Removing Active Directory

Use the same application to remove Active Directory that you use to install it — the Active Directory Installation Wizard. When you start the wizard on a domain controller, the system is identified as a server that contains Active Directory, and the wizard prompts you for the information that is required to remove Active Directory.

Note

For all domain controllers, the Active Directory Installation Wizard removes the shortcuts to Group Policy security settings, and it restores the shortcut on the Administrative Tools menu to provide access to the local security settings for the member server or for the stand-alone server.

Figure 2.10 shows the pathways that are followed by the wizard to change a computer from a domain controller to either a stand-alone server or a member server.


Figure 2.10 Servers That Are Created by Removing Active Directory

Administrative Credentials

To remove Active Directory, you must provide administrative credentials as follows:

  • To remove Active Directory from a domain controller that is the last domain controller in a child domain, you must provide enterprise administrator credentials or be a member of the Enterprise Admins group.

  • To remove Active Directory from a domain controller that is the last domain controller in a tree-root domain, you must provide credentials for or be logged on as a member of the Enterprise Admins group.

  • To remove Active Directory from a domain controller that is the last domain controller in the forest, you must log on to the domain as Administrator or as a member of the Domain Admins group.

  • To remove Active Directory from a domain controller that is not the last domain controller in the domain, you do not have to provide credentials. However, you must be logged on as a member of either the Domain Admins group or the Enterprise Admins group.

Removal from an Additional Domain Controller or the Last Domain Controller

When you remove Active Directory from either an additional domain controller or from the last domain controller in the domain, the following operations are common to both procedures. If any operation fails, the removal of Active Directory cannot proceed.

  • Replication of changes to the configuration directory partition and the schema directory partition. For an additional domain controller, changes to the domain directory partition are replicated as well.

  • Transfer of any single-master roles that the domain controller is holding to another domain controller.

Note

In the case of the last domain controller in the domain, transfer would apply only to the forestwide, single-master roles of a schema master or a domain-naming master.

  • Removal of the system volume objects from the directory database; removal of the system volume objects from the NtFrs database; and deletion of the Sysvol directory hierarchy (NtFrs). NtFrs requests that Net Logon remove the share from the system volume.

  • Removal of the NTDS Settings object and cross-reference objects.

  • Updating of DNS to remove the domain controller Locator records. (When the NTDS Settings object is deleted, the DSA notifies the Net Logon service, and the Net Logon service removes the records.)

  • Creation of the local SAM database in the same manner as during a fresh installation, including creation of the administrator account and setting the password.

  • Modification of the LSA membership policy to distinguish whether the computer is a stand-alone server or a member server.

  • Stopping Net Logon and other services. The same services that were started during the Active Directory installation procedure are stopped. Services that relate only to the directory service are configured not to start automatically.

Removal of an Additional Domain Controller

The following operations are specific to removing an additional domain controller. If any operation fails, domain controller demotion cannot proceed.

  • Location of a source domain controller in the same domain where the additional domain controller account exists and connecting to it in order to replicate changes.

  • Setting the computer account type to member server and moving the computer account for the additional server from the Domain Controllers container to the Computers container.

Removal of the Last Domain Controller

The following operations are specific to removing the last domain controller in the domain. If any operation fails, domain controller demotion cannot proceed.

  • Checking that no child domains exist. If none is found, Active Directory removal proceeds.

  • Location of a source domain controller in the parent domain and connecting to that source domain controller in order to replicate changes.

  • Removal of Active Directory objects from the forest that are specific to this domain. The wizard contacts the domain naming master and removes the NTDS Settings and cross-reference objects.

  • Removal of trust objects on the parent server. The trustedDomain objects in the System folder are deleted.

  • Placement of the server in a workgroup called "Workgroup."

If the NTDS Settings object is not removed successfully from Active Directory (for example, if a server fails during the removal of Active Directory), you must remove the object manually. For information about removing configuration data when the removal of Active Directory is not successful, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.
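The preconditions described above (last domain controller in the domain, child domains, single-master roles) and the post-removal check for a leftover NTDS Settings object can be verified from PowerShell. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, and the two function names are hypothetical.

```powershell
# Added example: checks before and after demoting a domain controller.
# Assumes the ActiveDirectory module (RSAT); function names are hypothetical.
Import-Module ActiveDirectory

function Test-DcDemotionReadiness {
    param([string]$DcName = $env:COMPUTERNAME)
    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain -Identity $dc.Domain
    $forest = Get-ADForest -Identity $dc.Forest

    # Is this the last domain controller in the domain? This decides which
    # credential rule applies and whether the child-domain check is required.
    $others = @($domain.ReplicaDirectoryServers) + @($domain.ReadOnlyReplicaDirectoryServers) |
        Where-Object { $_ -ne $dc.HostName }
    $isLastDc = ($others.Count -eq 0)

    # Child domains block removal of the last domain controller in a domain.
    if ($isLastDc -and $domain.ChildDomains.Count -gt 0) {
        Write-Warning "Child domains still exist: $($domain.ChildDomains -join ', ')"
    }

    # Single-master roles held by this server; the wizard must transfer each one.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $held = $roles.GetEnumerator() | Where-Object { $_.Value -eq $dc.HostName } | ForEach-Object Key

    [pscustomobject]@{
        DomainController = $dc.HostName
        LastInDomain     = $isLastDc
        ChildDomains     = @($domain.ChildDomains)
        RolesHeld        = @($held)
    }
}

function Find-LeftoverNtdsSettings {
    # Run after demotion against a surviving domain controller ($Server).
    # A remaining NTDS Settings object (objectClass nTDSDSA) under the demoted
    # server's object in the Sites container means cleanup failed.
    param([Parameter(Mandatory)][string]$DemotedServerName, [string]$Server)
    $cfgNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -LDAPFilter "(objectClass=nTDSDSA)" -SearchBase "CN=Sites,$cfgNc" |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DemotedServerName,*" }
}
```

Run `Test-DcDemotionReadiness` on the domain controller before starting the wizard; if `Find-LeftoverNtdsSettings` returns an object afterwards, the manual removal described above is still required.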