Cannot remove failed DCPROMO Demotion DC from domain

Posted on 2006-07-08
Last Modified: 2008-01-09
I took over a company network a couple of months back which is all 2003 Standard with SP1 with XP clients, and noticed straight away that one DC had been demoted somehow,
I assume using DCPROMO, but it's still showing up as a DC everywhere in AD and giving replication errors.

I've since bought in 2 new HP ProLiant DL380s to help beef up the network with 2003 R2 on them, but I won't dcpromo the schema on the existing domain to accept the new R2 for these 2 new DCs, which are just sat as member servers at the moment waiting to be promoted until I've cleaned this rogue DC out of AD.

I've spent the last 3 hours this morning trying to remove this server using NTDSUTIL > METADATA CLEANUP > CONNECTIONS > CONNECT TO SERVER ROGUEDC
(Obviously it's not called ROGUEDC.)
Each time I get

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

I've tried using the IP address/NetBIOS name.
I've tried running it from the actual rogue server using localhost.
I've made sure all servers are fully up to date with SPs and updates.
I've rebooted countless times and RPC is always started and the Locator service is always stopped on manual; it makes no difference if I start this.
I always use an Enterprise Admin account; I've even created a new user and made it a member of Domain Admins and Enterprise Admins and added this to the rogue DC's local Admins group (not that it needs it).
Using DCPROMO /FORCEREMOVAL only gives the AD installation option; there is no option on any of the pages after clicking Next to force the removal.

I can connect to any of the other DCs using
From the rogue dc and from any of the other dcs, however each time I try to connect to the rogue DC I always get:

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

It's clearly showing in the Domain Controllers OU and in Sites and Services, and shows <error: server unreachable> when using REPLMON.

Any other ideas GREATLY appreciated as this is getting to be a real pain.

Question by:rpartington
LVL 84

Expert Comment

ID: 17064690
You need to connect to any *working* domain controller with ntdsutil, not to the rogue machine. This procedure has to be done as well when a DC completely dies and can't be restored, so it would be rather useless if you have to connect to the machine that you want to clean out.
You decide later in the process which machine to remove (step 13 in the article below): "Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove."
How to remove data in Active Directory after an unsuccessful domain controller demotion

Author Comment

ID: 17064711
Thanks for the response oBdA.
However, I have tried from all the DCs to connect to the rogue DC;
that was my point.
I can, as a test, connect from the rogue DC to the fully functioning DCs no problem, and from the fully functioning DCs to another fully functioning DC;
however, I simply cannot connect from a fully functioning DC to the rogue DC.
LVL 84

Accepted Solution

oBdA earned 500 total points
ID: 17064726
As I said: do *not* connect to the rogue DC in step 5. How would you ever be able to remove a dead DC from AD if you had to connect to it to remove it? Connect to any *working* domain controller instead. Replace "servername" in the connect command with any other DC name, but NOT the name of the rogue DC.
"Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server."
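As an added example that is not part of this thread or the MS article, the PowerShell below lists every server AD still advertises as a DC, flags those whose RPC endpoint mapper (TCP 135) does not answer (the condition behind dsbindw error 0x6d9), and prints the ntdsutil sequence aimed at a working DC. It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8/2012-era tooling rather than the 2003 tooling in the thread), and leaves the numbered ntdsutil selections to be filled in from the lists ntdsutil shows.

```powershell
# Added example: list advertised DCs, flag those whose endpoint mapper (TCP 135)
# is unreachable, and print the ntdsutil metadata-cleanup steps aimed at a
# WORKING DC. Assumes the RSAT ActiveDirectory module and a domain-admin session.
Import-Module ActiveDirectory

# The DC this session binds to is the one ntdsutil should connect to.
$workingDc = (Get-ADDomainController -Discover -Writable).HostName
$configNc  = (Get-ADRootDSE).configurationNamingContext
$domainDn  = (Get-ADDomain).DistinguishedName

# Every NTDS Settings object under CN=Sites marks a server that AD still
# treats as a DC, whether or not the machine is alive.
$dcServers = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object {
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        Get-ADObject -Identity $serverDn -Properties dNSHostName
    }

$unreachable = foreach ($srv in $dcServers) {
    $fqdn = $srv.dNSHostName
    $ok = $fqdn -and (Test-NetConnection -ComputerName $fqdn -Port 135 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $ok) { $srv }     # no endpoint mapper: ntdsutil cannot bind here
}

foreach ($s in $unreachable) {
    Write-Host "Stale DC metadata: $($s.DistinguishedName)"
    Write-Host "Cleanup sequence (connect to $workingDc, never to $($s.Name)):"
    @"
ntdsutil
 metadata cleanup
  connections
   connect to server $workingDc
   quit
  select operation target
   list domains
   select domain <number of $domainDn>
   list sites
   select site <number of the site holding $($s.Name)>
   list servers in site
   select server <number of $($s.Name)>
   quit
  remove selected server
  quit
 quit
"@ | Write-Host
}
```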
LVL 25

Expert Comment

ID: 17064729
>>However I have tried from all the dcs to connect to the rogue dc
You don't need to connect to it; you need to follow what the MS article oBdA posted says, on a working DC (just like he said to do).

Those instructions will remove the 'bad' DC from Active Directory regardless of whether it is even on the network anymore or not.


Author Comment

ID: 17064748
Cheers lads, I've been blinded by the trees here.
Even though I had that MS KB, I got blinkered into that error message.
I've now got it.
First time I've fallen for it, where you get blinkered by the error message and can't think round the problem.

Sorted now, I'm on my way. Haven't removed it, will do that tomorrow; I've had a gutful for today.
