Cannot remove failed DCPROMO Demotion DC from domain

Posted on 2006-07-08
Last Modified: 2008-01-09
I took over a company network a couple of months back which is all 2003 standard with SP1 with XP Clients and noticed straight away that 1 DC had being demoted some how,
I assume using DCPROMO but its still showing up as a DC everywhere in AD and giving replication errors.

Ive since bought in 2 new HP Proliant DL 380s to help beef up the network with 2003 R2 on them but I wont dcpromo the schema on the existing Domain too accept the new R2 for these 2 new dcs which are just sat as member servers at the moment waiting to be promoted until Ive cleaned this rogue DC out of AD.

Ive spent the last 3 hours this morning trying to remove this server using NTDSUTIL>METADATA CLEANUP>CONNECTIONS>CONNECT TO SERVER ROGUEDC
(Obviously its not called ROGUEDC)
Each time i get

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

Ive tried using the IP address/Netbios name
Ive tried running it from the actual rogue server using localhost
Ive made sure all servers are fully upto date with SPs and updates
Ive rebooted countless times and RPC is always started and the locater service is always stopped on manual, it makes no differance if I start this.
I always use an enterprise admin acc, Ive even created a new user and made it a member of the domain admins and enterprise admins and added this to the roguedcs local admins group (not that it needs it).
Using DCPROMO /FORCEREMOVAL only gives the AD Installation option there is no option on any of the pages after clicking next to force the removal.

I can connect to any of the other DCs using
From the rogue dc and from any of the other dcs, however each time I try to connect to the rogue DC I always get:

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

Its clearly showing in the Domain Controllers OU and in sites and services and shows <error: server unreachable> when using REPLMON

Any other ideas GREATLY appreciated as this is getting to be a real pain.

Question by:rpartington
  • 2
  • 2
LVL 83

Expert Comment

ID: 17064690
You need to connect to any *working* domain controller with ntdsutil, not to the rogue machine. This procedure has to be done as well when a DC completely dies and can't be restored, so it would be rather useless if you have to connect to the machine that you want to clean out.
You decide later in the process which machine to remove (step 13 in the article below): "Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove."
How to remove data in Active Directory after an unsuccessful domain controller demotion

Author Comment

ID: 17064711
Thanks for the response obdA
However I have tried from all the dcs to connect to the rogue dc,
That was my point,
I can as a test connect from the rogue dc to the fully functioning dcs no problem and from the fully functioning dcs to another fully functioning dc,
however I simply cannot connect from a fully functioning dc to the rogue dc.
LVL 83

Accepted Solution

oBdA earned 500 total points
ID: 17064726
As I said: do *not* connect to the rogue DC in step 5. How would you ever be able to remove a dead DC from AD if you had to connect to it to remove it? Connect to any *working* domain controller instead. Replace "servername" in the connect command with any other DC name, but NOT the name of the rogue DC.
"Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server."
LVL 25

Expert Comment

ID: 17064729
>>However I have tried from all the dcs to connect to the rogue dc
you dont need to connect to it,,, you need to follow what the MS article said that oBdA on a working DC (just like he said to do).

those instructions will remove the 'bad' DC from active directory regardless of it is even on the network anymore or not.


Author Comment

ID: 17064748
cheers lads, Ive being blinded by the trees here,
Even though I had that MS KB I got blinkered into that error message.
Ive now got it,
1st time Ive fell for it where you get blinkered by the error message and cant think round the problem.

Sorted now Im on my way, havent removed it will do that tomorrow, Ive had a gut full for today.

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now