2.2. Removing a Forest
Problem
You want to tear down a forest and decommission any domains contained within it because you no longer need it.
Solution
To remove a forest, you need to demote, using dcpromo, all the domain controllers in the forest. When you run dcpromo on an existing domain controller, you will be given the option to demote the machine to a member server. After that is completed and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domains unless they were automatically removed via WINS deregistration and dynamic DNS (DDNS) during demotion. The following commands can help determine if all entries have been removed:
> netsh wins server \\<WINSServerName> show name <ForestDNSName> 1c
> nslookup <DomainControllerDNSName>
> nslookup -type=SRV _ldap._tcp.gc._msdcs.<ForestDNSName>
> nslookup <ForestDNSName>
You will also want to remove any trusts that have been established for the forest (see Recipe 2.22 for more details). For more information on how to demote a domain controller, see Recipe 3.3.
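The DNS checks above can be run in one pass and reduced to a list of leftover records. The following PowerShell script is an added example, not code from the book; it assumes the Resolve-DnsName cmdlet (DnsClient module, Windows Server 2012 / Windows 8 and later), and the forest name, domain controller names and the Get-LeftoverRecord helper are placeholders chosen for illustration. WINS entries still need the netsh check shown above.

```powershell
# Added example: reports DNS records that still point at a decommissioned forest.
# $ForestDnsName and $DomainControllers are placeholder values (assumptions).
param(
    [string]$ForestDnsName = 'corp.example.com',
    [string[]]$DomainControllers = @('dc1.corp.example.com', 'dc2.corp.example.com'),
    [string]$DnsServer   # optional: query one specific DNS server
)

# Hypothetical helper: returns the answer records of one type for one name.
function Get-LeftoverRecord {
    param([string]$Name, [string]$Type)
    $query = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    # Keep only real answers; an empty reply can carry an SOA in the Authority section.
    Resolve-DnsName @query |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.Name
                Type = $_.Type
                Data = if ($Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
            }
        }
}

# The same lookups as the nslookup commands in the recipe (A records only, no AAAA).
$checks = @(
    @{ Name = "_ldap._tcp.gc._msdcs.$ForestDnsName"; Type = 'SRV' }
    @{ Name = $ForestDnsName; Type = 'A' }
)
$checks += $DomainControllers | ForEach-Object { @{ Name = $_; Type = 'A' } }

$leftovers = foreach ($c in $checks) { Get-LeftoverRecord -Name $c.Name -Type $c.Type }

if ($leftovers) {
    $leftovers | Format-Table -AutoSize
    Write-Warning "$(@($leftovers).Count) DNS record(s) still reference the removed forest."
} else {
    Write-Output "No DNS records found for $ForestDnsName or its domain controllers."
}
```

Any record it lists is a stale entry to delete from the zone by hand; run it against each DNS server that hosted the forest's zones, since replicas can differ.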
Discussion
The method described in the solution is the graceful way to tear down a forest. You can also use a brute force method to remove a forest by simply reinstalling the operating system on all domain controllers in the forest. This method is not recommended except in lab or test environments. The brute force method is not a clean way to do it because the domain controllers are unaware ...