Removing an Orphan (inactive) Active Directory Domain
One of my customers has a forest with several domains, one of which hasn’t been used in a while (call it the “RedShirt” domain). Both Domain Controllers in RedShirt had tombstoned. Yes, I know, how does that happen? ALWAYS monitor your environment. Since the domain hadn’t been used in a while, it was decided to clean it up (remove it). However, with both DCs tombstoned, you can’t simply DCPromo down a DC in the domain and select “last DC in the domain”.
Microsoft provides guidance on how to perform a “metadata cleanup” of the dead “RedShirt” domain, though in this case the process was not performed 100% properly (always connect to the Domain Naming Master for this process). The process is documented in KB 230306 (How to remove orphaned domains from Active Directory); however, that procedure doesn’t work as written on a 2008 R2 DC (the ntdsutil menu it relies on, “domain management”, is named “partition management” on 2008 and later).
Confirm the domain is still listed in the forest by listing the naming contexts with PowerShell:
Import-Module activedirectory ; (Get-ADRootDSE).namingContexts
Here’s the correct process to clean up an orphan domain on a 2008 R2 Domain Controller:
- Log onto the Domain Naming Master for the forest
- Open a command prompt as Administrator
- run ntdsutil
- activate instance ntds
- partition management
- connect to server <DOMAIN NAMING MASTER>
- Note the number and DN of the DomainDnsZones partition for the orphan domain (in this instance it is #6). The domain DNS zone partition must be removed before the domain partition itself.
- Delete NC DC=DomainDNSZones,DC=RedShirt,DC=Metcorp,DC=Org
- Note the number and DN of the domain partition for the orphan domain (in this instance it is #5)
- Delete NC DC=RedShirt,DC=Metcorp,DC=org
- Force replication by running “repadmin /syncall”
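The naming-context check above and a verification after “repadmin /syncall” can be wrapped in one script that reports everything the forest still holds for the dead domain: its naming contexts, the crossRef objects under CN=Partitions that ntdsutil’s “Delete NC” removes, and any server objects in Sites that still point into the domain. This is an added example, not code from the original post or from Microsoft’s KB; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and uses the post’s example DN DC=RedShirt,DC=Metcorp,DC=org. Get-OrphanDomainState is a name introduced here.

```powershell
# Added example, not part of the original post: a before/after check for an orphan
# domain's leftovers in the forest. Assumes the RSAT ActiveDirectory module and read
# access to the Configuration partition. The DN below is the post's example domain.
Import-Module ActiveDirectory

function Get-OrphanDomainState {
    param(
        [Parameter(Mandatory)][string]$DomainDN,                 # e.g. 'DC=RedShirt,DC=Metcorp,DC=org'
        [string]$Server = (Get-ADForest).DomainNamingMaster      # always query the Domain Naming Master
    )
    $rootDse  = Get-ADRootDSE -Server $Server
    $configNC = $rootDse.configurationNamingContext

    # 1. Naming contexts the forest still advertises that belong to this domain:
    #    the domain NC itself plus its DomainDnsZones application partition.
    $ncs = @($rootDse.namingContexts | Where-Object { $_ -like "*$DomainDN" })

    # 2. crossRef objects under CN=Partitions. These are what ntdsutil's 'Delete NC'
    #    removes; nCName holds the DN of the partition. nCName is DN-syntax, so LDAP
    #    substring filters are not permitted on it; filter client-side instead.
    $crossRefs = @(Get-ADObject -Server $Server -SearchBase "CN=Partitions,$configNC" `
                     -LDAPFilter '(objectClass=crossRef)' -Properties nCName |
                 Where-Object { $_.nCName -like "*$DomainDN" })

    # 3. Server objects in CN=Sites whose serverReference points into the dead domain,
    #    i.e. DC metadata for the tombstoned DCs that is still present.
    $servers = @(Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" `
                   -LDAPFilter '(objectClass=server)' -Properties serverReference |
               Where-Object { $_.serverReference -like "*$DomainDN" })

    [pscustomobject]@{
        DomainDN       = $DomainDN
        QueriedServer  = $Server
        NamingContexts = $ncs
        CrossRefs      = @($crossRefs | ForEach-Object { $_.nCName })
        ServerObjects  = @($servers   | ForEach-Object { $_.DistinguishedName })
        IsClean        = ($ncs.Count -eq 0 -and $crossRefs.Count -eq 0 -and $servers.Count -eq 0)
    }
}

$orphan = 'DC=RedShirt,DC=Metcorp,DC=org'

# Before cleanup: expect the domain NC and DC=DomainDnsZones,... to be reported.
Get-OrphanDomainState -DomainDN $orphan | Format-List

# After 'Delete NC' in ntdsutil and 'repadmin /syncall' has completed, re-run and
# require a clean result before calling the job done.
$after = Get-OrphanDomainState -DomainDN $orphan
if ($after.IsClean) {
    Write-Host "No naming contexts, crossRefs or server objects remain for $orphan"
} else {
    Write-Warning ("Leftovers still present for {0}:`n{1}" -f $orphan, ($after | Out-String))
}
```

Run it once before “Delete NC” to record what the forest currently holds (the two crossRefs, #5 and #6 in the post’s ntdsutil listing, should both appear) and again after replication has completed. The function deliberately queries the Domain Naming Master by default, since a result read from another DC may simply be replication lag. A non-empty ServerObjects list after the partitions are gone means the server and NTDS Settings objects for the two tombstoned DCs are still in Sites and Services and have not been cleaned up yet.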