Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers


This article was previously published under Q332199

SYMPTOMS

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

RESOLUTION

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.

WORKAROUND

If you cannot resolve the behavior, you can use the following workarounds to perform a forced demotion of the domain controller to preserve the installation of the operating system and of any applications on it.

Warning: Before you use either of the following workarounds, make sure that you can successfully boot into Directory Services Restore mode. If you cannot, you will be unable to log on after forcefully demoting the computer. If you do not remember the Directory Services Restore mode password, you can reset it by using the Setpwd.exe utility that is located in the Winnt\System32 folder. For additional information about how to perform this procedure, click the following article number to view the article in the Microsoft Knowledge Base:

271641 The Configure Your Server Wizard Sets Blank Recovery Mode Password

Windows 2000 Domain Controllers

  1. Install the Q332199 hotfix on a Windows 2000 domain controller that is running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack 4 (SP4). SP2 and later support forced demotion. Then, restart your computer.
  2. Click Start, click Run, and then type the following command:

    dcpromo /forceremoval

  3. Click OK.
  4. At the Welcome to the Active Directory Installation Wizard page, click Next.
  5. If the computer that you are removing is a global catalog server, click OK in the message window.

    Note: If the domain controller that you are demoting is a global catalog server, promote additional global catalogs in the forest or in the site as required.
  6. At the Remove Active Directory page, make sure that the This server is the last domain controller in the domain check box is cleared, and then click Next.
  7. At the Network Credentials page, type the name, password, and domain name for a user account with enterprise administrator credentials in the forest, and then click Next.
  8. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  9. On the Summary page, click Next.
  10. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

    If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Tools such as Replmon.exe or Repadmin.exe from Windows 2000 Support Tools may help you determine if end-to-end replication has occurred. Windows 2000 SP3 and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.

Windows Server 2003 Domain Controllers

  1. Windows Server 2003 domain controllers support forced demotion by default. Click Start, click Run, and then type the following command:

    dcpromo /forceremoval

  2. Click OK.
  3. At the Welcome to the Active Directory Installation Wizard page, click Next.
  4. At the Force the Removal of Active Directory page, click Next.
  5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  6. In Summary, click Next.
  7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

    If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers are noticeably slower to remove objects and naming contexts than Windows Server 2003 is.
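The metadata cleanup that closes both procedures above (step 10 for Windows 2000, step 7 for Windows Server 2003) is the part that can be scripted. The following is an added example, not code from this article or from Microsoft: it runs Ntdsutil on a surviving domain controller and then checks that the NTDS Settings object of the demoted server is gone. The names DC1, DC2, Default-First-Site-Name and contoso.com are placeholders, and the "remove selected server <DN>" form is assumed to require Windows Server 2003 SP1 or later; on Windows 2000 and Windows Server 2003 RTM, walk the list/select menus described in article 216498 instead.

```powershell
# Metadata cleanup after dcpromo /forceremoval, run on a surviving domain controller.
# Added example, not from the article. Placeholder names: demoted DC 'DC1' in site
# 'Default-First-Site-Name', surviving DC 'DC2', forest root domain contoso.com.
$demotedDc   = 'DC1'
$siteName    = 'Default-First-Site-Name'
$survivingDc = 'DC2'
$configDn    = 'CN=Configuration,DC=contoso,DC=com'
$serverDn    = "CN=$demotedDc,CN=Servers,CN=$siteName,CN=Sites,$configDn"
$ntdsDn      = "CN=NTDS Settings,$serverDn"

# Ntdsutil accepts each menu command as a separate argument, so the interactive session
# can be replayed from a script. PowerShell passes each array element as its own argument.
# The 'remove selected server <DN>' form is assumed to need Windows Server 2003 SP1 or
# later; a confirmation dialog is still displayed before the object is removed.
$ntdsutilCommands = @(
    'metadata cleanup',
    'connections',
    "connect to server $survivingDc",
    'quit',
    "remove selected server $serverDn",
    'quit',
    'quit'
)
& ntdsutil.exe $ntdsutilCommands

# Confirm the result on the surviving DC: the NTDS Settings (NTDSDSA) object must be gone.
# The parent server object is left in place by design (see item 8 under MORE INFORMATION).
$ntdsRemoved   = -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$survivingDc/$ntdsDn")
$serverRemains =      [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$survivingDc/$serverDn")
"NTDS Settings object removed: $ntdsRemoved"
"Server object still present (remove by hand in Sites and Services if the name will not be reused): $serverRemains"
```

The deletion is made on one domain controller only; as the article notes, use Replmon.exe or Repadmin.exe to confirm that it has replicated end to end before promoting a new domain controller with the same name.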

STATUS

Microsoft has tested and supports the forced demotion of domain controllers that are running Windows 2000 or Windows Server 2003.

MORE INFORMATION

The Active Directory Installation Wizard creates Active Directory domain controllers on Windows 2000-based and Windows Server 2003-based computers. Operations that are performed by the Active Directory Installation Wizard include the installation of new services, changes to the startup values of existing services, and the transition to Active Directory as a security and authentication realm.

With forced demotion, a domain administrator can forcibly remove Active Directory and roll back locally held system changes without having to contact or replicate any locally held changes to another domain controller in the forest.

Because forced demotion results in the loss of any locally held changes, use it only as a last resort in production or test domains. You can forcibly demote domain controllers when connectivity, name resolution, authentication, or replication engine dependencies cannot be resolved so that graceful demotion can be performed. Valid scenarios for forced demotions include:

Forced demotions may be useful in lab and classroom environments where you want to remove domain controllers from existing domains without having to demote each domain controller serially.

If you force the demotion of a domain controller, you will lose any unique changes that reside in the Active Directory of the domain controller that you are forcibly demoting, including the addition, deletion, or modification of users, computers, groups, trust relationships, and Group Policy or Active Directory configuration that did not replicate off before you ran the dcpromo /forceremoval command. Additionally, you will lose changes to any of the attributes on these objects, such as passwords for users, computers, and trust relationships, and group membership.

However, if you force the demotion of a domain controller, you return the operating system to a state that is the same as the successful demotion of the last domain controller in a domain (service start values, installed services, use of a registry based SAM for the account database, computer is a member of a workgroup). Programs that are installed on the demoted domain controller remain installed.

The System event log identifies forcibly demoted Windows 2000 domain controllers (and instances of the dcpromo /forceremoval operation) by event ID 29234. For example:

Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29234
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.

The System event log identifies forcibly demoted Windows Server 2003 domain controllers by event ID 29239. For example:

Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29239
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.
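Because a forced demotion leaves stale metadata on the surviving domain controllers and may orphan operations master roles, the two event IDs above are worth collecting centrally rather than reading only when a problem surfaces. The following is an added example, not code from this article or from Microsoft: it reads the System log of each listed computer and reports lsasrv events 29234 and 29239. It assumes PowerShell 2.0 or later with read access to the remote System log; the host names are constructed placeholders. Note that the event is written on the demoted computer itself, which is a workgroup member after the demotion, so local credentials may be needed to reach it.

```powershell
# Finding forced demotions in the System event log. Added example, not from the article.
# Assumes PowerShell 2.0 or later; host names are constructed placeholders.
$servers = @('DC1', 'DC2')

# Event IDs named by the article: 29234 (Windows 2000) and 29239 (Windows Server 2003),
# both logged by source lsasrv with the text "The server was force demoted."
$forcedDemotionIds = @(29234, 29239)

function Get-ForcedDemotionEvents {
    param(
        [string]$Computer,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    Get-EventLog -LogName System -ComputerName $Computer -After $Since |
        Where-Object { $_.Source -eq 'lsasrv' -and ($forcedDemotionIds -contains $_.EventID) } |
        Select-Object MachineName, TimeGenerated, EventID, Message
}

foreach ($server in $servers) {
    $hits = @(Get-ForcedDemotionEvents -Computer $server)
    if ($hits.Count -gt 0) {
        # Each hit means the cleanup items listed under MORE INFORMATION are still owed
        # for this computer unless someone has already done them.
        "$server`: $($hits.Count) forced-demotion event(s)"
        $hits | Format-Table -AutoSize
    } else {
        "$server`: no forced-demotion events in the last 30 days"
    }
}
```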

After you use the dcpromo /forceremoval command, metadata for the demoted computer is not deleted on surviving domain controllers. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion

The following are items that you must address, if applicable, after forcibly demoting a domain controller:

  1. Remove the computer account from the domain.
  2. Verify that DNS records, including A, CNAME, and SRV records, are removed, and remove them if they are present.
  3. Verify that FRS member objects (FRS and DFS) are removed, and remove them if they are present. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    296183 Overview of Active Directory Objects That Are Used by FRS

  4. If the demoted computer is a member of any security groups, remove it from those groups.
  5. Remove any DFS references to the demoted server (links or root replicas).
  6. A surviving domain controller must seize any operations master roles (also known as flexible single master operations or FSMO) that were previously held by the forcibly demoted domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

  7. If the domain controller that you are demoting is a DNS Server or Global Catalog server, you must create a new GC or DNS Server to satisfy load balancing, fault tolerance, and configuration settings in the forest.
  8. When you use the remove selected server command in NTDSUTIL, the NTDSDSA object (the parent object for inbound connections to the domain controller that you forcibly demoted) is removed. The command does not remove the parent server objects that appear in the Sites and Services snap-in. Use the Active Directory Sites and Services MMC snap-in to remove the server object if the domain controller will not be promoted into the forest with the same computer name.
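Most of the items in the list above can be checked from a surviving domain controller with directory and DNS queries. The following is an added example, not code from this article or from Microsoft: it searches for the leftovers named in items 1 to 6 and 8 and prints what it finds, without removing anything. It uses System.DirectoryServices and the DNS server WMI provider (root\MicrosoftDNS), so it does not need the Active Directory PowerShell module. The names DC1, dc1.contoso.com, DC2, Default-First-Site-Name and contoso.com are placeholders; the use of the fTDfs class and its remoteServerName attribute for domain-based DFS references is an assumption, not something the article states.

```powershell
# Post-forced-demotion leftover checks, run against a surviving domain controller.
# Added example, not from the article. Placeholders: demoted DC 'DC1' (dc1.contoso.com),
# surviving DC 'DC2' that also hosts DNS, domain contoso.com.
$demoted     = 'DC1'
$demotedFqdn = 'dc1.contoso.com'
$survivingDc = 'DC2'
$dnsServer   = 'DC2'
$domainDn    = 'DC=contoso,DC=com'
$configDn    = "CN=Configuration,$domainDn"

# LDAP search helper; returns the ADsPath of each matching object
function Find-AdObjects([string]$SearchBase, [string]$LdapFilter) {
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$survivingDc/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    $searcher.PageSize = 500
    $searcher.FindAll() | ForEach-Object { $_.Path }
}

$leftovers = @()

# Items 1 and 4: the computer account and any security groups it still belongs to
$account = @(Find-AdObjects $domainDn "(&(objectClass=computer)(sAMAccountName=$demoted`$))")
$leftovers += $account
foreach ($path in $account) {
    $leftovers += @(([ADSI]$path).memberOf | ForEach-Object { "group membership: $_" })
}

# Item 2: DNS records that name the demoted DC as owner (A) or as target (CNAME under
# _msdcs, SRV), read through the DNS server WMI provider
$leftovers += @(Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord -ComputerName $dnsServer |
    Where-Object { $_.OwnerName -eq $demotedFqdn -or $_.RecordData -match [regex]::Escape($demotedFqdn) } |
    ForEach-Object { "DNS: " + $_.TextRepresentation })

# Item 3: FRS member objects (SYSVOL and any DFS replica sets) named after the server
$leftovers += @(Find-AdObjects "CN=File Replication Service,CN=System,$domainDn" "(&(objectClass=nTFRSMember)(cn=$demoted))")

# Item 5: domain-based DFS roots still listing \\DC1\... as a target (assumed schema:
# fTDfs objects with a remoteServerName attribute; backslash is \5c in an LDAP filter)
$leftovers += @(Find-AdObjects "CN=Dfs-Configuration,CN=System,$domainDn" "(&(objectClass=fTDfs)(remoteServerName=\5c\5c$demoted\5c*))")

# Item 6: operations master roles whose fSMORoleOwner still points at the demoted DC
$fsmoHolders = @{
    'Schema'         = "CN=Schema,$configDn"
    'Domain naming'  = "CN=Partitions,$configDn"
    'PDC'            = $domainDn
    'RID'            = 'CN=RID Manager$,CN=System,' + $domainDn
    'Infrastructure' = "CN=Infrastructure,$domainDn"
}
foreach ($role in $fsmoHolders.Keys) {
    $owner = ([ADSI]"LDAP://$survivingDc/$($fsmoHolders[$role])").fSMORoleOwner
    if ("$owner" -like "CN=NTDS Settings,CN=$demoted,*") {
        $leftovers += "$role role still owned by $owner (seize it; see article 255504)"
    }
}

# Item 8: the server object under Sites and Services, which 'remove selected server' leaves behind
$leftovers += @(Find-AdObjects "CN=Sites,$configDn" "(&(objectClass=server)(cn=$demoted))")

if ($leftovers.Count -eq 0) { "No leftovers found for $demoted." } else { $leftovers }
```

Run it again after the cleanup and after replication has completed; an empty result on every surviving domain controller is the condition the article asks for before a new domain controller is promoted with the same name.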
