Demote non responsive Windows 2K3 DC with NTDSUTIL

One of the drives in my second DC failed; unfortunately, it took with it part of the AD. I tried to restore it from backup but I'm missing ntds.dit and don't have the system state on backup. As of right now I have it up in Directory Services Restore mode and have not had much luck getting things back.
This leaves me with the option to demote it from a domain controller, rejoin it and set it back to replicate. DCPROMO obviously is not working on the failed DC, so I'm left with NTDSUTIL to demote.

I found this article that seems to be straightforward:
http://articles.techrepublic.com.com/5100-10878_11-5031938 

In the article, it mentions to try going into the AD of another DC, locate the bad one, right-click on the failed domain controller and select the Delete command. The only selection that will possibly work is the 3rd (see picture). I have not tried it because I wanted to make sure that IF it did work and deleted the server from the AD that I could go back and re-add it.
 
Any input would be greatly appreciated.

David



AD-DC-delete.JPG
Floyd_Droid Asked:
Floyd_Droid (Author) Commented:
Okay got it off. Had to take some drastic steps and want to share them for the next poor unfortunate soul:

(Read my earlier progress posts)

I followed the below section:

"The steps of the UNSUPPORTED way of removing AD from a server with W2K and W2K3 are:"

http://blogs.dirteam.com/blogs/jorge/archive/2006/12/03/Uninstalling-Active-Directory-_2D00_-Demoting-a-DC.aspx



hodgeyohn Commented:
You will do no harm with this.
It is definitely safer than ntdsutil, as one bad command can cause untold damage.
Try this option first.
SysExpert Commented:
You may also have to delete it from DNS, after doing the metadata cleanup.

If the demotion fails for any reason, you can forcibly demote it using dcpromo /forceremoval, after which you'll need to perform a metadata cleanup from a working DC as described here:
http://support.microsoft.com/kb/216498.


I hope this helps!
Floyd_Droid (Author) Commented:
Cool! I was able to remove it from the AD DC container. Hopefully, I have not yet been able to reboot the server since I have users still working. What other steps do I take to promote it back and activate replication?
Floyd_Droid (Author) Commented:
Nope, it still thinks it's a domain controller. It came back wanting me to go back into Directory Services Restore mode. What now?
Floyd_Droid (Author) Commented:
Okay, I went through both steps, including http://support.microsoft.com/kb/216498; the domain controller is no longer there. However, when I reboot I still get the message:

lsass.exe System Error
Security Accounts Manager initialization failed because of the following error:
Directory Service cannot start. Error Status 0xC00002e1. Please click OK to shutdown and reboot into Directory Services Restore mode, check the event viewer for for detailed info.

HELP!
Floyd_Droid (Author) Commented:
It's like the Active Directory is still on the machine. Is there a way to get it off?
Question has a verified solution.