
Picking up the pieces after a failed domain controller demotion

DCPROMO is supposed to make the task of demoting a domain controller easy. So what do you do if DCPROMO fails? Take a deep breath and read this Daily Drill Down by Brien Posey, who shows you how NTDSUTIL can help you deal with the failure.


If you suspect that an Active Directory problem is limited to a single domain controller, then the best way to initially attempt a fix is to use the DCPROMO command. This tool will allow you to remove the system’s domain controller status and make the system a member server instead. You may then use the DCPROMO command again to promote the system back to domain controller status. This will place a brand-new, and hopefully clean, copy of the Active Directory database on the affected domain controller. Problem solved.

Of course, things rarely go as planned. Sometimes something happens during the demotion that causes a simple fix to become a major problem. The domain controller can get stuck in a twilight zone where the domain controller no longer thinks it’s a domain controller, but a record of it still exists in Active Directory, causing every other domain controller in your Active Directory tree to think the domain controller still exists. In this Daily Drill Down, I’ll describe the manual process behind using NTDSUTIL to clean up the mess.

What can go wrong, and why would it matter?
A networking problem or a failure to communicate with a DNS server or the other domain controllers can all cause the demotion process to fail. Likewise, you may not always have a chance to demote the system properly before a server crashes. For example, last week I had a domain controller get destroyed by lightning. With hardware prices so low, it was cheaper to buy a new server than to repair the damaged one. Consequently, my Active Directory still contained a record that my old server was still a domain controller.

Normally, having a system that no longer exists listed as a domain controller in Active Directory wouldn’t be that big of a deal. Active Directory will continue to operate normally. However, having a dead domain controller listed as active in Active Directory could cause problems down the road, especially if the crashed domain controller serves as an operations master. If the domain controller held any operations master roles, it could be difficult to seize those roles as long as Active Directory thinks that the domain controller still exists. To get an idea about what happens when operations masters fail, see the Daily Drill Down “Follow these steps to transfer and seize operations master roles.” Suffice it to say that properly functioning operations masters are vital to a healthy Active Directory.

Whether you need to demote a domain controller because it’s having problems or you need to remove a domain controller that no longer exists, the process is the same. The method that I’m about to show you will completely remove the server from Active Directory. Once the server has been removed, you can repair the server and, when appropriate, rejoin the repaired server with the domain and then use DCPROMO to restore the server to its domain controller status.

Cleaning things up
Begin the process by opening the Active Directory Users And Computers utility and navigating to the Domain Controllers container. Right-click on the failed domain controller and select the Delete command from the resulting context menu. Most of the time this technique will fail, but if it does happen to work, it will save you a lot of work, so it’s a good idea to go ahead and try it.

If you are unable to remove the domain controller through Active Directory Users And Computers, then it’s time to try removing the domain controller through the NTDSUTIL utility. One note of caution: If the domain controller still appears in the Domain Controllers container after the DCPROMO demotion appears to have succeeded, verify that replication is functional and that a replication cycle has completed before attempting to use the NTDSUTIL utility. Otherwise, you could turn a small problem into a big one. For more information, see the Daily Drill Down “Understanding Active Directory replication.”

It’s sometimes difficult to follow complex instructions when they are presented in paragraph form. Therefore, I’m including this link to the actual text that I used for the removal process so that you can see what the removal process actually looks like in its regular form.

Begin the process by opening a Command Prompt window. Type NTDSUTIL and press [Enter]. This will launch the NTDSUTIL utility. Now, enter the METADATA CLEANUP command at the NTDSUTIL prompt.

The next step in the process is to connect to the server on which you’ll be performing the cleanup operation. While, technically, you can perform this operation on any domain controller, I recommend connecting to the Domain Naming Master or to the PDC Emulator for the domain. If neither of these servers is functional, then connect to whatever domain controller you can.

To do so, type CONNECTIONS and press [Enter]. When you do, you’ll be taken to the Server Connections prompt. Hopefully, you’re logged on as a user who has permissions to do the necessary cleanup work. If not, enter the following command:
SET CREDS domain username password

where “domain” is the domain you’re connected to, “username” is the name of a user with administrator rights, and “password” is the password for the user.

The SET CREDS command requires you to enter a password. If the chosen user account doesn’t use a password, then use the word null in place of the password. You must enter the word null in lowercase.

It’s time to make the actual connection to the server. To do so, enter the command:
CONNECT TO SERVER servername

replacing “servername” with the name of the server with which you want to connect. After entering this command, there will be two messages.

One of these messages states that NTDSUTIL is binding itself to the specified server using the supplied credentials. The next message confirms the connection. If you don’t receive these messages, try reentering your credentials and then try the command once again. If the command still doesn’t work, check your ability to communicate with the target server.

Now that you’ve connected to the target server, type QUIT and press [Enter]. This will return you to the METADATA CLEANUP prompt. Next, type SELECT OPERATION TARGET and press [Enter]. This will take you to the SELECT OPERATION TARGET prompt. Next, enter the LIST DOMAINS command. When you do, the NTDSUTIL command will inform you of how many domains it is aware of in the forest and will display each domain and a corresponding number. Locate the domain that the failing domain controller belongs to and make note of the number that corresponds to it.

Now, type SELECT DOMAIN number and press [Enter]. In this command you should replace the word “number” with the number that corresponds to the domain with which you want to work.

Once you’ve selected the domain, you will probably see some messages stating No Current Site, No Current Server, and No Current Naming Context. Therefore, the next step in the process is to select the site that the failing domain controller belongs to. To do so, type LIST SITES and press [Enter]. You’ll now see a list of all of the available sites. Just as you selected the domain earlier, you must now select the appropriate site. Type SELECT SITE number, where “number” is the number of the site, and press [Enter]. You should now see a confirmation that you’re attached to the appropriate site.

Now that you’ve selected the domain and the site, you must select the server with which you want to work. The process for doing this is very similar to selecting the domain or site. First, you must get a list of all of the servers within the site by typing LIST SERVERS IN SITE and pressing [Enter]. Make a note of the number that corresponds to the failing domain controller, type SELECT SERVER number, where “number” is the number corresponding to the server, and press [Enter]. You’ll now see a somewhat lengthy confirmation of which server you’re attached to.

It’s extremely important that you take the time to read this confirmation and make sure that you’ve selected the correct server. Otherwise, you could end up removing a functional server from the domain. If you’ve accidentally selected the wrong server, then simply use the LIST SERVERS IN SITE and SELECT SERVER number commands again to select the correct server. Type QUIT and press [Enter] to return to the METADATA CLEANUP prompt.

Now, take one last look to make sure that you’ve selected the correct server. Take a deep breath and enter the command REMOVE SELECTED SERVER. You should see a dialog box similar to the one that’s shown in Figure A.

Figure A
This dialog box appears when you enter the REMOVE SELECTED SERVER command in NTDSUTIL.


As you can see in the figure, the dialog box asks if you really want to remove the server from Active Directory. The dialog box will also tell you whether the server is the last server in the domain. Click Yes and after a couple of seconds, you should see a confirmation indicating that the reference to the selected server has been removed from the server that you attached to earlier in the process. Although you’ve removed the server, replication must complete before the reference to the server will disappear from the remainder of the domain controllers.

Now, enter the QUIT command twice followed by the EXIT command. This will close out the NTDSUTIL command and then close the Command Prompt Window.
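The whole NTDSUTIL sequence above, collected into one script so you can see it end to end. This is an added example, not code from the Daily Drill Down, and it relies on a feature the text does not use: NTDSUTIL treats each argument on its command line as one line typed at its prompt, so a script can replay the session in phases and let you read each numbered list before choosing from it. Every name is a constructed assumption: GOODDC stands for the working domain controller you bind to (ideally the Domain Naming Master or PDC Emulator), and the domain, site and server numbers are whatever NTDSUTIL prints for your forest. The script assumes you are already logged on with the necessary rights; if not, a SET CREDS command belongs in the connections context, as described earlier.

```powershell
# Added example (not from the original article). Drives the NTDSUTIL metadata
# cleanup described in the text one phase at a time, replaying the selections
# made so far in each phase because ntdsutil keeps no state between runs.
# Assumed names: GOODDC is a reachable, healthy domain controller.
$LiveDC = 'GOODDC'

function Invoke-Ntdsutil {
    param([string[]]$Commands)
    # PowerShell quotes each argument that contains spaces, so a string such as
    # 'metadata cleanup' reaches ntdsutil.exe as a single command line.
    & ntdsutil.exe @Commands 2>&1 | Out-String
}

# Every phase starts the same way: enter METADATA CLEANUP, bind to the live DC
# from the CONNECTIONS prompt, come back, and enter SELECT OPERATION TARGET.
$Prefix = @('metadata cleanup', 'connections', "connect to server $LiveDC",
            'quit', 'select operation target')

# Phase 1: LIST DOMAINS and note the number of the failed DC's domain.
Invoke-Ntdsutil ($Prefix + @('list domains', 'quit', 'quit', 'quit'))
$Domain = Read-Host 'Number of the domain the failed domain controller belongs to'

# Phase 2: LIST SITES and note the number of the failed DC's site.
Invoke-Ntdsutil ($Prefix + @("select domain $Domain", 'list sites',
                            'quit', 'quit', 'quit'))
$Site = Read-Host 'Number of the site the failed domain controller belongs to'

# Phase 3: LIST SERVERS IN SITE and note the number of the FAILED server.
Invoke-Ntdsutil ($Prefix + @("select domain $Domain", "select site $Site",
                            'list servers in site', 'quit', 'quit', 'quit'))
$Server = Read-Host 'Number of the FAILED domain controller (check it twice)'

# Phase 4: select the server and show NTDSUTIL's confirmation of what is
# selected. Read it carefully; this is the check the text insists on, because
# the next phase removes whatever server is listed here.
$Selected = $Prefix + @("select domain $Domain", "select site $Site",
                        "select server $Server")
Invoke-Ntdsutil ($Selected + @('quit', 'quit', 'quit'))

# Phase 5: remove only after an explicit, case-sensitive confirmation.
# NTDSUTIL asks once more (the dialog box in Figure A) before changing anything.
if ((Read-Host 'Type REMOVE to delete the selected server from Active Directory') -ceq 'REMOVE') {
    Invoke-Ntdsutil ($Selected + @('quit', 'remove selected server', 'quit', 'quit'))
}

# Phase 6: list the site's servers again on the same DC. The removed server
# should be gone here now; it disappears from the other domain controllers
# only after a replication cycle completes.
Invoke-Ntdsutil ($Prefix + @("select domain $Domain", "select site $Site",
                            'list servers in site', 'quit', 'quit', 'quit'))
```

Each phase ends with three QUIT commands because the SELECT OPERATION TARGET prompt sits two levels below the top-level NTDSUTIL prompt; the removal phase ends with two because REMOVE SELECTED SERVER is issued from the METADATA CLEANUP prompt. If you would rather work interactively, the same strings, typed in the same order, are the session the text describes.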

What else could go wrong?
Even if you’ve done everything correctly, there’s still a chance that the process could terminate with the following error message:
Error 8419 (0x20E3)
The DSA Object Could Not Be Found


If you receive this error, it usually means that the object has already been removed from Active Directory. There are a number of reasons why this could be the case. Perhaps your DCPROMO operation was successful after all, or maybe another administrator has already completed the removal process.

At any rate, if you get this error message, it’s usually safe to assume that the object has really been removed, rather than there being another problem causing the message. For example, if the server was having trouble communicating with the DNS server or with the selected domain controller, you would have seen error messages far earlier in the process.

Conclusion
Demoting a domain controller is supposed to be an easy process. The DCPROMO command demotes the domain controller and removes all of the Active Directory references for the server. But when things don’t go as planned and DCPROMO fails, then you’ve got problems. Fortunately, a little bit of work with NTDSUTIL can get Active Directory cleaned up in no time.
