
Forcibly Removing a Domain Controller

Summary

We ran into the need for this document when one of our client's servers was powered down non-gracefully. This caused the Active Directory database on that server to become corrupted. The domain controller was not the Primary Domain Controller and held no FSMO roles. The resulting problem was that the domain controllers were no longer replicating back and forth.

Solution

  1. Verify the domain controller (DC) does not hold the FSMO roles
    1. On the domain controller in question, open a command prompt and run the following command.
      i.   Netdom query fsmo
    2. In our case the result showed that all the FSMO roles were held by another server.

  2. Verify that you have communication errors between domain controllers
    1. On all the domain controllers, run the following commands from a command prompt.
      i.   Repadmin /syncall
      ii.  Repadmin /syncall /AePqd
    2. You should get errors showing that there are communication issues.

  3. Check the event logs for other errors that are logged
    1. We had Journal Wrap errors and File Replication errors.

  4. DC Promo the corrupt server (demote it)
    1. Verify that you have a local user name and password that you know, and that this user is a member of the local Administrators group.
    2. Run DCPROMO and demote this server.
    3. It should prompt you to reboot.
    4. Once rebooted, log into the server with the local admin user and password.
    5. Verify that the SYSVOL and NETLOGON shares are not present.

  5. Clean up Active Directory (done from a Server 2003 domain controller)
    1. Open ADSIEdit.msc.
      i.   If nothing appears on the left, do the following.
      ii.  Right-click ADSI Edit and select Connect to...
      iii. Click the radio button next to Select a well known naming context.
      iv.  For this exercise we will need both Default naming context and Configuration.
      v.   Click OK.
    2. Browse to Default naming context → DC=DOMAIN, DC=local
      i.   Then CN=Domain Controllers
        1. Delete any references to the corrupt DC here.
      ii.  Then CN=System → CN=File Replication Service → CN=Domain System Volume
        1. Delete any references to the corrupt DC here.
    3. Browse to Configuration → CN=Sites → CN=Default → CN=Servers
      1. Delete any reference to the corrupt DC here.

  6. Clean up DNS
    1. Go through DNS on all servers that have it installed and clean out any reference to the corrupt server and its IP address.
    2. Go through DNS and remove any references in the Name Servers as well.
    3. Run the following commands from a command prompt.
      i.   Ipconfig /flushdns
      ii.  Ipconfig /registerdns
      iii. Net stop netlogon
      iv.  Net start netlogon

  7. DC Promo the corrupt server (promote it again)
    1. On the DC that had the problem, join the computer to the domain and reboot.
    2. Run DCPROMO and add the server as an additional domain controller.
    3. Reboot as necessary.
    4. Log back in and make sure the SYSVOL and NETLOGON shares are present.

  8. Test the new configuration
    1. Repeat steps 1 - 3 and verify the problems have been resolved.
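The verification in steps 1 to 3 (and the re-test in step 8) can be scripted so the same checks are run the same way on every DC. The script below is an added example, not part of the original note; it assumes an elevated Windows PowerShell 5.1 prompt on a domain controller with netdom.exe and repadmin.exe available, and the name of the removed DC (OLDDC) is a placeholder.

```powershell
# Added example: re-run the diagnostic checks from steps 1-3 and flag any
# lingering reference to the DC that was removed. Not part of the original note.
param(
    # Placeholder: replace with the hostname of the DC that was demoted.
    [string]$RemovedDc = 'OLDDC'
)

Write-Host "== Step 1: FSMO role holders =="
$fsmo = netdom query fsmo
$fsmo
if ($fsmo -match [regex]::Escape($RemovedDc)) {
    Write-Warning "$RemovedDc still holds a FSMO role; transfer or seize the roles before removing it."
}

Write-Host "`n== Step 2: inbound replication status for every DC =="
# repadmin /showrepl * /csv emits one row per (destination, source, naming context);
# ConvertFrom-Csv turns it into objects we can filter on.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $failed |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time' |
        Format-Table -AutoSize
} else {
    Write-Host "No replication failures reported."
}
# After the ADSI Edit clean-up (step 5) the removed DC must not appear as a partner.
$stale = $rows | Where-Object {
    $_.'Source DSA' -like "*$RemovedDc*" -or $_.'Destination DSA' -like "*$RemovedDc*"
}
if ($stale) {
    Write-Warning "$RemovedDc still appears as a replication partner; the AD clean-up is incomplete."
}

Write-Host "`n== Step 3: FRS errors (journal wrap) in the last 7 days =="
# NtFrs event 13568 is the Journal Wrap error; Get-EventLog is Windows PowerShell 5.1 only.
Get-EventLog -LogName 'File Replication Service' -Source 'NtFrs' -EntryType Error `
             -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 13568 } |
    Select-Object TimeGenerated, EventID, MachineName, Message |
    Format-List
```

Run it once before the demotion to confirm the symptoms, and again after step 7; a clean run shows no failed rows, no warning about the removed DC, and no 13568 events.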