How to Force Remove Windows Server from Defunct Domain When Domain Controller is Unavailable

When a domain controller becomes permanently unavailable and you've established a new domain, traditional domain removal methods fail because they require authentication against the old domain. Here's how to break free from the defunct domain when you can't contact the original DC.

The most reliable approach when you have local admin credentials:

netdom remove %COMPUTERNAME% /domain:OldDomain /UserD:OldDomain\AdminUser /PasswordD:*

If that fails (which it likely will without DC contact), proceed with:

netdom reset %COMPUTERNAME% /Server:NewDC /UserO:OldDomain\AdminUser /PasswordO:*

For Windows Server 2008 Core without GUI access:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v "SysvolReady" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v "UseDCName" /t REG_SZ /d "" /f
net stop netlogon
net start netlogon

Critical steps before joining the new domain:

ipconfig /flushdns
nltest /dsregdns

Here's a full sequence I've used in production:

:: Force remove from old domain
netdom remove SRV01 /domain:OLD_DOMAIN /UserD:OLD_DOMAIN\admin /PasswordD:* /Force /REBoot

:: Clean up orphaned records
nltest /sc_reset:NEW_DOMAIN.COM

:: Prepare for new domain join
dcdiag /fix

:: Join new domain
netdom join SRV01 /domain:NEW_DOMAIN /UserD:NEW_DOMAIN\admin /PasswordD:*

Common errors and fixes:

Error 1355: Run "nltest /dsgetdc:NEW_DOMAIN" first
Error 1909: Verify network connectivity to new DC
Error 2697: Check time synchronization with "w32tm /resync"
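The pre-join checks listed above (DNS lookup of the new DC, network reachability, time synchronization) as one PowerShell preflight script. This is an added example, not code from the answer; `NEW_DOMAIN.COM` and `NEWDC01.NEW_DOMAIN.COM` are assumed placeholder names, and the script only reports, it does not change membership:

```powershell
# Added example (not from the original answer): preflight checks to run on the
# orphaned server before "netdom join". Placeholder names are assumptions.
param(
    [string]$NewDomain = 'NEW_DOMAIN.COM',          # assumed placeholder
    [string]$NewDc     = 'NEWDC01.NEW_DOMAIN.COM'   # assumed placeholder
)

$results = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. What the machine currently believes it is joined to.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Result 'Current membership' $true ("PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain)

# 2. DNS: a join locates a DC through the _ldap._tcp.dc._msdcs SRV record of the
#    new domain. If this lookup fails, the DNS client is not pointed at the new DC.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewDomain" -Type SRV -ErrorAction Stop
    $targets = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
    Add-Result 'DC SRV record' $true "DCs advertised: $targets"
} catch {
    Add-Result 'DC SRV record' $false $_.Exception.Message
}

# 3. Connectivity to the ports a join needs on the DC: Kerberos (88), LDAP (389), SMB (445).
foreach ($port in 88, 389, 445) {
    $tnc = Test-NetConnection -ComputerName $NewDc -Port $port -WarningAction SilentlyContinue
    Add-Result "TCP $port to $NewDc" $tnc.TcpTestSucceeded ("RemoteAddress={0}" -f $tnc.RemoteAddress)
}

# 4. Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (default).
#    "w32tm /stripchart" prints data lines like "10:00:00, +00.0012345s"; parse the offset.
$chart = & w32tm.exe /stripchart /computer:$NewDc /samples:1 /dataonly 2>&1
$line  = $chart | Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
if ($line -and $line -match ',\s*([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1].TrimStart('+'))
    Add-Result 'Clock skew' ($skew -lt 300) ("{0:N3}s offset from {1}" -f $skew, $NewDc)
} else {
    Add-Result 'Clock skew' $false "Could not query $NewDc : $($chart -join ' ')"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more preflight checks failed; fix these before running netdom join.'
}
```

Run it from an elevated PowerShell on the orphaned server; any row with Ok = False maps to one of the failure classes listed above (no DC found, no connectivity, clock skew), and the Detail column says which one.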

When a domain controller is lost and replaced with a new one under a different domain, workstations/servers previously joined to the old domain become orphaned. Attempting to remove them via standard methods (net computer \\name del or sconfig) fails because:

  • net computer only works from a domain controller (which no longer exists)
  • sconfig requires authentication against the old domain (impossible)

Here's how to break the domain trust without contacting the old DC:

netdom remove %COMPUTERNAME% /Domain:OldDomainName /UserD:LocalAdminUser /PasswordD:*

Example for a machine named "SRV-APP01" with local admin "admin":

netdom remove SRV-APP01 /Domain:contoso.local /UserD:admin /PasswordD:*

You'll be prompted for the local admin password. The /PasswordD:* forces local authentication.

If the above fails due to system corruption, manually clear domain membership:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Domain" /t REG_SZ /d "" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Domain" /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultDomainName" /t REG_SZ /d "" /f

Reboot after executing these commands.

Once removed from the old domain, join the new one:

netdom join %COMPUTERNAME% /Domain:NewDomain.local /UserD:NewDomainAdmin /PasswordD:*

Or using PowerShell (if available):

Add-Computer -DomainName NewDomain.local -Credential (Get-Credential) -Restart

Notes:

  • Back up the registry before manual edits
  • For Server Core, ensure DNS settings point to the new domain's DC
  • Some services may require reconfiguration after domain change
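Backing up the registry keys named in this answer before the manual edits, and reporting membership and DNS state afterwards, as an added PowerShell example (not code from the answer). `$BackupDir` and the DC address `10.0.0.10` are assumed placeholders; `Get-DnsClientServerAddress` comes from the DnsClient module, so the report part needs Windows Server 2012 or later:

```powershell
# Added example (not from the original answer): export the keys the manual clean-up
# touches so "reg import" can restore them, then report the state an operator wants
# to verify after the reboot. BackupDir and NewDcIp are assumed placeholders.
param(
    [string]$BackupDir = "$env:SystemDrive\DomainCleanupBackup",  # assumed location
    [string]$NewDcIp   = '10.0.0.10'                                # assumed placeholder
)

# Keys listed in the answer (Tcpip, Winlogon) plus the Netlogon key edited earlier on the page.
$keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
)

function Backup-DomainKeys {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in $keys) {
        # One .reg file per key; backslashes and spaces in the key path become underscores.
        $file = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + "-$stamp.reg")
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
        Write-Host "Backed up $key -> $file"
    }
}

function Get-MembershipReport {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dns   = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

    # Secure channel only makes sense once the box is domain-joined again.
    $secureChannel = $null
    if ($cs.PartOfDomain) {
        try { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop } catch { $secureChannel = $false }
    }

    [pscustomobject]@{
        ComputerName     = $cs.Name
        PartOfDomain     = $cs.PartOfDomain
        Domain           = $cs.Domain          # workgroup name when PartOfDomain is false
        TcpipDomain      = $tcpip.Domain       # should be empty after the manual clear
        TcpipNVDomain    = $tcpip.'NV Domain'  # should be empty after the manual clear
        DnsServers       = ($dns -join ', ')
        DnsPointsToNewDc = [bool]($dns -contains $NewDcIp)
        SecureChannelOk  = $secureChannel
    }
}

Backup-DomainKeys
Get-MembershipReport | Format-List
```

Run the backup step before the three `reg add` commands; after the reboot, run the report again and expect `PartOfDomain` to be `False` with empty Tcpip domain values, and after the new join expect `PartOfDomain` `True` with `SecureChannelOk` `True`. To roll back, `reg import` the matching file from `$BackupDir`.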