Forcefully demote a Windows Server 2003 domain controller

Under some circumstances, a domain controller cannot be gracefully demoted because a required dependency or operation fails: network connectivity, name resolution, authentication, Active Directory replication, or locating a critical object in Active Directory. As a last resort, you can perform a forced removal of the domain controller from Active Directory, which avoids reinstalling the operating system on a domain controller that has failed and cannot be recovered. When a domain controller can no longer function in its domain (that is, it is offline), Active Directory cannot be removed in the normal way, because the normal procedure requires connectivity to the domain. Forced removal is not intended to replace the normal Active Directory removal procedure in any way; it is virtually equivalent to permanently disconnecting the domain controller.


Here is the procedure to forcefully demote a domain controller (using Windows Server 2003 SP1 as an example).

Scenario 1: If the domain controller can boot into normal mode:

1. Click Start, click Run, and then type the following command:

        dcpromo /forceremoval

2. Click OK. If Certificate Services is still installed, you will get a message to remove it first. If the DC still holds FSMO roles or is a global catalog (GC), you will get a message to transfer the roles to another DC.

3. At the Welcome to the Active Directory Installation Wizard page, click Next.

4. At the Force the Removal of Active Directory page, click Next.

5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.

6. In Summary, click Next.

7. When it finishes, click Finish and reboot the computer.


Scenario 2: If the domain controller cannot start in normal mode:

1. Restart the computer, and then press F8 to display the Windows Advanced Options menu. 

2. Choose Directory Services Restore Mode, press ENTER, and then press ENTER again to continue restarting. 

3. Modify the ProductType entry in the registry. To do this, follow these steps:

    a. Click Start, click Run, type regedit, and then click OK.

    b. Locate the following registry subkey:

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

    c. In the right-pane, double-click ProductType. 

    d. Type ServerNT in the Value data box, and then click OK.

Note If this value is not set correctly or is misspelled, you may receive the following error message:

    System Process - License Violation: The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted.

    e. Quit Registry Editor. 

4. Restart the computer.

5. Log on with the administrator account and password that is used for Directory Services Restore Mode.

The computer will now behave as a member server. However, some files and registry entries that are associated with the domain controller role still remain on the computer. To finish detaching the server from the old domain, do the following:

    - Disjoin the domain (join a new workgroup).

    - Install the DNS Server service and point the server's DNS client setting at itself.

6. Start Registry Editor and locate the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    If there is an entry for Src Root Domain Srv, right-click the value and then click Delete. This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion. Go through the following keys to delete references to the old domain controller (CCS = CurrentControlSet):

    HKEY_LOCAL_MACHINE\Software\Microsoft\ADS\LDAP\CN=....

    HKEY_LOCAL_MACHINE\System\CCS\DNS\Parameters | PreviousLocalHostName

    HKEY_LOCAL_MACHINE\System\CCS\Services\TCPIP\Parameters | Domain and NV Domain

7. Remove the remaining files and registry entries. To do this, follow these steps:

    a. Start the Active Directory Installation Wizard.

    b. Install Active Directory to make the computer a domain controller for a new, temporary domain, such as "psstemp.deleteme".

Note Make sure that you make the computer a domain controller in a different forest.

    c. After you install Active Directory, start the Active Directory Installation Wizard again, and then remove Active Directory from the domain controller.
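The two registry edits in Scenario 2 (step 3, ProductType; step 6, the leftover domain-controller values) are the places where a typo costs another reboot, so here is an added example script that backs each key up before changing it and verifies the ProductType spelling. It is not from the original article; it assumes Windows PowerShell has been installed on the Server 2003 machine (it is not there by default), and the full key paths are my expansion of the abbreviated paths given above.

```powershell
# Added example (not the article's code): scripts the Scenario 2 registry edits.
# Assumes Windows PowerShell is installed on the Server 2003 box (not there by
# default) and a local administrator logon: DSRM for -Phase ProductType, normal
# mode after the reboot for -Phase Cleanup. Full key paths are my expansion of
# the abbreviated paths in the article; the ADS\LDAP CN=... key is not handled.
param(
    [Parameter(Mandatory=$true)][ValidateSet('ProductType','Cleanup')][string]$Phase,
    [string]$BackupDir = "$env:SystemDrive\regbackup"   # assumed backup location
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# Export a key before touching it so a mistake can be undone with 'reg import'.
function Backup-Key([string]$RegPath, [string]$Name) {
    $file = Join-Path $BackupDir "$Name.reg"
    if (Test-Path $file) { Remove-Item $file }     # old reg.exe has no /y switch
    & reg.exe export $RegPath $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath failed" }
}

# Delete one value from a key, reporting whether it was there at all.
function Remove-ValueIfPresent([string]$PsPath, [string]$Value) {
    $item = Get-ItemProperty -Path $PsPath -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Value]) {
        Remove-ItemProperty -Path $PsPath -Name $Value
        Write-Host "Deleted '$Value' from $PsPath"
    } else { Write-Host "'$Value' not present under $PsPath" }
}
$svc = 'SYSTEM\CurrentControlSet\Services'
switch ($Phase) {
    'ProductType' {
        # Step 3: the value must be exactly ServerNT, or boot shows the 'License Violation' error.
        Backup-Key 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' 'ProductOptions'
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
        Write-Host "ProductType was '$((Get-ItemProperty $key).ProductType)'"
        Set-ItemProperty -Path $key -Name ProductType -Value 'ServerNT'
        $after = (Get-ItemProperty $key).ProductType
        if ($after -cne 'ServerNT') { throw "ProductType reads '$after', expected 'ServerNT'" }
        Write-Host 'ProductType set to ServerNT; restart into normal mode (step 4).'
    }
    'Cleanup' {
        # Step 6: remove the values that still point at the old domain controller.
        Backup-Key "HKLM\$svc\NTDS\Parameters" 'NTDS-Parameters'
        Remove-ValueIfPresent "HKLM:\$svc\NTDS\Parameters" 'Src Root Domain Srv'
        Backup-Key "HKLM\$svc\DNS\Parameters" 'DNS-Parameters'
        Remove-ValueIfPresent "HKLM:\$svc\DNS\Parameters" 'PreviousLocalHostName'
        Backup-Key "HKLM\$svc\Tcpip\Parameters" 'Tcpip-Parameters'
        foreach ($v in 'Domain','NV Domain') { Remove-ValueIfPresent "HKLM:\$svc\Tcpip\Parameters" $v }
    }
}
```

Run it as `.\demote-cleanup.ps1 -Phase ProductType` while in Directory Services Restore Mode, reboot, and then `.\demote-cleanup.ps1 -Phase Cleanup` once the server is up as a member server; the exported .reg files in the backup directory let you roll back any single key.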

Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest. Active Directory stores a considerable amount of metadata about a domain controller. During the normal process of uninstalling Active Directory on a domain controller, this metadata is removed from Active Directory through a connection to another domain controller in the domain. A forced removal assumes that there is no connectivity to the domain; therefore, it does not attempt any metadata removal (cleanup).

Consequently, forced removal of Active Directory from a domain controller should always be followed by the metadata cleanup procedure, which removes all references to the domain controller from the domain and forest. For more details, view the following KB article:

How to remove data in Active Directory after an unsuccessful domain controller demotion

-End-

Author: Pearson Peng