Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-12-02) Uninstalling Active Directory – Demoting A DC

Posted by Jorge on 2006-12-02


This is an old one, but I thought I’d post it here for those ever having trouble demoting a DC to a member server or stand alone server.

The 3 supported ways of removing AD from a server with W2K, W2K3 and W2K8 are:

  1. DCPROMO
    1. Used most of the time for a healthy DC
    2. Does NOT work in SAFE or DSRM mode, only works in NORMAL mode
    3. End result will be a member server in the domain, except when it is the last DC in the domain, in which case it will be a stand alone server
    4. Any FSMO roles held by the DC will be transferred automatically to a nearby DC
    5. DC specific metadata will be cleaned (except for the server object)
  2. DCPROMO /FORCEREMOVAL
    1. Used most of the time for an UNhealthy DC, for example a DC that experiences "USN rollback" or "Lingering Objects"
    2. Does NOT work in SAFE or DSRM mode, only works in NORMAL mode
    3. End result will be a stand alone server
    4. On W2K3 SP1, any FSMO roles held by the DC will NOT be transferred automatically to a nearby DC. However a message is generated stating that continuing will orphan any FSMO roles hosted by the DC. When continuing you would need to SEIZE the FSMO roles to another DC –> see: Moving FSMO Roles From One DC To Another DC
    5. DC specific metadata will NOT be cleaned. You still need to clean the AD metadata of the DC –> see: Cleaning Up The AD Metadata Of A DC Or An AD domain
  3. Just whack the server and reinstall😉
    1. Used most of the time when NOTHING else works and/or the server does not contain any data that is worth saving
    2. End result will depend on the install (joined or unjoined)
    3. Any FSMO roles held by the DC will NOT be transferred automatically (duh!) to a nearby DC. Afterwards you would need to SEIZE the FSMO roles to another DC –> see: Moving FSMO Roles From One DC To Another DC
    4. DC specific metadata will NOT be cleaned. You still need to clean the AD metadata of the DC BEFORE rebuilding the server –> see: Cleaning Up The AD Metadata Of A DC Or An AD domain

NOTE: W2K8 supports removing AD from a DC in DSRM by using ‘DCPROMO /FORCEREMOVAL’. Be aware that afterwards you still need to clean the AD metadata. If the server hosts any FSMO role you will be warned about it. If you continue you would need to seize the FSMO roles to another live DC!

The following method is meant for the case where the DC no longer boots in NORMAL mode but does boot in DSRM, and it contains data that is worth saving or rebuilding the DC would take too much time. Also BE AWARE that:

  1. Any FSMO roles held by the DC will NOT be transferred automatically (duh!) to a nearby DC. You would still need to SEIZE the FSMO roles to another DC –> see: Moving FSMO Roles From One DC To Another DC
  2. DC specific metadata will NOT be cleaned (duh!). You still need to clean the AD metadata of the DC BEFORE rebuilding the server –> see: Cleaning Up The AD Metadata Of A DC Or An AD domain

NOTE: PROCEED WITH CAUTION AND DO NOT USE THIS IF THERE IS ANOTHER WAY!

The steps of the UNSUPPORTED way of removing AD from a server with W2K and W2K3 are:

  1. Boot into DSRM (Directory Services Restore Mode)
  2. Log on with the DSRM administrator
  3. Start REGEDIT
  4. Navigate to the key "HKLM\System\CurrentControlSet\Control\ProductOptions"
  5. Change the data value of the data name "ProductType" from "LanmanNT" to "ServerNT"
  6. Reboot the server. It will boot as a stand alone server (although it still shows the domain it belonged to in the logon screen)
  7. Log on with the LOCAL SERVER administrator account and its password. The password is the same as that of the DSRM administrator account.
  8. Promote the server to a DC in a new AD domain in a new AD forest.
    1. As the domain use for example "TEMPAD.TEMP" as the domain FQDN and "TEMPAD" as the domain NetBIOS name (it will suggest the OLD domain NetBIOS name, but DO NOT use that!!!).
    2. Use the same paths for the AD DB, the AD LOGS and the SYSVOL. If you no longer know them, open REGEDIT and navigate to the key "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" for the AD files and look at the data values of the data names "DSA Working Directory" and "Database log files path". For the SYSVOL path navigate to the key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" and look at the data value of the data name "SYSVOL". From that path use only the part without the last SYSVOL directory. After entering the paths, acknowledge deleting the current files in the specified folders!
    3. REMARK: the password of the domain administrator account will be the same as that of the local server administrator, which again is the same as that of the previous DSRM administrator account.
  9. Reboot the server. It will boot as a DC of the newly created AD forest/domain
  10. Log on with the domain administrator account and its password. See the remark mentioned above.
  11. Demote the DC, being the last DC of the AD forest/domain that was just created. The end result will be a stand alone server which will still have the temporary FQDN as its DNS suffix (by default this changes automatically when the domain membership changes).
  12. Delete the SYSVOL directory.
  13. Reboot the server. It will boot as a stand alone server.
  14. From now on do with the server as you wish, like joining it as a member server or promoting it to a DC of an existing AD domain (BEFORE DOING EITHER, FIRST DO WHAT IS MENTIONED ABOVE, MEANING "SEIZE THE FSMO ROLES" THE DC HOSTED BEFORE, "CLEAN ITS METADATA" AND FORCE AD REPLICATION OF BOTH CHANGES)
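Steps 4, 5 and 8.2 above depend on a handful of registry values that are easy to mistype from memory while the box is half-broken. The script below is an added example, not part of Jorge's post: a read-only pre-flight that records those values (and derives the SYSVOL root that DCPROMO wants in step 8.2 by stripping the last directory), tells you whether the ProductType actually says LanmanNT before you edit it, and exports the ProductOptions key so step 5 can be undone with "reg import". It assumes PowerShell is available on the server (so in practice W2K8 or later, or W2K3 with PowerShell installed) and that it runs elevated; it works in DSRM as well as NORMAL mode because it only reads the registry.

```powershell
# Added example (not from the original post): read-only pre-flight for the
# unsupported ProductType procedure. Changes nothing in the registry.
$productOptions = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
$ntdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegistryValueOrNull {
    # Returns the value's data, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$productType = Get-RegistryValueOrNull $productOptions 'ProductType'
$dsaDir      = Get-RegistryValueOrNull $ntdsParams     'DSA Working Directory'
$logDir      = Get-RegistryValueOrNull $ntdsParams     'Database log files path'
$sysvolPath  = Get-RegistryValueOrNull $netlogonParams 'SysVol'

# Step 8.2 wants the path WITHOUT the trailing SYSVOL directory, e.g.
# C:\Windows\SYSVOL\sysvol -> C:\Windows\SYSVOL. Derive it instead of typing it.
$sysvolRoot = if ($sysvolPath) { Split-Path -Path $sysvolPath -Parent } else { $null }

$role = switch ($productType) {
    'LanmanNT' { 'Domain controller (LanmanNT)' }
    'ServerNT' { 'Member or stand alone server (ServerNT)' }
    'WinNT'    { 'Workstation (WinNT)' }
    default    { "Unknown ($productType)" }
}

[pscustomobject]@{
    ProductType          = $productType
    Role                 = $role
    DsaWorkingDirectory  = $dsaDir
    DatabaseLogFilesPath = $logDir
    SysvolValue          = $sysvolPath
    SysvolRootForDcpromo = $sysvolRoot
} | Format-List

if ($productType -ne 'LanmanNT') {
    Write-Warning "ProductType is '$productType', not 'LanmanNT': this server is not currently a DC, so step 5 does not apply."
}
if ($productType -eq 'LanmanNT' -and -not ($dsaDir -and $logDir -and $sysvolPath)) {
    Write-Warning 'Server says it is a DC but one or more NTDS/SYSVOL paths are missing; write the paths down from another source before continuing.'
}

# Keep a copy of the key you are about to edit so step 5 can be reverted with:
#   reg import <file>
$backup = Join-Path $env:SystemDrive ("ProductOptions-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' $backup | Out-Null
"Backup of the ProductOptions key written to $backup"
```

Run it once before step 5 and keep the output together with the .reg file; the three paths it prints are exactly what step 8.2 asks for, and the backup is the only quick way back if the box does not come up as expected after the reboot in step 6.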

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ######################
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

7 Responses to “(2006-12-02) Uninstalling Active Directory – Demoting A DC”

  1. tomek said

    Nice that You’ve described this “unsupported” procedure. I’ve used it several times when it was officially available on KB. But maybe You will consider changing the color of the UNSUPPORTED word to red and putting a few lines of words where You will use PROCEED and CAUTION and DO NOT DO THIS IF THERE IS ANOTHER WAY.

    In my case I’ve used it when DCs (Windows 2000) were in a state where no logon screen was available and they kept crashing at some system boot stage.

  2. Hello Jorge,

    As usual, very good post!🙂
    Q: When doing a normal demotion with dcpromo, will all AD records in all NCs be deleted automatically?
    For example, after each normal demotion, I had to delete the empty object container in dssite.msc, even after all DCs were synchronized.

    For DNS records, I think scavenging will do the trick.

    Thanks and happy new year !

    Yann

  3. Jorge said

    Hi Yann,

    Either using a normal demotion or a metadata cleanup, everything is cleaned….except…
    * The server object under the servers container in the configuration partition, which is viewable with DSSITE.MSC. You always need to delete this one manually. The main reason is that the server object may contain other leaf objects which are based on the roles of that server. The server object has nothing to do with the DC role. If it does not exist it is most of the time created by DCPROMO. However other services can do that as well, like Exchange and MSMQ (if I remember correctly). The NTDS Settings object DOES have a relation with the DC role.
    * DNS records….Either these are removed as they should by the demotion process and if some remain, if you use aging/scavenging (you should IMO) that should take care of it after some days.

    If I’m not mistaken it also depends on what DCPROMO version is used for what is cleaned or not. For example, again if I remember correctly, DFS-R stuff is not cleaned as it should.

    I have been working on a metadata cleanup utility that cleans EVERYTHING. The only thing missing until now is DNS cleanup. That is however not easy because you can have primary zones and AD-I zones and I want the cleanup to be based only upon the FQDN as I assume that is the only thing I know. Besides that, the script is now a VBS script and if I ever release it, it will be an EXE.

    cheers,
    Jorge
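Jorge's reply above says the one thing a normal demotion and a metadata cleanup both leave behind is the server object under the Servers container in the configuration partition, and that it is the NTDS Settings child (not the server object itself) that ties the object to the DC role. The script below is an added example, not part of the reply or of Jorge's cleanup utility: it walks CN=Sites in the configuration NC and reports every server object that no longer has an NTDS Settings child, which is exactly the leftover you would otherwise have to spot by hand in DSSITE.MSC. It only reports; deleting anything is left to you. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, which did not exist when the post was written) and a reachable DC.

```powershell
# Added example (not from the original post or comment): report-only check for
# server objects in the Sites container that have no NTDS Settings child.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Every server object under every site's Servers container.
$servers = Get-ADObject -SearchBase $sitesDN -SearchScope Subtree `
    -LDAPFilter '(objectClass=server)' -Properties serverReference

$leftovers = foreach ($srv in $servers) {
    # A live DC has a child "CN=NTDS Settings" of class nTDSDSA under its server object.
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    if (-not $ntds) {
        # Other leaf objects (Exchange, MSMQ, ...) under the server object are the
        # reason the demotion leaves it alone, so count them before deleting anything.
        $children = @(Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=*)' -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Server          = $srv.Name
            DN              = $srv.DistinguishedName
            ServerReference = $srv.serverReference   # computer object, if still present
            OtherChildren   = $children.Count
        }
    }
}

if ($leftovers) {
    'Server objects without an NTDS Settings child (review, then delete manually in DSSITE.MSC if appropriate):'
    $leftovers | Format-Table -AutoSize
} else {
    'No server objects without NTDS Settings found.'
}
```

Run it after the demotion (or after the metadata cleanup of a dead DC) has had time to replicate; a server object with OtherChildren greater than zero is one that some other service still uses, so check those children before removing it.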

  4. Understood !

    Thanks Jorge for clarification.

    BTW: what does IMO mean ?
    -> “…if you use aging/scavenging (you should IMO)…”

  5. Jorge said

    IMO = In my opinion
    IMHO = In my honest opinion

  6. Hey, thanks for this! This saved me a lot of time for one of my clients that was using terminal services in application mode on this server (yes, we are not supposed to run TS application mode on a DC)

    All the profiles followed also since the server rejoined the Domain,

    Again thanks

  7. […] Because of that it was either needed to re-install the DC or use an unsupported method as mentioned here. In Windows Server Longhorn it is not needed to use this unsupported method as in DSRM it will […]
