Cannot remove failed DCPROMO Demotion DC from domain

Posted on 2006-07-08
Last Modified: 2008-01-09
I took over a company network a couple of months back which is all 2003 Standard with SP1 with XP clients and noticed straight away that 1 DC had been demoted somehow,
I assume using DCPROMO, but it's still showing up as a DC everywhere in AD and giving replication errors.

I've since bought in 2 new HP ProLiant DL380s to help beef up the network with 2003 R2 on them, but I won't dcpromo the schema on the existing domain to accept the new R2 for these 2 new DCs, which are just sat as member servers at the moment waiting to be promoted, until I've cleaned this rogue DC out of AD.

I've spent the last 3 hours this morning trying to remove this server using NTDSUTIL>METADATA CLEANUP>CONNECTIONS>CONNECT TO SERVER ROGUEDC
(Obviously it's not called ROGUEDC)
Each time I get

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

I've tried using the IP address/NetBIOS name.
I've tried running it from the actual rogue server using localhost.
I've made sure all servers are fully up to date with SPs and updates.
I've rebooted countless times and RPC is always started and the locator service is always stopped on manual; it makes no difference if I start this.
I always use an enterprise admin account. I've even created a new user and made it a member of the Domain Admins and Enterprise Admins and added this to the rogue DC's local admins group (not that it needs it).
Using DCPROMO /FORCEREMOVAL only gives the AD installation option; there is no option on any of the pages after clicking Next to force the removal.

I can connect to any of the other DCs using
From the rogue dc and from any of the other dcs, however each time I try to connect to the rogue DC I always get:

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

It's clearly showing in the Domain Controllers OU and in Sites and Services and shows <error: server unreachable> when using REPLMON.

Any other ideas GREATLY appreciated as this is getting to be a real pain.

Question by:rpartington

Expert Comment

ID: 17064690
You need to connect to any *working* domain controller with ntdsutil, not to the rogue machine. This procedure has to be done as well when a DC completely dies and can't be restored, so it would be rather useless if you have to connect to the machine that you want to clean out.
You decide later in the process which machine to remove (step 13 in the article below): "Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove."
How to remove data in Active Directory after an unsuccessful domain controller demotion

Author Comment

ID: 17064711
Thanks for the response obdA
However I have tried from all the dcs to connect to the rogue dc,
That was my point,
I can as a test connect from the rogue dc to the fully functioning dcs no problem and from the fully functioning dcs to another fully functioning dc,
however I simply cannot connect from a fully functioning dc to the rogue dc.

Accepted Solution

oBdA earned 500 total points
ID: 17064726
As I said: do *not* connect to the rogue DC in step 5. How would you ever be able to remove a dead DC from AD if you had to connect to it to remove it? Connect to any *working* domain controller instead. Replace "servername" in the connect command with any other DC name, but NOT the name of the rogue DC.
"Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server."
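The sequence the accepted answer describes, written out as an added example (not part of the original thread or of the Microsoft article): ntdsutil binds to a working DC, and the failed DC is chosen only as the operation target. `WORKINGDC` and the domain and site numbers are placeholders and assume a single-domain, single-site forest; the failed DC's number is read from the list the first pass prints.

```bat
@echo off
rem Added example: metadata cleanup of a failed DC, run on or against a HEALTHY DC.
rem WORKINGDC and the index values are placeholders, not values from the thread.
set WORKING_DC=WORKINGDC
set DOMAIN_IDX=0
set SITE_IDX=0

rem Pass 1 (read-only): bind to the working DC and list the servers it knows about.
rem The failed DC is never contacted, so its RPC endpoint state does not matter.
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "list domains" "select domain %DOMAIN_IDX%" ^
  "list sites" "select site %SITE_IDX%" "list servers in site" quit quit quit

rem Pick the failed DC by the number shown in the list above.
set SERVER_IDX=
set /p SERVER_IDX=Number of the failed DC in the list above: 
if "%SERVER_IDX%"=="" (echo No server selected, nothing removed.& exit /b 1)

rem Pass 2: same bind, then select the failed DC as the target and remove its metadata.
rem The lists are repeated so the numbers refer to the same entries as in pass 1.
ntdsutil "metadata cleanup" connections "connect to server %WORKING_DC%" quit ^
  "select operation target" "list domains" "select domain %DOMAIN_IDX%" ^
  "list sites" "select site %SITE_IDX%" "list servers in site" ^
  "select server %SERVER_IDX%" quit "remove selected server" quit quit
```

Run it with an account that has administrative rights on the working DC, and check the server name ntdsutil reports for the selected target before confirming the removal.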

Expert Comment

ID: 17064729
>>However I have tried from all the dcs to connect to the rogue dc
You don't need to connect to it... you need to follow what the MS article said that oBdA on a working DC (just like he said to do).

Those instructions will remove the 'bad' DC from Active Directory regardless of whether it is even on the network anymore or not.


Author Comment

ID: 17064748
Cheers lads, I've been blinded by the trees here.
Even though I had that MS KB, I got blinkered into that error message.
I've now got it.
1st time I've fallen for it, where you get blinkered by the error message and can't think round the problem.

Sorted now, I'm on my way. Haven't removed it, will do that tomorrow, I've had a gut full for today.
