How to demote an irreparable DC without reformatting the machine
 

Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers (332199)

The information in this article applies to:
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q332199

SYMPTOMS

Windows 2000 or Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory replication, or the location of a critical object in Active Directory.

RESOLUTION

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.

WORKAROUND

If you cannot resolve the behavior, you can use the following workarounds to perform a forced demotion of the domain controller to preserve the installation of the operating system and any applications on it.

Warning Before you use either of the following workarounds, make sure that the user can successfully boot into Directory Services Restore mode. If not, the user will be unable to log on after forcefully demoting the computer. If the user does not remember the Directory Services Restore mode password, the user can reset the password by using the Setpwd.exe utility that is located in the Winnt\System32 folder. For additional information about how to perform this procedure, click the following article number to view the article in the Microsoft Knowledge Base:
271641 The Configure Your Server Wizard Sets Blank Recovery Mode Password

Windows 2000 Domain Controllers

  1. Install the Q332199 hotfix on a Windows 2000 domain controller that is running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack 4 (SP4), when it becomes available. SP2 and later support forced demotion. Then, restart your computer.
  2. Click Start, click Run, and then type the following command:
    dcpromo /forceremoval

  3. Click OK.
  4. At the Welcome to the Active Directory Installation Wizard page, click Next.
  5. If the computer that you are removing is a global catalog server, click OK in the message window.

    Note Promote additional global catalogs in the forest or site if the domain controller that you are demoting is a global catalog server, as required.
  6. At the Remove Active Directory page, make sure that the This server is the last domain controller in the domain check box is cleared, and then click Next.
  7. At the Network Credentials page, type the name, password, and domain name for a user account with enterprise administrator credentials in the forest, and then click Next.
  8. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  9. On the Summary page, click Next.
  10. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

    If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Tools such as Replmon.exe or Repadmin.exe from Windows 2000 Support Tools may help you determine if end-to-end replication has occurred. Windows 2000 SP3 and earlier global catalog servers are noticeably slower to remove objects and naming contexts than is Windows Server 2003.

Windows Server 2003 Domain Controllers

  1. Windows Server 2003 domain controllers support forced demotion by default. Click Start, click Run, and then type the following command:
    dcpromo /forceremoval

  2. Click OK.
  3. At the Welcome to the Active Directory Installation Wizard page, click Next.
  4. At the Force the Removal of Active Directory page, click Next.
  5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
  6. In Summary, click Next.
  7. Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest.

    If you removed a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all the domain controllers and the global catalog servers in the forest have completely removed all the objects and the references to the domain that you just removed before you promote a new domain into the same forest with the same domain name. Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers are noticeably slower to remove objects and naming contexts than is Windows Server 2003.

STATUS

Microsoft has tested and supports the forced demotion of domain controllers that are running Windows 2000 or Windows Server 2003.

MORE INFORMATION

The Active Directory Installation wizard creates Active Directory domain controllers on Windows 2000 and Windows Server 2003 computers. Operations that are performed by the Active Directory Installation Wizard include the installation of new services, changes to the startup values of existing services, and the transition to Active Directory as a security and authentication realm.

With forced demotion, a domain administrator can forcibly remove Active Directory and roll back locally held system changes without having to contact or replicate any locally held changes to another domain controller in the forest.

Because forced demotion results in the loss of any locally held changes, use it only as a last resort in production or test domains. You can forcibly demote domain controllers when connectivity, name resolution, authentication, or replication engine dependencies cannot be resolved so that graceful demotion can be performed. Valid scenarios for forced demotions include:
  • There are no domain controllers currently available in the parent domain when you try to demote the last domain controller in an immediate child domain.
  • The Active Directory Installation Wizard cannot complete because there is a name resolution, authentication, replication engine, or Active Directory object dependency that you cannot resolve after you perform detailed troubleshooting.
  • A domain controller has not replicated inbound Active Directory changes in Tombstone Lifetime (Default Tombstone Lifetime is 60 days) number of days for one or more naming contexts.

    Important: Do not recover such domain controllers unless they are the only chance of recovery for a particular domain.
  • Time does not permit more detailed troubleshooting because you must bring the domain controller back into service immediately.

Forced demotions may also be useful in lab and classroom environments, where you can remove domain controllers from existing domains without having to demote each domain controller serially.

If you force the demotion of a domain controller, you will lose any unique changes that reside in the Active Directory of the domain controller that you are forcibly demoting, including the addition, deletion, or modification of users, computers, groups, trust relationships, and Group Policy or Active Directory configuration that did not replicate off before you ran the dcpromo /forceremoval command. Additionally, you will lose changes to any of the attributes on these objects, such as passwords for users, computers, and trust relationships, and group membership.

However, if you force the demotion of a domain controller, you return the operating system to a state that is the same as the successful demotion of the last domain controller in a domain (service start values, installed services, use of a registry based SAM for the account database, computer is a member of a workgroup). Programs that are installed on the demoted domain controller remain installed.

The System event log identifies forcibly demoted Windows 2000 domain controllers (and instances of the dcpromo /forceremoval operation) by event ID 29234. For example:

Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29234
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.

The System event log identifies forcibly demoted Windows Server 2003 domain controllers by event ID 29239. For example:
Event Type: WARNING
Event Source: lsasrv
Event Category: None
Event ID: 29239
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a Domain controller.

After you use the dcpromo /forceremoval command, metadata for the demoted computer is not deleted on surviving domain controllers. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion

The following are items that you must address, if applicable, after forcibly demoting a domain controller:
  1. Remove the computer account from the domain.
  2. Take out DNS records, including A, CNAME, and SRV records.
  3. Remove FRS member objects (FRS and DFS). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    296183 Overview of Active Directory Objects That Are Used by FRS

  4. If the demoted computer is a member of any security groups, you must take it out of those groups.
  5. Remove any DFS references to the demoted server (links or root replicas).
  6. A surviving domain controller must seize any operations master roles (also known as flexible single master operations or FSMO) that were previously held by the forcibly demoted domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
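The checklist above, as an added PowerShell audit that is not part of KB 332199 or of the EPFL page: run on (or against) a surviving domain controller, it looks for every leftover the list names and reports what still has to be cleaned up. It assumes the ActiveDirectory and DnsServer modules (RSAT on Windows Server 2012 or later, with PowerShell 3 or later), and a placeholder name for the demoted DC; DFS references (item 5) are left to the DFS tools.

```powershell
# Added example (not from KB 332199 or the EPFL site): audit a forest for
# leftovers of a forcibly demoted DC, covering items 1-4 and 6 of the list.
# Assumes the ActiveDirectory and DnsServer modules (RSAT, Windows Server 2012+)
# and that it runs on, or can reach, a surviving DC. $DemotedDc is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$DemotedDc,  # short name, e.g. DC-FAC01 (placeholder)
    [string]$DnsServer                                 # DNS server to query; defaults to the PDC emulator
)
Import-Module ActiveDirectory
Import-Module DnsServer

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNc = $forest.PartitionsContainer -replace '^CN=Partitions,', ''   # CN=Configuration,DC=...
$fqdn     = "$DemotedDc.$($domain.DNSRoot)"
if (-not $DnsServer) { $DnsServer = $domain.PDCEmulator }
$findings = New-Object System.Collections.Generic.List[string]

# 1 + 4. Computer account still present? If so, which security groups still list it?
$acct = Get-ADComputer -Filter "Name -eq '$DemotedDc'" -Properties MemberOf -ErrorAction SilentlyContinue
if ($acct) {
    $findings.Add("Computer account $($acct.DistinguishedName) still exists")
    foreach ($g in $acct.MemberOf) { $findings.Add("  ... and is still a member of $g") }
}
# 2. DNS A, CNAME (DSA GUID alias in _msdcs) and SRV records that still point at the DC
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
      Where-Object {
        ($_.RecordType -eq 'A'     -and $_.HostName -eq $DemotedDc) -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$fqdn*") -or
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$fqdn*")
      } | ForEach-Object { $findings.Add("DNS $($_.RecordType) record '$($_.HostName)' in zone $zone") }
}
# 3. FRS member object for the SYSVOL replica set (CN=File Replication Service,CN=System)
$frs = Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" `
                    -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DemotedDc))"
if ($frs) { $findings.Add("FRS member object(s) still present: $(@($frs).DistinguishedName -join '; ')") }
# 5. DFS references are not checked here; inspect the namespace with the DFS tools.
# Metadata: the server / NTDS Settings object in the Configuration NC survives until ntdsutil cleanup
$srv = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$DemotedDc))"
if ($srv) { $findings.Add("Server object(s) still in Configuration NC (run metadata cleanup): $(@($srv).DistinguishedName -join '; ')") }
# 6. FSMO roles still recorded as held by the demoted DC must be seized on a survivor
$roles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
            PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster }
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -eq $fqdn) { $findings.Add("FSMO role $($r.Key) is still held by $($r.Value); seize it") }
}
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "No leftovers of $DemotedDc found in $($domain.DNSRoot)" }
```

Each warning maps back to one item of the list, so an empty result after metadata cleanup, DNS scavenging and FSMO seizure is the sign that the forced demotion has been fully tidied up.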

Article No. 64, of 26.09.2003, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=64

© 2017 VPSI - EXAPP - TC