DCpromo

Amin

When I run DCpromo to uninstall active directory on one of
my DC's, it fails. It gives me this message:
"Failed finding a suitable domain controller for the domain
xxxxx.com"
"the security data base on the server does not have a
computer account for the workstation trust relationship".

I checked on the PDC and all the DC's in my domain and
found no listing for this Domain controller. So what I
don't understand is how AD on this server is still
working when the rest of the domain controllers don't
see it as a domain controller!

Is there any other way to remove active directory from
this server other than dcpromo?

Thanks.

Amin
 
Paul McGuire

Windows 2000 Domain Controllers
1. Install the Q332199 hotfix on a Windows 2000 domain controller that is
running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack
4 (SP4), when it becomes available. SP2 and later support forced demotion.
Then, restart your computer.
2. Click Start, click Run, and then type the following command:
   dcpromo /forceremoval
3. Click OK.
4. At the Welcome to the Active Directory Installation Wizard page, click
Next.
5. If the computer that you are removing is a global catalog server,
click OK in the message window.

   Note: Promote additional global catalogs in the forest or site if the
   domain controller that you are demoting is a global catalog server, as
   required.
6. At the Remove Active Directory page, make sure that the This server is
the last domain controller in the domain check box is cleared, and then
click Next.
7. At the Network Credentials page, type the name, password, and domain
name for a user account with enterprise administrator credentials in the
forest, and then click Next.
8. In Administrator Password, type the password and confirmed password
that you want to assign to the Administrator account of the local SAM
database, and then click Next.
9. On the Summary page, click Next.
10. Perform a metadata cleanup for the demoted domain controller on a
surviving domain controller in the forest.

If you removed a domain from the forest by using the remove selected
domain command in Ntdsutil, verify that all the domain controllers and the
global catalog servers in the forest have completely removed all the objects
and the references to the domain that you just removed before you promote a
new domain into the same forest with the same domain name. Tools such as
Replmon.exe or Repadmin.exe from Windows 2000 Support Tools may help you
determine if end-to-end replication has occurred. Windows 2000 SP3 and
earlier global catalog servers are noticeably slower to remove objects and
naming contexts than is Windows Server 2003.
HTH

Paul McGuire
 
Herb Martin

> I checked on the PDC and all the DC's in my domain and
> found no listing for this Domain controller. So what I
> don't understand is how AD on this server is still
> working when the rest of the domain controllers don't
> see it as a domain controller!

How did you check the DC? (There is no "PDC" but one
of them is the "PDC Emulator".)

NTDSUtil or one of the LDAP tools (much harder) is the
way but that doesn't matter....

AD is multimastered so a disconnected DC will continue to
work after a fashion (probably forever) but it will no longer
receive or send updates with the other DCs.

If you merely found it missing from DNS that is likely a
reason it wasn't replicating and the reason it could not
find another DC to help with the removal.

> Is there any other way to remove active directory from
> this server other than dcpromo?

If you upgrade through SP4 (or some particular qfix
whose number I don't recall is sufficient) then you can just
run DCPromo thus:

DCPromo /forceremoval
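
Added example, not part of any post in this thread: a Python check that reads an LDIF export taken from a surviving DC and reports which of the three objects that represent a domain controller (the computer account, the server object under Sites, and its NTDS Settings child) exist for a given name. It bears on both the question of how the DC was checked and the metadata cleanup in step 10. The sample LDIF is constructed, example.com, DC1 and DC2 are placeholders, and the function names are hypothetical.

```python
import re

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl flag set on DC computer accounts
# Constructed sample export: example.com, DC1 and DC2 are placeholders.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
SAMPLE_LDIF = f"""\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
objectClass: computer
userAccountControl: 532480

dn: CN=DC1,{SITE}
objectClass: server

dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA

dn: CN=DC2,{SITE}
objectClass: server

dn: CN=NTDS Settings,CN=DC2,{SITE}
objectClass: nTDSDSA
"""

def parse_ldif(text):
    """Yield (lower-cased dn, attrs) per entry, unfolding wrapped lines; '::' values are not decoded."""
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", text).strip()):
        attrs = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs.setdefault(key.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs["dn"][0].lower(), attrs

def dc_registration(text, name):
    """Report which of the three objects that represent DC `name` are in the export."""
    found = {"computer_account": False, "server_object": False, "ntds_settings": False}
    server_dn = f"cn={name.lower()},cn=servers,"
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "computer" in classes and dn.startswith(f"cn={name.lower()},"):
            uac = int(attrs.get("useraccountcontrol", ["0"])[0])
            found["computer_account"] |= bool(uac & SERVER_TRUST_ACCOUNT)
        elif "server" in classes and dn.startswith(server_dn):
            found["server_object"] = True
        elif "ntdsdsa" in classes and dn.startswith("cn=ntds settings," + server_dn):
            found["ntds_settings"] = True
    return found
```

In the sample, DC2 still has a server object and an NTDS Settings object but no computer account, which is the kind of leftover a metadata cleanup removes.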
 
