Forcibly Removing Active Directory from a DC – Retire a Domain Controller
Dcpromo is the Windows 2000 and Windows Server 2003 GUI tool for promoting a server to the role of Domain Controller; if the server is already a DC, dcpromo is also the tool for demoting it back to a member server. Dcpromo performs a specific set of checks before allowing the process to continue, and these requirements differ depending on whether the server is being promoted or demoted. This article deals with demotion issues. Dcpromo can fail when trying to demote a Domain Controller in some cases. These scenarios include, for example:
- There are no domain controllers currently available in the parent domain when you try to demote the last domain controller in a child domain.
- Dcpromo cannot complete because there is a name resolution, authentication, replication engine, or AD object dependency that you cannot resolve.
- A DC has not replicated incoming Active Directory changes for one or more naming contexts within the Tombstone Lifetime (by default 60 days for Windows 2000 and Windows Server 2003 DCs, and 180 days for Windows Server 2003 SP1 and R2 DCs).
If you run Dcpromo on an existing DC to demote it and it fails because of one of the above scenarios, the best course is to resolve the problem and then restart Dcpromo. If Dcpromo still fails, you can demote the DC by running Dcpromo with the /forceremoval switch, which tells the process to ignore errors. Note that a /forceremoval demotion discards any changes held only on that DC; treat it as a last resort and use it only when absolutely necessary.
With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Note: The /forceremoval switch is only supported on Windows 2000 Servers that either have SP2 with Q332199 hotfix installed on them, or with SP4, and on Windows Server 2003 servers.
Windows Server 2003 SP1 enhances the /forceremoval process. When it is run it checks to determine whether the DC hosts an operations master role (FSMO role – read my “Understanding FSMO Roles in Active Directory” article), is a Domain Name System (DNS) server, or is a global catalog server. For each of these roles, the administrator receives a popup warning that advises the administrator to take appropriate action.
The wizard's warnings (shown as screenshots in the original) cover the RID Master, PDC Emulator, Infrastructure Master, Naming Master, Schema Master, DNS Server, and Global Catalog Server roles.
When you force the demotion of a DC, you return the operating system to a state that is the same as the successful demotion of the last domain controller in a domain (service start values, installed services, use of a registry based SAM for the account database, computer is a member of a workgroup). Note: In Windows 2000, the System event log identifies forcibly demoted DCs and instances of the /forceremoval operation by event ID 29234. In Windows Server 2003 the System event log identifies forcibly demoted DCs by event ID 29239.
- Click Start, click Run, and then type the following command: dcpromo /forceremoval
- At the Welcome to the Active Directory Installation Wizard page, click Next.
- At the Force the Removal of Active Directory page, click Next.
- In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.
- In Summary, click Next.
- Watch as the process runs. Do not disturb it. Go drink some coffee. It should take no longer than a few minutes.
- When Dcpromo finishes it will prompt you to click Finish.
- Restart the server.
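To see which of the wizard's warnings above would apply to a given DC before you run it, and to confirm after the restart that the forced demotion was logged, here is an added PowerShell example (not from the original article). It assumes the ActiveDirectory PowerShell module and Get-WinEvent, which ship with Windows Server 2008 R2 / RSAT and later and so postdate the Windows 2003 tooling the article describes; the DC name defaults to the local computer.

```powershell
# Pre-flight check before dcpromo /forceremoval, and a post-restart check for the demotion event.
# Added example; assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2+), which postdates this article.
Import-Module ActiveDirectory

function Test-ForceRemovalImpact {
    param([string]$DcName = $env:COMPUTERNAME)

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dc     = Get-ADDomainController -Identity $DcName
    $fqdn   = $dc.HostName

    # The five FSMO roles the SP1 wizard warns about, mapped to their current holders
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    $findings = @()
    foreach ($role in $roles.Keys) {
        if ($roles[$role] -ieq $fqdn) {
            $findings += "$DcName holds the $role role: transfer it first, or seize it on another DC afterwards (KB 255504)"
        }
    }
    if ($dc.IsGlobalCatalog) {
        $findings += "$DcName is a Global Catalog: make sure another GC exists in the forest"
    }
    if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
        $findings += "$DcName runs the DNS Server service: clients that point at it will lose name resolution"
    }
    # Surviving DCs keep this DC's metadata until it is cleaned up with ntdsutil
    $others = @($domain.ReplicaDirectoryServers) + @($domain.ReadOnlyReplicaDirectoryServers) | Where-Object { $_ -ine $fqdn }
    if (-not $others) {
        $findings += "No other DC in $($domain.DNSRoot): this is the last DC, and the domain is gone after demotion"
    }
    return $findings
}

function Get-ForcedDemotionEvents {
    # Event ID 29234 (Windows 2000) / 29239 (Windows Server 2003) in the System log marks a /forceremoval demotion
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 29234, 29239 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Run the impact check before demotion; run the event check after the post-demotion restart
Test-ForceRemovalImpact | ForEach-Object { Write-Warning $_ }
Get-ForcedDemotionEvents
```

Any role the check reports as held by this DC should be transferred before demotion, or seized on a surviving DC afterwards, since the metadata cleanup described next does not move roles for you.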
After you use the dcpromo /forceremoval command, the metadata for the demoted DC is not deleted from the surviving domain controllers, so you must remove it manually using the NTDSUTIL command. For more information, read my “Delete Failed DCs from Active Directory” article.
Related Microsoft Knowledge Base articles:
- Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server – 332199
- Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller – 255504
- Permissions Are Affected After You Demote a Domain Controller – 320230