Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Removing an orphaned server from Active Directory

Posted on 2010-08-19
Medium Priority
Last Modified: 2012-05-10
Hello all,
I have a Windows 2003 R2 server that is failed in such a way that I cannot logon interactively (either at the console or via remote session) without a Blue Screen. However, it is otherwise operational in the background.
I have added a server and replicated the 5 roles to it and made it a global catalog. A different server is a working DNS replica.

My plan:
I will need to run a repair Windows server installation on the faulty server, rejoin it to the domain, and re-replicate the domain data.
However, I assume I will first need to remove this faulty server from the domain directory before rejoining after a reinstall. Since I cannot login interactively on the host, I cannot uninstall active directory services as would normally be done.

I've never removed an orphaned server and would like a little hand holding.

By the way, I have tape backups and a recent system state backup of the failed server, but the restores of either are what caused this issue of Blue Screens. I think there is a mismatched system file or something of the sort, which is why I feel reinstalling the OS (repairing the install) would be the best route. Since all the \Program Files and data are there, perhaps I can use the backed up software hive and be OK.

Any input appreciated.

Question by:ChrisHelvey
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 2

Accepted Solution

marektech earned 1000 total points
ID: 33475503
If you are talking about removing a failed domain controller, you say server, from a network then this article is a great resource:


Assisted Solution

Joshua1909 earned 1000 total points
ID: 33475740
This is one of the better articles I've seen on removing an orphaned DC:

Used it successfully recently myself.

Author Comment

ID: 33475777
Thanks, I'm following these instructions. (Though they are for Win 2008.)

"Seize naming master" returns with incorrect syntax. Called something else in this version?
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal


Author Comment

ID: 33475797
Got it "Seize Domain Naming Master"

Author Comment

ID: 33475976
I'm at the metadata cleanup part. I have no option for "list sites."
My domain is named indianawood.com
The bad server is named FPS02
The new replication server is named ADS2
I am at the console of ADS2 using NTDSutil and connected to controller ADS2
I have "Select Operation Target" as an option.

A little help? I'm nervous about what I am about to do. This server is currently operational as an AD controller. I suppose I should shut it off before the next step?
Am I forgetting anything else? I have operating DNS. DHCP is on the old server - I should try to write down that data from an MMC connection remotely as there are some reservations in there.

Expert Comment

ID: 33476099
So you have successfully seized all roles from the old domain controller. That's a good thing.

You can try using the metadata clean up instructions Joshua1909 posted - they are for 2003 if that helps. I can vouch for that guide too.

Anything like this should be done out of hours though as you don't want to affect users. As you mentioned things like DHCP if they are on the DC which is being removed will need to be reconfigured.

Author Comment

ID: 33476325
All roles are seized. I'll look at this guide as well. Thanks.

Author Comment

ID: 33476445
Do you think there will be an issue putting this back in the directory as the same name (FPS02?) Lots of things point to it that I do not want to reconfigure.

Author Comment

ID: 33476524
According to this article:
Perhaps I should just add it in as a member server, wait the 14 day period and then re-replicate. Not a problem for me to do that. I'm trying to anticipate what other problems I may run in to.

Anything else you can think of, let me have it.

Author Comment

ID: 33476614
I am going to do this now as I have a window of time to have it down.

So, just to make sure I am correct in this cleanup:
I am on the ADS2 box running metadata cleanup.
I am currently connected to ADS2.

I'm confused on the syntax. I want to remove FPS02 from the Directory for indianawood.com domain.
"Remove selected Server FPS02" should do it? or do I use "Select Operation Taget" and choose FPS02 first?

Author Comment

ID: 33477235
Found it: http://www.petri.co.il/fix_unsuccessful_demotion.htm 

I am waiting to do this to see how the reinstall goes. If I can use my saved config\software hive to make things like ZetaFax, shares, etc, work properly then I'll follow through with it. I made a copy of the \Windows directory using robocopy so if it all goes to hell, I could get back to this place and the active directory would be OK with it. Permissions might be a problem wth those things until I am rejoined anyway, so we'll see.  

Author Closing Comment

ID: 33496452
The referred documents by both posters were helpful, so I split the points.
In the end, I found a backup tape that worked in restoring the system state. Then I manually changed all the DNS entries to only use the restored server for domain authentication (by removing the name of the second one in all the records.) The main problem was an incompatibility between versions of NovaBackup. The trial version downloaded from the site imported my tape but would not show the system state as an option to restore. As a last ditch effore, I found enough of the original version to run and import. Voiala, it was there.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question