How to Unregister (Remove) a Crashed Domain Controller from Active Directory
Steps to Unregister a Crashed Domain Controller
Applies To
- Windows Server (All versions with Active Directory Domain Services)
- Active Directory Environments
Issue Description
A Domain Controller (DC) has crashed or is permanently offline and cannot be recovered. The server still exists in Active Directory, causing potential issues such as:
- Replication failures
- DNS inconsistencies
- Authentication delays
- Lingering objects
Cause
Improper shutdown or permanent failure of a Domain Controller without proper demotion leaves stale metadata in Active Directory.
Resolution Overview
Perform metadata cleanup to completely remove the failed Domain Controller from:
- Active Directory Users and Computers
- Active Directory Sites and Services
- DNS
- Replication topology
Resolution Steps
Step 1: Remove DC from Active Directory Users and Computers
Open -> dsa.msc
Navigate to: <Domain Name> → Domain Controllers
Right-click the crashed DC → Delete
When prompted, tick "Delete this Domain Controller anyway" and confirm the deletion
Step 2: Remove DC from Active Directory Sites and Services
Open -> dssite.msc
Navigate: Sites → <Your Site> → Servers
Locate the failed DC
- Expand the DC → Right-click NTDS Settings → Delete
- Then right-click the Server Object → Delete
Step 3: Clean Up DNS Records
Open DNS Manager -> dnsmgmt.msc
Remove all records associated with the failed DC:
- Forward Lookup Zone: A (Host) record, and the AAAA record if IPv6 is used
- Reverse Lookup Zone: PTR record
- Under _msdcs.<domain>: CNAME record and SRV records
Step 4: Run Metadata Cleanup with ntdsutil
Open an elevated command prompt -> ntdsutil
Execute:
metadata cleanup
connections
connect to server <Healthy_DC_Name>
quit
select operation target
list domains
select domain <number>
list sites
select site <number>
list servers in site
select server <number>
quit
remove selected server
Confirm deletion when prompted
If ntdsutil reports that the server object no longer exists, the deletions in Steps 1 and 2 already removed the metadata (Windows Server 2008 and later do this automatically when the computer object or NTDS Settings object is deleted); continue with Step 5.
Step 5: Verify and Force Replication
- Run: repadmin /syncall /AdeP
- Run: repadmin /replsummary
Step 6: Verify Active Directory Health
Run: dcdiag /v
Confirm:
- No lingering references
- Services are healthy
Step 7: Verify or Seize FSMO Roles
Check FSMO roles: netdom query fsmo
If roles were on the failed DC, seize them:
ntdsutil
roles
connections
connect to server <Healthy_DC>
quit
seize schema master
seize naming master
seize RID master
seize PDC
seize infrastructure master
Run only the seize commands for the roles that netdom query fsmo showed on the failed DC, and confirm each prompt.
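As an added example (not part of the original article), the following PowerShell script checks from a healthy DC that none of the references removed in Steps 1 to 7 remain: the computer object, the server object in Sites and Services, DNS records, inbound replication links, and FSMO role ownership. It assumes the RSAT ActiveDirectory and DnsServer modules are installed, that it runs as a Domain Admin on a healthy DC, and that $FailedDc and $HealthyDc are placeholder names for your environment.

```powershell
# Added post-cleanup verification (example code, not part of the original article).
# Assumes: run as Domain Admin on a healthy DC with the RSAT ActiveDirectory and DnsServer
# modules installed; $FailedDc is the short hostname of the removed DC (placeholder value).
param([Parameter(Mandatory)][string]$FailedDc, [string]$HealthyDc = $env:COMPUTERNAME)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain   = Get-ADDomain -Server $HealthyDc
$forest   = Get-ADForest -Server $HealthyDc
$configDn = (Get-ADRootDSE -Server $HealthyDc).configurationNamingContext
$fqdn     = "$FailedDc.$($domain.DNSRoot)"
$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: computer object still under the Domain Controllers OU?
Get-ADComputer -Server $HealthyDc -SearchBase $domain.DomainControllersContainer -Filter "Name -eq '$FailedDc'" |
    ForEach-Object { $findings.Add("Computer object still present: $($_.DistinguishedName)") }

# Steps 2 and 4: server object (and its NTDS Settings child) still in the Configuration partition?
Get-ADObject -Server $HealthyDc -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { $findings.Add("Server object still present, metadata cleanup incomplete: $($_.DistinguishedName)") }

# Step 3: A/AAAA, CNAME and SRV records in the domain zone and the _msdcs zone
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")) {
    Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -in @('A', 'AAAA') -and $_.HostName -eq $FailedDc) -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq "$fqdn.") -or
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -eq "$fqdn.")
        } | ForEach-Object { $findings.Add("DNS $($_.RecordType) record still present in $($zone): $($_.HostName)") }
}
# Step 3: PTR records in every reverse lookup zone hosted on the healthy DC
Get-DnsServerZone -ComputerName $HealthyDc | Where-Object IsReverseLookupZone | ForEach-Object {
    $rz = $_.ZoneName
    Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $rz -RRType Ptr -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.PtrDomainName -eq "$fqdn." } |
        ForEach-Object { $findings.Add("PTR record still present in $($rz): $($_.HostName)") }
}
# Step 5: inbound replication links on the healthy DC that still name the failed DC
Get-ADReplicationPartnerMetadata -Target $HealthyDc -ErrorAction SilentlyContinue |
    Where-Object { $_.Partner -like "*CN=$FailedDc,*" } |
    ForEach-Object { $findings.Add("Replication link still references $($FailedDc): $($_.Partition)") }

# Step 7: FSMO roles still owned by the failed DC must be seized
$roles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
            PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster }
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -like "$FailedDc.*") { $findings.Add("FSMO role $($role.Key) still held by $($role.Value), seize it") }
}

if ($findings.Count -eq 0) { "No remaining references to $FailedDc found." }
else { $findings | ForEach-Object { "[!] $_" } }
```

Save it as a .ps1 file and run it with -FailedDc <short name of the failed DC>; every line starting with [!] names a step above that still has to be repeated.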