Uninstalling Active Directory

Before you demote a domain controller, make sure that every FSMO role it holds has been transferred to another server; otherwise dcpromo will transfer them to whichever domain controller it selects during the demotion, which may not be the placement you want. If the server is a global catalog, confirm that other global catalog servers exist in the forest and can absorb its load. If the domain controller was also a DNS server, make sure clients (and any DHCP scopes handing out its address) point at an alternate DNS server before you start.
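The checks above, collected into one script, as an added example rather than anything from the original text. It assumes the RSAT ActiveDirectory module, that the script runs as a domain administrator, and that the server to be demoted (the hypothetical name DC2.example.com) belongs to the domain you are logged on to; the FSMO holders come from Get-ADForest and Get-ADDomain, which report them as FQDNs.

```powershell
# Added example: confirm a domain controller is safe to demote.
# Assumes the RSAT ActiveDirectory module; $Target is a hypothetical name and
# must be a DC in the current logon domain (Get-ADDomain reports that domain's roles).
param([string]$Target = 'DC2.example.com')
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$problems = @()

# 1. FSMO roles: the target must not hold any of the five when demotion starts.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ieq $Target) {
        $problems += "$Target still holds the $($r.Key) role; transfer it first."
    }
}

# 2. Global catalog: at least one other GC must remain in the forest.
$otherGCs = @($forest.GlobalCatalogs | Where-Object { $_ -ine $Target })
if ($otherGCs.Count -eq 0) {
    $problems += "$Target is the only global catalog in the forest."
}

# 3. DNS: if the DNS Server service runs on the target, clients that list only
#    this address lose name resolution the moment it is demoted.
$dnsSvc = Get-Service -ComputerName $Target -Name DNS -ErrorAction SilentlyContinue
if ($dnsSvc -and $dnsSvc.Status -eq 'Running') {
    $problems += "$Target runs the DNS Server service; repoint clients and DHCP option 006 first."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK to demote $Target"
```

Run it from any domain-joined admin workstation before opening dcpromo; a non-zero exit means at least one of the three preconditions is not met.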

It is important to demote a server before decommissioning or rebuilding it so that its associated objects in Active Directory are removed, its DNS locator resource records are dynamically deregistered, and replication with the other domain controllers is not disrupted by a partner that has silently vanished. If a domain controller does not demote successfully, or you never get the chance to demote it because its hardware failed, see MS KB 216498 for manually removing a domain controller from Active Directory. Windows Server 2003 adds a dcpromo command-line option, /forceremoval, that gives you a cleaner way to forcefully demote a broken domain controller; see MS KB 332199 for details. Note that a forced removal skips the normal cleanup, so you still have to remove the server's metadata from a surviving domain controller (the KB 216498 procedure) and seize any FSMO roles it held.
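The forced-removal path end to end, as an added example and not the page's own steps: the first command runs on the broken domain controller if it still boots, the rest on a healthy domain controller. The server name DC2, the site Default-First-Site-Name, the domain DC=example,DC=com and the surviving DC DC1.example.com are all placeholders; substitute the distinguished name of the dead server's object under the Sites container.

```powershell
# Added example: force-demote a broken DC, then clean up after it from a surviving DC.
# DC2, DC1.example.com, Default-First-Site-Name and DC=example,DC=com are placeholders.

# (a) On the broken DC, if it still boots (Windows Server 2003 and later).
#     /forceremoval does not replicate or clean up, so the rest of the forest
#     still believes DC2 exists afterwards; (b) and (c) are mandatory follow-ups.
dcpromo /forceremoval

# (b) On a healthy DC: remove the stale server and NTDS Settings objects. This is
#     the interactive walk-through in KB 216498; ntdsutil also accepts the same
#     commands as arguments (Windows Server 2003 SP1 and later).
$serverDN = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# (c) Any FSMO role the dead DC held must be seized (it cannot be transferred
#     from a DC that no longer exists). RID master shown; the same form works for
#     "PDC", "schema master", "naming master" and "infrastructure master".
ntdsutil roles connections "connect to server DC1.example.com" quit "seize RID master" quit quit

# Still left for you after this: the DC's computer account under Domain Controllers
# (and its child objects), its DNS host and SRV records, and its WINS registrations.
```

Seizing a role prompts for confirmation and should be done only when the old holder will never come back online; bringing it back after a seizure produces two DCs that each believe they own the role.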

You can also use a brute force method to remove a forest: simply reinstall the operating system on every domain controller in the forest. This is not recommended outside lab or test environments. It is not a clean approach because the domain controllers are unaware that the forest is being removed and may log errors until they are rebuilt. You will also need to remove the DNS resource records for the domain controllers from your DNS servers yourself, since the domain controllers will not dynamically deregister them as they do during a proper demotion.

The brute force method is also messy because it leaves all of the domain controller and server objects, along with the domain object and its domain naming context, in the forest. If you take that approach you will eventually see a stream of replication and NTFRS errors in the event logs from failed replication attempts. If this happens to you, see MS KB 230306 for how to remove an orphaned domain.

Do the following to demote a domain controller to be a member server:

  1. Run the dcpromo command from a command prompt or from the Start menu's Run dialog.
  2. Click Next.
  3. If the server is the last domain controller in the domain, check the box beside This server is the last domain controller in the domain.
  4. Click Next.
  5. Type and confirm the password for the local Administrator account.
  6. Click Next twice to begin the demotion.

If you want to remove a domain completely, you have to demote each domain controller in the domain by running dcpromo on each one and following the steps outlined above. For the last domain controller in the domain, be sure to check This server is the last domain controller in the domain in the dcpromo wizard so that the domain's objects and naming context are removed from the forest; because this deletes the domain, the wizard will prompt for credentials of a member of Enterprise Admins.

If the domain you want to remove has subdomains, you must remove the subdomains before proceeding.

After all domain controllers have been demoted, and depending on how your environment is configured, you may still need to remove WINS and DNS entries that were associated with the domain controllers and the domain, unless they were automatically removed via WINS deregistration and dynamic DNS updates during the demotion process. The following commands help you confirm that nothing is left behind (the angle-bracketed names are placeholders for your WINS server, domain controller, NetBIOS domain name and DNS domain name):

> netsh wins server \\<WINSServerName> show name <DomainNetBIOSName> 1c
> nslookup <DomainControllerName>
> nslookup -type=SRV _ldap._tcp.dc._msdcs.<DomainDNSName>
> nslookup <DomainDNSName>

The 1C entry is the domain's group registration in WINS that lists its domain controllers; once everything has been cleaned up, the netsh query should report the name as not found and each nslookup should fail to resolve.
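The same four checks as a script, as an added example that is not part of the original page. It uses Resolve-DnsName from the DnsClient module (Windows 8 / Windows Server 2012 and later) and the netsh wins command the text already shows; the domain, domain controller, DNS server and WINS server names are hypothetical. It goes slightly beyond the text by also checking the _kerberos DC locator record, which is registered alongside _ldap.

```powershell
# Added example: look for stale DNS and WINS registrations after a domain has been removed.
# All names below are placeholders; the DnsClient module provides Resolve-DnsName.
param(
    [string]  $DomainDnsName = 'child.example.com',   # DNS name of the removed domain
    [string]  $DomainNetbios = 'CHILD',               # NetBIOS name, used for the 1C record
    [string[]]$OldDCs        = @('dc1.child.example.com', 'dc2.child.example.com'),
    [string]  $DnsServer     = 'dns1.example.com',    # a surviving DNS server to query
    [string]  $WinsServer    = 'wins1.example.com'
)

function Test-Stale([string]$Name, [string]$Type) {
    # Returns records of the requested type that still resolve; an empty result is the clean outcome.
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type }
    } catch {
        @()   # NXDOMAIN or no data: exactly what we want to see after cleanup
    }
}

$stale = @()

# 1. Each former DC should no longer have a host record.
foreach ($dc in $OldDCs) { $stale += Test-Stale $dc 'A' }

# 2. No DC locator SRV records should remain under _msdcs for the domain.
$stale += Test-Stale "_ldap._tcp.dc._msdcs.$DomainDnsName" 'SRV'
$stale += Test-Stale "_kerberos._tcp.dc._msdcs.$DomainDnsName" 'SRV'

# 3. The domain name itself should no longer resolve to the former DCs' addresses.
$stale += Test-Stale $DomainDnsName 'A'

if ($stale) {
    Write-Warning "Stale DNS records remain for $DomainDnsName; remove them on $DnsServer:"
    $stale | Format-Table Name, Type, IPAddress, NameTarget -AutoSize
} else {
    "No stale DNS records found for $DomainDnsName"
}

# 4. WINS: the 1C group record lists the domain's DCs. netsh prints the registration
#    if it still exists; review the output and delete the record if so.
& netsh wins server "\\$WinsServer" show name $DomainNetbios 1c
```

Query the DNS server authoritative for the zone rather than your local resolver, otherwise cached answers can make a record look alive for its remaining TTL after it has already been deleted.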

You will also want to remove any trusts that were established with the domain. The trust objects in the removed domain disappear with it, but the matching trust objects in the other domains that trusted or were trusted by it remain and must be deleted there.

To remove a forest, you need to follow this process for all domains in that forest.