At any stage you can add and remove domain controllers from Active Directory. This video looks at how to remove the last domain controller from a child domain. When this occurs, the Active Directory database will be removed and with it anything that was stored in it. This video looks at how to remove a child domain; however, the same process could be used to remove the last domain controller in the forest.
Demo at 03:46
If you need to remove a domain controller that has failed from Active Directory, refer to video http://itfreetraining.com/70-640/seizing-roles/.
Operational Master Roles
If the domain controller is holding any operational master roles, these can be moved manually, or DCPromo will automatically move them to another domain controller when the domain controller is demoted. Refer to our video on moving operational master roles for information on how to move them: http://itfreetraining.com/70-640/moving-operation-roles/.
If you want to check if your domain controller is holding any operational master roles you can run the following command from the command prompt:
NetDom Query FSMO
Global Catalog Servers
If you are removing a domain controller that is a global catalog server, you should consider the effect that this will have on your domain. Even in a single-forest, single-domain environment, global catalog servers are used by applications to perform searches in Active Directory. For this reason you should always have at least one domain controller in your domain. Refer to http://itfreetraining.com/70-640/global-catalog-servers/ for information about the role a global catalog server has on your network.
Effects of removing the database
Before removing the last domain controller, and thus Active Directory, you should consider what is stored in Active Directory and therefore what you are losing. Removing the database will remove any accounts in that domain and will also remove any certificates that are stored in Active Directory. Before removing the last domain controller, it is recommended that the domain controller be shut down for a period of time before it is demoted. If no problems are found, start the domain controller back up and then demote it.
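The checks described above (operational master roles, global catalog status, other domain controllers, and what is stored in the database) can be gathered in one read-only report before demoting. This is an added example, not from the video; it assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 or later) and that it is run on the domain controller being removed. The function name Get-DemotionReport is hypothetical.

```powershell
# Added example: read-only report, makes no changes to the directory.
# Assumes the ActiveDirectory module and that it runs on the DC being removed.
Import-Module ActiveDirectory

function Get-DemotionReport {          # hypothetical helper name
    param([string]$Server = $env:COMPUTERNAME)

    $dc   = Get-ADDomainController -Identity $Server
    # Every domain controller still registered in this DC's domain.
    $all  = @(Get-ADDomainController -Filter * -Server $dc.HostName)
    $rest = @($all | Where-Object { $_.HostName -ne $dc.HostName })

    # Accounts and published certificates that are lost with the database
    # if this is the last domain controller in the domain.
    $users = @(Get-ADUser     -Filter * -Server $dc.HostName)
    $comps = @(Get-ADComputer -Filter * -Server $dc.HostName)
    $certs = @(Get-ADObject -LDAPFilter '(userCertificate=*)' -Server $dc.HostName)

    New-Object PSObject -Property @{
        DomainController = $dc.HostName
        Domain           = $dc.Domain
        RolesHeld        = @($dc.OperationMasterRoles)  # same data as NetDom Query FSMO
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        OtherDCs         = @($rest | ForEach-Object { $_.HostName })
        OtherGCsInDomain = @($rest | Where-Object { $_.IsGlobalCatalog } |
                             ForEach-Object { $_.HostName })
        IsLastDCInDomain = ($rest.Count -eq 0)
        UserAccounts     = $users.Count
        ComputerAccounts = $comps.Count
        ObjectsWithCerts = $certs.Count
    }
}

$report = Get-DemotionReport
$report | Format-List

if ($report.IsLastDCInDomain) {
    Write-Warning "Last domain controller in $($report.Domain): demoting it removes the domain and its database."
} elseif ($report.IsGlobalCatalog -and $report.OtherGCsInDomain.Count -eq 0) {
    Write-Warning "No other global catalog server remains in $($report.Domain)."
}
```

OtherDCs lists every domain controller still registered in the database, including ones that are no longer operational, so compare it against what is actually running on the network.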
To check if the domain controller is holding any operational master roles, run the command:
NetDom Query FSMO
To demote the server, run the command DCPromo. The wizard will ask you if this is the last domain controller in the domain. If this domain controller is the last domain controller, tick this box. If you still have other functional domain controllers on the network, you should remove these before ticking this box to ensure the domain is removed cleanly. If there are domain controllers that are still in the domain but are not operational, and thus will not be used on the network again, tick the option "This is the last domain controller in the domain". Ticking this box will remove the domain even if there are domain controllers that are still registered in the Active Directory database.
If you are getting errors in DCPromo, run DCPromo with the /forceremoval switch and it will ignore these errors.
DCPromo will ask you to set a local administrator password. When Active Directory has been removed, you will need this password to log in locally to the server. If you still have a domain controller left in the domain, the server will become a member server and you can still use a domain account to log in to the server.