Forced Demotion of a Windows Server 2008 Core Domain Controller

TechNet Blogs > Ask the Directory Services Team > Forced Demotion of a Windows Server 2008 Core Domain Controller
Server & Tools Blogs > Server & Management Blogs > Ask the Directory Services Team
Live Now on Server & Tools Blogs
Menu
Recent Posts
Tags
More
Archives
Archives
More

Forced Demotion of a Windows Server 2008 Core Domain Controller

14 Nov 2008 7:14 AM
  • Comments 1

Ned here again. Today's post is short and sweet, but when you need this one you will need it fast and we don't have this publically documented anywhere on TechNet (yet).

Since Windows 2000 SP4, it has been possible to forcibly demote Domain Controllers using the DCPROMO /FORCEREMOVAL command. You could use this switch if:

  • There are no domain controllers currently available in the parent domain when you try to demote the last domain controller in an immediate child domain.
  • The Active Directory Installation Wizard cannot complete because there is a name resolution, authentication, replication engine, or Active Directory object dependency that you cannot resolve after you perform detailed troubleshooting.
  • A domain controller has not replicated incoming Active Directory changes in Tombstone Lifetime (Default Tombstone Lifetime is 60 days) number of days for one or more naming contexts (see also KB article 216993).
  • Time does not permit more detailed troubleshooting because you must immediately bring into service the domain controller.

Naturally you must always follow this up with Metadata Cleanup on other DCs.

However, if you try to run this command on a Windows Server 2008 DC running in Core (no GUI) mode, it will always return:

An answer file or unattend installation command-line parameters must be specified.

And even if you provide an answer file, you will continue to get various prompts and issues that prevent demotion.

So how do we get this to work? With the following command:

dcpromo /forceremoval /demotefsmo:yes /administratorpassword:<the new password>

For example:

dcpromo /forceremoval /demotefsmo:yes /administratorpassword:Password1

So I can already hear the question "But this server did not have any FSMO roles on it - why do I need to add that switch?" The answer is because this not only forces demotion with a FSMO role in place, it also suppresses the warning prompt for FSMO when forcibly demoting.

I tried to come up with a snappier title for this, but I figured most readers that actually needed this post would already be so busy that they wouldn't want any cutesy-pie stuff. :-)

- Ned Pyle

, , , , ,
Comments
Page 1 of 1 (1 items)