Demote 2008 Domain Controller - DCPromo

posted Mar 4, 2013, 6:19 AM by Unknown user
If your domain controller objects are protected under Sites and Services, a demotion can leave you in a difficult spot for a while. DCPromo on the domain controller you are pulling from the domain will start and act as if everything is fine, stopping services and pulling out parts of the Active Directory setup, and then stop with an error. This is because of the protected objects. Open Sites and Services, select the domain controller, and clear the check box that protects the object from accidental deletion.
Note: This isn't the only check box. You have to clear it for every object here that mentions that domain controller. Follow the tree to its end, down to the connection listing.
Check each part for that same protection check box: both NTDS Settings and even the automatically generated connection.
Otherwise DCPromo will continue to stop with an error message. Do the same for each additional controller listed: go to its NTDS Settings, check each connection that lists that server, and clear the protected object box.
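
The same walk through Sites and Services can be scripted. This is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module is installed, and DC-TO-DEMOTE is a placeholder for the name of the domain controller being removed.

```powershell
Import-Module ActiveDirectory

$DcName  = 'DC-TO-DEMOTE'   # placeholder: short name of the DC being demoted
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Locate the server object that Sites and Services shows for this DC.
$server = @(Get-ADObject -SearchBase $sitesDn `
    -LDAPFilter "(&(objectClass=server)(cn=$DcName))")
if ($server.Count -ne 1) {
    throw "Expected one server object named $DcName under $sitesDn, found $($server.Count)"
}
$serverDn = $server[0].DistinguishedName

# 1. The server object, its NTDS Settings, and the connections beneath it.
$targets = @(Get-ADObject -SearchBase $serverDn -SearchScope Subtree -Filter * `
    -Properties ProtectedFromAccidentalDeletion)

# 2. Connection objects under every other DC's NTDS Settings that list this server.
$ntdsDn = "CN=NTDS Settings,$serverDn"
$targets += @(Get-ADObject -SearchBase $sitesDn `
    -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=$ntdsDn))" `
    -Properties ProtectedFromAccidentalDeletion)

# Report every object that still has the protection check box set.
$protected = @($targets | Where-Object { $_.ProtectedFromAccidentalDeletion })
$protected | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize

# Dry run: shows what would be cleared. Remove -WhatIf to clear the check boxes.
$protected | Set-ADObject -ProtectedFromAccidentalDeletion $false -WhatIf
```

Run it once with -WhatIf in place to review the list, then again without it. An empty report means no protected object referencing the server is left.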

Also note: if you fail to do the above, you can still force the demotion of the DC by running the DCPROMO /ForceRemoval command. This will remove the domain controller from the network, but will not remove the links mentioned above. You will still need to go in and clear those check boxes before you can run metadata cleanup.

If you run metadata cleanup and it ends with an error message, it is most likely because you missed one of the aforementioned check boxes. Go back through Sites and Services, go through each item, and find the one you missed. Then run metadata cleanup again. It will go through once all the appropriate boxes are unchecked.

A really good walk-through of metadata clean up can be found here: