This is an old one, but I thought I'd post it here for anyone who ever has trouble demoting a DC to a member server or stand-alone server.


The 3 supported ways of removing AD from a server with W2K, W2K3 and W2K8 are:

  1. DCPROMO
    1. Used most of the time when it concerns a healthy DC
    2. Does NOT work in SAFE or DSRM mode, only works in NORMAL mode
    3. End result will be a member server in the domain, except when it is the last DC in the domain, because in that case it will be a stand-alone server
    4. Any FSMO roles will be transferred automatically to another DC
    5. DC specific metadata will be cleaned (except for the server object in Sites and Services, which you delete by hand afterwards)
  2. DCPROMO /FORCEREMOVAL
    1. Used most of the time when it concerns an UNhealthy DC, for example a DC that experiences a "USN rollback" or "lingering objects"
    2. Does NOT work in SAFE or DSRM mode, only works in NORMAL mode (W2K8 is the exception, see the note below)
    3. End result will be a stand-alone server
    4. Any FSMO roles will NOT be transferred automatically to another DC. As of W2K3 SP1 a message is generated stating that continuing will orphan any FSMO roles hosted by the DC. After continuing you need to SEIZE the FSMO roles to another DC --> see: Moving FSMO roles from one DC to another DC
    5. DC specific metadata will NOT be cleaned. You still need to clean the AD metadata of the DC --> see: Cleaning up the AD metadata of a DC or an AD domain
  3. Just whack the server and reinstall ;-)
    1. Used most of the time when NOTHING else works and/or the server does not contain any data that is worth saving
    2. End result will depend on the install (joined or unjoined)
    3. Any FSMO roles will NOT be transferred automatically (duh!) to another DC. Afterwards you need to SEIZE the FSMO roles to another DC --> see: Moving FSMO roles from one DC to another DC
    4. DC specific metadata will NOT be cleaned. You still need to clean the AD metadata of the DC BEFORE rebuilding the server, otherwise the rebuilt server collides with the stale objects that still carry its name --> see: Cleaning up the AD metadata of a DC or an AD domain


NOTE: W2K8 supports removing AD from a DC in DSRM by using 'DCPROMO /FORCEREMOVAL'. Be aware that afterwards you still need to clean the AD metadata. If the server hosts any FSMO role you will be warned about it. If you continue you need to seize the FSMO roles to another live DC!


The following method is used especially when the DC does not boot anymore in NORMAL mode, but it does boot in DSRM, and it contains data that is worth saving or rebuilding the DC takes too much time. Also BE AWARE that:

  1. Any FSMO roles will NOT be transferred automatically (duh!) to another DC. You still need to SEIZE the FSMO roles to another DC --> see: Moving FSMO roles from one DC to another DC
  2. DC specific metadata will NOT be cleaned (duh!). You still need to clean the AD metadata of the DC BEFORE rebuilding the server --> see: Cleaning up the AD metadata of a DC or an AD domain
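The seizure, metadata cleanup and forced replication that the lists above keep pointing to, as one added example in PowerShell (this is not code from the original post or from the linked articles). It wraps the ntdsutil and repadmin commands that exist on W2K3 SP1 and W2K8; the names are assumptions for illustration: the dead DC is "DC01", the surviving DC you run this on is "DC02", the domain is corp.example and the site is "Default-First-Site-Name". Run it in NORMAL mode on DC02 as a Domain Admin (Schema Admins and Enterprise Admins membership is also needed for the schema and domain naming roles).

```powershell
# Added example, not from the original post. Assumed names: dead DC "DC01",
# surviving DC "DC02", domain corp.example, site "Default-First-Site-Name".
$DeadDC   = 'DC01'
$TargetDC = 'DC02'
$DeadDcDn = "CN=$DeadDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"

# 1. Seize every role onto the surviving DC. ntdsutil "seize" first tries a
#    graceful transfer and only seizes when the current holder does not answer,
#    so seizing a role DC02 already holds is harmless. Never bring the old
#    holder back on the network afterwards without rebuilding it.
$roles = 'schema master', 'naming master', 'PDC', 'RID master', 'infrastructure master'
foreach ($role in $roles) {
    & ntdsutil roles connections "connect to server $TargetDC" quit "seize $role" quit quit
}

# 2. Remove the dead DC's NTDS Settings object and the references to it.
#    W2K3 SP1 and later accept the server DN directly; W2K and W2K3 RTM need
#    the interactive "select operation target" walk instead.
& ntdsutil 'metadata cleanup' "remove selected server $DeadDcDn" quit quit

# 3. Force replication of both changes to every DC: all partitions (/A),
#    identify DCs by DN (/d), cross site links (/e), push from here (/P).
& repadmin /syncall $TargetDC /AdeP

# 4. Verify: no role may still name the dead DC, and the remaining DCs must
#    agree on the holders. netdom is in-box on W2K8 and in the W2K3 Support Tools.
& netdom query fsmo
& repadmin /showrepl $TargetDC
```

Do the cleanup before the server is rebuilt or re-promoted under the same name; a rebuilt "DC01" that comes up while the old NTDS Settings object is still in the configuration partition inherits the old, broken identity.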


NOTE: PROCEED WITH CAUTION AND DO NOT USE THIS IF THERE IS ANOTHER WAY!


The steps of the UNSUPPORTED way of removing AD from a server with W2K and W2K3 are:

  1. Boot into DSRM (Directory Services Restore Mode)
  2. Log on with the DSRM administrator
  3. Start REGEDIT
  4. Navigate to the key "HKLM\System\CurrentControlSet\Control\ProductOptions"
  5. Change the data value of the data name "ProductType" from "LanmanNT" to "ServerNT"
  6. Reboot the server. It will boot as a stand-alone server (although it still shows the domain it belonged to on the logon screen)
  7. Log on with the LOCAL SERVER administrator account and its password. The password is the same as that of the DSRM administrator account, because the local SAM is now the only account database the server has.
  8. Promote the server to a DC in a new AD domain in a new AD forest.
    1. As the domain use for example "TEMPAD.TEMP" as the domain FQDN and "TEMPAD" as the domain NetBIOS name (it will suggest the OLD domain NetBIOS name, but DO NOT use that!!!).
    2. Use the same paths for the AD DB, the AD LOGS and the SYSVOL. If you do not know them anymore, open REGEDIT and navigate to the key "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" for the AD file locations and look at the data values of the data names "DSA Working Directory" and "Database log files path". For the SYSVOL path navigate to the key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" and look at the data value of the data name "SYSVOL". From that path use only the part without the last SYSVOL directory (the parent folder). After entering the paths, acknowledge that the current files in the specified folders may be deleted!
    3. REMARK: the password of the domain administrator account will be the same as that of the local server administrator, which again is the same as that of the previous DSRM administrator account.
  9. Reboot the server. It will boot as a DC of the newly created AD forest/domain
  10. Log on with the domain administrator account and its password. See the remark mentioned above.
  11. Demote the DC, it being the last DC of the AD forest/domain that was just created. The end result will be a stand-alone server which still has the temporary FQDN as its primary DNS suffix (by default the primary DNS suffix follows the domain membership, so it will change again when the server joins or is promoted into the real domain).
  12. Delete the SYSVOL directory.
  13. Reboot the server. It will boot as a stand-alone server.
  14. From now on do with the server as you wish, like joining it as a member server or promoting it to a DC of an existing AD domain (BEFORE DOING EITHER, DO FIRST WHAT IS MENTIONED ABOVE, MEANING "SEIZING THE FSMO ROLES" PREVIOUSLY HOSTED BY THE DC AND "CLEANING ITS METADATA", AND FORCING AD REPLICATION OF BOTH CHANGES)
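Steps 4, 5 and the path lookup of step 8.2 as one added PowerShell script (not from the original post). It assumes it runs in DSRM as the DSRM administrator and that PowerShell is present (in-box on W2K8, an add-on on W2K3; on W2K and W2K3 without it, reg.exe or REGEDIT read and write the same values). The key and value names are the ones quoted in the steps above; the output file names are arbitrary choices made here.

```powershell
# Added example, not from the original post: preflight, record the AD paths,
# back up ProductOptions and flip ProductType so the next normal boot is a
# stand-alone server. Run in DSRM only.
$productKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
$ntdsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Refuse to run unless this really is a DC booted into DSRM. Windows sets
# SAFEBOOT_OPTION to DSREPAIR for a DSRM boot; flipping ProductType on a
# DC that is running AD normally is not what this procedure is for.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in DSRM (SAFEBOOT_OPTION = '$env:SAFEBOOT_OPTION'). Boot with F8 -> Directory Services Restore Mode first."
}
$productType = (Get-ItemProperty $productKey).ProductType
if ($productType -ne 'LanmanNT') {
    throw "ProductType is '$productType', not 'LanmanNT'; this box is not a DC, nothing to do."
}

# Step 8.2: record the locations dcpromo must be given for the temporary forest.
$ntds   = Get-ItemProperty $ntdsKey
$sysvol = (Get-ItemProperty $nlKey).SysVol          # e.g. C:\WINDOWS\SYSVOL\sysvol
$paths  = New-Object PSObject -Property @{
    Database = $ntds.'DSA Working Directory'        # ntds.dit folder
    Logs     = $ntds.'Database log files path'      # edb*.log folder
    SysVol   = Split-Path -Parent $sysvol           # the parent, without the trailing "sysvol"
}
$paths | Format-List
$paths | Export-Clixml "$env:SystemDrive\dsrm-paths.xml"   # keep a copy to read back in step 8

# Steps 4 and 5: keep a .reg backup of the key, then LanmanNT (DC) -> ServerNT (member/stand-alone).
& reg export 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' "$env:SystemDrive\ProductOptions.reg" /y
Set-ItemProperty -Path $productKey -Name ProductType -Value 'ServerNT'
Write-Host 'ProductType set to ServerNT. Reboot normally and log on as the local Administrator with the DSRM password.'
```

The .reg backup is the only undo you have: if the reboot does not come up as expected, boot back into DSRM and import it (or set ProductType back to LanmanNT by hand) before trying anything else.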


Cheers,

Jorge

------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------------