How to demote a DC from a domain?

Majstor

Hello,

I have added a W2000 server to an existing domain as another DC using DCPROMO.
The only obstacle was "Preferred DNS"; I had to change it to point to
another DC, and then it succeeded.

Now, without any additional DNS configuration or whatever, I wanted to remove
it from the domain to be just a member server. But I get:

"The Directory service failed to replicate off changes made locally."
"The DSA operation is unable to proceed because of a DNS lookup failure"

I tried changing "Preferred DNS" and "Alternate DNS". No change!
I don't know whether either of these 2 DCs is a "global catalog" or not!
I have an exclamation sign in the DNS console on this server, and test queries fail.
How do I configure the additional DC's DNS to be able to demote it properly? Does
it have to be configured the same as the other DC's DNS?

Or is there any easier, less sophisticated way to solve this?

Regards,
Vladimir
 
Tom Ausburne

You should have the machine you are trying to demote point ONLY to
another DC for DNS. Don't provide an alternate DNS.

If this doesn't work and you just want to demote the machine you can
forcefully demote the machine and then do a Metadata Cleanup of
Active Directory.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion
of Active
http://support.microsoft.com/?id=332199

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful
Domain
http://support.microsoft.com/?id=216498



Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.
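The checks behind this answer, as an added example that is not part of the thread and not Microsoft's code: it is run on the DC to be demoted (DC2) and first sets the resolver list to the surviving DC only, then proves that the SRV records DCPROMO depends on actually resolve through that server before any demotion is attempted. The NIC name "Local Area Connection", the survivor address 192.168.1.10 and the domain example.com are assumptions; netdom and repadmin are from the Windows 2000 Support Tools.

```batch
@echo off
REM Added example (not from the thread, not Microsoft's code). Run on the DC you want
REM to demote (DC2) as a domain admin. Assumed values: NIC name "Local Area Connection",
REM surviving DC at 192.168.1.10, domain example.com. Adjust to your own environment.
setlocal
set NIC=Local Area Connection
set REMAINING_DC=192.168.1.10
set DOMAIN=example.com

REM 1. Point this machine ONLY at the surviving DC for DNS. "source=static addr=" replaces
REM    the whole resolver list, so no stale alternate entry survives.
netsh interface ip set dns name="%NIC%" source=static addr=%REMAINING_DC%
ipconfig /flushdns

REM 2. Prove that the records DCPROMO needs actually resolve via that server. A "DNS lookup
REM    failure" from the DSA means one of these comes back empty.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %REMAINING_DC%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%DOMAIN% %REMAINING_DC%
REM    The GC record also answers "which DC is a global catalog": only GCs are listed here.
nslookup -type=SRV _ldap._tcp.gc._msdcs.%DOMAIN% %REMAINING_DC%

REM 3. Make sure nothing irreplaceable lives only on this box before a forced demotion:
REM    FSMO roles (netdom, Support Tools) and unreplicated changes (repadmin, Support Tools).
netdom query fsmo
repadmin /showreps

REM 4. Try the normal demotion first; it replicates local changes off and removes its own
REM    NTDS Settings object. Only if it still fails use the forced path, which abandons
REM    unreplicated local changes and leaves DC2's objects behind for metadata cleanup on DC1.
dcpromo
REM dcpromo /forceremoval
endlocal
```

If step 2 fails against the surviving DC, the problem is that DC's DNS zone (missing or unregistered SRV records), not this machine's resolver settings, and no amount of forced demotion will fix it; run `ipconfig /registerdns` and restart the Netlogon service on the survivor, then repeat the lookups before going on.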
 
Majstor

1) Is this "forceful" demotion safe for the domain?
I don't want to corrupt the domain, i.e. the first DC, because it should stay
active and online.
Is there a way to protect DC1 from anything I change on DC2 following those
articles?

2) DC1 is a "global catalog" and DC2 is not!
What if I simply reinstall DC2? Would DC1 work without a mirror DC?

3) Why did I do all this? I planned to install a gateway to the Internet with ISA
on it. So I misinterpreted a member server as something like a BDC on a
Windows NT network (it has an AD copy and you can only authenticate to it, not
write to it!!!!).
Now, let's say I give up demoting in order not to corrupt the domain. How big is
the risk of putting a DC exposed to the Internet? Any advice on how to protect it? Can it
be configured to work like a BDC does in an NT network?

Thanks,
Vladimir
 
Tom Ausburne

1. Doing a forceful demotion will not hurt the domain as long as
you clean up afterwards by doing the Metadata Cleanup. When you
demote DC2, you will need to do the Metadata Cleanup on DC1, so it
needs to be up and running. We do this all the time and it is safe.

2. You would cause more problems in your domain if you tried to
reinstall over the top of a domain controller. The best course of action
is to demote (one way or the other), clean up, and then promote again
if you want it to be a DC.

3. In Windows 2000, all domain controllers are read/write copies and
do not function like a BDC in NT4. I would never expose your domain
to the Internet by putting a domain controller out there. Why not
build up a separate member server and install ISA on it to do what
you want?


Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.
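The metadata cleanup from point 1, run on the surviving DC, as an added example that is not part of the thread and not Microsoft's code. It drives the same ntdsutil menu sequence that KB 216498 describes, in two passes: the first prints the numbered domain, site and server lists so the operator can identify the dead DC, the second removes the selected server's NTDS Settings object and then checks for the leftovers that would still steer clients at the dead box (SRV records in DNS and a replication link). The names DC1, DC2 and example.com, and a single-domain, single-site forest (index 0), are assumptions; the ntdsutil commands are the documented ones passed as arguments instead of typed interactively, and the same lines can be entered one at a time at the ntdsutil prompt on Windows 2000 if the one-line form misbehaves.

```batch
@echo off
REM Added example (not from the thread, not Microsoft's code). Run on the SURVIVING DC (DC1)
REM after "dcpromo /forceremoval" has been run on DC2. Assumed names: survivor DC1,
REM dead DC DC2, domain example.com, single domain and single site (index 0).
REM Usage:  cleanup.bat            -> lists domain/site/server indices
REM         cleanup.bat 0 0 1      -> removes the server at those indices, then verifies
setlocal
set SURVIVOR=DC1
set DEAD=DC2
set DOMAIN=example.com

if "%~3"=="" goto list

REM Pass 2: remove the NTDS Settings object of the selected server. ntdsutil pops a
REM confirmation dialog before deleting; the indices are positional in its numbered
REM lists, so they must come from pass 1 and be checked against %DEAD%, never guessed.
ntdsutil "metadata cleanup" connections "connect to server %SURVIVOR%" quit "select operation target" "select domain %1" "select site %2" "select server %3" quit "remove selected server" quit quit
goto verify

:list
REM Pass 1: print the numbered lists so the operator can pick the dead DC.
echo Note the index of %DEAD% below, then rerun: %~nx0 ^<domain#^> ^<site#^> ^<server#^>
ntdsutil "metadata cleanup" connections "connect to server %SURVIVOR%" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" quit quit quit
goto :eof

:verify
REM The cleanup removes the NTDS Settings object only. Anything still pointing at %DEAD%
REM sends clients to a dead box, so check the leftovers KB 216498 lists: its DNS SRV
REM records, its server object in Sites and Services and its computer account.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %SURVIVOR% | find /i "%DEAD%" >nul && echo WARNING: %DEAD% is still advertised as a DC in DNS - delete its SRV records in the DNS console.
nslookup -type=SRV _ldap._tcp.gc._msdcs.%DOMAIN% %SURVIVOR% | find /i "%DEAD%" >nul && echo WARNING: %DEAD% is still advertised as a GC in DNS.
repadmin /showreps | find /i "%DEAD%" >nul && echo WARNING: %SURVIVOR% still has a replication link to %DEAD% - remove the server object in Sites and Services.
endlocal
```

Run the listing pass first and read the output carefully: "remove selected server" deletes whatever index you hand it, and on Windows 2000 ntdsutil does not stop you from selecting the survivor itself. Run the verification section again after the manual DNS and Sites and Services cleanup until it prints no warnings.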
 