You cannot simply remove a domain controller (DC) from an existing domain structure, since the information about it will remain in Active Directory. The process known as demotion allows you to properly remove Active Directory from a DC and automatically update all related directory information (if this DC is not the last one in the forest). If the DC is corrupted or has failed, and you cannot successfully perform this operation, you must manually clean up Active Directory (see Chapter 10, "Diagnosing and Maintaining Domain Controllers").
After removing Active Directory, the last DC in any domain becomes a standalone server that belongs to a workgroup named WORKGROUP. If a DC is not the last controller, it becomes a member server in the same domain. The DNS suffix of the computer is not changed in either case.
As during Active Directory installation, the other domains (parent or root) must be accessible; otherwise, the demotion will not start. Active Directory cannot be removed if replication of directory partitions from the demoted server to other DCs fails. If the demoted DC is an operations master, you should also consider transferring the FSMO roles to other servers beforehand. Otherwise, the system itself will try to find appropriate candidates for these roles.
If the last DC in a domain is demoted, this means the removal of the entire domain. You can only delete a leaf domain, i.e., a domain that has no child domains and is not the forest root domain (which can only be deleted last).
A Windows .NET domain controller cannot be demoted if it stores the last replica of one or more application directory partitions. You should first either delete these partitions manually or allow the Active Directory Installation Wizard to remove them.
To remove Active Directory from a DC, start the Active Directory Installation Wizard.
You may get the message shown in Fig. 5.8.
Fig. 5.8: Do not delete the last Global Catalog server without creating another GC server
Make sure that another GC server exists in the forest. If necessary, designate a new GC server, wait until it is advertised, and only then continue the demotion process.
On the next step of the Active Directory Installation Wizard you must set or clear the "This server is the last domain controller in the domain" flag. To delete the last DC in a child domain (i.e., to delete this child domain) or in a tree root domain (i.e., to delete the tree), you must provide the credentials of a member of the Enterprise Admins group. To delete the last DC in a forest (i.e., to destroy the entire forest), you must be logged on as the local administrator or as a member of the Domain Admins group. To delete an additional DC, it is sufficient to be logged on as a member of the Domain Admins group.
If the demoted DC runs Windows .NET and stores the last replica of one or more application directory partitions, you need to delete these partitions manually (by using the NTDSutil.exe or DnsCmd.exe utilities). If the DC holds one or more last partition replicas, you will see a window similar to that shown in Fig. 5.9. In such a case, the system itself can completely remove all of these partitions if you set the "Delete all application directory partitions on this domain controller" checkbox on the wizard's next page. Otherwise, the demotion will be stopped.
Fig. 5.9: Deleting application directory partitions
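The conditions described above (last DC in the domain, last Global Catalog, FSMO roles held, last replica of an application directory partition) can all be checked before the wizard is started. The following PowerShell script is an added example and is not part of the book or of the wizard; it uses the .NET System.DirectoryServices.ActiveDirectory classes, which are available on any Windows Server with the .NET Framework 2.0 or later. It assumes it is run from a domain-joined machine with read access to the directory, that the hypothetical parameter $DcName is the DNS host name of the DC you intend to demote, and it only reports findings; it does not transfer roles or delete partitions.

```powershell
# Pre-demotion readiness report for one domain controller.
# Added example (not the book's code). Assumes read access to Active Directory
# and that $DcName is the FQDN of the DC that is about to be demoted.
param(
    [Parameter(Mandatory = $true)]
    [string]$DcName
)

Add-Type -AssemblyName System.DirectoryServices

# Bind to the forest and domain through the target DC itself, so the report is
# about the DC's own domain even if the script runs elsewhere in the forest.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

$target   = $DcName.ToLower()
$warnings = @()

# 1. Last DC in the domain? Then demotion deletes the domain itself, which is
#    only possible for a leaf domain (no child domains, not the forest root).
$otherDcs = @($domain.DomainControllers | Where-Object { $_.Name.ToLower() -ne $target })
if ($otherDcs.Count -eq 0) {
    $warnings += "$DcName is the last DC in $($domain.Name): demotion removes the whole domain."
    if ($domain.Children.Count -gt 0) {
        $warnings += "$($domain.Name) still has child domains; those must be removed first."
    }
    if ($domain.Name -eq $forest.RootDomain.Name -and $forest.Domains.Count -gt 1) {
        $warnings += "$($domain.Name) is the forest root domain; it can only be removed last."
    }
}

# 2. Global Catalog: never remove the last GC before another one is advertised.
$otherGcs = @($forest.GlobalCatalogs | Where-Object { $_.Name.ToLower() -ne $target })
if ($otherGcs.Count -eq 0) {
    $warnings += "$DcName is the only Global Catalog in the forest; designate another GC first."
}

# 3. Operations master (FSMO) roles: the wizard can reassign them, but
#    transferring them deliberately beforehand is the safer choice.
$roles = @{
    'Schema master'         = $forest.SchemaRoleOwner.Name
    'Domain naming master'  = $forest.NamingRoleOwner.Name
    'PDC emulator'          = $domain.PdcRoleOwner.Name
    'RID master'            = $domain.RidRoleOwner.Name
    'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    if ($roles[$role].ToLower() -eq $target) {
        $warnings += "$DcName holds the $role role; transfer it before demoting."
    }
}

# 4. Application directory partitions: a DC that holds the last replica of a
#    partition cannot be demoted until that partition is deleted.
foreach ($part in $forest.ApplicationPartitions) {
    $replicas = @($part.DirectoryServers | ForEach-Object { $_.Name.ToLower() })
    if ($replicas.Count -eq 1 -and $replicas[0] -eq $target) {
        $warnings += "$DcName holds the last replica of application partition $($part.Name)."
    }
}

if ($warnings.Count -eq 0) {
    Write-Output "No blocking conditions found for demoting $DcName."
} else {
    Write-Output "Review before demoting ${DcName}:"
    $warnings | ForEach-Object { Write-Output " - $_" }
}
```

Run it as `.\Check-Demotion.ps1 -DcName dc2.child.example.com` (a constructed name) on the DC itself or on any member of the forest. Each warning maps to one of the wizard's stopping points: an empty report means the demotion should proceed without the dialogs in Figs. 5.8 and 5.9, while a non-empty one tells you which preparatory step (new GC, role transfer, partition removal with NTDSutil.exe or DnsCmd.exe, child domain removal) is still outstanding.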
When Active Directory has been deleted from a DC and the demotion process has been completed (after the server reboot), all corresponding DNS records (the domain controller's records, the subdomains whose names start with "_", or an entire authoritative zone) will be deleted from the preferred DNS server (provided, of course, that the server allows dynamic registration), and the netlogon.dns file will be cleared.