When removing a domain controller from Active Directory, it is advisable to use the DCPromo (demote) procedure, which correctly deletes all records about the old domain controller from the Active Directory database (the computer object, NTDS Settings, site settings, cross-site links and replication metadata).
If your domain controller has failed and you do not plan to bring it back, you can forcibly remove the failed domain controller instead. This procedure is called metadata cleanup. When you perform metadata cleanup, you delete all data about the failed DC from Active Directory Domain Services (AD DS). This also correctly cleans up the replication metadata, including the related objects in File Replication Service (FRS) and Distributed File System (DFS).
In a domain with a functional level of Windows Server 2008 R2 and newer, you can clean server metadata using the standard Active Directory Users and Computers (Dsa.msc) graphical console.
To do this, just find the failed DC in the ADUC console and delete it as a regular computer object. Right click on it, select Delete, and confirm the deletion.
In the next dialog box, check the item “This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO)”, and click Delete button.
Hint. If the following error appears when you try to remove the DC: “You do not have sufficient privileges to delete DC02, or this object is protected from accidental deletion”, make sure that:
- your account is a member of the Domain Admins group;
- the “Protect object from accidental deletion” option is disabled in the object properties (ADUC snap-in > DC > Object tab).
Then open the Active Directory Sites and Services snap-in (dssite.msc) and delete the corresponding NTDS Settings object: expand the site of the domain controller you are forcibly removing, expand Servers, expand the DC name, right-click the NTDS Settings object and select Delete. Confirm the deletion of the object.
Next, AD DS will automatically perform the metadata cleanup.
You can also clean up server metadata using the command-line tool ntdsutil (this is the only correct way to force-remove a failed DC in domains with a functional level of Windows Server 2008 or lower).
Run command prompt as an administrator on any of the remaining domain controllers.
Type ntdsutil at the command prompt and press Enter.
Enter the following commands one after another (the first one opens the metadata cleanup prompt, the second one is typed at that prompt):
metadata cleanup
remove selected server <failedDCName>
Here <failedDCName> is the name of the DC (its server object) to be removed from the AD database.
Click Yes in the confirmation dialog to remove the DC object and its metadata.
Verify that the domain controller has been successfully removed:
- Run the ADUC console. Make sure that the domain controller that you deleted has disappeared from the Domain Controllers container.
- Launch the Sites and Services snap-in and check that the server object of your DC no longer contains an NTDS Settings object. If it does not, you can delete the server object in the console.
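The same verification can be scripted. The following PowerShell is an added example, not part of the original article: it looks for the leftovers the article tells you to check by hand (the computer object in Domain Controllers, the server object and NTDS Settings under CN=Sites, and the FRS/DFSR SYSVOL member objects under CN=System). It assumes the RSAT ActiveDirectory module is installed and that you run it as a Domain Admin on a remaining DC; DC02 is a placeholder name taken from the error message above.

```powershell
# Added example (not from the original article): report any trace of a
# forcibly removed DC that metadata cleanup should have deleted.
# Assumes the RSAT ActiveDirectory module; the DC name is a placeholder.
Import-Module ActiveDirectory

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory)][string]$DcName)

    $domainDN  = (Get-ADDomain).DistinguishedName
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $leftovers = @()

    # 1. Computer object in the Domain Controllers container (what ADUC shows)
    $computer = Get-ADComputer -Filter "Name -eq '$DcName'" `
        -SearchBase "OU=Domain Controllers,$domainDN" -ErrorAction SilentlyContinue
    if ($computer) { $leftovers += $computer.DistinguishedName }

    # 2. Server object under CN=Sites and any NTDS Settings (nTDSDSA) beneath it
    $servers = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" `
        -SearchBase "CN=Sites,$configNC"
    foreach ($srv in $servers) {
        $ntds = Get-ADObject -LDAPFilter "(objectClass=nTDSDSA)" `
            -SearchBase $srv.DistinguishedName -SearchScope OneLevel
        if ($ntds) { $leftovers += $ntds.DistinguishedName }  # cleanup did not finish
        else       { $leftovers += $srv.DistinguishedName }   # empty server object: safe to delete
    }

    # 3. FRS / DFSR SYSVOL member objects for this DC under CN=System
    $sysvol = Get-ADObject -SearchBase "CN=System,$domainDN" `
        -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$DcName))"
    foreach ($m in $sysvol) { $leftovers += $m.DistinguishedName }

    [pscustomobject]@{
        DcName    = $DcName
        Clean     = ($leftovers.Count -eq 0)
        Leftovers = $leftovers
    }
}

# Placeholder DC name; Clean is $true only when nothing was found.
Test-DcMetadataRemoved -DcName 'DC02'
```

An empty server object reported under CN=Sites is the case the last bullet describes: the NTDS Settings object is gone, so the server object itself can be deleted in the Sites and Services console.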