
We've had a child DC fail on us, and can't get into Windows on it as Directory Services is failing. A restore of the backed-up active directory hasn't worked due to a corruption, and so we've decided to demote the child DC and - for now - run AD from the PDC only.

However, dcpromo /demote doesn't work from Safe Mode or Directory Services Restore Mode.

We don't want to do a complete reinstall, as we have Exchange running on the child DC.

Anyone know how (if?) we can demote the DC within safe mode or otherwise get into Windows?

Thanks

LapTop006
adam
  • There are no "PDC" computers in Active Directory. There is a single domain controller in each domain that holds a role, "PDC Emulator", but that doesn't make that domain controller some kind of special "primary" copy of Active Directory. They're all just domain controllers. – Evan Anderson Feb 25 '10 at 23:02
  • How many DCs in the AD, just two? How does dcpromo /demote fail? What are the errors you have indicating problems with the AD? You might be able to fix or restore the DC first if you provide some more info. What does DCDIAG say? If you only have two DCs then make sure you have sorted out what you are going to do with the FSMO role ownership as well. – Sim Feb 25 '10 at 23:10
  • @Sim: I'm guessing he's getting an Active Directory failure message being generated by LSASS.exe during boot (prior to a logon prompt) that, in turn, is causing the machine to reboot w/o allowing access to Windows (and, thus, the ability to run dcpromo at all from a Normal Mode boot). – Evan Anderson Feb 25 '10 at 23:23
  • @Evan - that's correct. Apologies, my IT knowledge is somewhat outdated and I've been relaying from our IT manager! We do have two DCs, LSASS fails immediately before login and dcpromo fails due to being in safe mode. – adam Feb 25 '10 at 23:57

1 Answer


You've got a bit of a mess there.

Microsoft recommends against demoting a Windows Server 2003 domain controller running Exchange 2003. (They describe a "...loss of some Exchange functionality..." but don't go into details.)

I'm not aware of any DCPROMO switches that will help you if you can only boot in DS Restore Mode. I think your best bet is probably the procedure in KB332199 under "If the domain controller cannot start in normal mode".

If it were me and I managed to get it running again w/ the manual registry modification procedure I'd set up a temporary Exchange Server machine, move the mailboxes off the source server, level and reload the source server, then reload Exchange and move the mailboxes back. I don't think I'd trust a machine that had AD "manually" removed as described in that procedure.

Evan Anderson
  • Thanks Evan! We'd also found KB332199 and have made the registry edit. We've reinstalled the AD on our failed DC, seized the FSMO and are now doing a metadata cleanup. Then we're going to try to replicate our working DC down before focusing on Exchange. All good fun... – adam Feb 25 '10 at 23:59
  • Good call Evan. I'd also add try and get another dedicated DC up and running as well, perhaps as a VM, so you can avoid the shared DC and Exchange setup in the future. – Sim Feb 26 '10 at 01:06
  • Thanks for your help Evan. We demoted the DC and created another (separate) DC. Exchange is fine, but we're moving it to a new server asap. – adam Feb 26 '10 at 10:14