
Uninstalling Active Directory

When you uninstall Active Directory, you demote the domain controller and make it a workgroup server. You uninstall Active Directory Domain Services by following these steps:

  1. In Server Manager, tap or click Manage and then tap or click Remove Roles And Features. This starts the Remove Roles And Features Wizard. If the wizard displays the Before You Begin page, read the Welcome message and then tap or click Next.
  2. On the Select Installation Type page, select Role-Based Or Feature-Based Installation and then tap or click Next.
  3. On the Select Destination Server page, the server pool shows servers you added for management. Tap or click the server you are configuring, and then tap or click Next.
  4. On the Remove Server Roles page, clear Active Directory Domain Services. An additional prompt is displayed warning you about dependent features, such as Group Policy Management and the AD DS management tools. If you tap or click the Remove Features button, the wizard removes the dependent features as well as Active Directory Domain Services. If you want to keep related management tools, clear the Remove Management Tools check box and then click Continue.
  5. Next, you see the Validation Results dialog box. Tap or click Demote This Domain Controller. This starts the Active Directory Domain Services Configuration Wizard.

When the Active Directory Domain Services Configuration Wizard starts, you'll see the Credentials page. You must be a member of the Domain Admins group to remove an additional domain controller in a domain and a member of the Enterprise Admins group to remove the last domain controller from a domain. If you are logged on with an account that has appropriate permissions for uninstalling Active Directory, you can use your current logged-on credentials. Otherwise, tap or click Change and then use the options in the Windows Security dialog box to enter the user name and password for an account that does have the appropriate permissions.

If this is the last domain controller in the domain and you want to permanently remove the domain from the forest, select the Last Domain Controller In The Domain check box before you continue. After you remove the last domain controller in the domain, you can no longer access any application partition data, domain accounts, or encrypted data. Therefore, before you uninstall the last domain controller in a domain, you should examine domain accounts and look for encrypted files and folders.

Note:
Because the deleted domain no longer exists, its accounts and cryptographic keys are no longer applicable, and this results in the deletion of all domain accounts and all certificates and cryptographic keys from the server. You must decrypt any encrypted data on the server, including data stored using the Encrypting File System (EFS), before removing Active Directory or the data will be permanently inaccessible.
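The check the note above calls for, as an added example that is not from the book: enumerate EFS-encrypted files on the server's local fixed drives so they can be decrypted while the domain's keys still exist. It assumes Windows PowerShell 3.0 or later and local administrator rights; the drive-type value and the decrypt command in the trailing comment are standard Windows behaviour, not anything the book specifies.

```powershell
# Added example (not from the book): list EFS-encrypted files on local fixed drives
# before demoting the last domain controller in a domain.
function Get-EfsEncryptedFile {
    param(
        # Drive roots to scan; defaults to every local fixed disk (Win32_LogicalDisk DriveType 3)
        [string[]]$Root = ((Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID |
                           ForEach-Object { "$_\" })
    )
    foreach ($r in $Root) {
        # -Attributes Encrypted selects files carrying the EFS attribute bit;
        # -Force includes hidden and system files; access errors are skipped, not fatal
        Get-ChildItem -Path $r -Recurse -Force -File -Attributes Encrypted -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$encrypted = @(Get-EfsEncryptedFile)
if ($encrypted.Count -gt 0) {
    Write-Warning ("{0} EFS-encrypted file(s) found. Decrypt them before removing Active Directory." -f $encrypted.Count)
    $encrypted | Format-Table -AutoSize
    # Once the list has been reviewed, a directory can be decrypted in place with:
    #   cipher.exe /D /S:<directory>
} else {
    Write-Host 'No EFS-encrypted files found on local fixed drives.'
}
```

Run it as the account that owns the files where possible; files encrypted by other domain users show up in the listing but can only be decrypted by those users or by a recovery agent whose key has not yet been removed.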
FORCING THE REMOVAL OF A DOMAIN CONTROLLER
You also have the option of forcing the removal of the domain controller. Force a removal only when the domain controller cannot contact other domain controllers and you cannot resolve the network problems that are preventing communications. If you force removal, you need to clean up orphaned metadata from the directory.
Forcing removal demotes the domain controller without removing the domain controller object's metadata from Active Directory. As a result, the metadata remains in Active Directory on other domain controllers in the forest. Any unreplicated changes on the domain controller, such as new user accounts, modified settings, or changed passwords, are lost as well.
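A way to verify the orphaned-metadata cleanup that the sidebar says a forced removal leaves behind, as an added example that is not from the book: it lists the objects in the directory that still reference the demoted domain controller. It assumes the ActiveDirectory PowerShell module, a reachable surviving domain controller, and a short host name for the demoted server (the `corpsvr15` in the usage line is a placeholder taken from the book's sample output).

```powershell
# Added example (not from the book): after a forced demotion, report directory objects
# that still reference the removed DC so the administrator can confirm metadata cleanup.
Import-Module ActiveDirectory

function Get-OrphanedDcMetadata {
    param(
        [Parameter(Mandatory)] [string]$DemotedDc,   # short host name of the demoted DC (placeholder)
        # Surviving DC to query; defaults to one found by the locator
        [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1)
    )
    $rootDse  = Get-ADRootDSE -Server $Server
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext

    # 1. Server object under Sites in the configuration partition, plus its NTDS Settings child
    $serverObj = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=server)(cn=$DemotedDc))"
    $ntds = if ($serverObj) {
        Get-ADObject -Server $Server -SearchBase $serverObj.DistinguishedName `
            -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    }

    # 2. Computer account still located in the Domain Controllers OU
    $computer = Get-ADComputer -Server $Server -LDAPFilter "(cn=$DemotedDc)" -ErrorAction SilentlyContinue |
        Where-Object { $_.DistinguishedName -like "*OU=Domain Controllers,$domainNC" }

    # 3. Operations master roles that still point at the demoted DC
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    $staleRoles = $roles.GetEnumerator() |
        Where-Object { $_.Value -like "$DemotedDc.*" } | ForEach-Object { $_.Key }

    [pscustomobject]@{
        ServerObject        = $serverObj.DistinguishedName
        NtdsSettings        = $ntds.DistinguishedName
        DcComputerAccount   = $computer.DistinguishedName
        StaleFsmoRoles      = @($staleRoles)
        StillAGlobalCatalog = ($forest.GlobalCatalogs -contains "$DemotedDc.$($domain.DNSRoot)")
    }
}

# Usage with the book's sample name as a placeholder:
Get-OrphanedDcMetadata -DemotedDc 'corpsvr15' | Format-List
```

Any non-empty field in the result means metadata is still present. The NTDS Settings object and the server object are what the "metadata cleanup" step in ntdsutil removes; a stale operations master role must be seized by another domain controller, since the demoted server can no longer transfer it.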

When you are ready to continue, tap or click Next. The Active Directory Domain Services Configuration Wizard then examines the Active Directory forest, checking the credentials you provided and attempting to determine related functions that the domain controller performs, such as DNS Server and Global Catalog. If additional functions are found, you must select Proceed With Removal to continue.

REMOVING GLOBAL CATALOGS
If you run the Active Directory Domain Services Configuration Wizard on a domain controller that is also a global catalog server, you see a warning prompt, because you don't want to accidentally remove the last global catalog from the domain. If you remove the last global catalog from the domain, users won't be able to log on to the domain. A quick way to determine which servers in a domain are global catalog servers is to type the following command at a command prompt:
dsquery server -domain DomainName | dsget server -isgc -dnsname
Here, DomainName is the name of the domain you want to examine. Consider the following example:
dsquery server -domain cpandl.com | dsget server -isgc -dnsname
Here, you are examining the cpandl.com domain to obtain a list of the global catalog servers according to their DNS names. The output is shown in two columns, for example:
dnsname                 isgc
corpsvr15.cpandl.com    no
corpsvr17.cpandl.com    yes
The first column is the DNS name of each domain controller in the domain. The second column is a flag that indicates whether the domain controller is also a global catalog. Thus, if the isgc value is set to yes for a domain controller, it is also a global catalog server.
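A PowerShell equivalent of the dsquery | dsget check above, as an added example that is not from the book. It goes a little beyond the command shown: it also reports each domain controller's site and operations master roles, and it flags the case the warning prompt exists for, a domain controller that is the last global catalog in its domain. It assumes the ActiveDirectory module; cpandl.com and corpsvr17.cpandl.com are the book's sample names.

```powershell
# Added example (not from the book): list domain controllers with their global catalog
# status and operations master roles, and test whether one can be demoted safely.
Import-Module ActiveDirectory

function Get-GlobalCatalogStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, IsGlobalCatalog, Site, OperationMasterRoles
    $gcCount = @($dcs | Where-Object IsGlobalCatalog).Count

    foreach ($dc in $dcs) {
        [pscustomobject]@{
            dnsname        = $dc.HostName
            isgc           = if ($dc.IsGlobalCatalog) { 'yes' } else { 'no' }   # same yes/no as dsget
            site           = $dc.Site
            fsmoRoles      = ($dc.OperationMasterRoles -join ',')
            # True when demoting this DC would leave the domain with no global catalog
            lastGcInDomain = [bool]($dc.IsGlobalCatalog -and $gcCount -eq 1)
        }
    }
}

function Test-SafeToDemote {
    param(
        [Parameter(Mandatory)] [string]$DcFqdn,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $row = Get-GlobalCatalogStatus -Domain $Domain | Where-Object dnsname -eq $DcFqdn
    if (-not $row) { throw "$DcFqdn is not a domain controller in $Domain" }
    if ($row.lastGcInDomain) {
        Write-Warning "$DcFqdn is the last global catalog in $Domain; users will be unable to log on if it is demoted."
    }
    if ($row.fsmoRoles) {
        Write-Warning "$DcFqdn holds $($row.fsmoRoles); the wizard transfers these roles during demotion."
    }
    return (-not $row.lastGcInDomain)
}

Get-GlobalCatalogStatus -Domain 'cpandl.com' | Format-Table -AutoSize
Test-SafeToDemote -DcFqdn 'corpsvr17.cpandl.com' -Domain 'cpandl.com'
```

With the book's sample output, corpsvr17.cpandl.com is the only global catalog in cpandl.com, so Test-SafeToDemote would warn and return False for it.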

On the Removal Options page, you have several additional removal options. If this domain controller is also hosting the last DNS server for the zone, you can select Remove This DNS Zone to force the removal of DNS Server. You also can elect to remove application partitions. Tap or click View Partitions to confirm which application partitions should be deleted.

Next, you are prompted to type and confirm the password for the local Administrator account on the server. This is necessary because domain controllers don't have local accounts but member or standalone servers do, so this account will be re-created as part of the Active Directory removal process. Tap or click Next.

On the Review Options page, review your selections. Optionally, tap or click Export Settings to export the settings to a PowerShell script that you can use to perform an automated demotion of other domain controllers. When you tap or click Demote, the wizard uses the options you selected to demote the domain controller. This process can take several minutes. Keep the following in mind:

  • If there are updates to other domains in the forest that have not been replicated, the domain controller replicates these updates and then the wizard begins the demotion process.
  • If the domain controller is also a DNS server, the DNS data in the ForestDnsZones and DomainDnsZones partitions is removed. If the domain controller is the last DNS server in the domain, this results in the last replica of the DNS information being removed from the domain. All associated DNS records are lost and might need to be re-created.
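An unattended demotion script of the kind the Export Settings button produces, as an added example that is not from the book, with the validation the wizard performs before demoting carried out first. It assumes the ADDSDeployment module (Windows Server 2012 or later) and an account with the permissions described above; the local Administrator password is prompted for rather than stored in the script, and the treatment of the pre-check result's Status property as 'Success' when validation passes is an assumption about that cmdlet's output.

```powershell
# Added example (not from the book): scripted demotion mirroring the wizard's pages.
Import-Module ADDSDeployment

# Password for the local Administrator account that demotion re-creates
$localAdminPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# Each option corresponds to a wizard choice; enable the destructive ones only after
# confirming them with the checks the wizard would show you.
$demoteParams = @{
    LocalAdministratorPassword  = $localAdminPassword
    RemoveApplicationPartitions = $true     # View Partitions page
    IgnoreLastDnsServerForZone  = $false    # $true only to remove the last DNS zone replica
    DemoteOperationMasterRole   = $true     # allow any operations master roles to be transferred
    ForceRemoval                = $false    # $true only when no other DC can be contacted
    NoRebootOnCompletion        = $false
    Force                       = $true     # suppress the confirmation prompt
}

# Dry run: the same validation the wizard performs before the Demote button is enabled
$check = Test-ADDSDomainControllerUninstallation @demoteParams
if ($check.Status -ne 'Success') {      # assumption: 'Success' means the checks passed
    $check.Message | Write-Warning
    throw 'Demotion pre-checks failed; see the warnings above.'
}

Uninstall-ADDSDomainController @demoteParams

# After the reboot, remove the role binaries and management tools, which is what
# the Remove Roles And Features wizard does once the server is no longer a DC:
#   Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```

Add LastDomainControllerInDomain = $true to the parameter set only for the final domain controller of a domain, after the encrypted-data and global catalog checks described earlier have been done; it is the scripted form of the Last Domain Controller In The Domain check box.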

At this point, the actions the Active Directory Domain Services Configuration Wizard performs depend on whether you are removing an additional domain controller or removing the last domain controller from a domain. If you are removing an additional domain controller from a domain, the wizard does the following:

  • Removes Active Directory and all related services from the server, and makes it a member server in the domain
  • Changes the computer account type, and moves the computer account from the Domain Controllers container in Active Directory to the Computers container
  • Transfers any operations master roles from the server to another domain controller in the domain
  • Updates DNS to remove the domain controller SRV records
  • Creates a local Security Accounts Manager (SAM) account database and a local Administrator account

If you are removing the last domain controller from a domain, the wizard verifies that there are no child domains of the current domain before continuing. If child domains are found, the removal of Active Directory fails with an error telling you that you cannot remove Active Directory. When the domain being removed is a child domain, the wizard notifies a domain controller in the parent domain that the child domain is being removed. For a parent domain in its own tree, a domain controller in the forest root domain is notified. Either way, the domain object is either tombstoned or logically deleted, and this change is then replicated to other domain controllers. The domain object and any related trust objects are also removed from the forest.

As part of removing Active Directory from the last domain controller in a domain, all domain accounts, all certificates, and all cryptographic keys are removed from the server. The wizard creates a local SAM account database and a local Administrator account. It then changes the computer account type to a standalone server and puts the server in a new workgroup.
