Solved

Removing a Windows 2003 DC from a domain

Posted on 2014-07-30
Last Modified: 2014-09-01
We have 2 x 2003 Windows servers running as DCs. We also have a Windows 2008 server running as DC, DHCP and DNS. We also have a Windows 2012 server running Exchange 2010 which is just a member server.

We are no longer using one of the 2003 servers, and wish to remove it altogether.

I have tried running DCPROMO but we keep getting the error :-

DsRemoveDsDomainW error 0x2162 (The requested domain could not be deleted because there exist domain controllers that still host this domain.)

Obviously, we still wish to use the same domain with our remaining servers, and just (first of all) remove the 2003 server.

What do I need to do to remove all traces of the first 2003 server? We will then move on to removing the second 2003 server.

Can anyone help, as it is very frustrating being so close to physically removing the old server, and being stuck at this point.

Any advice much appreciated.

Many thanks.
0
Question by:nigelbeatson
14 Comments
 
LVL 17

Expert Comment

by:Nik
ID: 40228829
Go into Active Directory Sites and Services on your parent domain's DC, click on the server which you don't find anywhere anymore in your domain computer accounts (try pinging it for all I care), open the subfolder on it where it says "NTDS Settings" and delete it.
You will be prompted what to do about it. Take the third option: the server is permanently offline and you want it removed.
Make sure you run this procedure with any badly removed DC.
Now rerun DCPROMO on the server on which you want the new child domain to be created. Et voila, new child domain (re)created.

What's probably behind this: your parent domain is still in a pending state where it's waiting to notify your dead DC about the removal of the original child domain. Since this cannot happen, your AD will remain in a crippled state about the child domain.

Source: http://trinityhome.org/Home/index.php?content=DSREMOVEDSDOMAINW_ERROR_0X2162_THE_REQUESTED_DOMAI&front_id=18&lang=en&locale=en
0
 
LVL 13

Expert Comment

by:Andy M
ID: 40228834
Firstly you need to make sure that the server is not holding any of the FSMO roles - if it does you need to move these before attempting to demote it.

Secondly ensure it's not the only global catalog in the domain.

I believe there are also options during the DCPromo, one of these is something like "this is the last domain controller/global catalog in the domain" - don't select this or anything else that refers to removing the domain/forest.
(Been a while since I did this so can't remember the exact page/settings)
0
 
LVL 19

Expert Comment

by:Kash
ID: 40228862
0
 

Author Comment

by:nigelbeatson
ID: 40231361
I have removed the DHCP and DNS server roles. I can only see :-

File Server
Print Server
Application Server
Domain Controller (Active Directory)

Set as configured. Are you saying I have to remove these first?

The Domain Controller is what I am trying to remove, should I try to remove it here? Can I remove it here?

This server is not a global catalogue server, this was moved to another server.

I did not select the option as being the last Domain Controller on the domain, so that is why I was surprised that it indicated that there were still other domain controllers hosting this domain, as I know there are.

I will check out the other suggestions too.

Many thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40231362
Can I verify that this qualifies as a Child domain? We only have one domain, and simply want to remove this old 2003 server, leaving the domain in place on other servers.

Many thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40231370
I would also like to confirm that the old 2003 server does still show under the list of Domain Controllers in AD. I am always concerned when the Microsoft processes do not work in the way expected, and about just removing things from AD Sites and Services etc., as I am unsure of the results.

The document detailed above mentions that it does not exist anymore but our old server still does.

Any suggestions?
0
 

Author Comment

by:nigelbeatson
ID: 40231384
Kash, I've been through the document and can confirm that all of the tests and criteria have passed.

Any other suggestions?
0
 
LVL 1

Expert Comment

by:Nicola Mackin
ID: 40231390
Hi nigelbeatson

Firstly, DO NOT do what nimatejic has recommended just yet. Forcing the removal in this way is a last resort. If you do, make sure that you have moved any FSMO roles to another server. You can mess up your active directory...

You need to check that your 2003 server is not hosting any of the FSMO roles. There are five of them.

Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID)
PDC Emulator

If your 2003 server is hosting any of the above you need to move them to another server.  To check and move these roles refer to this link:

http://support.microsoft.com/kb/324801

I believe you have already stated that your server is not a global catalogue server but do double check before demotion.

Once you have done this, leave it for a while to make sure everything is in sync and then try demoting your DC. After demotion you can kill off the server.  

If it fails again, check the event logs on all domain controllers and maybe post the event IDs here for more specific help. It is also worth mentioning that actually moving FSMO roles can fail; if so, post the event IDs.

Regards
Nicola
0
 

Author Comment

by:nigelbeatson
ID: 40231441
Thanks Nicola.

I did not remove the NTDS from Sites and services yet.

I've been through your article, and can confirm that they are already set to our new server.

The server being removed is called FSAMS1 and all of the settings :-

Current Schema
Operations Masters
RID, PDC and Infrastructure

are all set to FSAFS1, which is correct.

I think I would have called Microsoft by now, but they don't support 2003 any longer.

Any other ideas?

Many thanks.
0
 
LVL 1

Accepted Solution

by:
Nicola Mackin earned 500 total points
ID: 40231461
Hi

I have not worked with 2003 for quite some time, in fact, I only work with Windows Servers when I have no choice. Linux is my preferred choice.

Anyway, that does not help your situation.

These issues can be a real pain and I have had my fair share of them on client site. What I would do is back up your active directory first. Just in case. Then try the following on the 2003 DC that needs to be moved.

Launch the command prompt and then type dcpromo /forceremoval and follow the on screen prompts. After which you will need to clean up the metadata.

For more detailed information please refer to the following TechNet article.

http://technet.microsoft.com/en-us/library/cc781245(v=ws.10).aspx

This should remove your old DC but as I said, backup your active directory first.

Good Luck

Regards
Nicola
0
 

Author Comment

by:nigelbeatson
ID: 40269902
Sorry for the delay. I have been avoiding this process, as all is currently working OK, but I do need to address this. I will be taking another look over the next day or so, and will update the incident then. Thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40287380
OK - I have now been back on site and carried out the Dcpromo /forceremoval which completed OK.

I am now trying to carry out the metadata cleanup as detailed in your document.

However, when I run the remove selected server servername I get the following message :-


"C:\Users\administrator.FSA1>NTDSUTIL
NTDSUTIL: metdata cleanup
Error parsing Input - Invalid Syntax.
NTDSUTIL: metadata cleanup
metadata cleanup: remove selected server fsams1
Binding to localhost ...
DsBindWithSpnExW error 0x6d9(There are no more endpoints available from the endp
oint mapper.)
Unable to determine the domain hosted by the Active Directory Domain Controller
(2). Please use the connection menu to specify it.
metadata cleanup:"

I presume I have to run this from our current domain controller, as DS has now been removed from our old DC, and is now just a stand alone computer.

Your assistance in closing this out would be very much appreciated.

I can confirm that the demoted server still shows in Active Directory Sites and Services.

Many thanks.
0
 

Author Comment

by:nigelbeatson
ID: 40287387
I have just tried the connection method, but again it fails.

Does the old 2003 server need to be powered on to complete this, as having removed DS I did not think it would be able to find it anyway?? i.e. it's now a standalone server in the "workgroup" group??

Please advise.

Many thanks.
0
 

Author Closing Comment

by:nigelbeatson
ID: 40296962
Forced removal worked fine. No obvious problems now.

Thanks to all.
0
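
The two checks this thread keeps returning to (which server holds each of the five FSMO roles, and whether the demoted DC still has an object under Sites and Services), as an added read-only example that is not part of any poster's reply. FSAMS1 and FSAFS1 are the server names given in the thread; running PowerShell with ADSI from a domain-joined machine under a domain account is an assumption.

```powershell
# Added example, read-only: queries a surviving DC over LDAP and changes nothing.
# FSAMS1 / FSAFS1 are the names from the thread; the rest is assumed for illustration.
param(
    [string]$OldDc  = 'FSAMS1',   # DC being removed
    [string]$LiveDc = 'FSAFS1'    # surviving DC to query
)

$root     = [ADSI]"LDAP://$LiveDc/RootDSE"
$domainNC = [string]$root.defaultNamingContext
$configNC = [string]$root.configurationNamingContext
$schemaNC = [string]$root.schemaNamingContext

# Each FSMO role is recorded in the fSMORoleOwner attribute of one well-known object.
$roleObjects = @{
    'Schema Master'         = $schemaNC
    'Domain Naming Master'  = 'CN=Partitions,' + $configNC
    'PDC Emulator'          = $domainNC
    'RID Master'            = 'CN=RID Manager$,CN=System,' + $domainNC
    'Infrastructure Master' = 'CN=Infrastructure,' + $domainNC
}

$results = foreach ($role in $roleObjects.Keys) {
    $obj   = [ADSI]"LDAP://$LiveDc/$($roleObjects[$role])"
    # Value is the holder's NTDS Settings DN: CN=NTDS Settings,CN=<server>,CN=Servers,...
    $owner  = [string]$obj.fSMORoleOwner
    $holder = ($owner -split ',')[1] -replace '^CN=', ''
    New-Object PSObject -Property @{
        Role = $role; Holder = $holder; OnOldDc = ($holder -eq $OldDc)
    }
}
$results | Format-Table Role, Holder, OnOldDc -AutoSize
if ($results | Where-Object { $_.OnOldDc }) {
    Write-Warning "$OldDc still holds at least one FSMO role."
}

# Leftover metadata: a server object for the old DC anywhere under CN=Sites.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$LiveDc/CN=Sites,$configNC"
$searcher.Filter     = "(&(objectClass=server)(cn=$OldDc))"
$stale = $searcher.FindAll()
if ($stale.Count -eq 0) { "No server object for $OldDc under CN=Sites." }
foreach ($hit in $stale) {
    $serverDn = [string]$hit.Properties['distinguishedname'][0]
    $ntdsPath = "LDAP://$LiveDc/CN=NTDS Settings,$serverDn"
    $hasNtds  = [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)
    "Server object still present: $serverDn (NTDS Settings present: $hasNtds)"
}
```

A server object reported by the second check corresponds to the entry the poster still sees in Active Directory Sites and Services after the forced removal.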
