To demote a domain controller
Tool: dcpromo
Caution
Before you complete this procedure, verify that this domain controller is not the only global catalog and that it does not hold an operations master role.

If this domain controller is a global catalog, ensure that another global catalog is available to users before demoting it. For information about configuring domain controllers to host the global catalog, see Related Topics.

If this domain controller currently holds one or more operations master roles, transfer the operations master roles to another domain controller before demoting it.

If this domain controller is the last domain controller in the domain, demoting it will remove this domain from the forest. If this is the last domain in the forest, demoting this domain controller will also delete the forest.

If this domain controller holds the last replica of one or more application directory partitions, you must first remove those replicas from this domain controller before you can demote it. You can use the Active Directory Installation Wizard to remove all application directory partition replicas from this domain controller, or you can remove them manually using the Ntdsutil command-line tool.
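The following PowerShell script is an added example (not part of the original page) that checks the four conditions in the Caution above before you run dcpromo. It assumes the ActiveDirectory RSAT module is installed and uses 'ad02' as a hypothetical DC name.

```powershell
# Added example (not from the original page): pre-demotion check covering the Caution above.
# Assumes the ActiveDirectory RSAT module; 'ad02' is a hypothetical DC name.
# Run from an administrative PowerShell session on a domain member.
Import-Module ActiveDirectory

function Test-DemotionReadiness {
    param([Parameter(Mandatory)][string]$DcName)

    $dc       = Get-ADDomainController -Identity $DcName
    $forest   = Get-ADForest
    $domain   = Get-ADDomain -Identity $dc.Domain
    $blockers = @()

    # 1. Operations master (FSMO) roles must be transferred before demotion.
    if (@($dc.OperationMasterRoles).Count -gt 0) {
        $blockers += "Holds operations master roles: $($dc.OperationMasterRoles -join ', ')"
    }

    # 2. It must not be the only global catalog in the forest.
    $otherGcs = @($forest.GlobalCatalogs | Where-Object { $_ -ne $dc.HostName })
    if ($dc.IsGlobalCatalog -and $otherGcs.Count -eq 0) {
        $blockers += 'Only global catalog in the forest'
    }

    # 3. Last DC in the domain: demotion deletes the domain (and the forest if it is the last domain).
    $otherDcs = @($domain.ReplicaDirectoryServers | Where-Object { $_ -ne $dc.HostName })
    if ($otherDcs.Count -eq 0) {
        $blockers += "Last writable domain controller in $($domain.DNSRoot)"
    }

    # 4. Application directory partitions whose only replica is here must be removed first.
    #    (Get-ADDomainController -Filter * only sees this domain's DCs; extend for multi-domain forests.)
    $allDcs = Get-ADDomainController -Filter *
    foreach ($p in $forest.ApplicationPartitions) {
        if ($dc.Partitions -contains $p) {
            $replicas = @($allDcs | Where-Object { $_.Partitions -contains $p })
            if ($replicas.Count -le 1) { $blockers += "Last replica of application partition $p" }
        }
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        ReadyToDemote    = ($blockers.Count -eq 0)
        Blockers         = $blockers
    }
}

Test-DemotionReadiness -DcName 'ad02'
```

An empty Blockers list means the normal dcpromo demotion can proceed; any entry names the prerequisite that still has to be handled.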
Forced removal
Reason
Forced removal of a domain controller from Active Directory is intended to be used as a last resort, to avoid having to reinstall the operating system on a domain controller that has failed and cannot be recovered. When a domain controller can no longer function in a domain (that is, it is offline), you cannot remove Active Directory in the normal way, which requires connectivity to the domain. Forced removal is not intended to replace the normal Active Directory removal procedure in any way. It is virtually equivalent to permanently disconnecting the domain controller.

Metadata
Active Directory stores a considerable amount of metadata about a domain controller. During the normal process of uninstalling Active Directory on a domain controller, this metadata is removed from Active Directory through a connection to another domain controller in the domain. A forced removal assumes that there is no connectivity to the domain; therefore, it does not attempt any metadata removal (cleanup).
Task Requirements
The following tools are required to perform the procedures for this task:
- Active Directory Sites and Services
- Dcpromo.exe
- Ntdsutil.exe
==============================
Active Directory Sites and Services
==============================
Open Active Directory Sites and Services.
Expand the Servers folder to display the list of servers in that site.
Double-click NTDS Settings to display the list of Connection objects in the details pane (these represent inbound connections used for replication).
==============================
To force domain controller removal
==============================
Click Start, click Run, type the following command and then press ENTER:
Dcpromo /forceremoval
This procedure is required only for Active Directory domain controllers that were not successfully demoted using Dcpromo.
==============================
Clean up server metadata
==============================
This procedure does not have to be performed for domain member servers or client computers.
On a domain controller that is running Windows Server 2003 with Service Pack 1 (SP1), metadata cleanup also removes File Replication Service (FRS) connections and attempts to transfer or seize any operations master roles (also known as flexible single master operations or FSMO roles) that the retired domain controller holds. These additional processes are performed automatically.
<1> Remove the server
ntdsutil
metadata cleanup
remove selected server <ServerName>
At this point, Active Directory confirms that the domain controller was removed successfully.
If you receive an error message that indicates that the object cannot be found, Active Directory might have already removed the domain controller.
<2> To verify that the server was removed
At the select operation target prompt, type list servers in site and confirm that the server is no longer listed.
Forced removal - Server 2012 R2
First verify that all operations master roles in the existing AD are accounted for:
netdom query fsmo
Schema master           ad01.mydomain.local
Domain naming master    ad01.mydomain.local
PDC                     ad01.mydomain.local
RID pool manager        ad01.mydomain.local
Infrastructure master   ad01.mydomain.local
The command completed successfully.
To find only the global catalog servers in a site
CLI
# dsquery server with the -isgc option; -domain takes the DNS name of the domain, not of a server
dsquery server -isgc -domain "mydomain.local"
Output:
"CN=ad01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local"
"CN=ad02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local"
GUI
Active Directory Sites and Services > Expand "Sites", expand the "Servers" container, then expand the server object >
Right-click the "NTDS Settings" object, and then click Properties (the Global Catalog check box shows whether the server is a GC).
Manually Removing A Domain Controller Server
[1] Server Manager > Tools > Active Directory Users and Computers > Domain > Domain Controllers
    Right-click the DC you need to remove manually and click Delete.
    In the next dialog box, select "This Domain Controller is permanently offline..." and click Delete.
[2] Server Manager > Tools > Active Directory Sites and Services > Expand "Sites" >
    Expand "Default-First-Site-Name" > Expand "Servers" > Right-click the server & Delete.
[3] Clean up the dead DC's DNS records under
    _gc _kerberos _ldap
[4] Check replication health
CMD >
Repadmin /replsummary
Repadmin /Queue
Repadmin /Showrepl
Repadmin /syncall
Repadmin /KCC
Repadmin /replicate TargetDC SourceDC <NamingContext>   # starts replication immediately
dcdiag
dcdiag /fix
Server 2003
Method 1: dcpromo
Before you complete this procedure,
verify that this domain controller is not the only global catalog and that it does not hold an operations master role.
Method 2: GUI
1. Delete the DC in Active Directory Users and Computers -> Domain Controllers OU
2. Delete the server object in Active Directory Sites and Services
3. DNS records
   Entries at Forward Lookup Zones:
     <DC Server Name>           (Host A)   <IP Address of the dead Domain Controller>
     (same as parent folder)    (Host A)   <IP Address of the dead Domain Controller>
   At Reverse Lookup Zones:
     <IP Address of the dead Domain Controller>   Pointer (PTR)   <mydomain.com>
4. Use "ADSIEdit" to remove old computer records from the Active Directory:
   a. OU=Domain Controllers,DC=domain,DC=local
   b. CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
   c. CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local
5. Force Active Directory replication by using the "Repadmin.exe" tool
Method 3: ntdsutil - Windows 2000 (All versions)
ntdsutil
metadata cleanup
connections
connect to server ServerName        # a working domain controller, not the one being removed
quit
select operation target
list domains
  Found 1 domain(s)
  0 - DC=mydomain,DC=local
select domain <NUM>
list sites
select site <NUM>
list servers in site
select server <NUM>                 # <NUM> associated with the server you want to remove
quit
remove selected server
# Now that the NTDS Settings object has been deleted, clean up DNS:
DNS
In the _msdcs container, right-click the cname, and then click Delete.
Remove the reference to this DC under the Name Servers tab.
"DSA object cannot be deleted."
The Dcpromo.exe demotion process must delete NTDS Settings from a server.
However, the Dcpromo.exe process may not delete NTDS Settings even if connection objects are deleted.
If you have multiple domain controllers, the Active Directory replication process may not delete NTDS Settings from this domain controller.
adsiedit.msc install:
* Server 2003 CD: open the Support\Tools folder and double-click Suptools.msi (installs to C:\Program Files\Support Tools\adsiedit.msc)
* 2000 Server CD: open the Support\Tools folder and double-click Setup.exe
Use ADSIEdit to delete the computer account
Expand the Domain NC container.
Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
Expand OU=Domain Controllers.
Right-click CN=domain controller name, and then click Delete.
Use ADSIEdit to delete the FRS member object
Expand the Domain NC container.
Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
Expand CN=System.
Expand CN=File Replication Service.
Expand CN=Domain System Volume (SYSVOL share).
Right-click the domain controller you are removing, and then click Delete.
In summary, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller itself.
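The following PowerShell script is an added example (not part of the original page) that audits for the leftovers listed in the manual removal steps [1]-[3] and the ADSIEdit/DNS sections above, so you can confirm a forced removal was fully cleaned up. It assumes the ActiveDirectory and DnsServer RSAT modules; 'ad02' and 'mydomain.local' are the page's own placeholder names, and the DNS server defaulting to the local machine is an assumption.

```powershell
# Added example (not from the original page): audit for stale metadata left behind by a dead DC.
# Assumes the ActiveDirectory and DnsServer RSAT modules; 'ad02' / 'mydomain.local' are placeholder
# names from the page, and the DNS server defaults to the local machine (an assumption).
Import-Module ActiveDirectory
Import-Module DnsServer

function Find-StaleDcMetadata {
    param(
        [Parameter(Mandatory)][string]$DcName,    # short name, e.g. ad02
        [Parameter(Mandatory)][string]$DnsRoot,   # e.g. mydomain.local
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $domainDn = (Get-ADDomain -Identity $DnsRoot).DistinguishedName
    $configDn = (Get-ADRootDSE).configurationNamingContext
    $findings = @()

    # Computer account in the Domain Controllers OU
    $comp = Get-ADObject -LDAPFilter "(&(objectClass=computer)(cn=$DcName))" `
                         -SearchBase "OU=Domain Controllers,$domainDn"
    if ($comp) { $findings += "Computer object: $($comp.DistinguishedName)" }

    # Server object under CN=Sites and its NTDS Settings child (the DSA object)
    $srv = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -SearchBase "CN=Sites,$configDn"
    if ($srv) {
        $findings += "Server object: $($srv.DistinguishedName)"
        $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName
        if ($ntds) { $findings += "NTDS Settings (DSA) still present: $($ntds.DistinguishedName)" }
    }

    # FRS member object under the SYSVOL replica set
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
    $frs = Get-ADObject -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" -SearchBase $frsBase -ErrorAction SilentlyContinue
    if ($frs) { $findings += "FRS member object: $($frs.DistinguishedName)" }

    # Host (A) record, and the DSA GUID CNAME in the _msdcs zone (assumed to be a separate zone) pointing at this DC
    $a = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsRoot -RRType A -Name $DcName -ErrorAction SilentlyContinue
    if ($a) { $findings += "A record: $DcName.$DnsRoot -> $($a.RecordData.IPv4Address)" }
    $cnames = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$DnsRoot" -RRType CName -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordData.HostNameAlias -like "$DcName.$DnsRoot*" }
    foreach ($c in $cnames) { $findings += "_msdcs CNAME: $($c.HostName) -> $($c.RecordData.HostNameAlias)" }

    return $findings   # an empty array means no stale metadata was found
}

Find-StaleDcMetadata -DcName 'ad02' -DnsRoot 'mydomain.local'
```

Each finding is a distinguished name or DNS record that the manual steps above would still need to delete; run it again after ntdsutil or ADSIEdit cleanup and after replication has converged.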