• Status: Solved

Cannot remove failed DCPROMO Demotion DC from domain

I took over a company network a couple of months back, which is all 2003 Standard with SP1 with XP clients, and noticed straight away that 1 DC had been demoted somehow, I assume using DCPROMO, but it's still showing up as a DC everywhere in AD and giving replication errors.
IT'S DEFINITELY NOT A DC NOW.

I've since bought in 2 new HP ProLiant DL380s to help beef up the network with 2003 R2 on them, but I won't dcpromo the schema on the existing domain to accept the new R2 for these 2 new DCs, which are just sat as member servers at the moment waiting to be promoted, until I've cleaned this rogue DC out of AD.

I've spent the last 3 hours this morning trying to remove this server using NTDSUTIL>METADATA CLEANUP>CONNECTIONS>CONNECT TO SERVER ROGUEDC
(Obviously it's not called ROGUEDC)
Each time I get

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

I've tried using the IP address/NetBIOS name.
I've tried running it from the actual rogue server using localhost.
I've made sure all servers are fully up to date with SPs and updates.
I've rebooted countless times and RPC is always started and the locator service is always stopped on manual; it makes no difference if I start this.
I always use an enterprise admin acc; I've even created a new user and made it a member of the domain admins and enterprise admins and added this to the rogue DC's local admins group (not that it needs it).
Using DCPROMO /FORCEREMOVAL only gives the AD Installation option; there is no option on any of the pages after clicking Next to force the removal.

I can connect to any of the other DCs using
NTDSUTIL>METADATA CLEANUP>CONNECTIONS>CONNECT TO SERVER OTHERDCS
from the rogue DC and from any of the other DCs; however, each time I try to connect to the rogue DC I always get:

>>>dsbindw error 0x6d9 there are no more endpoints available from the endpoint mapper<<<

It's clearly showing in the Domain Controllers OU and in Sites and Services, and shows <error: server unreachable> when using REPLMON.

Any other ideas GREATLY appreciated as this is getting to be a real pain.

Asked by: rpartington

oBdA Commented:
You need to connect to any *working* domain controller with ntdsutil, not to the rogue machine. This procedure has to be done as well when a DC completely dies and can't be restored, so it would be rather useless if you have to connect to the machine that you want to clean out.
You decide later in the process which machine to remove (step 13 in the article below): "Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove."
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/?kbid=216498
 
rpartington (Author) Commented:
Thanks for the response, oBdA.
However, I have tried from all the DCs to connect to the rogue DC;
that was my point.
I can, as a test, connect from the rogue DC to the fully functioning DCs no problem, and from the fully functioning DCs to another fully functioning DC;
however, I simply cannot connect from a fully functioning DC to the rogue DC.
 
oBdA Commented:
As I said: do *not* connect to the rogue DC in step 5. How would you ever be able to remove a dead DC from AD if you had to connect to it to remove it? Connect to any *working* domain controller instead. Replace "servername" in the connect command with any other DC name, but NOT the name of the rogue DC.
"Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server."
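The procedure oBdA describes, laid out as an ntdsutil session (an added example, not part of the original thread and not quoted from the KB article). OTHERDC stands for any working domain controller and each `<n>` is the index printed by the preceding list command; both are placeholders.

```cmd
REM Added example. OTHERDC = any WORKING domain controller (placeholder name).
REM <n> = the number ntdsutil shows next to the entry in the preceding list.
REM The rogue DC is never the connection target; it is only picked
REM later, by number, under "select operation target".
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server OTHERDC
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain <n>
select operation target: list sites
select operation target: select site <n>
select operation target: list servers in site
select operation target: select server <n>
select operation target: quit
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```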
 
mikeleebrla Commented:
>>However I have tried from all the dcs to connect to the rogue dc
You don't need to connect to it; you need to follow what the MS article that oBdA posted said, on a working DC (just like he said to do).

Those instructions will remove the 'bad' DC from Active Directory regardless of whether it is even on the network anymore or not.

 
rpartington (Author) Commented:
Cheers lads, I've been blinded by the trees here.
Even though I had that MS KB, I got blinkered into that error message.
I've now got it.
1st time I've fallen for it, where you get blinkered by the error message and can't think round the problem.

Sorted now, I'm on my way. Haven't removed it, will do that tomorrow; I've had a gutful for today.
