The only caveat with removing the last domain
controller for the domain or the forest is that you will be asked to perform a series of
security tasks that remove the cryptographic keys and then decrypt the Encrypted File
System (EFS) before proceeding. This is necessary only if you want to keep any of the
data that has been encrypted using these methods.
Hands-On Exercise: Removing Active Directory Domain Service from
the Last Domain Controller in a Domain and a Forest
In this exercise, we will remove AD DS from the last domain controller in a domain and
a forest. When this process completes, the Active Directory forest you are removing will
cease to exist. If you follow along, make sure you do this exercise in a test lab first, since
the only way back would be a complete restore of Active Directory.
1. Launch the Active Directory Domain Services Installation Wizard by running
dcpromo from the command prompt.
2. Click Next at the Welcome screen. Click OK if you are prompted about the
server being a global catalog server.
Figure 4-22. DNS Server _msdcs zone after Active Directory is installed
128 Microsoft Windows Server 2008 Administration
3. Since this is the last domain controller in the domain, check the Delete The
Domain Because this Server Is the Last Domain Controller in the Domain
checkbox and click Next, as shown in Figure 4-23.
NOTE Prior to deleting the domain, it is a good idea to export all cryptographic keys and decrypt
any EFS-encrypted files or e-mails, because once this process completes, you will be unable to
access them.
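To act on the NOTE above, the following added example (not from the book) inventories EFS-encrypted files and folders and, when asked, decrypts the files the running account can open. It assumes PowerShell is installed on the server; the `D:\Shares` path and the parameter names are hypothetical.

```powershell
# Added example: find EFS-encrypted items before the domain is deleted.
param(
    [string[]]$Root = @('D:\Shares'),   # hypothetical path; list your data volumes here
    [switch]$Decrypt                    # without this switch the script only reports
)

$encrypted = [System.IO.FileAttributes]::Encrypted

# Collect every file and folder that carries the Encrypted attribute.
$items = foreach ($r in $Root) {
    Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $encrypted) -eq $encrypted }
}

$report = foreach ($i in $items) {
    $status = 'Encrypted'
    if ($Decrypt -and -not $i.PSIsContainer) {
        try {
            # Succeeds only if the running account holds a key for the file
            # (the user who encrypted it or a data recovery agent).
            [System.IO.File]::Decrypt($i.FullName)
            $status = 'Decrypted'
        } catch {
            $status = 'Failed: ' + $_.Exception.Message
        }
    }
    # The owner is usually the user whose key protects the file.
    $acl = Get-Acl -Path $i.FullName -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Path   = $i.FullName
        Owner  = $acl.Owner
        Status = $status
    }
}

$report | Select-Object Path, Owner, Status | Format-Table -AutoSize

# Folders and failed files are counted as still encrypted.
$remaining = @($report | Where-Object { $_.Status -ne 'Decrypted' }).Count
"{0} item(s) still encrypted; resolve these before running dcpromo." -f $remaining
```

Files that fail to decrypt belong to other users' keys; each of those users can back up their own EFS certificate and private key with `cipher /x` before the domain is removed.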