Export (0) Print
Expand All
2 out of 3 rated this helpful - Rate this topic

RODC Removal and Reinstallation

Updated: April 10, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic describes the different options and steps for removing a read-only domain controller (RODC) from a domain. The following are the basic methods for removing Active Directory Domain Services (AD DS) from an RODC:

  • You can remove AD DS and the RODC computer account in a single operation by using an account that is a member of the Domain Admins or Enterprise Admins groups.

  • You can remove AD DS and the RODC computer account by using a two-stage operation, in which an RODC delegated administrator removes AD DS from the RODC and then a member of Domain Admins or Enterprise Admins removes the RODC computer account.

  • A delegated RODC administrator can remove AD DS from a computer—to repair the software installation or even replace the hardware—and then reinstall the RODC without intervention from a member of Domain Admins or Enterprise Admins.

noteNote
If the RODC was compromised or stolen, see Securing Accounts After an RODC Is Stolen.

All of these procedures use the Active Directory Domain Services Installation Wizard (Dcpromo.exe), which you can complete by using graphical, command-line, or answer file options. The following sections describe how to perform each of these operations.

To remove an RODC from the domain completely, you can use the Active Directory Domain Services Installation Wizard. If you use an account that is a member of Domain Admins to perform the procedure, you can remove AD DS from the RODC and remove the RODC computer account in one operation (as opposed to using a two-stage approach). Because this procedure is identical to removing a typical Windows Server 2008 domain controller, see Removing a Domain Controller from a Domain for the procedure.

noteNote
If you run the Active Directory Domain Services Installation Wizard to remove AD DS from an RODC using an account that is a member of Enterprise Admins or Domain Admins, the RODC account (including all related metadata) is removed without any prompting.

A delegated RODC administrator has the ability to remove AD DS from an RODC. However, to remove an RODC computer account from the directory, membership in Domain Admins or Enterprise Admins (or equivalent permissions) is required. The following sections describe three methods that an RODC administrator can use to remove AD DS from the RODC, after which a domain administrator can remove the RODC account from the directory.

The following three sections describe the different methods that a delegated RODC administrator can use to remove AD DS from an RODC.

To remove AD DS from the RODC, you can use a delegated RODC administrator account or an account that is a member of Domain Admins or Enterprise Admins. To learn more about delegated RODC administrator accounts, see Delegating local administration of an RODC.

Perform the following procedure on the RODC in order to remove AD DS by using the Active Directory Domain Services Installation Wizard.

  1. Open an elevated Command Prompt window on the RODC that you want to remove. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. At the command prompt, type dcpromo /RetainDCMetadata:yes, and then press ENTER.

  3. Click Next. If the RODC is functioning as a global catalog server, you must click OK to confirm to confirm its removal.

    noteNote
    If you remove an RODC by using the Active Directory Domain Services Installation Wizard, you do not specify whether to retain domain controller metadata, and you are using a delegated RODC administrator account that is not a member of the Domain Admins or Enterprise Admins groups, you can click Yes to remove AD DS without removing metadata when you are prompted to do so, as shown in the following illustration.

    RODCRetainMetadataPrompt
  4. On the Delete the Domain page, click Next.

  5. On the Administrator Password page, enter and then confirm the password that you want to set for the Administrator account after the RODC is removed from the domain. Click Next.

  6. On the Summary page, click Next. An additional dialog box indicates the progress of the removal operation. You can select the Reboot on completion check box, and the RODC will restart when AD DS is removed. If you do not select this check box, you will be prompted to click Finish when the domain controller demotion is complete and you will be prompted to restart. You must restart the computer to complete the removal of AD DS.

Perform the following procedure on the RODC in order to remove AD DS by using the command line or an answer file. If you are running the RODC on the Server Core installation option of Windows Server 2008 you must remove AD DS by using the command line or an answer file.

  1. Open an elevated Command Prompt window on the RODC that you want to remove. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Type dcpromo /unattend /administratorpassword:<password>, and then press ENTER. Replace <password> with the password that you want to use for the administrator account when AD DS is removed.

If you want to include an answer file in the process, you can create one. The answer file requires only two lines: [DCInstall] and administratorpassword=<password>. For example, if you want to have the administrator password become Tmgr@t09hJ after AD DS is removed, you can create the following entries in the answer file:

[DCInstall]
administratorpassword= Tmgr@t09hJ

Assuming that you placed the answer file in a folder named AnswerFiles on the C: drive, use the following command to remove AD DS from the RODC: dcpromo /unattend:C:\answerfiles\rodcremove.txt. If you are using an account that is a member of Domain Admins or Enterprise Admins and you want the RODC computer account and metadata to be retained (so that the same account and name can be used for a future RODC installation), you should also type /retainDCMetadata:yes at the command line or add a line that reads retainDCMetadata=yes into the answer file: otherwise, the RODC computer account and metadata will be removed. If you are using a delegated RODC administrator account, you cannot remove the RODC computer account or metadata.

If a delegated RODC administrator account is used to remove AD DS from the RODC, the /retainDCMetadata:yes command is used at the command line, or retainDCMetadata=yes is used in an answer file during RODC removal, the computer account and metadata are retained. The RODC computer account can be removed as a separate operation (stage two of the two-stage process).

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete these procedures. As a security best practice, consider using Runas to perform this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

If AD DS is already removed from the RODC computer, you can easily remove the computer account by using the Active Directory Users and Computers or Active Directory Sites and Services snap-ins.

