How to Remove a Domain Controller That No Longer Exists

Step-by-step guide to manually removing a failed or inaccessible Domain Controller from Active Directory, including metadata cleanup and DNS removal.

Removing a domain controller (DC) that’s no longer in use is a crucial task for keeping your Active Directory (AD) environment running smoothly. When you have orphaned domain controllers hanging around, they can lead to replication errors, authentication problems and unnecessary clutter in AD Sites and Services.

Why Remove a Non-Existing Domain Controller?

  1. Prevent Replication Errors: Orphaned DCs can cause replication failures throughout the domain.
  2. Enhance Active Directory Health: By removing outdated objects, you ensure your AD data stays accurate.
  3. Streamline Administration: A cleaner domain structure means less administrative hassle.

Pre-Requisites

  1. Administrator Access: Make sure you have either Enterprise Admin or Domain Admin rights.
  2. Backup Active Directory: Always create a backup of AD before making any major changes.
  3. Check Domain Controller Status: Use tools like ping, dcdiag or repadmin to confirm that the DC is indeed inactive.

Steps to Remove a Domain Controller That No Longer Exists

Step 1: Check for Replication Failures

Start by running this command to see if there are any replication issues:

repadmin /replsummary

Make a note of any errors that point to the orphaned domain controller.

Step 2: Identify the Orphaned Domain Controller

  1. Open Active Directory Users and Computers (ADUC).
  2. Go to the Domain Controllers container.
  3. Find the name of the domain controller that’s no longer around.

Step 3: Clean Up Metadata

If the domain controller was removed incorrectly, you’ll need to manually clean up its metadata using ntdsutil:

  1. Open Command Prompt with admin rights.
  2. Start the ntdsutil utility:
    • ntdsutil
  3. Enter metadata cleanup mode:
    • metadata cleanup
  4. Connect to the domain where the orphaned DC is located:
    • connections
    • connect to server <existing-DC-name>
    • quit
  5. Choose the orphaned DC you want to remove:
    • select operation target
    • list domains
    • select domain <domain-number>
    • list sites
    • select site <site-number>
    • list servers in site
    • select server <server-number>
  6. Now, remove the DC:
    • remove selected server
  7. Exit ntdsutil:
    • quit
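The same pre-checks and cleanup can be scripted so that the target is verified before anything is deleted. The following PowerShell is an added example, not part of the original guide: it confirms the DC is unreachable, locates its server object in the Configuration partition, and deletes its NTDS Settings object, which on Windows Server 2008 and later triggers the same metadata cleanup that ntdsutil performs. The names DC01, DC02 and the zone names are placeholders; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the original guide. Placeholders: DC02 is the DC that
# no longer exists, DC01 is a healthy DC that the commands run against.
Import-Module ActiveDirectory

$OrphanedDc = 'DC02'   # placeholder: name of the orphaned DC
$HealthyDc  = 'DC01'   # placeholder: a reachable DC in the same forest

# Step 1 equivalent: summarise replication state and make sure the DC is really gone.
repadmin /replsummary
if (Test-Connection -ComputerName $OrphanedDc -Count 2 -Quiet) {
    throw "$OrphanedDc still answers ping; do not clean up metadata for a live DC."
}

# Step 2 equivalent: find the server object under CN=Sites in the Configuration partition.
$configNc  = (Get-ADRootDSE -Server $HealthyDc).configurationNamingContext
$serverObj = Get-ADObject -Server $HealthyDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$OrphanedDc))"

if (-not $serverObj) { throw "No server object named $OrphanedDc found under CN=Sites." }
"Found server object: $($serverObj.DistinguishedName)"

# Step 3 equivalent: the NTDS Settings object (objectClass nTDSDSA) is what marks the
# server as a DC. Deleting it is the same operation ADSI Edit or Sites and Services
# performs, and the DC that processes the delete runs the metadata cleanup.
$ntds = Get-ADObject -Server $HealthyDc -SearchBase $serverObj.DistinguishedName `
    -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue

if ($ntds) {
    # -Confirm forces an interactive prompt showing the exact DN before deletion.
    Remove-ADObject -Server $HealthyDc -Identity $ntds.DistinguishedName -Recursive -Confirm:$true
} else {
    "No NTDS Settings object left; removing the empty server object instead."
    Remove-ADObject -Server $HealthyDc -Identity $serverObj.DistinguishedName -Recursive -Confirm:$true
}

# Step 6 equivalent: the orphaned DC must no longer be listed or appear as a partner.
Get-ADDomainController -Filter * -Server $HealthyDc | Select-Object Name, Site, IPv4Address
repadmin /showrepl
```

Run it from an elevated session with Domain Admin or Enterprise Admin rights. The ping check is a sanity guard, not proof of decommissioning: a DC behind a firewall would fail it too, so the dcdiag and repadmin checks from the prerequisites still apply before you answer the confirmation prompt.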

Step 4: Remove DNS Entries

  1. Open the DNS Manager.
  2. Look for zones (like _msdcs.domainname and domainname) under Forward Lookup Zones.
  3. Delete any DNS records for the orphaned domain controller, including:
    • Host (A) records.
    • SRV records (like _ldap, _kerberos).

Step 5: Clean Up Active Directory Sites and Services

  1. Open Active Directory Sites and Services.
  2. Expand the Sites container.
  3. Find the orphaned DC in its respective site.
  4. Right-click on the DC and choose Delete.

Step 6: Verify Cleanup

  1. Run this command to make sure the domain no longer references the orphaned DC:
    • repadmin /showrepl
  2. Check DNS and ADUC to confirm that the DC has been successfully removed.
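Step 4 asks you to hunt through the forward lookup zones by hand, and Step 6 to confirm nothing references the old DC any more. The following PowerShell is an added example, not part of the original guide: it enumerates the zones, lists every A, SRV, NS and CNAME record that still points at the orphaned DC, and removes them only after you flip a switch, then runs the verification from Step 6 and the cache flush from the troubleshooting tips. The DC names, zone names and IP address are placeholders; the DnsServer module (RSAT) is assumed.

```powershell
# Added example, not from the original guide. All names and addresses are placeholders.
Import-Module DnsServer

$OrphanedDc   = 'DC02'                                     # placeholder: short host name
$OrphanedFqdn = 'dc02.corp.example.'                       # placeholder: FQDN as stored in DNS (trailing dot)
$OrphanedIp   = '10.0.0.12'                                # placeholder: its old address
$DnsServer    = 'DC01'                                     # placeholder: a DNS server hosting the zones
$Zones        = @('corp.example', '_msdcs.corp.example')   # placeholders for the zones named in Step 4
$Remove       = $false                                     # preview first; set $true to delete

function Get-RecordTarget {
    # Returns the host or address a record points at, so the four record types an
    # AD DC registers can be compared against the orphaned DC with one rule.
    param($Record)
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.IPAddressToString }
        'SRV'   { $d.DomainName }      # _ldap, _kerberos, _gc, _kpasswd entries
        'NS'    { $d.NameServer }      # the zone's own name-server list
        'CNAME' { $d.HostNameAlias }   # the DSA GUID alias under _msdcs
        default { $null }
    }
}

function Test-StaleDcRecord {
    # True when the record is owned by, or points at, the orphaned DC.
    param($Record)
    $target = Get-RecordTarget $Record
    ($Record.HostName -ieq $OrphanedDc) -or
    ($target -ieq $OrphanedIp) -or
    ($target -ieq $OrphanedFqdn)
}

foreach ($zone in $Zones) {
    $stale = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
               Where-Object { Test-StaleDcRecord $_ })
    "Zone $zone : $($stale.Count) record(s) still reference $OrphanedDc"
    foreach ($rec in $stale) {
        "  {0,-6} {1,-50} -> {2}" -f $rec.RecordType, $rec.HostName, (Get-RecordTarget $rec)
        if ($Remove) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
                -InputObject $rec -Force
        }
    }
}

# Step 6 and troubleshooting tip 3: flush the local cache, confirm the name no longer
# resolves, and confirm replication no longer lists the orphaned DC.
ipconfig /flushdns
$left = Resolve-DnsName -Name $OrphanedFqdn.TrimEnd('.') -Server $DnsServer -ErrorAction SilentlyContinue
if ($left) { "WARNING: $OrphanedFqdn still resolves to $($left.IPAddress -join ', ')" }
repadmin /showrepl
```

Leave `$Remove` at `$false` for the first run and read the list: a healthy DC that happens to share the address, or a CNAME you expected to keep, would show up here before anything is deleted. Records registered in other zones, or on DNS servers that do not host an AD-integrated copy, need the same sweep with `$Zones` and `$DnsServer` adjusted.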

Troubleshooting Tips

  1. Having trouble connecting to an existing DC in ntdsutil?
    • First, make sure you have a solid network connection to the active DC.
    • Double-check that your credentials have the necessary permissions.
  2. If metadata cleanup fails:
    • Use Active Directory Users and Computers to forcefully remove the orphaned DC object.
    • Restart the AD services and give the metadata cleanup another shot.
  3. Stale DNS entries hanging around?
    • Go ahead and manually delete them, then flush the DNS cache by running ipconfig /flushdns.

Conclusion

It's crucial to remove any domain controllers that are no longer in existence to keep your Active Directory environment running smoothly. By following these steps, you can ensure that all traces of the orphaned DC are cleaned up, helping to avoid any replication or administrative headaches.
