Demote non responsive Windows 2K3 DC with NTDSUTIL
One of the drives in my second DC failed, unfortunately it takes with it part of the AD. I tried to restore it from backup but I'm missing ntds.dit and don't have the system state on backup. As of right now I have it up in Directory Services Restore mode and have not had much luck getting things back.
Which leaves me with the option to demote it from a domain controller and rejoin and set it back to replicate. DCPROMO obviously is not working on the failed DC so I'm left with NTDSUTIL to demote.
I found this article that seems to be straight forward:
http://articles.techrepublic.com.com/5100-10878_11-5031938
I the article it mentions to try going into the AD of another DC, locate the bad one Right-click on the failed domain controller and select the Delete command. The only selection that will possibly work is the 3rd(see picture). I have not tried it because I wanted to make sure that IF it did work and deleted the server from the AD that I could go back and re-add it.
Any input would be greatly appreciated.
David
AD-DC-delete.JPG
Which leaves me with the option to demote it from a domain controller and rejoin and set it back to replicate. DCPROMO obviously is not working on the failed DC so I'm left with NTDSUTIL to demote.
I found this article that seems to be straight forward:
http://articles.techrepublic.com.com/5100-10878_11-5031938
I the article it mentions to try going into the AD of another DC, locate the bad one Right-click on the failed domain controller and select the Delete command. The only selection that will possibly work is the 3rd(see picture). I have not tried it because I wanted to make sure that IF it did work and deleted the server from the AD that I could go back and re-add it.
Any input would be greatly appreciated.
David
AD-DC-delete.JPG
You may also have to delete it from DNS, after doing the metadata cleanup
If the demotion fails for any reason, you can forcibly demote it using dcpromo /forceremoval, after which you'll need to perform a metadata cleanup from a working DC as described here:
http://support.microsoft.com/kb/216498.
I hope this helps !
If the demotion fails for any reason, you can forcibly demote it using dcpromo /forceremoval, after which you'll need to perform a metadata cleanup from a working DC as described here:
http://support.microsoft.com/kb/216498.
I hope this helps !
ASKER
Cool! I was able to remove it from the AD DC container. Hopefully, I have not yet been able to reboot the server yet since I have users still working. What other steps to I take promote it back and activate repication?
ASKER
Nope, it still thinks it a domain controller. It came back want me to go back into Directory Services Restore mode. What now?
ASKER
Okay, I went through both steps including http://support.microsoft.com/kb/216498 the domain controller is no longer there. However, when I reboot I still get the message:
lsass.exe System Error
Security Accounts Manager initialization failed because of the following error:
Directory Service cannot start. Error Status 0xC00002e1. Please click OK to shutdown and reboot into Directory Services Restore mode, check the event viewer for for detailed info.
HELP!
lsass.exe System Error
Security Accounts Manager initialization failed because of the following error:
Directory Service cannot start. Error Status 0xC00002e1. Please click OK to shutdown and reboot into Directory Services Restore mode, check the event viewer for for detailed info.
HELP!
ASKER
It's like the Active Directory is still on the machine. Is there a way to get it off?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
it is definatley safer than ntdsutil, as one bad command can cause untold damage.
try this option first.