Can't Demote Windows 2000 Domain Controller

    Question

  • I recently upgraded our domain to Windows 2008 R2. I'm at the point where I'm now trying to demote our Windows 2000 and 2003 domain controllers. On my Windows 2000 DC, after running dcpromo to demote it, it gets stuck at "Stopping service NETLOGON". The first time I tried this, it sat at this screen for 7 hours before the server rebooted on its own. I tried it again this morning, and it ran for over 9 hours at this screen before I terminated the process.

    I've also tried first stopping the NETLOGON service (which does stop successfully) before running the dcpromo, but it still gets stuck at the Stopping service NETLOGON message.

    During this time when it is sitting at this screen, both the Services.exe and LSASS.exe processes are pegging the CPU at 100% (they are both around 50%).

    Here is some info from the dcpromo.log:

    06/14 08:27:25 [INFO] Stopping service NETLOGON

    06/14 19:14:37 [INFO] StopService on NETLOGON failed with 1115
    06/14 19:14:37 [INFO] Configuring service NETLOGON to 1 returned 1115
    06/14 19:14:37 [INFO] Error - Failed to configure the service NETLOGON as requested
     (1115)
    06/14 19:14:37 [ERROR] Failed to stop NETLOGON (1115)
    06/14 19:14:38 [ERROR] DsRolepFinishSysVolPropagation (Abort Demote) failed with 1115
    06/14 19:14:38 [WARNING] Failed to abort system volume demotion (1115)
    06/14 19:14:38 [INFO] Canceling current operation...
    06/14 19:14:38 [INFO] Request for cancel returning 0
    06/14 19:14:38 [WARNING] Failed to destroy the session with DC3.company.us: 0x8ca
    06/14 19:14:38 [INFO] The attempted domain controller operation has completed
    06/14 19:14:38 [INFO] DsRolepSetOperationDone returned 0

    Any help to resolve this would be appreciated.


    • Edited by marks70 Wednesday, June 15, 2011 3:09 AM added info
    Wednesday, June 15, 2011 3:01 AM
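
Added example, not part of the original thread: a small Python parser for the dcpromo.log excerpt above that finds where the demotion stalled and names the status codes it logged. The sample lines are copied from the question; the year and the symbolic code names (taken from the Windows SDK headers) are assumptions supplied by the example.

```python
import re
from datetime import datetime

# Constructed sample: lines from the excerpt in the question, wrapped line included.
SAMPLE_LOG = """\
    06/14 08:27:25 [INFO] Stopping service NETLOGON
    06/14 19:14:37 [INFO] StopService on NETLOGON failed with 1115
    06/14 19:14:37 [INFO] Error - Failed to configure the service NETLOGON as requested
     (1115)
    06/14 19:14:38 [WARNING] Failed to destroy the session with DC3.company.us: 0x8ca
    06/14 19:14:38 [INFO] DsRolepSetOperationDone returned 0
"""

# Symbolic names from the Windows SDK headers (winerror.h, lmerr.h), not from the thread.
KNOWN_CODES = {1115: "ERROR_SHUTDOWN_IN_PROGRESS", 2250: "NERR_UseNotFound"}

ENTRY = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
# A trailing status code: "... with 1115", "... returned 0", "... (1115)", "...: 0x8ca"
CODE = re.compile(r"(?:with |returned |: |\()(0x[0-9a-fA-F]+|\d+)\)?$")

def parse(text, year=2011):
    """Return log entries; the log omits the year, so it is supplied (assumption)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %m/%d %H:%M:%S")
            entries.append({"time": ts, "level": m.group(2), "msg": m.group(3)})
        elif line and entries:
            entries[-1]["msg"] += " " + line   # wrapped continuation, e.g. "(1115)"
    return entries

def longest_stall(entries):
    """Return (gap, entry logged just before the gap), or None for fewer than 2 entries."""
    gaps = [(b["time"] - a["time"], a) for a, b in zip(entries, entries[1:])]
    return max(gaps, key=lambda g: g[0]) if gaps else None

def status_codes(entries):
    """Map each non-zero trailing status code to its symbolic name."""
    found = {}
    for e in entries:
        m = CODE.search(e["msg"])
        if m:
            s = m.group(1)
            code = int(s, 16) if s.lower().startswith("0x") else int(s)
            if code:
                found[code] = KNOWN_CODES.get(code, "unknown")
    return found
```

On the excerpt, `longest_stall(parse(SAMPLE_LOG))` reports a gap of 10:47:12 after "Stopping service NETLOGON", and `status_codes` resolves 1115 and 0x8ca (2250) to their header names.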

Answers

  • I was finally able to demote my DC successfully. I had to first remove the DNS role. After doing so, the dcpromo completed without issue.

    Thank you for everyone's input.

    • Marked as answer by marks70 Thursday, June 30, 2011 10:15 PM
    Thursday, June 30, 2011 10:15 PM

All replies

  • On a new Windows 2008 DC, look in ADUC for the old domain controller object, properties, and check to see if "Protect this object from accidental deletion" is checked. You'll also want to check in Sites and Services for the server object to make sure that checkbox is unchecked. Here's more info:

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/050b8ba5-be2d-4dda-8f86-3317d4efae67

    I assume, to facilitate the demotion and make it easier, you've already transferred the FSMO roles to the newer DCs?

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Mike Kline Wednesday, June 15, 2011 3:38 AM
    Wednesday, June 15, 2011 3:36 AM
  • Demote the DC using dcpromo /forceremoval & perform the metadata cleanup. Make sure the other DC is also pointing to the new Windows 2008 R2 server as a DNS server instead of Windows 2000. Also, verify that the Windows 2008 R2 DC is also a GC server.

    If the Windows 2000 DC doesn't hold FSMO roles, you can demote the DC using dcpromo /forceremoval. After the metadata cleanup, which is a mandatory step, you are required to remove the leftover references manually.

    Metadata Cleanup of a Domain controller

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Mike Kline Wednesday, June 15, 2011 3:38 AM
    Wednesday, June 15, 2011 3:38 AM
    Moderator
  • Thanks for your response. I checked both of the locations for the "Protect this object from accidental deletion", and it was not checked. The FSMO roles were previously moved to different servers. I removed this server as a Global Catalog after the first failed attempt to demote it.
    Wednesday, June 15, 2011 4:31 AM
  • Thank you for the suggestions. I'm trying to avoid using the /forceremoval parameter until hopefully a couple of other troubleshooting steps/suggestions have been made.
    Wednesday, June 15, 2011 4:33 AM
  • Are there any Event log errors on any of the DCs? I assume the old DC is pointing to the new DC for its DNS entry?

    I'm curious why you're avoiding the /forceremoval method. Are there apps or services you're trying to maintain running after demotion? It looks like the *easier* option is to use the /forceremoval switch and run a Metadata cleanup to make sure the reference is removed from AD.

    Believe me, in some cases, instead of spending hours trying to find a root cause with a DC, it's actually faster and easier to use this method. It reduces stress, gets the job done, and doesn't cut into your drinking time. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 15, 2011 4:43 AM
  • Yes, unless you want to preserve a running application, spending time finding out why graceful demotion is not working is a waste of time.

    This ability to demote and promote a DC quickly is one more reason why a DC should not be used for running any other application apart from GC & DNS.

    There can be a lot of reasons with Windows 2000, which has lost its support too; personally, I would not prefer to look for the cause of graceful demotion not working, at least for a Windows 2000 DC.

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 15, 2011 4:57 AM
    Moderator
  • All the other DCs' event logs are clean with no error messages. The old DC is pointing to new DCs for DNS.

    The old DC is a DNS server that many of our legacy systems are still using for DNS. I need to continue using the server as a DNS server until the DNS entries on the old systems can be changed.

    Wednesday, June 15, 2011 5:29 AM
  • With the forcedemote switch, and the steps in the following, you can still use the machine as a DNS server. Keep in mind, make sure you know the DSRM password on the machine (that is the local administrator account) or you won't be able to log in after it's been cleaned up from AD services.

    Also keep in mind, and assuming the AD zone is AD integrated, do NOT delete the zone out of DNS or doing so will delete the zone out of the AD database. Once it's not a DC, it will no longer participate in AD replication, and the zone won't be available. At that time when the machine comes back up, create a Secondary zone, (you'll have to allow zone transfers from the DC you choose to be the Master), and you should be good to go.

    ==================================================================
    Force demote a DC (manually uninstall AD services off of a DC)

    This is a manual 15 step method to uninstall AD services from a DC, essentially making it a member server. Of course, you would rather use dcpromo with the /forceremoval switch, but if that doesn't work, it's really advised to simply rebuild it from scratch, and this is all assuming you have other DCs in the domain.

    Keep in mind, this was previously not supported; however, Microsoft supports it now:

    Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
    http://support.microsoft.com/kb/332199
     

    1) On another DC in the domain run NTDSUTIL to seize the FSMO roles to another DC. (If this is the only DC, then don't worry about it)
    How to view and transfer FSMO roles in Windows Server 2003
    http://support.microsoft.com/kb/324801
    2) Make sure DNS is 100% solid on the working DC. (If only one DC, don't worry about it for now, but configure it correctly before promoting it to a new DC).
    3) Make sure working DC is also a GC. (If just one DC, don't worry about it).
    4) Boot corrupted DC into DSRM, edit the registry: in HKLM\SYSTEM\CCS\Control\ProductOptions, change the ProductType value from LanmanNT to ServerNT. This key dictates if the machine is a DC or just a server. ServerNT means it's not a DC.
    5) Command prompt >  net stop ntfrs to stop FRS.
    6) Delete the Winnt\Sysvol and NTDS directories.
    7) Reboot the now former DC
    8) Log into the now member server. Change it to a stand alone, by joining a workgroup (My Computer Properties, Network ID tab, remove it from the old domain).
    9) Reboot the now stand alone server.
    10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
    11) If there are existing DCs in the domain, you'll want to run a Metadata Cleanup to remove the reference of this now defunct DC. Follow the steps at:

    How to remove data in Active Directory after an unsuccessful domain controller demotion Windows 2000 and 2003
    http://support.microsoft.com/kb/216498
    or
    Cleanup Metadata Windows 2003
    http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
    or
    Complete Step by Step Guideline to Remove an Orphaned Domain controller
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

    If Windows 2008:
    Cleanup Server Metadata Windows 2008 (GUI Based)
    http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

    12) Now on this new stand alone machine, set the Primary DNS Suffix to the new domain name that you want (In My Computer. Properties, Network ID Tab, Properties, More,). Reboot.
    13) Make sure that DNS is configured with the new domain name and updates set to YES.
    14) Run DCPROMO to create a new domain or join the domain/tree/forest again.
    15) Reboot.
    ==================================================================

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 15, 2011 1:53 PM
  • Once you demote the DC using forceremoval, you can reconfigure DNS, but it will not be AD-integrated, as AD-integrated DNS can only be on a domain controller to save its database, and the reason for using AD-integrated DNS is certain advantages like replication of DNS with AD, security, etc.

    Since you have other DCs, make all the DCs DNS/GC and point the applications to the new DNS server, as it doesn't make sense to host the server just for DNS unless DNS is used heavily in your environment.

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, June 16, 2011 2:32 AM
    Moderator
  • I have to hold off on demoting the DCs until hopefully next week. Once I do this, I will update the thread.

    Thanks for everyone's assistance so far.

    Tuesday, June 21, 2011 4:25 PM
  • I was finally able to demote my DC successfully. I had to first remove the DNS role. After doing so, the dcpromo completed without issue.

    Thank you for everyone's input.

    • Marked as answer by marks70 Thursday, June 30, 2011 10:15 PM
    Thursday, June 30, 2011 10:15 PM
  • Good to hear. You are welcome. And thank you for the update. Curious, did you find a link suggesting to remove DNS first?

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, July 01, 2011 3:46 AM
  • No suggestions on removing DNS first. Thought I'd try one more thing before force demoting it, and I lucked out. ;-)
    Friday, July 01, 2011 7:48 PM
  • I got the same issue when demoting the Windows 2000 DC. I did not wait that long (9 hours). After 25 mins, when it was not going anywhere, I stopped the NETLOGON service and DNS Server service manually. It then proceeded with stopping other services. It got stuck again for 5 mins on a message saying "completing demotion for the Directory Services". Finally, after that, it completed the demotion and prompted to reboot the server.

    I was relieved at that point. Thanks marks70 for giving direction to uninstall the DNS server first when demoting the DC. I hope somebody else might benefit from my experience.

    Thanks.

    • Proposed as answer by zakhanz Friday, April 13, 2012 5:29 AM
    Friday, April 13, 2012 5:29 AM
  • Hello,

    There is NO need to uninstall DNS first to demote a DC. If it doesn't work the normal way, there will mostly be another reason.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, April 13, 2012 6:04 AM
  • Hi,

    I have never heard of uninstalling DNS and then demoting the DC; this step is not required. I agree with Meinolf: if it doesn't work the normal way, there will mostly be another reason.
    See this discussion, Stop/uninstall DNS before dcpromo demote? : http://web2.minasi.com/forum/topic.asp?TOPIC_ID=16658


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 7:41 AM