Sunday, February 17, 2013

Forceful Demotion of a Dead Domain Controller

If one of your domain controllers dies on you, then you cannot gracefully demote it. So, when this happens there are a few things that you need to do to remove it from the domain and cleanup the mess that this failure created.

The first step is to jump on one of your remaining domain controllers that's running Windows 2003 SP1 or newer.

Make sure that you are a member of the "enterprise admins" group. If you weren't a member already, add yourself to the group, then log off of the domain controller and back onto it.
Open up a command prompt, and enter ntdsutil.

At the ntdsutil: prompt, type metadata cleanup and hit enter.

At the metadata cleanup: prompt, type remove selected server <distinguished name of DC you want to remove> and hit enter. This must be the distinguished name of the domain controller's server object in the configuration partition of Active Directory, not the computer object in the domain (directory services) partition.

If you get a message like this, you're probably pointing at the wrong object in Active Directory:
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x20(32 (No Such Object).
Ldap extended error message is 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=DC-Name,OU=Domain Controllers,DC=domain,DC=local'
Win32 error returned is 0x208d(Directory object not found.)
)
Unable to determine the domain hosted by the DC (5). Please use the connection menu to specify it.
Disconnecting from localhost...
 
Look at the distinguished name and make sure it is something like this and try the command again:
CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<Domain>,DC=<suffix>
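Getting that distinguished name right is the part people trip over, so here is an added PowerShell helper (my own example, not from the original post) that looks up both objects for a given DC name: the server object in the configuration partition that ntdsutil wants, and the computer object in the domain partition that produces the "No Such Object" error above. It also reports whether the NTDS Settings child and the FRS member object still exist, which tells you whether metadata cleanup has already run, and prints the ntdsutil command line with the correct DN filled in. It assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later) is available; DC-Name is a placeholder, and the function name is mine.

```powershell
# Added example: find the objects that "remove selected server" acts on for a dead DC.
# Assumes the ActiveDirectory module; "DC-Name" is a placeholder for the dead DC's name.
Import-Module ActiveDirectory

function Get-DcCleanupTargets {
    param([Parameter(Mandatory)][string]$DcName)

    $rootDse  = Get-ADRootDSE
    $configNc = $rootDse.configurationNamingContext   # CN=Configuration,DC=<domain>,DC=<suffix>
    $domainNc = $rootDse.defaultNamingContext         # DC=<domain>,DC=<suffix>

    # The object ntdsutil expects:
    #   CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix>
    $serverObj = Get-ADObject -SearchBase $configNc -LDAPFilter "(&(objectClass=server)(cn=$DcName))"

    # The object that produces "No Such Object" when passed to ntdsutil:
    #   CN=<DC Name>,OU=Domain Controllers,DC=<domain>,DC=<suffix>
    $computerObj = Get-ADObject -SearchBase $domainNc -LDAPFilter "(&(objectClass=computer)(cn=$DcName))"

    # NTDS Settings child of the server object; if it is still there, metadata cleanup has not run.
    $ntdsSettings = $null
    if ($serverObj) {
        $ntdsSettings = Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=nTDSDSA)'
    }

    # FRS member object that the ntdsutil output reports removing. The container is absent
    # in domains that have migrated SYSVOL to DFSR, hence the try/catch.
    $frsMember = $null
    try {
        $frsContainer = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
        $frsMember = Get-ADObject -SearchBase $frsContainer `
            -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" -ErrorAction Stop
    } catch { }

    # ntdsutil accepts its menu commands as quoted arguments, so the whole sequence fits on one line.
    $ntdsutilCommand = $null
    if ($serverObj) {
        $ntdsutilCommand = "ntdsutil `"metadata cleanup`" `"remove selected server $($serverObj.DistinguishedName)`" quit quit"
    }

    [pscustomobject]@{
        NtdsutilTargetDn         = $serverObj.DistinguishedName
        DomainComputerDn         = $computerObj.DistinguishedName
        NtdsSettingsStillPresent = [bool]$ntdsSettings
        FrsMemberStillPresent    = [bool]$frsMember
        NtdsutilCommand          = $ntdsutilCommand
    }
}

Get-DcCleanupTargets -DcName 'DC-Name' | Format-List
```

Run it from one of the surviving DCs (or any machine with RSAT) before you start. If NtdsutilTargetDn comes back empty, the server object is already gone and there is nothing for metadata cleanup to do; if NtdsSettingsStillPresent is false but the server object remains, you are at the Sites and Services step described further down.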

When you do this correctly, it should look like this:

Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=<DC Name>,OU=Domain Controllers,DC=<domain>,DC=<suffix>".
Removing FRS member "CN=<DC name>,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=<domain>,DC=<suffix>".
Deleting subtree under "CN=<DC Name>,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=<domain>,DC=<suffix>".
Deleting subtree under "CN=<DC Name>,OU=Domain Controllers,DC=<domain>,DC=<suffix>".
The attempt to remove the FRS settings on CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix> failed because "Element not found.";
metadata cleanup is continuing.
"CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix>" removed from server "localhost"
 Yes, there is a line in there that says:
The attempt to remove the FRS settings on CN=<DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<suffix> failed because "Element not found."
This can be ignored. Microsoft actually says "Even though there was an error reported, the operation was successful. The error reported is misleading as the object in question was deleted by NTDSUTIL."

Now, go into Active Directory Sites and Services and delete the server object for the DC you are decommissioning. If it is the last DC in a particular site, you may need to reassign the subnets from that site to another site, depending on whether you are replacing that DC or not.



The DC should already be gone from the Domain Controllers OU in AD Users and Computers, but it's a good idea to check it anyway.
You will probably need to do some DNS cleanup too. Remove the "(same as parent folder)" Host (A) record from DNS for the IP address of the DC you removed. If that DC was a DNS server, there will probably be an NS record that you need to get rid of as well. Then, remove the A record for the computer name of the DC you removed. And finally, you will probably need to remove the A record for "(same as parent folder)" under _msdcs > gc.
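Hunting those records down by hand in the DNS console is tedious, so here is an added PowerShell script (my own example, not from the original post) that finds every record in the domain zone and its _msdcs zone that still points at the dead DC: the "(same as parent folder)" A records (stored with the name "@") for its IP address, the NS record naming it, the A record for its host name, and the gc records under _msdcs. It goes a little beyond the post by also catching SRV records that name the dead DC, since those are left behind for the same reason. By default it only reports; the -Remove switch deletes what it found. It assumes the DnsServer PowerShell module (RSAT or Windows Server 2012 and later), that _msdcs is delegated as its own zone (the default since Windows Server 2003), and that the DNS server you run it against is authoritative for both zones. domain.local, DC-Name and 10.0.0.5 are placeholders; the function name is mine.

```powershell
# Added example: list (and optionally delete) DNS records that still reference a removed DC.
# Assumes the DnsServer module; zone, host name and IP below are placeholders.
Import-Module DnsServer

function Get-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$ZoneName,     # e.g. domain.local
        [Parameter(Mandatory)][string]$DcHostName,   # short name of the dead DC, e.g. DC-Name
        [Parameter(Mandatory)][string]$DcIPAddress,  # e.g. 10.0.0.5
        [string]$DnsServer = 'localhost',            # DNS server to query / clean up
        [switch]$Remove                              # without this the function only reports
    )

    # NS and SRV data are stored as FQDNs with a trailing dot.
    $fqdn  = "$DcHostName.$ZoneName."
    $zones = @($ZoneName)

    # _msdcs.<domain> is normally its own zone; include it when it exists on this server.
    try {
        $null = Get-DnsServerZone -Name "_msdcs.$ZoneName" -ComputerName $DnsServer -ErrorAction Stop
        $zones += "_msdcs.$ZoneName"
    } catch { }

    $stale = foreach ($zone in $zones) {
        foreach ($r in (Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer)) {
            # $data is non-empty only when the record points at the dead DC.
            $data = switch ($r.RecordType) {
                'A' {
                    # Covers "(same as parent folder)" (HostName "@"), the gc records under
                    # _msdcs, and the DC's own host record.
                    $ip = "$($r.RecordData.IPv4Address)"
                    if ($ip -eq $DcIPAddress -or $r.HostName -eq $DcHostName) { $ip }
                }
                'NS'  { if ($r.RecordData.NameServer -eq $fqdn) { $r.RecordData.NameServer } }
                'SRV' { if ($r.RecordData.DomainName -eq $fqdn) { $r.RecordData.DomainName } }
            }
            if ($data) {
                [pscustomobject]@{
                    Zone   = $zone
                    Name   = $r.HostName
                    Type   = $r.RecordType
                    Data   = $data
                    Record = $r
                }
            }
        }
    }

    if ($Remove) {
        foreach ($s in $stale) {
            Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record `
                -ComputerName $DnsServer -Force
        }
    }

    $stale | Select-Object Zone, Name, Type, Data
}

# Report only; add -Remove once the list looks right.
Get-StaleDcDnsRecords -ZoneName 'domain.local' -DcHostName 'DC-Name' -DcIPAddress '10.0.0.5' |
    Format-Table -AutoSize
```

Review the report before using -Remove. In particular, if the replacement DC was given the dead DC's old IP address, the A-record match by IP will list the new DC's records as well, so in that case match on name only or clean those entries up by hand.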