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

  3. In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).

  4. In the details pane, right-click the RODC computer account, and then click Delete.

  5. When you are prompted, click Yes to continue with the removal of the RODC account. At this point, the Deleting Domain Controller dialog box appears. If the RODC was not compromised or stolen, you can clear all the check boxes in this dialog box and then click Delete. If the RODC was compromised or stolen, see Securing Accounts After an RODC Is Stolen.

  6. Next, another Delete Domain Controller dialog box appears, asking you to confirm metadata deletion. Click OK to continue with the RODC computer account removal.

  7. If the domain controller was also a global catalog server, you are asked again to confirm that you want to continue the deletion. Click Yes to continue.

noteNote
Unlike previous versions of Active Directory, Windows Server 2008 AD DS also removes metadata when a domain controller’s computer account is removed.

Although it requires a bit more typing, you can use the ntdsutil to remove the RODC computer account. To do so, complete the following steps:

  1. Open an elevated Command Prompt window on any Windows Server 2008 domain controller in the forest of the RODC that you want to remove. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Type ntdsutil and press ENTER.

  3. Type metadata cleanup and press ENTER.

  4. Type connections and press ENTER.

  5. Type connect to domain <domainname> and press ENTER. Substitute the actual domain name to which you want to connect for <domainname>. For example, if you want to connect to a domain named hq.cpandl.com, you would type connect to domain hq.cpandl.com and press ENTER.

  6. Type connect to server <servername> and press ENTER. Substitute the actual server name for the server to which you want to connect. For example, if you want to connect to a domain controller named WS2008A in the hq.cpandl.com domain, you would type connect to server ws2008a.hq.cpandl.com and press ENTER.

  7. Type quit and press ENTER to the metadata cleanup prompt.

  8. Type select operation target and press ENTER.

  9. Type list domains and press ENTER. Note the sequential numbers that appear next to the domains that are listed. You must select the domain that contains the RODC account that you want to remove in the next step. To do so, you will need to know the number that represents that domain.

  10. Type select domain <number> and press ENTER. Substitute the actual number for the domain you want to select for <number>. For example, if the number assigned to the domain you want to select is 0, then type select domain 0 and press ENTER.

  11. Type list sites and press ENTER. Take note of the sequential numbers that appear next to the listed sites. You will need to select the site that contains the RODC account that you want to remove by the number assigned to that site in the next step.

  12. Type select site <number> and press ENTER. Substitute the number assigned to the site in which the RODC resides for <number>. For example, if the site where the RODC resides is numbered 5, then you would type select site 5 and press ENTER.

  13. Type list servers in site and press ENTER. Note the sequential number listed for the RODC account that you want to remove.

  14. Type select server <number> and press ENTER. Substitute the number listed for the RODC account you want to remove for <number>. For example, if the RODC you want to remove is listed as 1, you would type select server 1 and press ENTER.

  15. Type list naming contexts and press ENTER. Note the sequential numbers that appear next to the listed data partitions. You will select the domain naming context that contains the RODC account in the next step. This is the naming context that represents the domain from which you want to remove the RODC. For example, if you are trying to remove an RODC from the hq.cpandl.com domain, you would select the naming context that is listed as DC=hq,DC=cpandl,DC=com.

  16. Type select naming context <number> and press ENTER. Substitute the actual number assigned to the naming context that contains the RODC account you want to remove for <number>. For example, if you want to remove an RODC account from a naming context that is assigned number 3, then you would type select naming context 3 and press ENTER.

  17. Type quit and press ENTER to return to the metadata cleanup prompt.

  18. Type remove selected server and press ENTER.

  19. On the Server Remove Confirmation Dialog dialog box, review the information presented. Click Yes, if the RODC account you want to remove is specified in the dialog box. If not, click No, and perform the appropriate steps above to connect to the correct RODC account.

Once you have clicked Yes to remove the account, you should see confirmation of the removal in the ntdsutil application. You can type quit twice to exit the ntdsutil prompt and then type exit to close the Command Prompt Window.

A delegated RODC administrator or a member of the Domain Admins or Enterprise Admins groups can reinstall an RODC using the same account name, as long as the account was retained after AD DS was removed from an RODC. The RODC computer account is retained in the following circumstances:

  1. If AD DS was removed by a delegated RODC administrator who was not a member of Domain Admins or Enterprise Admins.

  2. If a member of Domain Admins or Enterprise Admins specified set RetainDCMetadata to yes in an answer file or at the command line.

Conversely, if a member of Domain Admins or Enterprise Admins removed AD DS from the RODC using any method without specifying RetainDCMetadata and setting it equal to yes, the RODC computer account was not retained.

noteNote
Unlike other dcpromo options, the /UseExistingAccount:Attach option is available only at the command line and it cannot be placed in an answer file.

To reinstall an RODC, complete the following steps:

  1. Open an elevated Command Prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type dcpromo /UseExistingAccount:Attach, along with any other options that you want to specify, and then press ENTER. For information about the options, see the section titled Performing a Staged RODC Installation by Using an Answer File in Performing a Staged RODC Installation (http://go.microsoft.com/fwlink/?LinkId=129193) and Demotion Operation (http://go.microsoft.com/fwlink/?LinkId=129194).

    noteNote
    If you run dcpromo without specifying /UseExistingAccount:Attach, you will eventually receive a prompt asking you whether you want to use the existing computer account. Conversely, if you are performing an unattended installation and you do not specify /UseExistingAccount:Attach, an error message appears. The error indicates that an existing account was detected and that you must attach to that account at the command line.

    RODC existing account detected

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.