DCPROMO FORCED REMOVAL WINDOWS 2003

I have a couple of DCs that are broken and are not responding. I am currently in the process of upgrading my infrastructure and need these DC issues cleaned up. These two DCs were set up only for assistance in authentication; that's really all they're there for.

Question:

Do I just stop the roles on each one and run the dcpromo force removal from the primary and then do the cleanup, or do I need to run the DCpromo force removal from each DC?

Paul MacDonald, Director, Information Systems

Commented:
It's not clear if there are other DCs in your domain, but if there are, you'd want to MOVE the FSMO roles to the other DCs, then demote the ones you want to remove.  If, for some reason, the DCs don't demote or you run into some problem removing them, then you can consider forcibly removing them.

Author

Commented:
The infrastructure is as follows:

DC-1= IS ACTING AS THE FOLLOWING
*AD
*PRIMARY DNS
*EXCHANGE
*DHCP
DC=2
*SECONDARY DNS
DC=3
*REALLY DOING NOTHING, NOT SURE WHY THIS ONE WAS ADDED.

DC-2 OR DC-3 ARE NOT REPLICATING WITH DC-1 ANY LONGER. I JUST NEED THEM REMOVED FROM THE DOMAIN.
Distinguished Expert 2019

Commented:
DCpromos to demote the non-functional DC have to be run on the non-functional DC.

You need to use ntdsutil to clean up the AD.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

You should have at least two DC's just in case of hardware failure.

Author

Commented:
So, run the DCpromo force removal from the non-functional DC, in this case DC-2 and DC-3. Then I would need to run the NTDSUTIL on the primary DC, correct?
Distinguished Expert 2019

Commented:
You have an issue in the environment that prevents the DC2,3 from replicating.  One option is to use dcdiag/netdiag to diagnose what the issue is that is preventing the synchronization/replication which I'd recommend you do for DC 2 since it provides DNS services.

Could you attach the output of DCDIAG generated from the working DC1 which hopefully is the master of all roles in the environment?

DC3 should be taken offline and not connected back to the network unless reformatted/OS reinstalled, which means you have to be 100% sure that DC3 does not have anything, no matter how small.
Once it is offline, you would use ntdsutil as described in the Petri link to remove any reference to DC3 from the AD.
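
The ntdsutil cleanup this answer describes, as an added example that is not part of the original post or the linked Petri article. It assumes DC1 is the healthy DC, DC3 is permanently offline, and the Windows Server 2003 Support Tools are installed on DC1; the index numbers (0, 1) are placeholders for whatever the list commands print in your environment.

```batch
@echo off
REM Added example, not from the thread. Run on DC1 as a Domain/Enterprise Admin.
REM Assumptions: DC1 is healthy, DC3 is offline for good, Support Tools installed.
REM Index numbers below (0, 1) are placeholders: read the real ones from the
REM output of the "list" commands in step 2 before running step 3.

REM 1. Confirm DC1 holds all five FSMO roles before removing anything.
netdom query fsmo

REM 2. Enumerate only (nothing is changed). Note the index of the domain,
REM    the site, and the dead server within that site.
ntdsutil "metadata cleanup" "connections" "connect to server DC1" quit ^
  "select operation target" "list domains" "list sites" ^
  "select site 0" "list servers in site" quit quit quit

REM 3. Remove the dead DC's metadata. Each "select N" refers to the most
REM    recent "list" in the same session, so the lists are repeated here.
REM    ntdsutil asks for confirmation before it deletes the server's objects.
ntdsutil "metadata cleanup" "connections" "connect to server DC1" quit ^
  "select operation target" ^
  "list domains" "select domain 0" ^
  "list sites" "select site 0" ^
  "list servers in site" "select server 1" ^
  quit "remove selected server" quit quit

REM 4. Re-run the diagnostics against DC1 and keep the output for comparison.
dcdiag /s:DC1 > "%TEMP%\dcdiag_after_cleanup.log"
```

Metadata cleanup does not remove the dead DC's DNS records, so NS, A and SRV entries that still point at it need to be checked afterwards.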

Author

Commented:
DC1 is the master and yes I will attach the log once I have it.

Thanks

Author

Commented:
OK, I ran the dcdiag; however, I cannot find the output. Any ideas?
Distinguished Expert 2019
Commented:
When you run dcdiag, it displays/outputs the data to the screen.
If you want the output to go to a file, you need to run in the command window:
dcdiag > c:\somdir\file_for_output.log
Then attach the file.

Author

Commented:
Thanks, here is the log

 20111205.log

Author

Commented:
In doing a little more research, it would appear they have set up DC-3 as a DNS server primary to that location with DC-1 being the secondary.