 (Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
