Important: This article contains information about modifying the registry. Before modifying the registry, you must back up the registry and must know how to restore the registry when there is a problem. For information on how to back up, restore, and edit the registry, click the article number below to view the article in the Microsoft Knowledge Base:
256986 Microsoft Windows Registry Description
Symptoms
A Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controller may not be able to be demoted by using the "Active Directory Installation Wizard" (Dcpromo.exe).
Cause
This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.
Resolution
To resolve this issue, determine why the Windows 2000 or Windows Server 2003 domain controller cannot be demoted, and then try again to demote the domain controller by using the Active Directory Installation Wizard.
Workaround
If you cannot resolve the problem, you can use the following workarounds to forcibly demote the domain controller while keeping the operating system installation and any installed applications.
WARNING: Before you use any of the following workarounds, make sure that you can start the computer successfully in Directory Service Restore mode. Otherwise, after you forcibly demote the computer, you will not be able to log on. If you have forgotten the Directory Service Restore mode password, you can reset it by using the Setpwd.exe utility in the Winnt\System32 folder. In Windows Server 2003, the functionality of the Setpwd.exe utility has been integrated into the set dsrm password command of the Ntdsutil tool.
For additional information about how to perform this process, click the article number below to see the article in the Microsoft Knowledge Base:
271641 The "Configure Your Server" wizard sets the recovery mode password to blank
Windows 2000 domain controller
1. Install the Q332199 hotfix on a Windows 2000 domain controller that is running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack 4 (SP4). SP2 and later versions support forced demotion. Then restart the computer.
2. Click Start, click Run, and type the following command:
   dcpromo /forceremoval
3. Click OK.
4. On the "Welcome to the Active Directory Installation Wizard" page, click Next.
5. If the computer that you are removing is a global catalog server, click OK.
   Note: If the domain controller that you are demoting is a global catalog server, promote other global catalogs in the forest or site as needed.
6. On the "Delete Active Directory" page, make sure the "The server is the last domain controller" check box, and then click Next.
7. On the Network Credentials page, type the user name, password, and domain name of a user account that has enterprise administrator credentials in the forest, and then click Next.
8. In Administrator Password, type the password and the confirmation password that you want to assign to the local SAM database, and then click Next.
9. On the Summary page, click Next.
10. On a domain controller that continues to exist in the forest, perform metadata cleanup for the demoted domain controller.

If you remove a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all domain controllers and global catalog servers in the forest have completely deleted all objects and references that point to the domain you just deleted. Then you can promote a new domain that uses the same domain name into the same forest. Tools such as Replmon.exe and Repadmin.exe, which are included in the Windows 2000 Support Tools, help you determine whether end-to-end replication has occurred. Global catalog servers that run Windows 2000 SP3 and earlier delete objects and naming contexts more slowly than Windows Server 2003.

Windows Server 2003 domain controller
1. Windows Server 2003 domain controllers support forced demotion by default. Click Start, click Run, and type the following command:
   dcpromo /forceremoval
2. Click OK.
3. On the "Welcome to the Active Directory Installation Wizard" page, click Next.
4. On the "Forced Delete Active Directory" page, click Next.
5. In Administrator Password, type the password and the confirmation password that you want to assign to the local SAM database, and then click Next.
6. On the Summary page, click Next.
7. On a domain controller that continues to exist in the forest, perform metadata cleanup for the demoted domain controller.

If you remove a domain from the forest by using the remove selected domain command in Ntdsutil, verify that all domain controllers and global catalog servers in the forest have completely deleted all objects and references that point to the domain you just deleted. Then you can promote a new domain that uses the same domain name into the same forest. Global catalog servers that run Windows 2000 Service Pack 3 (SP3) and earlier delete objects and naming contexts more slowly than Windows Server 2003.
If the domain controller cannot start in normal mode
Note: Do not use the following steps unless it is absolutely necessary because the domain controller cannot start in normal mode.
WARNING: Incorrect use of Registry Editor can cause serious problems that may require you to reinstall the operating system. Microsoft does not guarantee that you can solve problems caused by improper use of Registry Editor. Use Registry Editor at your own risk.
To remove Active Directory from a domain controller, follow these steps:
1. Restart your computer and press the F8 key to display the Windows 2000 Advanced Options menu.
2. Select "Directory Service Restore mode", press ENTER, and then press ENTER again to continue restarting.
3. Modify the ProductType entry in the registry. To do this, follow these steps:
   a. Start Registry Editor.
   b. Click the "ProductType" entry under the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
   c. On the Edit menu, click "String", type Server, and then click OK.
      Note: If this value is not set correctly, or if it is misspelled, you may receive the following error message:
      System Process - License Violation: The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted.
   d. Exit Registry Editor.
4. Restart your computer.
5. Log on with the administrator account and password for Directory Service Restore mode. The computer now runs as a member server. However, some files and registry entries that are associated with the domain controller remain on the computer.
6. Delete these remaining files and registry entries. To do this, follow these steps:
   a. Start the "Active Directory Installation Wizard".
   b. Install Active Directory, making the computer a domain controller for a new temporary domain (such as "psstemp.deleteme").
      Note: Be sure to make the computer a domain controller in a different forest.
   c. After you install Active Directory, start the Active Directory Installation Wizard again and remove Active Directory from the domain controller.
7. After you remove Active Directory from the domain controller, delete the metadata that remains in the original domain. For additional information about how to delete this metadata, click the article number below to see the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
If the access control entries (ACEs) on resources on the computer from which you removed Active Directory are based on domain local groups, these permissions may have to be reconfigured, because these groups are unavailable to member servers and standalone servers. If you plan to install Active Directory on this computer again to make it a domain controller in the original domain, you do not have to configure the access control lists (ACLs). If you want to keep the computer as a member server or standalone server, you must convert or replace any permissions that are based on domain local groups.
For additional information about the permissions after deleting Active Directory from the domain controller, click the article number below to view the article in the Microsoft Knowledge Base:
320230 domain controller effect after downgrade
Status
Microsoft has tested and supports the forced demotion of domain controllers that run Windows 2000 or Windows Server 2003.
More information
The "Active Directory Installation Wizard" creates Active Directory domain controllers on Windows 2000-based computers and Windows Server 2003-based computers. The operations that the wizard performs include installing new services, changing the startup values of existing services, and converting to Active Directory as the security and authentication realm.
With forced demotion, domain administrators can forcibly remove Active Directory and roll back the locally saved system changes without having to contact other domain controllers in the forest or replicate local changes to them.
Because forced demotion results in the loss of any locally saved changes, do not use forced demotion in a production domain or test domain unless it is absolutely necessary. You can forcibly demote a domain controller when you cannot resolve connectivity, name resolution, authentication, or replication engine problems. Valid scenarios for forced demotion include:
• No domain controller is available in the parent domain when you try to demote the last domain controller in a direct child domain.
• The "Active Directory Installation Wizard" cannot complete because of a name resolution, authentication, replication engine, or Active Directory object dependency that remains unresolved after detailed troubleshooting.
• The domain controller has not replicated inbound Active Directory changes for one or more naming contexts within the tombstone lifetime (the default tombstone lifetime is 60 days). Important: Do not restore such domain controllers unless they are the only option for recovering a specific domain.
• There is no time for more detailed troubleshooting because you must put the domain controller into service.

Forced demotion can be very useful in lab and classroom environments, where you can remove domain controllers from existing domains without having to demote each domain controller in order.
If you forcibly demote a domain controller, you lose any unique changes that exist only on that domain controller. This includes the addition, deletion, or modification of users, computers, groups, trust relationships, and Group Policy or Active Directory configuration that had not replicated before you ran the dcpromo /forceremoval command. In addition, you lose changes to any attributes of these objects (such as user passwords, computers, trust relationships, and group memberships).
However, if you forcibly demote a domain controller, you return the operating system to the same state as after the demotion of the last domain controller in a domain (including service startup values, installed services, use of a registry-based SAM for the account database, and the computer being a member of a workgroup). Programs that are installed on the demoted domain controller remain installed.
The "System" event log identifies forcibly demoted Windows 2000 domain controllers, and instances of the dcpromo /forceremoval operation, with event ID 29234. For example:
Event Type: Warning
Event Source: lsasrv
Event Category: None
Event ID: 29234
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a domain controller.

The "System" event log identifies forcibly demoted Windows Server 2003 domain controllers with event ID 29239. For example:
Event Type: Warning
Event Source: lsasrv
Event Category: None
Event ID: 29239
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: computername
Description: The server was force demoted. It is no longer a domain controller.
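
When System logs are collected as text, the two event IDs above can be matched mechanically to find servers that were forcibly demoted. The following Python is an added example, not part of the original article; it assumes the export uses the field layout shown above, and the sample records and computer names are constructed.

```python
# Event IDs the article gives for forced demotion, and the OS each one implies.
FORCED_DEMOTION_IDS = {29234: "Windows 2000", 29239: "Windows Server 2003"}
FIELDS = ("event type", "event source", "event category", "event id",
          "date", "time", "user", "computer", "description")
# Constructed sample in the record layout shown above; not real log data.
SAMPLE_EXPORT = """\
Event Type: Warning
Event Source: lsasrv
Event Category: None
Event ID: 29239
Date: 03/14/2005
Time: 10:22:41 AM
User: N/A
Computer: DC-EXAMPLE-02
Description: The server was force demoted.
It is no longer a domain controller.

Event Type: Information
Event Source: ExampleApp
Event ID: 29234
Computer: APP-EXAMPLE-01
Description: Unrelated source that happens to reuse the number 29234.
"""

def parse_records(text):
    """Split a text export into dicts; an 'Event Type:' line opens each record."""
    records, current, last = [], None, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = key.strip().lower()
        if sep and name in FIELDS:
            if name == "event type":
                current = {}
                records.append(current)
            if current is not None:
                current[name], last = value.strip(), name
        elif current is not None and line.strip():
            current[last] += " " + line.strip()  # wrapped text of the previous field
    return records

def find_forced_demotions(text):
    """Return (computer, event_id, os_name) for each matching lsasrv record."""
    hits = []
    for rec in parse_records(text):
        event_id = rec.get("event id", "")
        if (rec.get("event source", "").lower() == "lsasrv"
                and event_id.isdigit() and int(event_id) in FORCED_DEMOTION_IDS):
            hits.append((rec.get("computer", ""), int(event_id),
                         FORCED_DEMOTION_IDS[int(event_id)]))
    return hits
```

Matching on the event source as well as the ID keeps an unrelated application that reuses the same number from being reported.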
After you use the dcpromo /forceremoval command, the metadata for the demoted domain controller is not deleted on the domain controllers that continue to exist. For additional information, click the article number below to see the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
After you forcibly demote the domain controller, you must complete the following tasks (if applicable):
1. Remove the computer account from the domain.
2. Verify that the DNS records (including A records, CNAME records, and SRV records) have been deleted; if they still exist, delete them.
3. Verify that the FRS member objects (FRS and DFS) have been deleted; if they still exist, delete them. For additional information, click the article number below to see the article in the Microsoft Knowledge Base:
   296183 Overview of the Active Directory objects used by FRS
4. If the demoted computer is a member of any security groups, remove it from these groups.
5. Delete any DFS references (links or root replicas) to the demoted server.
6. A domain controller that continues to exist must seize any operations master roles (also known as flexible single master operations or FSMO) that were owned by the forcibly demoted domain controller. For additional information, click the article number below to see the article in the Microsoft Knowledge Base:
   255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
7. If the domain controller that you are demoting is a DNS server or a global catalog server, you must create a new global catalog or DNS server to meet the load balancing, fault tolerance, and configuration settings in the forest.
8. When you use the remove selected server command in Ntdsutil, the NTDSDSA object (the parent object of the inbound connections for the domain controller that you forcibly demoted) is deleted. This command does not delete the parent server object that appears in the Sites and Services snap-in. If you do not promote the domain controller back into the forest under the same computer name, use the "Active Directory Sites and Services" MMC snap-in to delete the server object.
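
Task 2 above can be checked against an exported copy of the DNS zone. The following Python is an added example, not part of the original article; it assumes a zone-file style export with one record per line in the order owner, TTL, class, type, data, and the domain example.test, host names, addresses and GUID are constructed.

```python
# Constructed zone export for the assumed domain example.test; not real data.
SAMPLE_ZONE = """\
dc1.example.test.                   3600 IN A     192.0.2.10
dc2.example.test.                   3600 IN A     192.0.2.11
_ldap._tcp.dc._msdcs.example.test.  600  IN SRV   0 100 389 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test.  600  IN SRV   0 100 389 dc2.example.test.
_kerberos._tcp.example.test.        600  IN SRV   0 100 88 dc2.example.test.
0f1e2d3c-0000-4000-8000-000000000002._msdcs.example.test. 600 IN CNAME dc2.example.test.
www.example.test.                   3600 IN CNAME web1.example.test.
"""

CHECKED_TYPES = {"A", "CNAME", "SRV"}  # the record types named in task 2

def stale_records(zone_text, demoted_fqdn):
    """Return (type, owner, data) for records that still reference the demoted host."""
    demoted = demoted_fqdn.rstrip(".").lower()
    stale = []
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # not in the assumed owner/TTL/class/type/data layout
        owner, rtype, rdata = parts[0], parts[3].upper(), parts[4:]
        if rtype not in CHECKED_TYPES:
            continue
        # A record: the owner is the host. CNAME and SRV: the target is the last field.
        subject = owner if rtype == "A" else rdata[-1]
        if subject.rstrip(".").lower() == demoted:
            stale.append((rtype, owner, " ".join(rdata)))
    return stale

def report(zone_text, demoted_fqdn):
    """Format the leftover records as lines an operator can review before deleting."""
    return ["%-5s %s -> %s" % rec for rec in stale_records(zone_text, demoted_fqdn)]
```

Records for other hosts, such as dc1 and the www alias in the sample, are left out of the result, so the output lists only what still has to be deleted for the demoted server.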