Windows Tip Sheet
Decommissioning Domain Controllers
Even after removing your old DCs, the event logs might be lying about. Here's how to kick them out.
I've been working with a company that's redoing their infrastructure. As part of the redesign, they're doing away with a lot of old domain controllers (DCs) and putting new ones online (and they just
realized they'll do this again when Windows Longhorn Server comes out, because they plan to deploy all domain controllers under Server Core...but that's late next year at best, so on with the show...).
However, many of the old DCs were performing other functions, too, so the computers won't be going away. After running Dcpromo to remove Active Directory (why can't that tool be called Dcdemo, as in "demote?"), and removing the DNS Server software (which several of the DCs run), they realized the computers still had the old DnsEvent, NTDS and NtFrs event logs. They weren't doing any technical harm by leaving the logs there, but it was confusing their auditors, who kept trying to treat the machines as DCs just because those logs were present.
The first step to removing those logs is to stop the EventLog service...which, er, you can't stop. So the first thing to do is modify the registry (be careful!) by changing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Change the DWORD value named Start to have a value of 4. Restart the computer (it'll complain mightily about service failures; ignore ‘em). Now you can delete the event logs: They're under \Windows\System32\Config, named DnsEvent.evt, NTDS.evt and NtFrs.evt. Delete their registry keys, too: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog; delete the subkeys named Directory Service, DNS Server and File Replication Service.
Finally, go back to that original registry key and change the Start value back to 2, and reboot. That should do the trick. Of course, be sure this action gets logged for the auditors: Messing about with event logs is the kind of thing that needs to be documented, especially if your organization is subject to security-related legislation or industry requirements.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.