Active Directory management demands consistent maintenance, and occasionally that includes removing an orphan child domain. A child domain becomes orphaned when its last domain controller disappears unexpectedly, or when a domain controller’s demotion does not complete as planned, leaving stale domain and domain controller objects in the forest metadata even though no live domain controller remains. Removing these objects accurately matters: while they exist, the forest keeps advertising a domain that no longer exists, and replication topology, trusts and DNS keep referring to it. Follow this step-by-step guide to understand how to force the removal of an orphan child domain.
Steps to remove the corrupted DC of the Orphan Child Domain
Step 1: Identify the Domain Naming Master
Begin by identifying the domain controller that holds the Flexible Single Master Operations (FSMO) role of the Domain Naming Master. Open the Active Directory Domains and Trusts MMC from the Administrative Tools menu. Right-click the root node titled “Active Directory Domains and Trusts”, then select “Operations Master”. The FSMO role holder will be displayed in the Operations Master frame.
Step 2: Ensure the Child Domain’s Domain Controllers Are Really Gone
Verify that every domain controller of the child domain has either been demoted or is permanently offline and will never be brought back. This is crucial: metadata cleanup removes a domain controller’s objects from the forest without touching the machine itself, so a domain controller that comes back online after its metadata has been removed will be inconsistent with the rest of the forest. If one of these domain controllers can still be reached, demote it properly instead of forcing the removal.
Step 3: Start the NTDSUTIL Tool
Open an elevated command prompt and type “ntdsutil”. This built-in Windows Server tool manages Active Directory from the console, including the metadata cleanup used here. Run it on a domain controller of the parent domain, or on a machine with the AD DS management tools installed, while logged on as a member of Enterprise Admins, since removing a domain is a forest-wide change.
Step 4: Perform Metadata Cleanup
At the ntdsutil prompt, type “metadata cleanup”, then “connections”, to open the menu in which you bind to the server where the changes will be made.
Step 5: Establish Connection to the Server
Enter “connect to server servername”, replacing “servername” with the name of the domain controller that holds the Domain Naming Master role. Any writable domain controller can be used to remove a domain controller’s metadata, but removing the domain itself in the second procedure requires a binding to the Domain Naming Master, so use the same server for both procedures.
Step 6: Select the Operation
Type “quit” to leave the connections menu, then “select operation target”. Type “list sites” to display the sites in the forest, each with an assigned number.
Step 7: Choose the Site
Type “select site number”, replacing “number” with the site number that houses the domain controller to be removed.
Step 8: Select the Domain and the Domain Controller
Type “list domains in site” to display the domains that have domain controllers in the selected site, each with a number, then “select domain number”, replacing “number” with the number of the orphan child domain. Now type “list servers for domain in site”; the domain controllers of that domain in that site appear, again numbered. Type “select server number”, where “number” corresponds to the domain controller to be removed.
Step 9: Remove the Domain Controller
Type “quit” to leave the select operation target menu, then “remove selected server”. ntdsutil asks you to confirm before it deletes the domain controller’s NTDS Settings object and related metadata; a successful removal is confirmed in the command prompt. Repeat Steps 6 to 9 for every remaining domain controller of the child domain before moving on to the removal of the domain itself.
Step 10: Quit the NTDSUTIL Tool
Type “quit” at each menu to fully exit the NTDSUTIL tool. A successful disconnection will be confirmed.
Please remember to replace “servername” and “number” with your actual server name and respective numbers as needed throughout the process.
Steps to Remove the Orphan Child Domain
Step 1: Identify the Domain Controller
The first step involves identifying the domain controller that holds the FSMO (Flexible Single Master Operations) role of Domain Naming Master. Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu. Right-click the root node in the left pane titled Active Directory Domains and Trusts, then click Operations Master. The current holder of this role is identified in the Operations Master frame.
Step 2: Verify the Domain Controllers
Make sure all domain controllers of the child domain have been demoted or have had their metadata removed with the previous procedure. This step is essential: the domain should be genuinely orphaned, with no domain controller of the child domain left in the forest metadata, before you remove the domain itself.
Step 3: Use the NTDSUTIL Tool
Open an elevated command prompt and type “ntdsutil”. This tool, included with Windows Server, is used for managing Active Directory at the console level; as before, run it as a member of Enterprise Admins.
Step 4: Clean up the Metadata
In the command prompt, type “metadata cleanup” and press Enter. Then type “connections” and press Enter again. This step allows you to connect to the specific server where changes will occur.
Step 5: Connect to the Server
Type “connect to server servername”, where “servername” is the name of the domain controller holding the FSMO role of Domain Naming Master, then press Enter. For domain removal this must be the Domain Naming Master: the crossRef object that represents the domain in the forest’s Partitions container is deleted through that role holder.
Step 6: Select Operation
After exiting the previous menu by typing “quit”, type “select operation target” and press Enter. Then type “list domains” and press Enter again. A list of the domains in the forest appears, each with an associated number and its distinguished name.
Step 7: Select the Domain to Remove
Type “select domain number”, where “number” is the number associated with the domain to remove, then press Enter.
Step 8: Remove the Domain
After exiting the previous menu by typing “quit”, type “remove selected domain” and press Enter. ntdsutil asks for confirmation, then deletes the domain’s crossRef object from the Partitions container of the Configuration partition. You should receive a confirmation that the removal was successful.
Step 9: Exit the NTDSUTIL Tool
Type “quit” at each menu to exit the NTDSUTIL tool. You should receive a confirmation that the disconnection was successful.
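The two procedures above, driven from PowerShell instead of the interactive ntdsutil menus, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an Enterprise Admins session on a machine in the parent domain, the example distinguished name DC=child,DC=contoso,DC=com, and that ntdsutil’s “list domains” prints each domain as “<number> - <DN>”. The domain controller removal uses the “remove selected server <DN> on <DC>” form of the command, so no site or server numbers have to be read off the screen; the domain removal still has to go through “select domain <number>”, so the script resolves the number from the DN first. Nothing is deleted unless -Execute is passed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article: drives both ntdsutil procedures above
# from PowerShell. Needs RSAT-AD-PowerShell and an Enterprise Admins session in the
# parent domain. Nothing is deleted unless -Execute is passed; by default each function
# prints the exact ntdsutil command line it would run so it can be reviewed or pasted.
# Assumed: "list domains" prints one "<number> - <DN>" line per domain.

function Get-DomainNamingMaster {
    # Step 1 of both procedures: the FSMO holder ntdsutil must be bound to for domain removal.
    (Get-ADForest).DomainNamingMaster
}

function Get-OrphanChildDcs {
    param([Parameter(Mandatory)][string]$ChildDomainDn)
    $config = (Get-ADRootDSE).configurationNamingContext
    # Server objects live under CN=Sites in the Configuration partition; serverReference
    # points at the computer object in the child domain, which is how we pick them out.
    Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$config" `
                 -Properties serverReference, dNSHostName |
      Where-Object { $_.serverReference -and
                     $_.serverReference.EndsWith(",$ChildDomainDn", 'OrdinalIgnoreCase') } |
      ForEach-Object {
          # "remove selected server" deletes the NTDS Settings (nTDSDSA) child; if it is
          # already gone the metadata was cleaned earlier and only the shell object remains.
          $ntds = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' `
                               -SearchBase $_.DistinguishedName -SearchScope OneLevel
          # Step 2: a DC that still answers LDAP is not orphaned. Never clean up metadata
          # for a DC that can come back; demote it properly instead.
          $alive = $false
          if ($_.dNSHostName) {
              $alive = Test-NetConnection -ComputerName $_.dNSHostName -Port 389 `
                           -InformationLevel Quiet -WarningAction SilentlyContinue
          }
          [pscustomobject]@{ ServerDn = $_.DistinguishedName; Fqdn = $_.dNSHostName
                             HasNtdsSettings = [bool]$ntds; AnswersLdap = [bool]$alive }
      }
}

function Invoke-Ntdsutil {
    param([string[]]$Commands, [switch]$Execute)
    # Each array element becomes one ntdsutil argument, i.e. one menu command, in order.
    Write-Host ('ntdsutil ' + (($Commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    if ($Execute) { & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" } }
}

function Remove-OrphanDcMetadata {
    param([Parameter(Mandatory)][string]$ServerDn, [switch]$Execute)
    # Procedure 1 collapsed into one command: the DN form "remove selected server <DN> on <DC>"
    # replaces the list sites / select site / select domain / select server numbering.
    Invoke-Ntdsutil -Execute:$Execute -Commands @(
        'metadata cleanup', "remove selected server $ServerDn on $(Get-DomainNamingMaster)", 'quit', 'quit')
}

function Remove-OrphanDomainMetadata {
    param([Parameter(Mandatory)][string]$ChildDomainDn, [switch]$Execute)
    $dnm = Get-DomainNamingMaster
    # "select domain" only takes a menu number, so run "list domains" once and resolve the
    # number from the DN rather than reading it off the screen (numbers can shift between runs).
    $listing = & ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $dnm" 'quit' `
                              'select operation target' 'list domains' 'quit' 'quit' 'quit' 2>&1 |
               ForEach-Object { "$_" }
    $pattern = '^\s*(\d+)\s*-\s*' + [regex]::Escape($ChildDomainDn) + '\s*$'
    $hit = $listing | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $hit) { throw "'$ChildDomainDn' not listed by 'list domains' on $dnm; nothing to remove" }
    $number = [regex]::Match($hit, $pattern, 'IgnoreCase').Groups[1].Value
    # Procedure 2, Steps 4 to 9, in one invocation bound to the Domain Naming Master.
    Invoke-Ntdsutil -Execute:$Execute -Commands @(
        'metadata cleanup', 'connections', "connect to server $dnm", 'quit',
        'select operation target', "select domain $number", 'quit',
        'remove selected domain', 'quit', 'quit')
}

# Dry run (no -Execute): inspect the child's DCs, print the commands for each dead DC,
# then for the domain. Re-run with -Execute once the printed commands look right.
$child = 'DC=child,DC=contoso,DC=com'   # example DN, replace with the orphaned domain's DN
$dcs = Get-OrphanChildDcs -ChildDomainDn $child
$dcs | Format-Table -AutoSize
foreach ($dc in $dcs | Where-Object { $_.HasNtdsSettings -and -not $_.AnswersLdap }) {
    Remove-OrphanDcMetadata -ServerDn $dc.ServerDn
}
Remove-OrphanDomainMetadata -ChildDomainDn $child
```

Only domain controllers that still have an NTDS Settings object and do not answer on TCP 389 are passed to the removal function; a domain controller that answers should be demoted normally. ntdsutil still presents its own confirmation when a removal runs. If a site or server name contains spaces, the DN needs to be quoted inside the ntdsutil command, which is easier to do in the interactive session described above than through argument passing.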
Command Summary
In this article, we have walked through the step-by-step process of removing the orphaned child domain’s remaining domain controllers and then the domain itself. The commands involved might seem complex at first glance, but breaking them down into individual steps makes the task more manageable.
For quick reference, here is a summary of all the commands used, in the order in which they are typed. This can serve as a handy guide for future reference.
## Steps to remove the corrupted DC of the Orphan Child Domain
ntdsutil
metadata cleanup
connections
# Replace <servername> with the name of the domain controller that holds the Domain Naming Master FSMO Role
connect to server <servername>
quit
select operation target
list sites
# Replace <number> with the number associated with the site containing the domain controller to be removed
select site <number>
list domains in site
# Replace <number> with the number associated with the domain to be removed
select domain <number>
list servers for domain in site
# Replace <number> with the number associated with the domain controller to be removed
select server <number>
quit
remove selected server
# Repeat above steps for all domain controllers to be removed
quit
############################################
## Steps to Remove the Orphan Child Domain
ntdsutil
metadata cleanup
connections
# Replace <servername> with the name of the domain controller that holds the Domain Naming Master FSMO Role
connect to server <servername>
quit
select operation target
list domains
# Replace <number> with the number associated with the domain to be removed
select domain <number>
quit
remove selected domain
quit
What to Check in Active Directory after a Forced Removal
After the forced removal of a child domain, it is crucial to take additional steps to ensure the cleanliness and integrity of your Active Directory environment. Here is a list of generally required cleanup tasks:
- Child Domain DNS Zone Removal: If the DNS zone of the child domain still exists, remove it, and also remove the NS delegation records for the child domain from the parent zone. Otherwise name resolution keeps pointing at domain controllers that no longer exist.
- Trust Relationship Removal: The parent domain keeps a trustedDomain object for the child in its System container. If the parent-child trust is still listed under the parent domain’s properties in Active Directory Domains and Trusts, remove it there.
- Checking and Removing Remaining Domain Controllers: Use the Active Directory Sites and Services tool to check whether server objects from the child domain still exist. ntdsutil deletes the NTDS Settings object, but the server object itself can remain; delete any that are left.
- Checking the Partitions Container: Confirm that the crossRef object for the child domain is gone from CN=Partitions in the Configuration partition (ADSI Edit shows it). If it is still there, the forest still advertises the domain.
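A verification script for the cleanup list above, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, that it is run from the parent domain, the example names child.contoso.com and DC=child,DC=contoso,DC=com under the parent contoso.com, and the DnsServer module for the DNS checks, which are skipped where that module is not available. It reports leftovers; it does not delete anything.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article: reports the leftovers listed above after
# a forced child domain removal. Needs RSAT-AD-PowerShell and runs from the parent domain;
# the DNS checks use the DnsServer module and run only where it is installed (e.g. on a
# DNS server of the parent domain). Example names: child.contoso.com under contoso.com.

function Test-OrphanDomainCleanup {
    param(
        [Parameter(Mandatory)][string]$ChildDnsName,    # e.g. child.contoso.com
        [Parameter(Mandatory)][string]$ChildDomainDn,   # e.g. DC=child,DC=contoso,DC=com
        [string]$ParentDnsName = (Get-ADDomain).DNSRoot # the domain this session belongs to
    )
    $root   = Get-ADRootDSE
    $config = $root.configurationNamingContext
    $issues = [System.Collections.Generic.List[string]]::new()

    # 1. crossRef in CN=Partitions: "remove selected domain" deletes it. If it survived, the
    #    forest still advertises the dead domain and "list domains" keeps showing it.
    Get-ADObject -Filter 'objectClass -eq "crossRef"' -SearchBase "CN=Partitions,$config" -Properties nCName |
      Where-Object { $_.nCName -eq $ChildDomainDn } |
      ForEach-Object { $issues.Add("crossRef still present: $($_.DistinguishedName)") }

    # 2. Trust: the parent keeps a trustedDomain object for the child in CN=System; remove it
    #    in Active Directory Domains and Trusts (parent domain Properties > Trusts).
    Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -SearchBase "CN=System,$($root.defaultNamingContext)" -Properties trustPartner |
      Where-Object { $_.trustPartner -eq $ChildDnsName } |
      ForEach-Object { $issues.Add("trust object still present: $($_.DistinguishedName)") }

    # 3. Sites and Services: server objects whose serverReference points into the child domain.
    #    ntdsutil removes NTDS Settings, but the server object itself can be left behind.
    Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$config" -Properties serverReference |
      Where-Object { $_.serverReference -and $_.serverReference.EndsWith(",$ChildDomainDn", 'OrdinalIgnoreCase') } |
      ForEach-Object { $issues.Add("server object still present: $($_.DistinguishedName)") }

    # 4. DNS: the child's own zone, and the NS delegation for it inside the parent zone.
    if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
        if (Get-DnsServerZone -Name $ChildDnsName -ErrorAction SilentlyContinue) {
            $issues.Add("DNS zone $ChildDnsName still exists")
        }
        if ($ChildDnsName -like "*.$ParentDnsName") {
            # child.contoso.com under contoso.com -> delegation label "child"
            $label = $ChildDnsName.Substring(0, $ChildDnsName.Length - $ParentDnsName.Length - 1)
            $ns = Get-DnsServerResourceRecord -ZoneName $ParentDnsName -Name $label -RRType NS -ErrorAction SilentlyContinue
            if ($ns) { $issues.Add("NS delegation '$label' still present in zone $ParentDnsName") }
        }
    }
    return $issues.ToArray()
}

$found = Test-OrphanDomainCleanup -ChildDnsName 'child.contoso.com' -ChildDomainDn 'DC=child,DC=contoso,DC=com'
if ($found.Count -eq 0) { 'No leftovers found' } else { $found }
```

An empty result means the four places a forced removal usually leaves traces are clean; each reported line names the exact object or record to delete, using the tools mentioned in the list above.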
Active Directory management is a complex task that demands particular attention. However, the method described above has been tried and tested. By following these steps, you should be successful in removing an orphaned child domain.
—
This article is also available in French on: Guide étape par étape pour la suppression d’un domaine enfant orphelin dans l’Active Directory (gautier.it)