Solved

How do you forcibly remove a DC ?

Posted on 2014-02-04
3
274 Views
Last Modified: 2014-03-07
Hi guys

Can you tell me your procedure of removing a DC ? I'm pretty sure there can be a situation when its not possible to even power on a DC - broken mobo for example - and every serious admin should have a ready plan for that scenario.

I'm talking about an environment where the highest ver of Win Server is 2008 R2.

Here is what I would do:

1. change IP settings of other DC(s) so they don't point to that failed DC for DNS.
2. Seize roles if it was FSMO role holder
3. clear DNS of any IP addresses of failed DC
4. remove DC object from users and computers
5. Set a different DC as a time server if necessary.

Is there anything you would change, skip, add ?

Please let me know. Unfortunately, as always - I need to add that I'm only interested in first hand experience.
0
Comment
Question by:tp-it-team
3 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 166 total points
ID: 39833290
In addition to what you have, see this KB:

http://support.microsoft.com/kb/555846/en-us
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 167 total points
ID: 39833301
The above is basically what you need to do. If the other suggestions i would have is ensure that there are no SRV records present anywhere under the _msdcs folder under your internal domain zone. If you see any IP's in there you should simply delete them.

Make sure that Sites and Services have the correct replication partners as well once you have removed the domain. If the computer objects still reside in there you can delete those as well.

You only need to perform a metadata cleanup when the DC has had any roles assigned to it. If the DC fails and there are no roles assigned at that time you can just delete the computer object (if you are at a 2008 level). 2003 will require a metadata cleanup.

Metadata Cleanup

Will.
0
 
LVL 9

Assisted Solution

by:rawinnlnx9
rawinnlnx9 earned 167 total points
ID: 39833307
I just did this very thing.

http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm 
http://www.petri.co.il/transferring_fsmo_roles.htm
http://www.petri.co.il/determining_fsmo_role_holders.htm
http://www.petri.co.il/configure_a_new_global_catalog.htm

At the end on your new PDC run dcdiag and make sure everything passes. If anything fails google and the solutions are usually simple.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question