Cleaning Up After AD
How to gracefully demote Active Directory domain controllers and the mess left behind by doing so.
If you've worked with Active Directory long enough, most likely you have run into situations where Active Directory domain controllers refuse to be demoted when you use the Active Directory Installation Wizard (dcpromo.exe). Even though everything else on your network seems to be fine, the demotion process will fail no matter what you do.
According to Microsoft this can happen if a "required dependency or operation fails," such as network connectivity, name resolution or authentication. If you've ruled those out, the cause may be a problem inside Active Directory itself, such as an object the wizard cannot locate or a replication service that isn't working.
The fact is, this problem has existed since the inception of Active Directory and the Active Directory developers have never been able to pinpoint it. Things became so problematic that Microsoft added a new feature in Windows Server 2003 called "forced demotion." It is meant to be used only as a last resort, when you cannot resolve the underlying problem. Forced demotion will (hopefully) demote your domain controller, but it does not clean the DC's metadata out of Active Directory; that part is still your job. As Active Directory matures, perhaps the utilities will do these chores automatically so you don't have to clean up the mess by hand.
Let's take a look at the procedure for forced demotion of Windows Server 2003 DCs as well as Windows 2000 DCs. Then I will show you how to clean the metadata out of Active Directory, removing the remnants of the old DC so that Active Directory doesn't get confused by them later.
Demoting Windows Server 2003 DCs
DCPROMO (the Active Directory Installation Wizard) is a toggle: it installs Active Directory on a member server or removes it from a DC. To forcibly demote a Windows Server 2003 DC, run the following from Start, Run, or at a command prompt:
dcpromo /forceremoval
Note: If the DC is running Certificate Services, you must remove Certificate Services before continuing. If you specify the /forceremoval switch on a server that doesn't have Active Directory installed, the switch is ignored and the wizard assumes you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the password to assign to the local Administrator account in the SAM database of the soon-to-be member server. If Windows Server 2003 Service Pack 1 is installed on the DC, you benefit from a few enhancements: the wizard runs some checks and prompts you to take action, for example if the DC is a Global Catalog server or a DNS server, or if it holds any of the operations master roles. Keep in mind that forced demotion does not transfer those roles anywhere. Whatever the wizard tells you, once the demotion is done you must seize any role the DC held on a surviving DC (using the roles menu in NTDSUTIL), and if it was the only Global Catalog server you must make another DC a Global Catalog.
Demoting Windows 2000 DCs
On a Windows 2000 domain controller, forced demotion is supported with Service Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just make sure that while running the wizard, you clear the "This server is the last domain controller in the domain" check box. On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC
Once you've successfully demoted the DC, your job is not quite done yet. Now you must clean up the Active Directory metadata. You may be wondering why this has to be done manually. The metadata for the demoted DC is not deleted from the surviving DCs precisely because you forced the demotion: a forced demotion only removes Active Directory from the local machine and never contacts the other DCs, so they are not aware that the DC left. Its NTDS Settings object, its server object in the Sites container, its computer account and its replication connections all stay in the directory until you remove them.
Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is obvious in most cases but, in other cases, you won't know it unless you start digging deep into Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on a Windows Server 2003 SP1 DC. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up, which obviously means that the earlier versions didn't do a very good job. For Windows 2000 DCs, check out Microsoft Knowledge Base article 216498, "How to remove data in Active Directory after an unsuccessful domain controller demotion."
Here’s the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
- Log on to a surviving DC as a Domain Administrator.
- At the command prompt, type ntdsutil.
- Type metadata cleanup.
- Type connections.
- Type connect to server servername, where servername is a surviving DC. Never connect to the DC you are removing.
- Type quit or q to go up one level. You should be at the metadata cleanup prompt.
- Type select operation target.
- Type list domains. You will see a list of the domains in the forest, each with a number.
- Type select domain number, where number is the number of the domain the demoted DC belonged to.
- Type list sites.
- Type select site number, where number is the number of the site the demoted DC was in.
- Type list servers in site.
- Type select server number, where number is the number of the demoted DC. Double-check this one: the server you select here is the one whose objects get deleted.
- Type quit to return to the metadata cleanup prompt.
- Type remove selected server. On SP1 a dialog box asks you to confirm the removal; after you confirm, you should see a message that the removal completed successfully.
- Type quit to exit ntdsutil.
You should also clean up the DNS database by deleting every record that still refers to the demoted DC: its A and NS records, the SRV records under _tcp, _udp and _sites (in the domain zone and in _msdcs) and the CNAME record in _msdcs whose name is the DC's DSA GUID. If these survive, other DCs and clients will keep trying to reach a server that no longer exists.
In general, you will have better luck with forced demotion on Windows Server 2003, because naming contexts and other objects are not cleaned up as quickly on Windows 2000 Global Catalog servers, especially those running Windows 2000 SP3 or earlier. Because forced demotion is a last resort that bypasses the normal checks, there are a few more things you should know about it.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using ADSIEdit or other such tools. You might want to check out Microsoft’s Knowledge Base article 332199, "Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server," for more information.
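The following PowerShell script is an added example and is not part of the original column or of Microsoft's documentation. It collapses the NTDSUTIL walk-through above into a single non-interactive call (the SP1 form "remove selected server <DN> on <DC>" takes the server object's DN directly, so the list/select menus are not needed), then does the follow-up work this section leaves to ADSIEdit and the DNS console: it searches both the Configuration and domain partitions for objects still named after the dead DC and enumerates the DNS records that still point at it. The names DC1 (surviving DC), DC2 (the forcibly demoted DC), contoso.com and Default-First-Site-Name are hypothetical; by default the script only reports and prints the delete commands, and the -Remove switch makes it run them.

```powershell
# Added example, not part of the original column: drive the SP1 ntdsutil
# metadata cleanup non-interactively, then look for what it leaves behind.
# Hypothetical names: surviving DC "DC1", forced-demoted DC "DC2",
# domain contoso.com, site Default-First-Site-Name.
param(
    [string]$DeadDc   = 'DC2',
    [string]$Survivor = 'DC1',
    [string]$Site     = 'Default-First-Site-Name',
    [string]$DomainDn = 'DC=contoso,DC=com',
    [string]$ZoneName = 'contoso.com',
    [switch]$Remove          # without it, only report and print the commands
)

$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"

# 1. Metadata cleanup. Each array element is one ntdsutil command, the same
#    sequence as the interactive walk-through with the menus collapsed.
#    ntdsutil still shows a confirmation box before it deletes anything.
$ntdsutilArgs = @('metadata cleanup', "remove selected server $serverDn on $Survivor", 'quit', 'quit')
if ($Remove) {
    & ntdsutil.exe @ntdsutilArgs
} else {
    'Would run: ntdsutil ' + (($ntdsutilArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
}

# 2. Objects that may survive metadata cleanup (the ones KB 332199 sends you to
#    ADSIEdit for): the computer account, the FRS member object under Domain
#    System Volume, and the server object itself if the removal failed half-way.
function Find-LeftoverDcObjects {
    param([string]$Name, [string]$DomainDn)
    foreach ($root in "LDAP://CN=Configuration,$DomainDn", "LDAP://$DomainDn") {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$root)
        $searcher.Filter   = "(|(cn=$Name)(dNSHostName=$Name.*))"
        $searcher.PageSize = 500
        $searcher.FindAll() | ForEach-Object { $_.Path }
    }
}

# 3. DNS records that still point at the dead DC: its A record, NS entries, the
#    SRV records under _tcp/_udp/_sites and the DSA GUID CNAME in _msdcs.
#    dnscmd prints one record per line and indents continuation lines (more
#    records for the same node), so the parser carries the node name forward.
function Get-DeadDcDnsRecords {
    param([string]$Zone, [string]$Server, [string]$DeadFqdn)
    $deadHost = ($DeadFqdn -split '\.')[0]
    $node = $null
    foreach ($line in (& dnscmd.exe $Server /EnumRecords $Zone '@' 2>$null)) {
        $tokens = @(($line.Trim() -split '\s+') | Where-Object { $_ -notmatch '^\[Aging' })
        if ($line -notmatch '^\s') {          # new node: first token is its name
            $node   = $tokens[0]
            $tokens = @($tokens | Select-Object -Skip 1)
        }
        # skip header/footer lines: a record line starts with a numeric TTL
        if ($tokens.Count -lt 3 -or $tokens[0] -notmatch '^\d+$') { continue }
        $type = $tokens[1]
        $data = $tokens[2..($tokens.Count - 1)] -join ' '
        if (($type -eq 'A' -and $node -ieq $deadHost) -or ($data -imatch [regex]::Escape($DeadFqdn))) {
            [pscustomobject]@{ Zone = $Zone; Node = $node; Type = $type; Data = $data }
        }
    }
}

'--- Objects still named after the demoted DC:'
Find-LeftoverDcObjects -Name $DeadDc -DomainDn $DomainDn

'--- DNS records still pointing at it:'
# On Windows 2000 DNS, _msdcs is a subdomain of the domain zone rather than its
# own zone; dnscmd then errors on the second zone and the error is discarded.
foreach ($zone in $ZoneName, "_msdcs.$ZoneName") {
    foreach ($r in Get-DeadDcDnsRecords -Zone $zone -Server $Survivor -DeadFqdn "$DeadDc.$ZoneName") {
        $delArgs = @($Survivor, '/RecordDelete', $r.Zone, $r.Node, $r.Type) + ($r.Data -split ' ') + '/f'
        if ($Remove) { & dnscmd.exe @delArgs } else { 'dnscmd ' + ($delArgs -join ' ') }
    }
}
```

Run it first without -Remove on the surviving DC and read the output: every object path and every dnscmd line it prints should refer to the demoted DC and nothing else before you re-run it with -Remove. The search in step 2 matches on name only, so a DC that shared its name with some other object will show false hits; the DNS parser in step 3 ignores the A record's IP on purpose and matches on the node name instead, because the data of the SRV, NS and CNAME records is the DC's FQDN while the A record is the only one whose node is the DC's own host name.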
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience spans a wide spectrum of roles: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at firstname.lastname@example.org.