Tuesday, November 9, 2010

The Post-Mortem of a Domain Death

The past few days have been busy as we've been performing the tasks to remove our failed domain controller and domain from our Windows 2003 Active Directory forest.  Now that everything is working normally and I can check off that long-standing IT project of "remove child domain" from my task list, I'd like to share a few things we've learned.
  • NTDSUTIL will prompt you several times when it comes to removing the last DC in a domain using the steps in KB 216498. It will even hint that, because you are removing the last DC in the domain, you are also removing the domain itself.  You are not.  The domain's cross-reference stays behind in the Partitions container, and you must take additional steps in NTDSUTIL to remove the orphaned domain; see KB 230306 to finish up.
  • How do you know you have an orphaned domain? Check AD Domains and Trusts.  If you still see a domain in your tree that you can't view the properties of, you aren't done yet.  Also, if your workstations still show the domain as a logon option in the GINA, get back to work.
  • You might remember to clean up your DNS, but don't forget to also clean up WINS.  WINS resolution can haunt you and keep your workstations and applications busy looking for something that isn't there anymore.
  • Watch your Group Policy links.  If you've cross-linked policies from the child domain to your forest root or other domains, workstations will log USERENV errors referencing the missing domain.  Policies from other domains don't show up in the "Group Policy Objects" container in the GPMC, so you'll need to expand every OU (and your sites) in the GPMC to find the policy links that report an error, then remove them.
  • If you are using a version of Exchange that has the infamous Recipient Update Service (Exchange 2000 or 2003), remove the service entry that handles the missing domain.  Otherwise you'll see repeated MSExchangeAL Events 8213, 8250, 8260 and 8026 on your mail server.
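The checks in the list above (leftover cross-reference, orphaned trust object, dangling GPO links) can be scripted instead of clicking through AD Domains and Trusts and every OU in the GPMC. The script below is an added example, not code from the original post; it uses only System.DirectoryServices from PowerShell 2.0 so it runs against a Windows 2003 forest without the AD module, and it assumes the removed child domain was child.corp.example (DN DC=child,DC=corp,DC=example), a placeholder name.

```powershell
# Added example (not from the original post): audit a forest for leftovers of a
# removed child domain. Assumes PowerShell 2.0 + System.DirectoryServices and a
# placeholder dead domain of child.corp.example / DC=child,DC=corp,DC=example.
$deadDns = 'child.corp.example'
$deadDn  = 'DC=child,DC=corp,DC=example'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext

function Search-Ldap {
    param([string]$Base, [string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$Base"
    $s.Filter      = $Filter
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Is the crossRef for the dead domain still in CN=Partitions? If so, the
#    "remove selected domain" step from KB 230306 has not been done yet.
$xref = Search-Ldap "CN=Partitions,$configNc" `
    "(&(objectClass=crossRef)(dnsRoot=$deadDns))" @('nCName')
if ($xref.Count -gt 0) {
    Write-Warning "Orphaned crossRef still present: $($xref[0].Path)"
}

# Remaining domain partitions: crossRef objects with FLAG_CR_NTDS_DOMAIN (0x2)
# set in systemFlags (bitwise-AND matching rule 1.2.840.113556.1.4.803).
$domainNcs = Search-Ldap "CN=Partitions,$configNc" `
    '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' @('nCName') |
    ForEach-Object { $_.Properties['ncname'][0] } |
    Where-Object { $_ -ne $deadDn }

foreach ($nc in $domainNcs) {
    # 2. Orphaned trust objects: this is the domain that AD Domains and Trusts
    #    still shows but whose properties you cannot open.
    Search-Ldap "CN=System,$nc" `
        "(&(objectClass=trustedDomain)(trustPartner=$deadDns))" @('distinguishedName') |
        ForEach-Object { Write-Warning "Orphaned trust object: $($_.Path)" }

    # 3. gpLink values on the domain head and OUs that point at GPOs stored in
    #    the dead domain (...,CN=Policies,CN=System,<dead domain DN>). These
    #    are the links behind the USERENV errors.
    Search-Ldap $nc "(gpLink=*$deadDn*)" @('gpLink') |
        ForEach-Object {
            Write-Warning "Dangling GPO link on $($_.Path): $($_.Properties['gplink'][0])"
        }
}

# 4. Site-linked GPOs live in the configuration partition, not in any domain,
#    so the site tree needs its own pass.
Search-Ldap "CN=Sites,$configNc" "(gpLink=*$deadDn*)" @('gpLink') |
    ForEach-Object { Write-Warning "Dangling site GPO link on $($_.Path)" }
```

Run it from a workstation or DC in the forest root; when every check comes back quiet, the directory side of the cleanup is done and what remains is DNS, WINS and any application-specific references such as the Exchange RUS entry.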
I've used NTDSUTIL in the lab and in production several times to remove failed domain controllers, but removing an orphaned domain happens far less frequently.  While the majority of our Microsoft applications handled the existence of references to the orphaned domain with grace until we completed the cleanup, one of our third-party applications, ImageRight, was far more sensitive about it. 

We found that a combination of the WINS resolution and the orphaned trust relationship distracted the application enough that it was slow to operate, sometimes refused to load at all, and hung on particular actions.  If you happen to be an ImageRight customer who uses the Active Directory integration features, keep in mind that it likes all the AD ducks to be in a row.

While we had a little bit of pain getting to this point, I'm really happy that our AD forest is neater and cleaner because of it.  It'll make it much easier to tackle other upgrade projects on the horizon for Active Directory and Exchange.
