Demoting Domain Controller in DSRM? (Server 2K3)

RagingBITCH

Lifer
Sep 27, 2003
Quick question - is it possible to do that? We basically are in Directory Services Restore Mode (only mode we can get into, can't get into normal, safe, last known good config, etc) - our AD somehow got corrupted and for some reason, we don't have backups running on the server of it.

We tried NTDSUTIL to repair but considering we don't have a good backup, can't. (Get a Jet error when trying to)

Is there a way to unpromote it while in DSR mode? (Basically considered a safe mode of sorts) Tried DCPROMO and Manage Your Server Roles. Was curious if we could force DCPROMO via a command line switch or if there was another way around it.

Thanks!

Melvin
 

stash

Diamond Member
Jun 22, 2000
Do you have other DCs? If this is your only DC, I'm not sure what running dcpromo would accomplish.

There is a dcpromo /force command that will forcibly demote a server without checking for replication, but I'm 99% sure that does not work in DSRM. It still needs access to the dit at that point, and in DSRM the dit is not mounted.

What commands did you try in ntdsutil and what errors did you get? Please post as much info as possible. If this is your only DC, you might be able to do a force repair with esentutl, but this is NOT recommended, especially if you have other working DCs. Even if this is the only DC, it is still not recommended, because it will literally rip things out of the dit file to get it to a bootable state. It will probably get the machine booted, but there is no guarantee that everything in your directory will still be there. And even if everything looks like it is still there, you may still encounter some weird transient behavior down the road. I believe that the ability to run this command was removed in 2003 SP1, and is only possible with a checked build of esentutl or ntdsutil, available only to a PSS engineer.
 

lansalot

Senior member
Jan 25, 2005
If you only have the one DC, then you are in big trouble I guess.

If not, then you should restore and when you are in DS restore mode, as long as you don't set it to restore authoritatively (i.e., this restore should be considered the authentic source for the state of the AD), then it should come up with the old AD at time of backup, and then resync after the reboot.