How to do it...

To render the read-only domain controller useless to an attacker or thief, perform these steps:

  1. Open Active Directory Users and Computers (dsa.msc).
  2. In the left navigation pane, expand the domain name.
  3. In the left navigation pane, expand the Domain Controllers OU.
  4. Right-click the compromised read-only domain controller and select Delete.
  5. On the Deleting Active Directory Domain Controller screen, select the Reset all passwords for user accounts that were cached on this read-only domain controller option.
  6. Since the owners of those user accounts will be locked out until service desk personnel reset their passwords, it's recommended practice to also check Export the list of accounts that were cached on this read-only domain controller to this file: and to specify a file path. This way, the service desk can proactively contact affected colleagues.
  7. Click Delete.
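The same two safeguards (export the cached-account list, then reset every cached password) can be scripted with the ActiveDirectory module, which is useful when you want a record of exactly which accounts were reset, or when the RODC has already been removed from the network and you prefer to act before touching its object. The script below is an added example and is not part of the original recipe; the RODC name, the export path and the random-password helper are placeholders and assumptions. Run it before deleting the RODC object, because the list of revealed accounts disappears together with that object.

```powershell
# Added example (not from the original recipe): export the accounts whose
# passwords were cached on a compromised RODC and force-reset them.
# Run this BEFORE deleting the RODC object in Active Directory; the list of
# revealed accounts is stored on that object and is gone once it is deleted.
# Assumptions: the ActiveDirectory module is installed, the caller holds
# password-reset rights, and $Rodc / $ExportPath are placeholder values.

Import-Module ActiveDirectory

$Rodc       = 'RODC01'                                  # placeholder RODC name
$ExportPath = 'C:\Temp\RODC01-cached-accounts.csv'      # placeholder path

# Hypothetical helper: build a long random throwaway password.
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*')
    -join (1..$Length | ForEach-Object { $chars | Get-Random })
}

# Accounts whose secrets were replicated to (revealed on) this RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Keep user accounts only: resetting computer-account passwords here would
# break those machines, and the RODC's own krbtgt_<id> account is retired
# together with the RODC itself.
$users = @($revealed | Where-Object {
    $_.ObjectClass -eq 'user' -and $_.SamAccountName -notlike 'krbtgt*'
})

# Step 6 equivalent: give the service desk a list to work from.
$users | Select-Object Name, SamAccountName, DistinguishedName |
    Export-Csv -Path $ExportPath -NoTypeInformation

# Step 5 equivalent: invalidate every credential the RODC had cached and
# require the user to choose a new password at next logon.
foreach ($u in $users) {
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $secret
    Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
    Write-Host "Reset: $($u.SamAccountName)"
}

Write-Host "$($users.Count) user accounts reset; list exported to $ExportPath"
```

After the script has run, the RODC object can be deleted as in the steps above; the Reset all passwords option is then harmless to leave checked, since the cached credentials are already invalid. The exported CSV is the list the service desk works from, so store it where only they can read it.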