Domain controller failure in Win2K
Wednesday, July 31, 2002 02:00 PM
If you suspect that an Active Directory problem is limited to a single domain controller, the best way to attempt a fix is to use the DCPROMO command. This tool will allow you to remove the system’s domain controller status and make the system a member server instead. You can then use the DCPROMO command again to promote the system back to domain controller status. This will place a brand-new—and with any luck clean—copy of the Active Directory database on the affected domain controller. Problem solved.
Of course, things rarely go as planned. Problems can occur during the demotion that turn a simple fix into a major headache. The domain controller can get stuck in limbo. While it no longer thinks it’s a domain controller, a record of it remains in Active Directory, causing every other domain controller in your Active Directory tree to think the domain controller still exists. In this article, I’ll describe the manual process of using NTDSUTIL to clean up the mess.
What can go wrong, and why would it matter?
A networking problem or a failure to communicate with a DNS server or the other domain controllers can all cause the demotion process to fail. Likewise, you may not always have a chance to demote the system properly before a server crashes. For example, last week, I had a domain controller get destroyed by lightning. With hardware prices so low, it was cheaper to buy a new server than to repair the damaged one. But my Active Directory contained a record that my old server was still a domain controller.
If a system that no longer exists is still listed as a domain controller in Active Directory, the directory will usually keep working. But the stale record does harm over time: the surviving domain controllers keep trying to replicate with a partner that never answers, and the dead server's DNS records still advertise it as a logon server. The situation is worse if the crashed domain controller held an operations master role. Those roles must be seized onto a surviving domain controller (the ROLES menu in NTDSUTIL does this), and you should seize them before you clean up the metadata, because as long as Active Directory thinks the old server exists it is still recorded as the role holder. Suffice it to say that properly functioning operations masters are vital to a healthy Active Directory.
Whether you need to demote a domain controller because it's having problems or remove a domain controller that no longer exists, the process is the same. The method I'm about to show you will completely remove the server from Active Directory. You can then repair the server and, when appropriate, rejoin the repaired server to the domain and use DCPROMO to restore its domain controller status. One caution: once you have removed the server's metadata, don't put the old machine back on the network while it still believes it is a domain controller. Reinstall Windows (or at least remove Active Directory from it) first, because a server that comes back as a domain controller after its metadata has been deleted will only recreate the mess.
Cleaning things up
We'll start by attempting to remove the domain controller without using NTDSUTIL. This approach rarely succeeds, but it's worth a shot because it can save you a lot of work. First, open the Active Directory Users And Computers utility and navigate to the Domain Controllers container. Then, right-click on the failed domain controller and select the Delete command. Keep in mind that this deletes only the computer account; the server's NTDS Settings object in the configuration partition (visible under its site in Active Directory Sites And Services) is what the rest of the forest uses to treat it as a replication partner, and that is what NTDSUTIL removes.
If this technique fails, it's time to try to remove the domain controller through the NTDSUTIL utility. One note of caution: If the domain controller is still in the Domain Controllers container after the DCPROMO demotion appears to have succeeded, verify that replication is functional and that a replication cycle has completed before attempting to use NTDSUTIL. Otherwise, you could turn a small problem into a big one.
It’s sometimes difficult to follow complex instructions when they are presented in paragraph form. Therefore, I’m including this link to the actual text that I used for the removal process so that you can see what the removal process actually looks like in its regular form.
To launch the NTDSUTIL utility, open a Command Prompt window, type NTDSUTIL, and press [Enter]. At the NTDSUTIL prompt, enter the METADATA CLEANUP command.
The next step is to connect to the server on which you’ll be performing the cleanup operation. Technically, you can perform this operation on any domain controller, but I recommend connecting to the Domain Naming Master or to the PDC Emulator for the domain. If neither of these servers is functional, connect to whatever domain controller you can.
Type CONNECTIONS and press [Enter] to go to the Server Connections prompt. Ideally, you should be logged on as a user who has permissions to do the necessary cleanup work. If you're not, enter the command

SET CREDS domain username password

where domain is the domain you're connected to, username is the name of a user with administrator rights, and password is the password for the user.

The SET CREDS command requires you to enter a password. If the chosen account doesn't use a password, use the word null in place of the password. Be sure to enter it in lowercase.
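The batch file below is an added example, not the article's own transcript. It drives the whole NTDSUTIL sequence, including the steps that come after SET CREDS: SELECT OPERATION TARGET, picking the domain, site and server by number from each LIST output, and finally REMOVE SELECTED SERVER. It assumes a healthy domain controller named DC1 to connect to, that you run it from an account with Enterprise Admin rights (so no SET CREDS is needed), and that NTDSUTIL accepts its commands as quoted command-line arguments (this is documented for Windows Server 2003; if your Windows 2000 build does not accept them, type the same commands at the interactive prompt in the order shown).

```batch
@echo off
setlocal
rem Added example (not from the article). Walks NTDSUTIL METADATA CLEANUP
rem one stage at a time so you see each numbered list before choosing.
rem HEALTHY is an assumed name: a working DC, ideally the Domain Naming
rem Master or the PDC Emulator.
set HEALTHY=DC1

rem If the dead DC held an operations master role, seize it onto HEALTHY
rem before the cleanup. Uncomment the role(s) that apply:
rem ntdsutil roles connections "connect to server %HEALTHY%" quit "seize PDC" quit quit
rem ntdsutil roles connections "connect to server %HEALTHY%" quit "seize RID master" quit quit
rem ntdsutil roles connections "connect to server %HEALTHY%" quit "seize infrastructure master" quit quit
rem ntdsutil roles connections "connect to server %HEALTHY%" quit "seize domain naming master" quit quit
rem ntdsutil roles connections "connect to server %HEALTHY%" quit "seize schema master" quit quit

echo === Stage 1: domains known to %HEALTHY% ===
ntdsutil "metadata cleanup" connections "connect to server %HEALTHY%" quit ^
  "select operation target" "list domains" quit quit quit
set /p DOM=Number of the domain that held the dead DC: 

echo === Stage 2: sites ===
ntdsutil "metadata cleanup" connections "connect to server %HEALTHY%" quit ^
  "select operation target" "select domain %DOM%" "list sites" quit quit quit
set /p SITE=Number of the site that held the dead DC: 

echo === Stage 3: servers in that site ===
ntdsutil "metadata cleanup" connections "connect to server %HEALTHY%" quit ^
  "select operation target" "select domain %DOM%" "select site %SITE%" ^
  "list servers in site" quit quit quit
set /p SRV=Number of the DEAD server (check the name twice, this is irreversible): 

echo === Stage 4: remove the selected server ===
rem "quit" after "select server" returns to the metadata cleanup menu,
rem where REMOVE SELECTED SERVER lives. NTDSUTIL asks for confirmation.
ntdsutil "metadata cleanup" connections "connect to server %HEALTHY%" quit ^
  "select operation target" "select domain %DOM%" "select site %SITE%" ^
  "select server %SRV%" quit "remove selected server" quit quit
endlocal
```

After NTDSUTIL reports success, finish the job by hand: delete the dead server's computer object from the Domain Controllers container in Active Directory Users And Computers if it is still there, delete its server object under its site in Active Directory Sites And Services, and remove its A, CNAME and SRV records from DNS (look in the _msdcs subdomain in particular). Then run DCDIAG and REPADMIN /SHOWREPS from the Support Tools on a surviving domain controller to confirm that nothing still lists the old server as a replication partner.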

Your advice was concise, direct and best of all, successful. No more dead server errors in DCDIAG.
Thanks... Mick
Posted by anonymous on Thursday, March 20 2003 01:42 PM