Repair demotion Problems with Win2000 and Win2003 AD

Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server.

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not demote gracefully when you use the Active Directory Installation Wizard (Dcpromo.exe), or when you run dcpromo from a command prompt.

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

DETERMINE CAUSE IF POSSIBLE

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.

IF CAUSE CANNOT BE DETERMINED OR CANNOT BE REPAIRED

If you cannot resolve the behavior, you can use the following workarounds to perform a forced demotion of the domain controller to preserve the installation of the operating system and of any applications on it.

BACK UP YOUR SERVER

BACK UP YOUR SERVER BEFORE YOU DEMOTE IT

Windows 2000 domain controllers

  1. If it is not already installed, install Windows 2000 Service Pack 4 (SP4). SP2 and later versions support forced demotion. Then, restart your computer.
  2. Click Start, click Run, and then type the following command:
    dcpromo /forceremoval
  3. Click OK.
  4. At the Welcome to the Active Directory Installation Wizard page, click Next.
  5. If the computer that you are removing is a global catalog server, click OK in the message window.

    Note Promote additional global catalogs in the forest or in the site if the domain controller that you are demoting is a global catalog server, as needed.
  6. At the Remove Active Directory page, make sure that the This server is the last domain controller in the domain check box is cleared (unchecked), and then click Next.
  7. At the Network Credentials page, type the name, password, and domain name for a user account with enterprise administrator credentials in the forest, and then click Next.
  8. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  9. On the Summary page, click Next.
  10. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.
If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Tools such as Replmon.exe or Repadmin.exe from Windows 2000 Support Tools may help you determine whether end-to-end replication has occurred. Windows 2000 SP3 and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.

READ BELOW FOR WINDOWS 2003 NOTE

Warning Before you use either of the following workarounds, make sure that you can successfully start in Directory Services Restore mode. Otherwise, you will not be able to log on after you forcefully demote the computer. If you do not remember the Directory Services Restore mode password, you can reset the password by using the Setpwd.exe utility that is located in the Winnt\System32 folder. In Windows Server 2003, the functionality of the Setpwd.exe utility has been integrated into the Set DSRM Password command of the NTDSUTIL tool. For more information about how to perform this procedure, see the article Directory Services Restore Mode Password Recovery.

Windows Server 2003 domain controllers

  1. By default, Windows Server 2003 domain controllers support forced demotion. Click Start, click Run, and then type the following command:
    dcpromo /forceremoval
  2. Click OK.
  3. At the Welcome to the Active Directory Installation Wizard page, click Next.
  4. At the Force the Removal of Active Directory page, click Next.
  5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  6. In Summary, click Next.
  7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.
If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.
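The metadata cleanup step that closes both procedures above is shown here as an annotated ntdsutil console session, typed at a command prompt on a surviving domain controller. This is an added example, not text from the original article; DC2 (surviving DC), DC1 (demoted DC), corp.example.com and the site Default-First-Site-Name are assumed placeholder names, and the index numbers you select depend on what the list commands print in your forest.

```batch
rem Added example, not from the original article. Run on a SURVIVING DC.
rem Assumed placeholders: DC2 = surviving DC, DC1 = forcibly demoted DC.
rem Lines after a "prompt:" are what you type at that ntdsutil prompt.
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC2
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
rem Pick the index of corp.example.com from the printed list.
select operation target: select domain 0
select operation target: list sites
rem Pick the index of Default-First-Site-Name from the printed list.
select operation target: select site 0
select operation target: list servers in site
rem Pick the index of DC1 (the demoted server), never the surviving DC.
select operation target: select server 1
select operation target: quit
rem Confirm the dialog: this deletes DC1's NTDS Settings object and
rem its replication links from the directory.
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit

rem Check that DC1 is gone from DC2's inbound replication partners and
rem push the change out; repadmin is in the Windows 2000 Support Tools.
C:\> repadmin /showreps DC2
C:\> repadmin /syncall DC2 /e
rem Remaining cleanup is manual: DC1's server object in Active Directory
rem Sites and Services, its computer account, and its DNS SRV records.
```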

If resource access control entries (ACEs) on the computer that you removed Active Directory from were based on domain local groups, these permissions may have to be reconfigured, because these groups will not be available to member or stand-alone servers. If you plan to install Active Directory on the computer again to make it a domain controller in the original domain, you do not have to reconfigure the access control lists (ACLs). If you prefer to leave the computer as a member or stand-alone server, any permissions that are based on domain local groups must be translated or replaced. For more information about how permissions are affected after you remove Active Directory from a domain controller, see the article: Permissions are affected after you demote a domain controller.

Windows Server 2003 Service Pack 1 enhancements

Windows Server 2003 SP1 enhances the dcpromo /forceremoval process. When dcpromo /forceremoval is executed, a check is made to determine whether the domain controller hosts an operations master role, is a Domain Name System (DNS) server, or is a global catalog server. For each of these roles, the administrator receives a pop-up warning that advises the administrator to take appropriate action.

OFFICIAL MS WEBSITE

Official Website