Demote non responsive Windows 2K3 DC with NTDSUTIL

Posted on 2008-11-18
Last Modified: 2012-05-05
One of the drives in my second DC failed, unfortunately it takes with it part of the AD. I tried to restore it from backup but I'm missing ntds.dit and don't have the system state on backup. As of right now I have it up in Directory Services Restore mode and have not had much luck getting things back.
Which leaves me with the option to demote it from a domain controller and rejoin and set it back to replicate. DCPROMO obviously is not working on the failed DC so I'm left with NTDSUTIL to demote.

I found this article that seems to be straightforward:

In the article it mentions to try going into the AD of another DC, locate the bad one, right-click on the failed domain controller and select the Delete command. The only selection that will possibly work is the 3rd (see picture). I have not tried it because I wanted to make sure that IF it did work and deleted the server from the AD that I could go back and re-add it.
Any input would be greatly appreciated.


Question by:Floyd_Droid

Expert Comment

ID: 22987812
You will do no harm with this.
It is definitely safer than ntdsutil, as one bad command can cause untold damage.
Try this option first.
LVL 63

Expert Comment

ID: 22987957
You may also have to delete it from DNS, after doing the metadata cleanup

If the demotion fails for any reason, you can forcibly demote it using dcpromo /forceremoval, after which you'll need to perform a metadata cleanup from a working DC as described here:

I hope this helps !
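As an added check (not from this thread or from the Microsoft KB articles it links), the script below verifies from a surviving DC that nothing still refers to the failed DC after the metadata cleanup and DNS deletion described above. It assumes PowerShell with the ADSI type accelerator, a placeholder DC name `DC2`, a placeholder site `Default-First-Site-Name`, and that `nslookup` can reach the domain's DNS; it is read-only and deletes nothing.

```powershell
# Added verification script (assumption: run on a healthy DC of the same domain).
$DcName   = 'DC2'                      # placeholder: failed DC's host name
$SiteName = 'Default-First-Site-Name'  # placeholder: site the failed DC lived in

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = $rootDse.Get('defaultNamingContext')
$configDn  = $rootDse.Get('configurationNamingContext')
$domainFqdn = ($domainDn -replace '^DC=', '') -replace ',DC=', '.'
$fqdn      = "$DcName.$domainFqdn".ToLower()
$leftovers = @()

# 1. Server and NTDS Settings object under the site (what ntdsutil metadata cleanup removes).
$serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
if ([ADSI]::Exists("LDAP://$serverDn")) { $leftovers += "server object: $serverDn" }

# 2. Computer account in the Domain Controllers OU (the object deleted by hand above).
$computerDn = "CN=$DcName,OU=Domain Controllers,$domainDn"
if ([ADSI]::Exists("LDAP://$computerDn")) { $leftovers += "computer account: $computerDn" }

# 3. FRS (SYSVOL) member object, which metadata cleanup can leave behind on W2K3.
$frsRoot = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$frsRoot
$searcher.Filter = "(&(objectClass=nTFRSMember)(cn=$DcName))"
if ($searcher.FindOne()) { $leftovers += "FRS member object for $DcName" }

# 4. DNS: the _msdcs SRV records and the host A record should no longer name the dead DC.
$srvOut = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainFqdn" 2>$null
if ($srvOut | Where-Object { $_.ToLower() -match [regex]::Escape($fqdn) }) {
    $leftovers += "DNS SRV record still lists $fqdn"
}
$aOut = nslookup $fqdn 2>$null
if ($aOut | Where-Object { $_ -match '^Address' }) { $leftovers += "DNS A record still exists for $fqdn" }

if ($leftovers.Count -eq 0) {
    "No references to $DcName remain; it can be rebuilt and re-promoted with dcpromo."
} else {
    "References to $DcName still present; finish the cleanup before re-promoting:"
    $leftovers | ForEach-Object { "  - $_" }
}
```

The A-record test matches any `Address` line that nslookup prints after the server banner, so run it once against a known-deleted name to confirm the output format on your DNS server before trusting it.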

Author Comment

ID: 22989832
Cool! I was able to remove it from the AD DC container. Hopefully, I have not yet been able to reboot the server since I have users still working. What other steps do I take to promote it back and activate replication?

Author Comment

ID: 22990007
Nope, it still thinks it's a domain controller. It came back wanting me to go back into Directory Services Restore mode. What now?

Author Comment

ID: 22990453
Okay, I went through both steps, including http://support.microsoft.com/kb/216498; the domain controller is no longer there. However, when I reboot I still get the message:

lsass.exe System Error
Security Accounts Manager initialization failed because of the following error:
Directory Service cannot start. Error Status 0xC00002e1. Please click OK to shutdown and reboot into Directory Services Restore mode, check the event viewer for for detailed info.


Author Comment

ID: 22990515
It's like the Active Directory is still on the machine. Is there a way to get it off?

Accepted Solution

Floyd_Droid earned 0 total points
ID: 22994872
Okay, got it off. Had to take some drastic steps and want to share them for the next poor unfortunate soul:

(Read my earlier progress posts)

I followed the below section:

"The steps of the UNSUPPORTED way of removing AD from a server with W2K and W2K3 are:"


