Shulou(Shulou.com)05/31 Report--

What is the basic knowledge of domain controller degradation? I believe many inexperienced people are helpless about it. For this reason, this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Domain controller demotion is the process of removing Active Directory services, demoting a domain controller to a member server or standalone server. This may be necessary when a new server takes over the work of the domain controller or when the network replans.

Important note:

This article contains information about how to modify the registry. Before modifying the registry, be sure to make a backup and know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the article number below to view the article in the Microsoft Knowledge Base:

symptoms

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not degrade properly by using the Active Directory Installation Wizard (Dcpromo.exe).

reason

This phenomenon may occur if the required correlation or operation fails. This includes network connectivity, name resolution, authentication, Active Directory directory services replication, or the location of critical objects in Active Directory.

solutions

To resolve this issue, determine what is preventing the Windows 2000 or Windows Server 2003 domain controller from being demoted properly, and then try demoting the domain controller again using the Active Directory Installation Wizard.

alternative method

If this problem cannot be resolved, the following workarounds can be used to perform a forced downgrade of the domain controller to preserve the installation of the operating system and any applications within it.

Warning: Ensure that you can successfully boot in Directory Services Restore mode before using any of the following workarounds. Otherwise, you will not be able to sign in after you forcibly demote the computer. If the user forgets the password for Directory Services Restore Mode, the password can be reset by using the Setpwd.exe utility in the Winnt\System32 folder. In Windows Server 2003, the functionality of the Setpwd.exe utility has been integrated into the Set DSRM Password command of the NTDSUTIL tool. For more information on how to perform this procedure, click the article number below to view the article in the Microsoft Knowledge Base:

Windows 2000 domain controller

1. Install the Q332199 hotfix on a Windows 2000 domain controller running Service Pack 2 (SP2) or later, or install Windows 2000 Service Pack 4 (SP4). SP2 and later versions support forced demotions. Then restart the computer.

2. Click Start, click Run, and then type:

dcpromo /forceremoval

3. Click OK.

4. On the Welcome to the Active Directory Installation Wizard page, click Next.

5. If the computer you want to delete is a global catalog server, click OK in the message window.

Note: If the domain controller you are demoting is a global catalog server, promote other global catalog servers in the forest or site as needed.

6. On the Remove Active Directory page, make sure that the This server is *** a domain controller in the domain check box is cleared, and then click Next.

7. On the Network Credentials page, type the name, password, and domain name of the user account in the forest that has enterprise administrator credentials, and then click Next.

8. In Administrator Password, type the password and confirmation password that you want to assign to the administrator account for the local SAM database, and then click Next.

9. On the Summary page, click Next.

10. On domain controllers that continue to exist in the forest, perform metadata cleanup on demoted domain controllers.

If you removed a domain from the forest by using the Delete Selected Domain command in Ntdsutil, verify that all domain controllers and global catalog servers in the forest have completely removed all objects and references to the domain you just removed, and then promote a new domain to the same forest using the same domain name. Windows 2000 support tools include tools such as Replmon.exe or Repadmin.exe to help you determine if an end-to-end copy is occurring. Windows 2000 SP3 and earlier global catalog servers delete objects and naming contexts significantly slower than Windows Server 2003.

Windows Server 2003 domain controller

1. Windows Server 2003 domain controllers support forced demotions by default. Click Start, click Run, and then type:

dcpromo /forceremoval

2. Click OK.

3. On the Welcome to the Active Directory Installation Wizard page, click Next.

4. On the Force Delete Active Directory page, click Next.

5. In Administrator Password, type the password and confirmation password that you want to assign to the administrator account for the local SAM database, and then click Next.

6. In Summary, click Next.

7. On domain controllers that continue to exist in the forest, perform metadata cleanup on demoted domain controllers.

If you removed a domain from the forest by using the Delete Selected Domain command in Ntdsutil, verify that all domain controllers and global catalog servers in the forest have completely removed all objects and references to the domain you just removed, and then promote a new domain to the same forest using the same domain name. Windows 2000 Service Pack 3 (SP3) and earlier global catalog servers delete objects and naming contexts significantly slower than Windows Server 2003.

If the resource access control entries (ACEs) on the computer from which Active Directory was deleted are based on domain local groups, you may have to reconfigure these permissions because these groups are not available to member servers or standalone servers. If you plan to install Active Directory on this computer so that it becomes the domain controller in the original domain, you no longer need to configure access control lists (ACL). If you want to keep this computer as a member server or standalone server, you must convert or replace any permissions based on the domain local group.

After reading the above, do you know the basics of how to downgrade domain controllers? If you still want to learn more skills or want to know more related content, welcome to pay attention to the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.