After demoting a domain controller, the related event logs (DNS Server, File Replication Service, and Directory Service) are not removed. While this is technically not an issue, it can potentially confuse monitoring systems (SCOM inadvertently detects a DNS server while there is none). Or, perhaps you should want to be tidy.

1. Open regedit.
2. Navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
3. This key contains a subkey, one for each event log. Remove the following keys to remove the event logs:
   • Directory Service
   • File Replication Service
   • DNS Server
   You do not need to reboot the server. The logs are immediately removed from the Event Viewer.

Although the change is effective immediately, the underlying event log files are still in use. If you wish to remove these, you'll need to reboot the server in order to have the Event Log restarted (you cannot manually restart the service).

1. After the reboot, navigate to the folder:
   %windir%\system32\config
2. Remove the following files:
   • DnsEvent.Evt
   • NTDS.Evt
   • NtFrs.Evt