This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 50%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Hello,
We have couple of Windows Server 2008 R2 Domain Controller in my Domain, out of which one DC is failed & we unable to bring it back to the network.
I came to know some articles where it has been stated to delete the DC object directly from ADUC & ADSS. I just want to understand what are the right steps to follow so we can remove the failed DC with no metadata footprint.
Thanks.
Hi
Make sure that DC is offline, and will stay offline first.
After that you can delete the computer account from the ADUC's console, it will prompt you a message, that if you forcelly remove it, say yes. It will remove reference to it from ntdsutil.
You will need to clean the DNS's zone afterhand, as some entry might still reference it.
Make sure your DHCP no longer give that DC IP.
Except that, it should be clean after.
Thanks
If I delete the DC object from AD users-computers & AD site-Services, I don't need to do the metadata cleanup from NTDSUTIL, right? (as we are having Windows Server 2008 DC)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
These operations are one and the same.
--please don't forget to upvote and Accept as answer if the reply is helpful--
One more question, Do I need to first seize the FSMO roles owned by this failed DC before deleting the failed DC object from ADUC & ADS&S or Do the deletion of failed DC object directly from ADUC-ADS&S console will transfer the roles hold by that failed DC to available DC?
Yes, seize roles to another healthy domain controller
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
then do the cleanup (links above)
before standing up a replacement.
I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new one, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health.
--please don't forget to upvote and Accept as answer if the reply is helpful--
You can follow along here to do the cleanup.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello Raj A,
This step-by-step guide will help you achieve it completely:
Hope this answers your query,
Best regards,
