Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers

This article was previously published under Q332199

SYMPTOMS
Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE
This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

RESOLUTION
To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.

WORKAROUND
If you cannot resolve the behavior, you can use the following workarounds to perform a forced demotion of the domain controller to preserve the installation of the operating system and of any applications on it.
 
Warning Before you use either of the following workarounds, make sure that the user can successfully boot into Directory Services Restore mode.
If not, the user will be unable to log on after forcefully demoting the computer.
 
If the user does not remember the Directory Services Restore mode password, the user can reset the password by using the Setpwd.exe utility that is located in the Winnt\System32 folder.
 
For additional information about how to perform this procedure, click the following article number to view the article in the Microsoft Knowledge Base:

271641 The Configure Your Server Wizard Sets Blank Recovery Mode Password

Windows 2000 Domain Controllers

1. Install the Q332199 hotfix on a Windows 2000 domain controller that is running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack 4 (SP4). SP2 and later support forced demotion. Then, restart your computer.
2. Click Start, click Run, and then type the following command:
   dcpromo /forceremoval
   Click OK.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. If the computer that you are removing is a global catalog server, click OK in the message window.

   Note Promote additional global catalogs in the forest or in the site if the domain controller that you are demoting is a global catalog server, as required.
5. At the Remove Active Directory page, make sure that the This server is the last domain controller in the domain check box is cleared, and then click Next.
6. At the Network Credentials page, type the name, password, and domain name for a user account with enterprise administrator credentials in the forest, and then click Next.
7. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
8. On the Summary page, click Next.
9. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.
 
If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name.
 
Tools such as Replmon.exe or Repadmin.exe from Windows 2000 Support Tools may help you determine if end-to-end replication has occurred.
Windows 2000 SP3 and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.

Windows Server 2003 Domain Controllers

Windows Server 2003 domain controllers support forced demotion by default.
1. Click Start, click Run, and then type the following command:
   dcpromo /forceremoval
   Click OK.
2. At the Welcome to the Active Directory Installation Wizard page, click Next.
3. At the Force the Removal of Active Directory page, click Next.
4. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
5. In Summary, click Next.
6. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name.
 
Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.

STATUS
Microsoft has tested and supports the forced demotion of domain controllers that are running Windows 2000 or Windows Server 2003.

MORE INFORMATION
The Active Directory Installation Wizard creates Active Directory domain controllers on Windows 2000-based and Windows Server 2003-based computers. Operations that are performed by the Active Directory Installation Wizard include the installation of new services, changes to the startup values of existing services, and the transition to Active Directory as a security and authentication realm.
 
With forced demotion, a domain administrator can forcibly remove Active Directory and roll back locally held system changes without having to contact or replicate any locally held changes to another domain controller in the forest.
 
Because forced demotion results in the loss of any locally held changes, use it only as a last resort in production or test domains. You can forcibly demote domain controllers when connectivity, name resolution, authentication, or replication engine dependencies cannot be resolved so that graceful demotion can be performed.
 
Valid scenarios for forced demotions include:
- There are no domain controllers currently available in the parent domain when you try to demote the last domain controller in an immediate child domain.
- The Active Directory Installation Wizard cannot complete because there is a name resolution, authentication, replication engine, or Active Directory object dependency that you cannot resolve after you perform detailed troubleshooting.
- A domain controller has not replicated inbound Active Directory changes for one or more naming contexts in the tombstone lifetime number of days (the default tombstone lifetime is 60 days).

  Important Do not recover such domain controllers unless they are the only chance of recovery for a particular domain.
- Time does not permit more detailed troubleshooting because you must immediately bring the domain controller into service.
- Forced demotions may be useful in lab and classroom environments where you can remove domain controllers from existing domains without having to demote each domain controller serially.
 
If you force the demotion of a domain controller, you will lose any unique changes that reside in the Active Directory of the domain controller that you are forcibly demoting, including the addition, deletion, or modification of users, computers, groups, trust relationships, and Group Policy or Active Directory configuration that did not replicate off before you ran the dcpromo /forceremoval command.
Additionally, you will lose changes to any of the attributes on these objects, such as passwords for users, computers, and trust relationships and group membership.
However, if you force the demotion of a domain controller, you return the operating system to the same state as after the successful demotion of the last domain controller in a domain (service start values, installed services, use of a registry-based SAM for the account database, and membership of the computer in a workgroup).
 
Programs that are installed on the demoted domain controller remain installed.
The System event log identifies forcibly demoted Windows 2000 domain controllers (and instances of the dcpromo /forceremoval operation) by event ID 29234. For example:

Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29234
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A

Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.

The System event log identifies forcibly demoted Windows Server 2003 domain controllers by event ID 29239. For example:

Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29239
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A

Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.

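Because these two event IDs are the only on-host record that a forced demotion happened, they are worth collecting and alerting on. The following script is an added example, not part of KB 332199: it reads the classic System log with Get-EventLog (available on Windows PowerShell, including against Windows Server 2003 hosts) and reports any lsasrv event 29234 or 29239. The computer name and the 30-day look-back window are assumed defaults; the script only reads the log.

```powershell
# Added example, not part of KB 332199: report forced-demotion events from the
# System log. Event ID 29234 (Windows 2000) and 29239 (Windows Server 2003),
# both from source lsasrv, are the IDs the article describes.
param(
    [string]$ComputerName = '.',   # assumption: local computer unless overridden
    [int]$Days = 30                # assumption: how far back to search
)

$forcedDemotionIds = 29234, 29239
$since = (Get-Date).AddDays(-$Days)

# Read the System log and keep only lsasrv entries with the two IDs.
# Filtering on Source in Where-Object (rather than with -Source) avoids the
# "No matches found" error Get-EventLog raises when a filter finds nothing.
$events = Get-EventLog -LogName System -After $since -ComputerName $ComputerName -ErrorAction Stop |
          Where-Object { $_.Source -eq 'lsasrv' -and $forcedDemotionIds -contains $_.EventID }

if (-not $events) {
    "No forced demotion (event 29234/29239) recorded on $ComputerName since $since."
    return
}

foreach ($e in $events) {
    # 29234 is logged by Windows 2000, 29239 by Windows Server 2003
    $platform = if ($e.EventID -eq 29234) { 'Windows 2000' } else { 'Windows Server 2003' }
    New-Object PSObject -Property @{
        TimeGenerated = $e.TimeGenerated
        Computer      = $e.MachineName
        EventID       = $e.EventID
        Platform      = $platform
        Message       = $e.Message.Trim()
    }
}
```

Saved as, for example, Find-ForcedDemotion.ps1 (assumed name), it is run locally with no parameters or against another server with `.\Find-ForcedDemotion.ps1 -ComputerName DC02` (DC02 is a placeholder). Reading the event requires rights to the remote System log; a forced demotion that nobody planned is a change to the security boundary of the domain and should be reconciled against the metadata cleanup described below.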
After you use the dcpromo /forceremoval command, metadata for the demoted computer is not deleted on surviving domain controllers.
 
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion
 
The following are items that you must address, if applicable, after forcibly demoting a domain controller:

- Remove the computer account from the domain.
- Verify that DNS records, including A, CNAME, and SRV records, are removed, and remove them if they are present.
- Verify that FRS member objects (FRS and DFS) are removed, and remove them if they are present.

  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  296183 Overview of Active Directory Objects That Are Used by FRS

- If the demoted computer is a member of any security groups, remove it from those groups.
- Remove any DFS references to the demoted server (links or root replicas).
- A surviving domain controller must seize any operations master roles (also known as flexible single master operations or FSMO) that were previously held by the forcibly demoted domain controller.

  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

- If the domain controller that you are demoting is a DNS Server or Global Catalog server, you must create a new GC or DNS Server to satisfy load balancing, fault tolerance, and configuration settings in the forest.
- When you use the remove selected server command in NTDSUTIL, the NTDSDSA object (the parent object for inbound connections to the domain controller that you forcibly demoted) is removed. The command does not remove the parent server objects that appear in the Sites and Services snap-in. Use the Active Directory Sites and Services MMC snap-in to remove the server object if the domain controller will not be promoted into the forest with the same computer name.
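A stale computer account, NTDS Settings object or FSMO pointer left behind by a forced demotion is easy to overlook and keeps a machine that no longer exists trusted as a domain controller. The following script is an added example, not part of KB 332199 or of any Microsoft tool: it walks the checklist above and reports what still references the demoted server. It uses .NET DirectoryServices through the [ADSI] accelerator, so it needs no AD PowerShell module and works on the Windows Server 2003-era hosts the article covers. It assumes it runs on a surviving domain controller or a domain-joined administrative host with read access to the directory; $DemotedName is a placeholder for the demoted server's name, and the script reports only and deletes nothing.

```powershell
# Added example, not part of KB 332199: report leftover references to a
# forcibly demoted domain controller. Run on a surviving DC or a domain-joined
# admin host with read access to Active Directory. Reports only, removes nothing.
param(
    [Parameter(Mandatory = $true)]
    [string]$DemotedName   # placeholder: host name of the demoted DC, e.g. DC02
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = $rootDse.Properties['defaultNamingContext'].Value
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

# LDAP search helper returning distinguished names (System.DirectoryServices,
# so no AD PowerShell module is required).
function Find-Dn([string]$SearchBase, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

$findings = @()

# 1. Computer account (still a DC account after a forced demotion) and its group memberships
$acct = @(Find-Dn $domainNC "(&(objectCategory=computer)(cn=$DemotedName))")
if ($acct.Count -gt 0) {
    $findings += "Computer account still exists: $($acct[0])"
    $groups = @(([ADSI]"LDAP://$($acct[0])").Properties['memberOf'])
    if ($groups.Count -gt 0) { $findings += "Account is still a member of: $($groups -join '; ')" }
}

# 2. Server object in Sites and Services and its NTDS Settings (nTDSDSA) child.
#    ntdsutil "remove selected server" deletes the nTDSDSA object; the parent
#    server object is removed by hand in the Sites and Services snap-in.
$server = @(Find-Dn $configNC "(&(objectClass=server)(cn=$DemotedName))")
if ($server.Count -gt 0) {
    $findings += "Server object remains in Sites and Services: $($server[0])"
    $ntds = @(Find-Dn $server[0] '(objectClass=nTDSDSA)')
    if ($ntds.Count -gt 0) { $findings += "NTDS Settings object remains (metadata cleanup not done): $($ntds[0])" }
}

# 3. Operations master (FSMO) roles: fSMORoleOwner holds the DN of the owner's NTDS Settings object
$roleObjects = @{
    'Schema master'         = $schemaNC
    'Domain naming master'  = "CN=Partitions,$configNC"
    'PDC emulator'          = $domainNC
    'RID master'            = 'CN=RID Manager$,' + $domainNC
    'Infrastructure master' = "CN=Infrastructure,$domainNC"
}
foreach ($role in $roleObjects.Keys) {
    $owner = ([ADSI]"LDAP://$($roleObjects[$role])").Properties['fSMORoleOwner'].Value
    if ($owner -like "*CN=$DemotedName,CN=Servers,*") {
        $findings += "$role still points at $DemotedName; seize it on a surviving DC (KB 255504)"
    }
}

# 4. FRS member objects (SYSVOL and DFS replica sets) under CN=System
$frs = @(Find-Dn "CN=System,$domainNC" "(&(objectClass=nTFRSMember)(cn=$DemotedName))")
if ($frs.Count -gt 0) { $findings += "FRS member object(s) remain: $($frs -join '; ')" }

# 5. DNS host (A) record for the demoted server. A failed lookup is the desired
#    outcome, so the resolver exception is swallowed on purpose.
$dnsDomain = ($domainNC -replace ',DC=', '.') -replace '^DC=', ''
try {
    $addr = [System.Net.Dns]::GetHostAddresses("$DemotedName.$dnsDomain")
    $findings += "DNS still resolves $DemotedName.$dnsDomain to $($addr -join ', ')"
} catch { }

if ($findings.Count -eq 0) {
    "No leftover references to $DemotedName found."
} else {
    "Leftover references to $DemotedName (see KB 216498 for cleanup):"
    $findings | ForEach-Object { " - $_" }
}
```

Saved as Test-DemotedDcCleanup.ps1 (assumed name), it is run as `.\Test-DemotedDcCleanup.ps1 -DemotedName DC02`. The script checks the host (A) record only; SRV registrations for the old server are still inspected separately, for example with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<dns domain>`, and DFS link and root-replica references are reviewed in the DFS console as the checklist states.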

The information in this article applies to:
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Last Reviewed: 10/31/2003 (5.0) 
Keywords: kbbug KB332199
KB Article by ID Number:
332199
Directory Services Keywords:
Dcpromo W2000DCPROMO
General Services Keywords:
AD GENERAL
Technologies Keywords:
LDAP
Networking Keywords:
N/A
Created at 1/5/2004 11:45 AM by Jean-François APREA
Last modified at 1/5/2004 12:02 PM by Jean-François APREA