Unable to demote a Domain Controller in my Active Directory

David

I am trying to demote a Domain Controller to a member
server, and am getting an error:
Managing the network session with dc.domain.name failed
and in the dcpromo.log the message is:
Failed to establish the session with dc.domain.name: 0x33

Of course there is another DC in this domain, and all
FSMOs are running on the other DC.

I have recently added a Win2k3 server to the domain, so I
have done the adprep without incident. I've searched
support.microsoft.com and found an article about servers
with 2 NICs, and File and Print services running on only
one NIC, so I was careful to set the order the NICs are used,
putting the one with file and print on top.

Any suggestions would be greatly appreciated.
 
Joe Wu [MSFT]

Hi,

Thank you for posting.

Based on the current status, I think we can try the following methods to
demote the domain controller.

Method 1: Force a replication
============================
1. Open the "Active Directory Sites and Services" snap-in on one domain
controller.
2. Open the current DC's NTDS setting object. In the right pane, try to
force the inbound replication for the current DC by right-clicking the
connections and choosing "Replicate Now". Ensure it finishes successfully.
3. Log on to the other DC and perform the inbound replication as well.

Please then check if you can demote the domain controller. If the problem
still persists, please continue with the steps below.

Method 2: DCPROMO /FORCEREMOVAL
====================================

Please follow the steps listed in the following Knowledge Base article:

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active
http://support.microsoft.com/?id=332199

Method 3: Forcefully Demote the Domain Controller
============================================

We can manually edit the registry to boot the server as a normal member
server, then run DCPROMO to build a temporary domain. We can then demote
the new temporary domain to remove the previous domain's information.

WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Please pay additional attention to these operations.

1. Verify that you remember the Directory Services Restore Mode password.
To do so, please reboot the domain controller into Directory Services
Restore Mode and try to log on to verify that you remember the Directory
Services Restore Mode password. You can also use Setpwd.exe to reset the
Directory Services Restore Mode password. For additional information about
how to use Setpwd.exe to change the Directory Services Restore Mode
password, please refer to:

271641 The Configure Your Server Wizard Sets Blank Recovery Mode Password
http://support.microsoft.com/?id=271641

2. Modify the ProductType value in the registry:

2.1) Start Registry Editor (Regedt32.exe).

2.2) Highlight the ProductType value under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

2.3) On the Edit menu, click String, type "ServerNT" (without the quotation
marks) (use the exact case), and then click OK.

NOTE: If the value is not set correctly or is misspelled, you may get the
following error:

System Process - License Violation:
The system has detected tampering with your registered product type. This
is a violation of your software license. Tampering with product type is not
permitted.

2.4) Quit Registry Editor.

3. Restart the computer.

4. After the computer is restarted, log on with the Administrator account
and password used for Directory Service Repair mode.

5. After you restart the computer, it will behave as a member server.
However, there are still some remaining files and registry entries on the
computer that are associated with the domain controller. To remove this
data:

5.1) Run Dcpromo.exe.

5.2) Promote the computer to a domain controller for a new, temporary
domain, such as "temp.deleteme".

NOTE: Be sure to promote the computer to a DIFFERENT forest.

5.3) After the promotion, run Dcpromo.exe again, and then demote the
computer to a standalone server.

6. After forcefully demoting a domain controller, you need to remove some
final metadata that is left in the domain. For additional information about
how to do this, please refer to:

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

I hope the above information helps. Thank you!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "David" <[email protected]>
|Subject: Unable to demote a Domain Controller in my Active Directory
|Date: Fri, 19 Sep 2003 13:43:40 -0700
|Newsgroups: microsoft.public.win2000.active_directory
|
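
A read-only check that can be run before the restart in step 3 and again after step 5.3 of Method 3 above. It is an added example, not part of the original posts, and assumes a Windows PowerShell 3.0 or later prompt. The function name Test-DemotionState is hypothetical; the WinNT and LanmanNT values, the NTDS\Parameters key and its "DSA Database file" value are standard Windows names that do not appear in the thread.

```powershell
# Added example (not from the thread). Read-only: nothing is written.
# Test-DemotionState is a hypothetical name.
function Test-DemotionState {
    $poKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    $key   = Get-Item -Path $poKey
    $value = $key.GetValue('ProductType')
    $kind  = $key.GetValueKind('ProductType')

    # Valid ProductType strings: WinNT (workstation), ServerNT (server),
    # LanmanNT (domain controller).
    $known = 'WinNT', 'ServerNT', 'LanmanNT'

    # -ccontains compares case-sensitively, so "servernt" or "ServerNt" fails,
    # matching the exact-case requirement in step 2.3.
    $exact = ($kind -eq 'String') -and ($known -ccontains $value)

    # Step 5 remnants: the NTDS Parameters key and the database file it names.
    $dbPath = $null
    if (Test-Path -Path $ntdsKey) {
        $dbPath = (Get-Item -Path $ntdsKey).GetValue('DSA Database file')
    }
    $dbPresent = [bool]($dbPath -and (Test-Path -LiteralPath $dbPath))

    # DomainRole: 0-1 workstation, 2 standalone server, 3 member server, 4-5 DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    if (-not $exact) {
        $state = 'ProductType invalid: correct it before restarting'
    } elseif ($value -ceq 'LanmanNT') {
        $state = 'Still a domain controller'
    } elseif ($dbPresent) {
        $state = 'ProductType is not LanmanNT, but NTDS data remains (step 5 not finished)'
    } else {
        $state = 'No domain controller remnants found'
    }

    [pscustomobject]@{
        ProductType = $value
        ValueKind   = $kind
        ExactMatch  = $exact
        DomainRole  = $role
        NtdsDbPath  = $dbPath
        State       = $state
    }
}

Test-DemotionState | Format-List
```

DomainRole is reported by the running system, so it keeps showing the old role until the restart in step 3 has taken place.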
 
