Two-stage removal of an RODC
A delegated RODC administrator has the ability to remove AD DS from an RODC. However, to remove an RODC computer account from the directory, membership in Domain Admins or Enterprise Admins (or equivalent permissions) is required. The following sections describe three methods that an RODC administrator can use to remove AD DS from the RODC, after which a domain administrator can remove the RODC account from the directory.
Stage one: removing AD DS from an RODC
The following three sections describe the different methods that a delegated RODC administrator can use to remove AD DS from an RODC.
To remove AD DS from the RODC, you can use a delegated RODC administrator account or an account that is a member of Domain Admins or Enterprise Admins. To learn more about delegated RODC administrator accounts, see Delegating local administration of an RODC.
Removing AD DS from an RODC by using the Windows interface
Perform the following procedure on the RODC in order to remove AD DS by using the Active Directory Domain Services Installation Wizard.
To remove AD DS from an RODC by using the Active Directory Domain Services Installation Wizard
- Open an elevated Command Prompt window on the RODC that you want to remove. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the command prompt, type dcpromo /RetainDCMetadata:yes, and then press ENTER.
- Click Next. If the RODC is functioning as a global catalog server, you must click OK to confirm its removal.
- On the Delete the Domain page, click Next.
- On the Administrator Password page, enter and then confirm the password that you want to set for the Administrator account after the RODC is removed from the domain. Click Next.
- On the Summary page, click Next. An additional dialog box indicates the progress of the removal operation. You can select the Reboot on completion check box, and the RODC will restart when AD DS is removed. If you do not select this check box, you will be prompted to click Finish when the domain controller demotion is complete and you will be prompted to restart. You must restart the computer to complete the removal of AD DS.
Removing an RODC by using the command line and an unattended answer file
Perform the following procedure on the RODC in order to remove AD DS by using the command line or an answer file. If you are running the RODC on the Server Core installation option of Windows Server 2008, you must remove AD DS by using the command line or an answer file.
- Open an elevated Command Prompt window on the RODC that you want to remove. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type dcpromo /unattend /administratorpassword:<password>, and then press ENTER. Replace <password> with the password that you want to use for the administrator account when AD DS is removed.
If you want to include an answer file in the process, you can create one. The answer file requires only two lines: [DCInstall] and administratorpassword=<password>. For example, if you want the administrator password to become Tmgr@t09hJ after AD DS is removed, create the following entries in the answer file:
[DCInstall]
administratorpassword=Tmgr@t09hJ
Assuming that you placed the answer file in a folder named AnswerFiles on the C: drive, use the following command to remove AD DS from the RODC: dcpromo /unattend:C:\answerfiles\rodcremove.txt
If you are using an account that is a member of Domain Admins or Enterprise Admins and you want the RODC computer account and metadata to be retained (so that the same account and name can be used for a future RODC installation), you should also type /retainDCMetadata:yes at the command line or add a line that reads retainDCMetadata=yes to the answer file; otherwise, the RODC computer account and metadata will be removed. If you are using a delegated RODC administrator account, you cannot remove the RODC computer account or metadata.
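As an added example (not code from the original article), the following PowerShell wrapper performs the unattended removal described above: it writes the two-line answer file, runs dcpromo with /unattend, and deletes the file afterwards. It assumes Windows Server 2008 with dcpromo.exe on the PATH; the folder name, file name and the icacls hardening step are my choices, not anything the article specifies.

```powershell
# Added example, not code from the original article. Wraps the unattended
# removal described above: write the two-line answer file, run dcpromo with
# /unattend, then remove the file. Assumes Windows Server 2008 with dcpromo.exe
# on the PATH; the folder and file names are placeholders of my choosing.
param(
    [Parameter(Mandatory = $true)]
    [System.Security.SecureString]$AdministratorPassword,

    # Honoured only when run as a member of Domain Admins or Enterprise Admins.
    # A delegated RODC administrator cannot remove the computer account anyway.
    [switch]$RetainDCMetadata,

    [string]$AnswerFile = 'C:\AnswerFiles\rodcremove.txt'
)

# The answer file must hold the password in clear text, so keep its lifetime
# short: write it, lock the ACL down, and delete it once dcpromo has finished.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AdministratorPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$lines = @('[DCInstall]', "administratorpassword=$plain")
if ($RetainDCMetadata) { $lines += 'retainDCMetadata=yes' }

$null = New-Item -ItemType Directory -Path (Split-Path -Parent $AnswerFile) -Force
Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII

# ACL hardening is my addition, not a step in the article: drop inherited
# permissions so only Administrators and SYSTEM can read the file.
& icacls.exe $AnswerFile /inheritance:r /grant 'Administrators:F' 'SYSTEM:F' | Out-Null

try {
    $proc = Start-Process -FilePath 'dcpromo.exe' `
        -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "dcpromo exited with code $($proc.ExitCode); check the dcpromo log before restarting."
    }
}
finally {
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}
```

Run it as a delegated RODC administrator, or as a domain administrator with -RetainDCMetadata when the account and name are to be reused; if the server restarts before the finally block runs, confirm after the restart that the answer file is gone.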
Stage two: removing the RODC computer account
If a delegated RODC administrator account is used to remove AD DS from the RODC, or the /retainDCMetadata:yes command is used at the command line, or retainDCMetadata=yes is used in an answer file during RODC removal, the computer account and metadata are retained. The RODC computer account can be removed as a separate operation (stage two of the two-stage process).
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete these procedures. As a security best practice, consider using Runas to perform this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Removing the RODC computer account using the graphical interface
If AD DS is already removed from the RODC computer, you can easily remove the computer account by using the Active Directory Users and Computers or Active Directory Sites and Services snap-ins.
To remove an RODC computer account with Active Directory Users and Computers
- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
- Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.
- In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).
- In the details pane, right-click the RODC computer account, and then click Delete.
- When you are prompted, click Yes to continue with the removal of the RODC account.
- At this point, the Deleting Domain Controller dialog box appears. If the RODC was not compromised or stolen, you can clear all the check boxes in this dialog box and then click Delete. If the RODC was compromised or stolen, see Securing Accounts After an RODC Is Stolen.
- Next, another Delete Domain Controller dialog box appears, asking you to confirm metadata deletion. Click OK to continue with the RODC computer account removal.
- If the domain controller was also a global catalog server, you are asked again to confirm that you want to continue the deletion. Click Yes to continue.