How to Remove a Failed Active Directory Domain Controller

Overview

One of your domain controllers is pooched and you have better odds of winning the lottery than bringing it back online. Usually, when removing a domain controller you would just demote it, but how do you remove a hopelessly failed domain controller from the domain? Forcefully. There are a couple of methods and this tutorial will show you both. The process hasn’t changed much since Windows Server 2003. It’s also a lot easier than you think, though it may require some command-line-fu.

This method is used only when you have more than one domain controller in the affected domain (best practice). If there is only one and it has failed, you will need to restore your domain from backup instead.

Preparing for Demotion

Before we begin the process of demoting the failed domain controller, we need to do some prep work. This is to protect us from problems that are unlikely but not impossible. It’s always better to be prepared for the worst case.

  1. Make sure you know the Directory Services Restore Mode (DSRM) password for the domain controller being used to back up the domain and/or forest. If you do not have a record of it, you should reset the DSRM password.
  2. Perform a system state backup of a working domain controller in the affected domain before demoting the DC.

Forcibly Remove the Failed Domain Controller

If you cannot log onto the failed domain controller, you cannot demote it. Instead, we have to forcibly delete its object and all references to it. By far the easiest way of accomplishing this is by using the Active Directory Users and Computers console.

  1. Log onto a server or desktop with RSAT installed.
  2. Launch the Active Directory Users and Computers console.
  3. From the navigation tree on the left side of the console, expand the forest name, and select the Domain Controllers OU.
  4. Right-click the failed domain controller and then select Delete. The domain controller’s object and all references will be removed from Active Directory.

After deleting the domain controller, allow an appropriate amount of time for the deletion to replicate throughout your forest. How long depends on the complexity of your environment. A single domain forest with a few domain controllers will replicate within seconds. A large, multi-site, multi-domain forest may take a few hours or more.
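To see whether the deletion has actually replicated, the following PowerShell script (an added example, not from the original article) asks every remaining domain controller whether it still holds the failed DC’s computer object, its server object under CN=Sites, and that server’s NTDS Settings object. It assumes the RSAT ActiveDirectory module is installed and uses `$FailedDC` as a placeholder for the failed DC’s hostname.

```powershell
# Added example: report which remaining domain controllers still hold objects for a
# deleted DC. $FailedDC is a placeholder for the failed DC's hostname (assumption).
param([Parameter(Mandatory = $true)][string]$FailedDC)
Import-Module ActiveDirectory

# Query every DC except the failed one, so the replication state of each is visible
$liveDCs = (Get-ADDomainController -Filter *).HostName |
    Where-Object { $_ -notlike "$FailedDC.*" -and $_ -ne $FailedDC }

$report = foreach ($dc in $liveDCs) {
    $root = Get-ADRootDSE -Server $dc
    # 1. The computer object in the Domain Controllers OU (what ADUC deletes)
    $computer = Get-ADObject -Server $dc -LDAPFilter "(&(objectClass=computer)(cn=$FailedDC))" `
        -SearchBase "OU=Domain Controllers,$($root.defaultNamingContext)"
    # 2. The server object under CN=Sites in the configuration partition
    $server = Get-ADObject -Server $dc -LDAPFilter "(&(objectClass=server)(cn=$FailedDC))" `
        -SearchBase "CN=Sites,$($root.configurationNamingContext)"
    # 3. Its NTDS Settings child, which is what makes other DCs treat it as a replica
    $ntds = if ($server) {
        Get-ADObject -Server $dc -LDAPFilter "(objectClass=nTDSDSA)" `
            -SearchBase $server.DistinguishedName -SearchScope OneLevel
    }
    [PSCustomObject]@{
        QueriedDC      = $dc
        ComputerObject = [bool]$computer
        ServerObject   = [bool]$server
        NtdsSettings   = [bool]$ntds
    }
}

$report | Format-Table -AutoSize
$lingering = $report | Where-Object { $_.ComputerObject -or $_.ServerObject -or $_.NtdsSettings }
if ($lingering) {
    Write-Warning "$FailedDC is still referenced on $(@($lingering).Count) DC(s); wait for replication and re-check."
} else {
    Write-Output "No references to $FailedDC remain on any queried domain controller."
}
```

Run it again after the replication delay; a DC that keeps reporting a server or NTDS Settings object is the one whose metadata needs the manual verification described in the next section.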

Verify Removal of Failed Domain Controller’s Metadata

It is not often that a deleted domain controller’s metadata remains, but it does happen. You should always verify the deletion is complete.

  1. Log onto a server or desktop with RSAT installed.
  2. Launch the Active Directory Sites and Services console.