Removing an Orphan (inactive) Active Directory Domain

Removing an Orphan (inactive) Active Directory Domain

One of my customers has a forest with several domains, one of which hasn’t been used in a while (call it domain “RedShirt”). The 2 Domain Controllers in the domain, “RedShirt” both tombstoned. Yes, I know, how does that happen? ALWAYS monitor your environment. Since the domain hasn’t been used in a while, it was decided to clean up the domain (remove it).  However, with both DCs tombstoned, one can’t just DCPromo down a domain DC and select “last DC in the domain”.

Microsoft provided information on how to “metadata cleanup” the dead “RedShirt” domain, though the process was not performed 100% properly (always connect to the Domain Naming Master for this process). This process is documented in KB 230306  (How to remove orphaned domains from Active Directory); however, this doesn’t work on a 2008 R2 DC.

Confirm the domain is still listed in the forest by listing the Naming Contexts using Powershell:

Import-Module activedirectory ; (Get-ADRootDSE).namingContexts 

Here’s the correct process to clean-up an orphan domain on a 2008 R2 Domain Controller:

  1. Log onto the Domain Naming Master for the forest
  2. Open a command prompt as Administrator
  3. run ntdsutil
  4. activate instance ntds
  5. partition management
  6. connections
  7. connect to server <DOMAIN NAMING MASTER>
  8. q
  9. List
  10. Note the number & DN of the Domain DNS zone for the orphan domain (in this instance it is #6). The Domain DNS zone needs to be removed first.
  11. Delete NC DC=DomainDNSZones,DC=RedShirt,DC=Metcorp,DC=Org
  12. List
  13. Note the number of the Domain partition for the orphan domain (in this instance it is #5)
  14. Delete NC DC=RedShirt,DC=Metcorp,DC=org
  15. qqq
  16. Force replication by running “repadmin /syncall”
(Visited 3,187 times, 1 visits today)