When Using Force Domain Controller Removal


Tommye Hope

May 29, 2024, 2:51:08 AM

to adydgicent

Unlike Server Manager or the ADDSDeployment module for Windows PowerShell, DISM is a native servicing system that has no inherent knowledge of AD DS or its configuration. Do not use Dism.exe or the Windows PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain controller.

Uninstall-ADDSDomainController parameters:

-LocalAdministratorPassword
-Confirm
-Credential
-DemoteOperationMasterRole
-DNSDelegationRemovalCredential
-Force
-ForceRemoval
-IgnoreLastDCInDomainMismatch
-IgnoreLastDNSServerForZone
-LastDomainControllerInDomain
-NoRebootOnCompletion
-RemoveApplicationPartitions
-RemoveDNSDelegation
-RetainDCMetadata

Uninstall-WindowsFeature / Remove-WindowsFeature parameters:

-Name
-IncludeManagementTools
-Restart
-Remove
-Force
-ComputerName
-Credential
-LogPath
-Vhd


The -Credential argument is only required if you are not already logged on as a member of the Enterprise Admins group (demoting the last DC in a domain) or the Domain Admins group (demoting a replica DC). The -IncludeManagementTools argument is only required if you want to remove all of the AD DS management utilities.

The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it's accessible. The local server running Server Manager is always automatically available.

Clear the Active Directory Domain Services check box to demote a domain controller; if the server is currently a domain controller, this doesn't remove the AD DS role and instead switches to a Validation Results dialog with the offer to demote. Otherwise, it removes the binaries like any other role feature.

Don't remove any other AD DS-related roles or features - such as DNS, GPMC, or the RSAT tools - if you intend to promote the domain controller again immediately. Removing additional roles and features increases the time to re-promote, as Server Manager reinstalls these features when you reinstall the role.

Demoting an additional domain controller requires Domain Admin credentials. Selecting Force the removal of this domain controller demotes the domain controller without removing the domain controller object's metadata from Active Directory.

Do not select this option unless the domain controller cannot contact other domain controllers and there is no reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller, such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software.

Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this removes the domain itself (if the last domain in the forest, this removes the forest). Server Manager informs you if the current domain controller is the last domain controller in the domain. Select the Last domain controller in the domain check box to confirm the domain controller is the last domain controller in the domain.

If you previously selected Force the removal of this domain controller on the Credentials page, then the Warnings page shows all Flexible Single Master Operations roles hosted by this domain controller. You must seize the roles from another domain controller immediately after demoting this server. For more information on seizing FSMO roles, see Seize the Operations Master Role.

Select Change to specify alternate DNS administrative credentials. Select View Partitions to view additional partitions the wizard removes during the demotion. By default, the only additional partitions are Domain DNS and Forest DNS Zones. All other partitions are non-Windows partitions.

The New Administrator Password page requires you to provide a password for the built-in local computer's Administrator account, once the demotion completes and the computer becomes a domain member server or workgroup computer.

Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the local administrator password of that computer. With that knowledge, they have access to all of its data and can impersonate the server itself.

The Confirmation page shows the planned demotion; the page doesn't list demotion configuration options. This is the last page the wizard shows before the demotion begins. The View Script button creates a Windows PowerShell demotion script.

Use the optional -WhatIf argument with the Uninstall-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and implicit values of a cmdlet's arguments.

The prompt to restart is your last opportunity to cancel this operation when using ADDSDeployment Windows PowerShell. To override that prompt, use the -Force or -Confirm:$false arguments.

Since Uninstall-ADDSDomainController and Uninstall-WindowsFeature only have one action apiece, they're shown here in the Confirmation phase with the minimum required arguments. Pressing ENTER starts the irrevocable demotion process and restarts the computer.

Here's an example of forcibly demoting with its minimal required arguments of -forceremoval and -demoteoperationmasterrole. The -credential argument isn't required because the user logged on as a member of the Enterprise Admins group:

Here's an example of removing the last domain controller in the domain with its minimal required arguments of -lastdomaincontrollerindomain and -removeapplicationpartitions:
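The two demotion variants described above, together with the -WhatIf dry run and a prompted (rather than clear-text) local Administrator password, as an added example that is not part of the original post. It assumes an elevated ADDSDeployment session on the domain controller being demoted, logged on as an Enterprise Admin; the function name Invoke-DcDemotion and its -Mode values are hypothetical.

```powershell
# Added example (not from the original post). Assumes: elevated PowerShell on the DC to demote,
# logged on as a member of Enterprise Admins, so -Credential is not needed.
Import-Module ADDSDeployment

function Invoke-DcDemotion {
    param(
        # 'ForcedReplica': disconnected replica DC, leaves orphaned metadata to clean up afterwards.
        # 'LastInDomain' : last DC in the domain, which removes the domain itself.
        [Parameter(Mandatory)][ValidateSet('ForcedReplica', 'LastInDomain')][string] $Mode,
        # Review explicit and implicit parameter values without demoting.
        [switch] $WhatIfOnly
    )

    # Prompt for the post-demotion local Administrator password; never embed it in the script.
    $localAdminPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString

    $args = @{ LocalAdministratorPassword = $localAdminPassword }
    if ($Mode -eq 'ForcedReplica') {
        $args.ForceRemoval              = $true   # metadata stays on the other DCs
        $args.DemoteOperationMasterRole = $true   # required when this DC holds FSMO roles
    }
    else {
        $args.LastDomainControllerInDomain = $true
        $args.RemoveApplicationPartitions  = $true  # e.g. DomainDnsZones / ForestDnsZones
    }

    if ($WhatIfOnly) {
        Uninstall-ADDSDomainController @args -WhatIf
        return
    }

    # -Force suppresses the final restart confirmation; the demotion is irrevocable from here
    # and the computer restarts when it completes.
    Uninstall-ADDSDomainController @args -Force
}

# Dry run first, then the real forced demotion of a disconnected replica DC.
Invoke-DcDemotion -Mode ForcedReplica -WhatIfOnly
Invoke-DcDemotion -Mode ForcedReplica
```

After the restart, Uninstall-WindowsFeature -Name AD-Domain-Services removes the binaries; leave DNS, GPMC and the RSAT tools in place if the server will be promoted again soon.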

A domain controller must have connectivity to other domain controllers in the domain in order to demote the domain controller and successfully remove Active Directory Domain Services. If a domain controller has no connectivity to other domain controllers, the standard removal process will fail, and you will need to connect the domain controller to the domain and then restart the removal process. In a limited number of situations, however, you might not want or be able to connect the domain controller to the domain and instead might want to force the removal of the domain controller.

Before you can forcibly remove Active Directory Domain Services, you must restart the domain controller in Directory Services Restore Mode. Restarting in this mode takes the domain controller offline, meaning it functions as a member server, not as a domain controller. During installation of Active Directory Domain Services, you set the Administrator password for logging on to the server in Directory Services Restore Mode.

You can restart a domain controller in Directory Services Restore Mode manually by pressing the F8 key during domain controller startup. You must then log on by using the Directory Services Restore Mode password for the local Administrator account. A disadvantage of this technique is that if you accidentally restart the domain controller, you might forget to put it back into Directory Services Restore Mode.

If the domain controller hosts any operations master roles, is a DNS server, or is a global catalog server, warnings similar to the one shown in Figure 3-14 are displayed to explain how the forced removal of the related function will affect the rest of the environment. After you review the recommendations and take appropriate actions (if possible), click Yes to continue.

On the Force The Removal Of Active Directory Domain Services page, shown in Figure 3-15, review the information about forcing the removal of Active Directory Domain Services and the required metadata cleanup operations, and then click Next.

When the command-line execution completes, Dcpromo exits with a return code. A return code of 1 to 10 indicates success. A return code of 11 to 100 indicates failure. Note the related error text and take appropriate corrective action as necessary.

When you force the removal of a disconnected domain controller, the Active Directory forest metadata is not updated automatically as it is when a domain controller is removed normally. Because of this, you must manually update the forest metadata after you remove the domain controller.

You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. During metadata cleanup, Active Directory automatically performs the following tasks:

On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. Deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, and all related tasks are performed automatically. Using Active Directory Users and Computers, you can clean up metadata by completing the following steps:

If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. Although you cannot change this domain controller at the present time, you can move the role once the metadata cleanup procedure is completed.

On domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you also can perform metadata cleanup by using the Ntdsutil command-line tool. Using Ntdsutil, you can clean up server metadata by completing the following steps:

At the metadata cleanup prompt, enter the following command if you are logged on to the domain of the domain controller that you forcibly removed: remove selected server RetiredServer where RetiredServer is the distinguished name of the retired domain controller. Otherwise, enter the following command: remove selected server RetiredServer on TargetServer where RetiredServer is the distinguished name of the retired domain controller and where TargetServer is the DNS name of a domain controller in the domain of the domain controller that you forcibly removed.
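The Ntdsutil metadata cleanup step above, run non-interactively from PowerShell and followed by a check that the retired DC's NTDS Settings object is really gone, as an added example that is not part of the original post. It assumes a surviving DC (or RSAT host) in domain corp.example.com, the retired DC named DC02 in site Default-First-Site-Name, and Domain Admin rights; those names are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes: elevated session on a surviving DC or
# an RSAT host with the ActiveDirectory module, logged on as a Domain Admin of the domain
# that the forcibly removed DC belonged to. DC02 and the site name are constructed placeholders.
Import-Module ActiveDirectory

$retiredDc = 'DC02'
$siteName  = 'Default-First-Site-Name'
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverDn  = "CN=$retiredDc,CN=Servers,CN=$siteName,CN=Sites,$configNC"

# ntdsutil accepts its interactive prompts as command-line arguments, one quoted string per
# prompt entry. Run on a DC in the retired DC's domain, so no "on TargetServer" clause is needed.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

function Test-DcMetadataRemoved {
    param([string] $ServerDn)
    # The nTDSDSA (NTDS Settings) object under the server object is what makes the server
    # a replication partner; if it is still present, the metadata is still orphaned.
    $dsa = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $ServerDn `
                        -ErrorAction SilentlyContinue
    return ($null -eq $dsa)
}

if (Test-DcMetadataRemoved -ServerDn $serverDn) {
    Write-Output "Metadata cleanup verified for $retiredDc"
}
else {
    Write-Warning "NTDS Settings object still present under $serverDn; cleanup did not complete"
}
```

Also remove the retired DC's stale A, NS and SRV records from DNS and reassign any operations master roles it held, as the page describes under Seize the Operations Master Role.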
