Saagara's Blog

June 17, 2010

How to remove orphaned domains from Active Directory

Filed under: Active Directory (AD) — saagara @ 6:07 am

Typically, when the last domain controller for a domain is demoted, the administrator selects the This server is the last domain controller in the domain option in the DCPromo tool, which removes the domain metadata from Active Directory. This article describes how to remove the domain metadata from Active Directory if that option was not used, or if all of the domain's controllers were taken offline without being demoted first. CAUTION: Before manually removing the domain metadata, verify that replication has completed since the demotion of the last domain controller. Using the NTDSUTIL tool improperly can result in partial or complete loss of Active Directory functionality.

Removing Orphaned Domains from Active Directory

  1. Determine the domain controller that holds the Domain Naming Master Flexible Single Master Operations (FSMO) role. To identify the server holding this role:
    1. Start the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in from the Administrative Tools menu.
    2. Right-click the root node in the left pane titled Active Directory Domains and Trusts, and then click Operations Master.
    3. The domain controller that currently holds this role is identified in the Current Operations Master frame. NOTE: If the role was transferred recently, not all computers may have received the change yet because of replication latency. For more information about FSMO roles, see the following Microsoft Knowledge Base article:
      197132 (http://support.microsoft.com/kb/197132/ ) Windows 2000 Active Directory FSMO Roles
  2. Verify that all servers for the domain have been demoted.
  3. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  4. At the command prompt, type: ntdsutil.
  5. Type: metadata cleanup, and then press ENTER.
  6. Type: connections, and then press ENTER. This menu is used to connect to the specific server on which the changes will occur. If the currently logged-on user is not a member of the Enterprise Admins group, alternate credentials can be supplied before making the connection: type: set creds domainname username password, and then press ENTER. For a null password, type null for the password parameter.
  7. Type: connect to server servername (where servername is the name of the domain controller holding the Domain Naming Master FSMO Role), and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
  8. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  9. Type: select operation target, and then press ENTER.
  10. Type: list domains, and then press ENTER. A list of domains in the forest is displayed, each with an associated number.
  11. Type: select domain number, and then press ENTER, where number is the number associated with the domain to be removed.
  12. Type: quit, and then press ENTER. The Metadata Cleanup menu is displayed.
  13. Type: remove selected domain, and then press ENTER. You should receive confirmation that the removal was successful. If an error occurs, please refer to the Microsoft Knowledge Base for articles on specific error messages.
  14. Type: quit at each menu to quit the NTDSUTIL tool. You should receive confirmation that the connection disconnected successfully.

Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003

Windows Server 2003 domain controllers

  1. By default, Windows Server 2003 domain controllers support forced demotion. Click Start, click Run, and then type the following command:
    dcpromo /forceremoval
  2. Click OK.
  3. At the Welcome to the Active Directory Installation Wizard page, click Next.
  4. At the Force the Removal of Active Directory page, click Next.
  5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  6. In Summary, click Next.
  7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.
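The two ntdsutil procedures above (removing the orphaned domain, and the step 7 metadata cleanup of a force-demoted server) driven from PowerShell, as an added example that is not part of the original post or of the Microsoft KB text it reproduces. It assumes the RSAT ActiveDirectory module on the management host (Windows Server 2008 R2 or later, or a Windows Server 2003 DC with the Active Directory Management Gateway Service), that ntdsutil prints list entries as "<index> - <DN>", and that the server, site and domain names in the usage lines are placeholders. It refuses to remove a domain while any NTDS Settings object still advertises that naming context (step 2 of the procedure), and it confirms the result over LDAP instead of trusting ntdsutil's console text.

```powershell
# Added example; not code from the original post or from the KB articles it reproduces.
# Assumptions: RSAT ActiveDirectory module available; ntdsutil lists entries as
# "<index> - <DN>"; you hold Enterprise Admins rights on the servers named.
Import-Module ActiveDirectory

function Invoke-Ntdsutil {
    # ntdsutil accepts its menu commands as command-line arguments, one per argument;
    # PowerShell quotes the ones that contain spaces when it builds the command line.
    param([string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited $LASTEXITCODE`n$($out -join "`n")" }
    return $out
}

function Find-NtdsutilIndex {
    # Parses "list domains" / "list sites" / "list servers in site" output and returns
    # the index ntdsutil assigned to the entry whose DN equals $Name.
    param([string[]]$Listing, [string]$Name)
    foreach ($line in $Listing) {
        if ($line -match '^\s*(\d+)\s+-\s+(.+?)\s*$' -and $Matches[2] -ieq $Name) { return [int]$Matches[1] }
    }
    throw "ntdsutil did not list '$Name'"
}

function Get-CrossRef {
    # The crossRef under CN=Partitions is what "remove selected domain" deletes.
    param([string]$DomainDN, [string]$Server)
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -SearchBase "CN=Partitions,$configNC" `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$DomainDN))"
}

function Remove-OrphanedDomain {
    param([string]$DomainDN, [string]$NamingMaster)
    if (-not (Get-CrossRef -DomainDN $DomainDN -Server $NamingMaster)) {
        throw "$NamingMaster has no crossRef for $DomainDN (already removed, or wrong DN)"
    }
    # Step 2, checked against the directory: refuse while any NTDS Settings object still
    # claims to host the domain NC (hasMasterNCs covers pre-2003 schemas).
    $configNC = (Get-ADRootDSE -Server $NamingMaster).configurationNamingContext
    $hosts = Get-ADObject -Server $NamingMaster -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=nTDSDSA)(|(msDS-HasDomainNCs=$DomainDN)(hasMasterNCs=$DomainDN)))"
    if ($hosts) { throw "Refusing: DCs still advertise ${DomainDN}: $($hosts.DistinguishedName -join '; ')" }

    $menu = @('metadata cleanup', 'connections', "connect to server $NamingMaster", 'quit', 'select operation target')
    # Pass 1 lists domains to learn our index; indices are per-session, so pass 2 repeats
    # the listing, selects, backs out to the metadata cleanup menu and removes.
    $index = Find-NtdsutilIndex (Invoke-Ntdsutil ($menu + @('list domains', 'quit', 'quit', 'quit'))) $DomainDN
    Invoke-Ntdsutil ($menu + @('list domains', "select domain $index", 'quit', 'remove selected domain', 'quit', 'quit')) | Out-Null
    return ($null -eq (Get-CrossRef -DomainDN $DomainDN -Server $NamingMaster))
}

function Remove-DcMetadata {
    # Step 7 of the forced-demotion procedure, run against a surviving DC.
    param([string]$DemotedServer, [string]$SiteName, [string]$SurvivingDc)
    $configNC = (Get-ADRootDSE -Server $SurvivingDc).configurationNamingContext
    $siteDN   = "CN=$SiteName,CN=Sites,$configNC"
    $serverDN = "CN=$DemotedServer,CN=Servers,$siteDN"
    $menu = @('metadata cleanup', 'connections', "connect to server $SurvivingDc", 'quit', 'select operation target')
    $site = Find-NtdsutilIndex (Invoke-Ntdsutil ($menu + @('list sites', 'quit', 'quit', 'quit'))) $siteDN
    $srv  = Find-NtdsutilIndex (Invoke-Ntdsutil ($menu + @('list sites', "select site $site", 'list servers in site', 'quit', 'quit', 'quit'))) $serverDN
    # Windows Server 2003 ntdsutil raises a confirmation dialog here, so run interactively.
    Invoke-Ntdsutil ($menu + @('list sites', "select site $site", 'list servers in site', "select server $srv", 'quit', 'remove selected server', 'quit', 'quit')) | Out-Null
    # Success means the NTDS Settings (nTDSDSA) object under the server is gone.
    $ntds = Get-ADObject -Server $SurvivingDc -Filter * -SearchBase $serverDN -SearchScope OneLevel -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'nTDSDSA' }
    return ($null -eq $ntds)
}

# Usage (placeholders), only after replication has been verified as the CAUTION above requires:
# Remove-OrphanedDomain -DomainDN 'DC=child,DC=contoso,DC=com' -NamingMaster 'DC1.contoso.com'
# Remove-DcMetadata -DemotedServer 'DC9' -SiteName 'Default-First-Site-Name' -SurvivingDc 'DC1.contoso.com'
```

Both functions return $true only when the directory no longer shows the object, which is the check a practitioner wants before trusting the "removal was successful" message in step 13.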

If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.
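The verification the paragraph above asks for, as an added example that is not code from the post or the KB it reproduces. It walks every domain controller in the forest (which includes every global catalog) and reports any that still hold the removed naming context or its crossRef. It assumes the RSAT ActiveDirectory module, credentials that can read the configuration partition on each DC, and that $DomainDN is the distinguished name of the domain you removed.

```powershell
# Added example; not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DomainRemovalConverged {
    param([string]$DomainDN)
    $pending = @()
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
            $h = $dc.HostName
            try {
                $rootDse = Get-ADRootDSE -Server $h
                # namingContexts lists every NC this DC still holds, including the
                # read-only partial replicas a global catalog keeps for other domains.
                if ($rootDse.namingContexts -contains $DomainDN) {
                    $pending += "$h still holds naming context $DomainDN"
                }
                # The crossRef lives in the configuration partition, which every DC
                # replicates, so its deletion must have reached each one.
                $crossRef = Get-ADObject -Server $h `
                    -SearchBase "CN=Partitions,$($rootDse.configurationNamingContext)" `
                    -LDAPFilter "(&(objectClass=crossRef)(nCName=$DomainDN))"
                if ($crossRef) { $pending += "$h still has crossRef $($crossRef.DistinguishedName)" }
            } catch {
                # An unreachable DC is not proof of convergence; report it rather than skip it.
                $pending += "$h could not be checked: $($_.Exception.Message)"
            }
        }
    }
    # An empty list means it is safe to promote a new domain with the same name.
    return ,$pending
}

# Test-DomainRemovalConverged -DomainDN 'DC=child,DC=contoso,DC=com'
```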

If access control entries (ACEs) on the computer that you removed Active Directory from were based on domain local groups, those permissions may have to be reconfigured, because domain local groups are not available to member or stand-alone servers. If you plan to install Active Directory on the computer again to make it a domain controller in the original domain, you do not need to reconfigure the access control lists (ACLs). If you prefer to leave the computer as a member or stand-alone server, any permissions that are based on domain local groups must be translated or replaced. For more information about how permissions are affected after you remove Active Directory from a domain controller, see the following Microsoft Knowledge Base article:

320230 (http://support.microsoft.com/kb/320230/ ) Permissions are affected after you demote a domain controller
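One way to find and replace those permissions, as an added example that is not code from the post or the KB. After demotion the domain local groups survive in NTFS ACLs only as raw SIDs that the member server can no longer resolve; the first function lists them by trying to translate every SID itself, and the second re-creates each explicit stale ACE for a local group of your choice and removes the old one. $Path and the local group name are assumptions; inherited ACEs are reported but left alone, since they must be fixed at the parent.

```powershell
# Added example; not from the original post. $Path and $NewIdentity are placeholders.
function Get-UnresolvedAce {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        # Ask for SIDs explicitly, then translate each one ourselves: a SID that throws
        # IdentityNotMappedException belongs to a principal this server no longer knows.
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            try { [void]$rule.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
            catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Type      = $rule.AccessControlType
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

function Replace-UnresolvedAce {
    # Re-creates each explicit unresolved ACE for $NewIdentity (for example a local group)
    # with the same rights and inheritance flags, then drops the stale one. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$NewIdentity)
    $target = New-Object System.Security.Principal.NTAccount($NewIdentity)
    foreach ($entry in (Get-UnresolvedAce -Path $Path | Where-Object { -not $_.Inherited })) {
        $acl = Get-Acl -LiteralPath $entry.Path
        foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            if ($rule.IdentityReference.Value -ne $entry.Sid) { continue }
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                $target, $rule.FileSystemRights, $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType
            if ($PSCmdlet.ShouldProcess($entry.Path, "replace $($entry.Sid) with $NewIdentity")) {
                $acl.AddAccessRule($replacement)
                $acl.RemoveAccessRuleSpecific($rule)
                Set-Acl -LiteralPath $entry.Path -AclObject $acl
            }
        }
    }
}

# Get-UnresolvedAce -Path 'D:\Shares' | Format-Table -AutoSize
# Replace-UnresolvedAce -Path 'D:\Shares' -NewIdentity 'BUILTIN\Users' -WhatIf
```

Run the first function and review its output before the second: an unresolved SID is not always a former domain local group, and a Deny ACE that is silently replaced can widen access.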

If the domain controller cannot start in normal mode

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Important Follow these steps only as a last resort if the domain controller cannot start in normal mode.

To remove Active Directory from a domain controller, follow these steps:

  1. Restart the computer, and then press F8 to display the Windows 2000 Advanced Options menu.
  2. Choose Directory Services Restore Mode, press ENTER, and then press ENTER again to continue restarting.
  3. Modify the ProductType entry in the registry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
    3. In the right-pane, double-click ProductType.
    4. Type ServerNT in the Value data box, and then click OK. Note: If this value is not set correctly or is misspelled, you may receive the following error message:
      System Process – License Violation: The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted.
    5. Quit Registry Editor.
  4. Restart the computer.
  5. Log on with the Administrator account and the password that is used for Directory Services Restore Mode. The computer now behaves as a member server. However, some files and registry entries associated with the domain controller role remain on the computer.
  6. Start Registry Editor and locate the following registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    If there is an entry for Src Root Domain Srv, right-click the value and then click Delete. This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion.

    Important The above step is critical. Without it the re-promotion into the temporary AD forest will not complete and you will not be able to log on to the domain controller.

  7. Remove the remaining files and registry entries. To do this, follow these steps:
    1. Start the Active Directory Installation Wizard.
    2. Install Active Directory to make the computer a domain controller for a new, temporary domain, such as “psstemp.deleteme.” Note: Make sure that you make the computer a domain controller in a different forest.
    3. After you install Active Directory, start the Active Directory Installation Wizard again, and then remove Active Directory from the domain controller.
  8. After you remove Active Directory from a domain controller, remove metadata that is left in the domain. For more information about how to remove this metadata, click the following article number to view the article in the Microsoft Knowledge Base:
    216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in Active Directory after an unsuccessful domain controller demotion
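Steps 3 and 6 of the procedure above as a script, added here as an example that is not code from the post or the KB it reproduces. It is meant to run elevated in Directory Services Restore Mode: each key is exported with reg.exe before it is touched (the backup KB 322756 asks for), ProductType is read back and compared case-sensitively because anything other than exactly ServerNT produces the license-violation error quoted above, and the Src Root Domain Srv value is only removed if it exists. $BackupDir is an assumption; both functions honour -WhatIf.

```powershell
# Added example; not from the original post. Run elevated in Directory Services Restore Mode.
function Backup-RegistryKey {
    # reg.exe export is the scripted form of the registry backup the KB recommends.
    param([string]$KeyPath, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($KeyPath -split '\\')[-1] + '.reg')
    & reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $KeyPath failed" }
    return $file
}

function Set-MemberServerProductType {
    # Step 3: mark the machine as a member server (ProductType = ServerNT) for the next boot.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupDir = 'C:\RegBackup')   # assumption
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
    if (-not $PSCmdlet.ShouldProcess($key, 'set ProductType to ServerNT')) { return }
    $backup = Backup-RegistryKey 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' $BackupDir
    Set-ItemProperty -Path $key -Name ProductType -Value 'ServerNT' -Type String
    # Read back and compare case-sensitively: the value must be exactly ServerNT.
    $after = (Get-ItemProperty -Path $key).ProductType
    if ($after -cne 'ServerNT') { throw "ProductType reads '$after'; restore $backup before rebooting" }
    return $after
}

function Remove-SrcRootDomainSrv {
    # Step 6, after the reboot: delete the value so the DC treats itself as the only DC
    # of the temporary domain when it is promoted again. Returns $true once it is gone.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupDir = 'C:\RegBackup')   # assumption
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Src Root Domain Srv'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties[$name]) { return $true }   # nothing to delete
    if (-not $PSCmdlet.ShouldProcess($key, "delete value '$name'")) { return $false }
    Backup-RegistryKey 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $BackupDir | Out-Null
    Remove-ItemProperty -Path $key -Name $name
    return ($null -eq (Get-ItemProperty -Path $key).PSObject.Properties[$name])
}

# Set-MemberServerProductType          # then restart (step 4) and log on (step 5)
# Remove-SrcRootDomainSrv              # step 6, before re-promoting into the temporary forest
```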


June 1, 2010

Step By Step Guide for Windows Server 2003 Domain Controller and DNS Server Setup

Filed under: Active Directory (AD) — saagara @ 1:47 pm

Windows Server 2003 includes all the functionality customers expect from a mission critical Windows Server operating system, such as security, reliability, availability, and scalability. In addition, Microsoft has improved and extended the Windows server product family to enable organizations to experience the benefits of Microsoft .NET—a set of software for connecting information, people, systems, and devices.

This tutorial explains how to create the first domain controller (DC) in your network or company, including DNS server setup on Windows Server 2003. You have to install a DNS server for the DC: without DNS, client computers cannot locate the DC, because they find it through the SRV records that Active Directory registers in DNS. DNS can also be hosted on a server other than the DC.

Before starting the DC installation, make sure of the following points:

  • You have completed a basic Windows Server 2003 installation.
  • You have assigned a static IP address to the server.

Now start the DC and DNS setup process.

First, go to Start–>All Programs–>Administrative Tools–>Manage Your Server.

Here, select Add or remove a role.

Verify the preliminary steps listed, then click Next.

Select Domain Controller as the server role and click Next.

On the Summary of Your Selections page, click Next.

The Active Directory Installation Wizard starts; click Next.

Click Next on the operating system compatibility page.

On the next page, keep the default option, Domain controller for a new domain, and click Next.

In this tutorial we create a domain in a new forest, because this is the first DC, so keep that option selected.

Now we have to choose a name for our domain. If you own a public domain such as windowsreference.com you can use it, but it is not recommended, because computers inside the domain may then be unable to reach the company website of the same name. Active Directory domain names do not need to be registered public domains; they can be anything you wish, so this tutorial uses windowsreference.int. Be aware that .int is a live top-level domain, so a suffix you do not control can collide with a real name; current practice is to use a subdomain of a domain you do own, such as ad.example.com.

To keep things simple, accept the default NetBIOS name, WINDOWSREFERENC. NetBIOS domain names are limited to 15 characters, so the wizard truncates the first DNS label.

The next dialog suggests storing the AD database and log files on separate hard disks; you can leave the default paths.

The SYSVOL folder is a shared folder replicated to every DC; it holds items such as Group Policy templates and .MSI packages for software distribution. Leave the default path or change it as needed.

The next screen says that a DNS server is needed for everything to work as intended (that is, for windowsreference.int to be resolvable). We install DNS on this machine; if you want to host DNS elsewhere, choose accordingly. Select Install and configure... and click Next.

On the Permissions page, choose the compatibility setting. Select the first option (Permissions compatible with pre-Windows 2000 server operating systems) only if you still have Windows NT 4.0 servers that need it: it adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which allows anonymous enumeration of users and groups. Otherwise select the second option (Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems) and click Next.

The Directory Services Restore Mode password is the one password every administrator hopes never to use but must never forget, because it is what lets you log on to a DC that can no longer start normally. Choose a strong one, store it securely, and click Next.

A summary of what will happen is shown; click Next.

The Active Directory installation starts and can take several minutes. You will likely be prompted for the Windows Server 2003 CD (for the DNS server files), so have it handy.

On the finish screen, click Finish.

Select Restart Now to reboot the server.

After the reboot, the logon dialog offers the new domain as a logon option.

After logging in, Manage Your Server shows the server's new role as a domain controller.

That's it: the server is now configured as a domain controller and DNS server.
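The same promotion run unattended, as an added example that is not part of the original tutorial. It first checks the static IP prerequisite listed above, then writes a dcpromo answer file and runs dcpromo against it. The [DCInstall] keys follow the Windows 2000/Windows Server 2003 dcpromo answer-file format and should be checked against your platform's unattend reference before use; AllowAnonymousAccess=No is taken to be the answer-file form of the second (Windows 2000/2003-only) permissions option. The domain name, paths, NetBIOS name and DSRM password are assumptions.

```powershell
# Added example; not from the original tutorial. Verify the [DCInstall] keys against the
# unattend reference for your Windows Server version before relying on them.
function Test-StaticIpAddress {
    # A DC that also hosts DNS must not obtain its address from DHCP.
    $dhcpNics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.DHCPEnabled }
    return (-not $dhcpNics)
}

function New-DcPromoAnswerFile {
    param([string]$DnsName, [string]$NetBiosName, [string]$SafeModePassword, [string]$Path)
    if ($NetBiosName.Length -gt 15) { throw 'NetBIOS domain names are limited to 15 characters' }
    $content = @"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=$DnsName
DomainNetBiosName=$NetBiosName
AutoConfigDNS=Yes
DatabasePath=C:\WINDOWS\NTDS
LogPath=C:\WINDOWS\NTDS
SYSVOLPath=C:\WINDOWS\SYSVOL
AllowAnonymousAccess=No
SafeModeAdminPassword=$SafeModePassword
RebootOnSuccess=No
"@
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

function Install-FirstDomainController {
    param([string]$DnsName, [string]$NetBiosName, [string]$SafeModePassword)
    if (-not (Test-StaticIpAddress)) { throw 'Assign a static IP address before promoting this server' }
    $answer = New-DcPromoAnswerFile -DnsName $DnsName -NetBiosName $NetBiosName `
        -SafeModePassword $SafeModePassword -Path (Join-Path $env:TEMP 'dcpromo.txt')
    try {
        # dcpromo is a GUI executable, so wait on the process rather than on the call operator.
        $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:`"$answer`"" -Wait -PassThru
        return $proc.ExitCode
    } finally {
        # The answer file holds the DSRM password in clear text: remove it even on failure.
        Remove-Item -LiteralPath $answer -Force -ErrorAction SilentlyContinue
    }
}

# Install-FirstDomainController -DnsName 'windowsreference.int' -NetBiosName 'WINDOWSREFERENC' `
#     -SafeModePassword (Read-Host 'DSRM password')
# RebootOnSuccess=No leaves the restart to you, so the answer file can be scrubbed first.
```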

A step-by-step guide to installing Windows Server 2003 itself is covered in a separate post.

Theme: Rubric. Blog at WordPress.com.
