Removing a Broken Domain Controller


In the process of upgrading to Windows 2008 R2 domains, I normally shut down the
older 2003 servers for a week, to validate that nothing important remains on
them, before demoting them from domain controllers to member servers. This
process works great as long as one remembers to turn these shut-down servers back
on and demote them before they tombstone. Unless you have changed the setting,
the default tombstone time is 60 days. But sometimes people get busy, so what
should be done if a shut-down DC has already been tombstoned? How do you clean up
the resulting mess without resorting to unnecessarily resyncing it with the
domain?

Well, recently I had to remove a shut-down DC because it had been deleted before
it could be demoted. Obviously, I did not want to restore it from backups, as I
had no actual use for it. But the domain and forest functional levels could not be
raised as long as the new 2008 R2 server thought there was a 2003 DC in the domain.

Here are the steps that worked for me:

  1. Validate the Sites and Services settings:
    • Log in to a domain controller (DC) with administrative rights.
    • Run Administrative Tools | Active Directory Sites and Services.
    • Expand the various sites until you see the shut-down DC (DC3 in our example).
    • Note the exact name of the shut-down DC and its site name.
  2. Run ntdsutil at the DOS prompt:
    • Open a DOS window with administrative rights (Run As Administrator).
    • Type: ntdsutil
  3. Remove the shut-down DC:
    • Type: metadata cleanup
    • Type: connections
    • Type: connect to server SERVER-NAME
      (Note: in my example screen shot, DC1 and DC2 are valid server names; use a
      DC that is still running, never the one you are removing.)
    • Type: quit
    • Type: select operation target
    • Type: list domains
    • Type: select domain 0
      (Note: if you have only one domain, this is correct. For more than one domain,
      select the matching number from the listing.)
    • Type: list sites
    • Type: select site 0
      (Note: if you are using the default site, this is correct. For more than one
      site, select the matching number from the listing.)
    • Type: list servers in site
    • Type: select server SERVER-NUMBER
      (Note: in my example the number was 3, but yours will differ.)
    • Type: quit
    • Type: remove selected server
    • Respond to the popup by clicking the “Yes” button.
    • Quit ntdsutil and exit from the DOS prompt.
  4. Remove the DC from Sites and Services:
    • Run Administrative Tools | Active Directory Sites and Services.
    • Expand the site name you jotted down in step 1.
    • Highlight the shut-down DC, right-click, and select the Delete menu item.
    • Respond positively to any confirmation prompts.
    • Validate that the shut-down DC is no longer listed in the active list of domain
      controllers.

Now, if you are removing the last DC in the site, you will need to use ADSI Edit
to remove the site. This was not my case, as I already had two perfectly good
2008 R2 servers in my default site. Refer to Microsoft’s article
http://support.microsoft.com/kb/216498 for more information about this necessity.

Finally, you should follow the steps already documented in a previous blog post to
remove this defunct server from the list of active name servers; see
https://www.orionscache.com/2012/01/incorrect-name-servers-can-make-the-network-crawl/
for more information.
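The ntdsutil steps above and the name-server cleanup both leave you wanting one final check that nothing still refers to the dead DC. The following PowerShell script is an added example, not part of the original post: it assumes the RSAT ActiveDirectory and DnsServer modules are available, that it runs on a surviving DC that also hosts the domain DNS zone, and that the removed DC's short name (DC3 in the post) is passed as a parameter.

```powershell
# Added example: verify that no AD or DNS references to a removed DC remain.
# Assumes RSAT ActiveDirectory/DnsServer modules; run on a surviving DC.
param([Parameter(Mandatory)][string]$DcName)   # e.g. DC3 (constructed example)

Import-Module ActiveDirectory
Import-Module DnsServer -ErrorAction SilentlyContinue

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# 1. Is it still registered as a domain controller at all?
if (Get-ADDomainController -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue) {
    $findings += "still listed as a domain controller (Get-ADDomainController)"
}

# 2. Server object and NTDS Settings under CN=Sites (what Sites and Services shows)
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                       -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
if ($server) {
    $findings += "server object remains: $($server.DistinguishedName)"
    if (Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)") {
        $findings += "NTDS Settings object remains; metadata cleanup did not complete"
    }
}

# 3. Computer account still sitting in the Domain Controllers OU
if (Get-ADComputer -Filter "Name -eq '$DcName'" -SearchBase $domain.DomainControllersContainer) {
    $findings += "computer account remains in $($domain.DomainControllersContainer)"
}

# 4. No FSMO role may point at a DC that no longer exists
$roles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
            PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster }
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$DcName.*") { $findings += "$($r.Key) role still held by $($r.Value)" }
}

# 5. DNS: a stale NS record keeps clients retrying a server that is gone
if (Get-Command Get-DnsServerResourceRecord -ErrorAction SilentlyContinue) {
    $ns = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordData.NameServer -like "$DcName.*" }
    if ($ns) { $findings += "NS record for $DcName still present in zone $($domain.DNSRoot)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "No remaining references to $DcName found."
```

A non-zero exit with one or more warnings tells you which of the steps above (or the name-server cleanup) still needs attention before raising the functional levels.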