Troubleshooting
Problem
Active Directory Domain Demotion
Symptom
- When you try to demote the last domain controller in a child domain, it fails.
- The server is still a domain controller after the demotion reports that it was successful.
- The last domain controller is a Windows 2000 Server in a mixed environment which contained.
- You check the DCPromo log (c:\windows\debug\DCPromo.log) and find the following:
02/02 06:34:14 [INFO] Error - According to the information stored locally, this dc is the last dc in the domain, and the domain has a child domain. (8398)
02/02 06:34:14 [INFO] NtdsDemote returned 8398
02/02 06:34:14 [INFO] DsRolepDemoteDs returned 8398
02/02 06:34:14 [ERROR] Failed to demote the directory service (8398)
- You then try using the NTDSUTIL tool from the forest root domain controller to delete the child domain and get the following error:
DsRemoveDsDomainW error 0x2015
Cause
When you promote a Windows Server 2003 server to a domain controller, it creates a naming context (DC=DomainDnsZones) in the application partition.
- If the last domain controller in the child domain is a Windows 2000 Server, it checks Active Directory, finds this naming context, and treats it as a child domain.
- The child domain therefore appears to have a child domain of its own, which causes DCPromo to fail.
Environment
Active Directory
Diagnosing The Problem
Check: System Event Logs, Directory Services Event Logs, and DCPromo Log
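As an added example (not part of the original article or of any vendor tool), the following Python script triages the text of a DCPromo.log for the failure signature shown under Symptom. The sample log text, the function name and the field names are constructed for illustration.

```python
import re

# Constructed sample modelled on the DCPromo.log excerpt under Symptom;
# the first line is filler added for this example.
SAMPLE_LOG = """\
02/02 06:34:10 [INFO] (constructed filler line)
02/02 06:34:14 [INFO] Error - According to the information stored locally, this dc is the last dc in the domain, and the domain has a child domain. (8398)
02/02 06:34:14 [INFO] NtdsDemote returned 8398
02/02 06:34:14 [INFO] DsRolepDemoteDs returned 8398
02/02 06:34:14 [ERROR] Failed to demote the directory service (8398)
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
RETURNED_RE = re.compile(r"^(\w+) returned (\d+)$")
TRAILING_CODE_RE = re.compile(r"\((\d+)\)\s*$")
LAST_DC_WITH_CHILD = 8398  # error code this article is about


def triage_dcpromo_log(text):
    """Return one finding per failed demotion recorded in the log text."""
    findings, chain, reason = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines or unrelated text
        when, level, msg = m.groups()
        returned = RETURNED_RE.match(msg)
        if returned and returned.group(2) != "0":
            # Non-zero return: record which call failed and with what code.
            chain.append((returned.group(1), int(returned.group(2))))
        elif msg.startswith("Error - "):
            reason = msg[len("Error - "):]
        elif level == "ERROR" and msg.startswith("Failed to demote"):
            code = TRAILING_CODE_RE.search(msg)
            code = int(code.group(1)) if code else None
            findings.append({
                "time": when,
                "code": code,
                "reason": reason,
                "call_chain": chain,
                "matches_article": code == LAST_DC_WITH_CHILD,
            })
            chain, reason = [], None
    return findings


if __name__ == "__main__":
    for f in triage_dcpromo_log(SAMPLE_LOG):
        print(f)
```

Pass it the text of the log copied from the domain controller; a finding with matches_article set to True is the 8398 case that the steps below resolve.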
Resolving The Problem
Solution:
1. Remove the DomainDnsZones naming context from Active Directory by using the following steps (make sure you run them on the forest root domain controller):
"DsRemoveDsDomainW error 0x2015" error message when you use Ntdsutil to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
http://support.microsoft.com/kb/887424/
- Click Start, click Run, type ntdsutil, and then press ENTER.
- At the Ntdsutil command prompt, type domain management, and then press ENTER.
- Type connections, and then press ENTER.
- Type connect to server Domain_Controller_Name, and then press ENTER.
- After the following message appears, type quit, and then press ENTER:
- Connected to Domain_Controller_Name using credentials of locally logged on user
- At the domain management prompt, type list, and then press ENTER.
- Note the following entry:
- DC=DomainDnsZones,DC=Child_Domain,DC=extension
- For example, if the child domain is Contoso.com, note the following entry:
- DC=DomainDnsZones,DC=contoso,DC=com
- Type the following command, and then press ENTER.
- delete nc dc=domaindnszones,dc=Child_Domain,dc=extension
- Note: In this command, Child_Domain represents the name of the child domain that you want to remove. For example, if the child domain is Contoso.com, type the following command, and then press ENTER:
- delete nc dc=domaindnszones,dc=contoso,dc=com
- Quit Ntdsutil.
2. Use NTDSUTIL to delete the domain controller from the child domain.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
3. Then use NTDSUTIL on the Forest Root DC to delete the child domain.
- C:\>ntdsutil
- ntdsutil: metadata cleanup
- metadata cleanup: connections
- server connections: connect to server DC01
Binding to DC01 ...
Connected to titanic using credentials of locally logged on user
- server connections: quit
- metadata cleanup: select operation target
- select operation target: list domains
Found 3 domain(s)
0 - DC=Microsoft,DC=com
1 - DC=Child1,DC=Microsoft,DC=com
2 - DC=Child2,DC=Microsoft,DC=com
- select operation target: select domain 2
Site - CN=London,CN=Sites,CN=Configuration,DC=Microsoft,DC=com
Domain - DC=Child2,DC=Microsoft,DC=com
No current server
No current Naming Context
- select operation target: quit
- metadata cleanup: remove selected domain
4. On the last domain controller (Windows 2000 Server), you can run DCPROMO /Forceremoval (Start >> Run) to remove any Active Directory information from that server.
How to prevent this from happening:
- If a child domain contains a mix of domain controllers (Windows 2000 Server and Windows Server 2003), demote the Windows Server 2003 domain controllers last. New operating systems bring changes to the schema and to the Active Directory partitions, and older operating systems may not understand these changes.
Document Information
Modified date:
03 January 2022
UID
isg3T1011443