Removing a read-only domain controller from a domain

For Active Directory domains, computer account housekeeping is a big chore. IT pro Rick Vanover shows how to remove former domain controllers.

Active Directory is a great product, except that it doesn't natively do housekeeping functions for you. In my home lab, I noticed that I had an obsolete domain controller enumerated in the site (running at Windows Server 2008 R2 level). It may seem risky to delete a domain controller from the Active Directory Sites And Services utility because domain controller accounts are handled differently in Active Directory.

In my example, the domain controller RODC has been decommissioned but not removed from the RWVDEV.INTRA domain (Figure A). Figure A

Click the image to enlarge.
The natural conclusion may be to simply delete the computer account. Active Directory associates a number of special characteristics with a domain controller. In the case of the RODC.RWVDEV.INTRA system, it was a read-only domain controller. Figure B shows the options associated with the deletion of the computer account. Figure B

The first and second options to reset passwords for computer and user accounts cached on the read-only domain controller is a nice security feature, but it will surely create havoc if implemented. If the read-only domain controller was stolen or removed from the control of the infrastructure teams, this is the way to go.

The third option to export the list of the accounts cached on the domain controller can give you a more granular view to the system contents at the time of computer account deletion. Figure C shows the final warning message before this intrusive activity. Figure C

In a default configuration, the read-only domain controller is also a global catalog server; there should be at least one other domain controller with the global catalog role (which should be the case anyway). Once the computer account is deleted from Active Directory Users And Computers, the domain controller should be removed from Active Directory Sites And Services. It will now be enumerated without any roles associated with it (Figure D). Figure D

Click the image to enlarge.

The final step is a simple right-click and delete of the obsolete domain controller in Active Directory Sites And Services. At that point, removing the read-only domain controller is complete.

Did you try the read-only domain controller and back it out? If so, share your comments about the experience.