How to promote and demote domain controllers in Windows 2000 (238369)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q238369

SUMMARY

This article describes how to promote a server to a domain controller and how to demote a domain controller back to a stand-alone server in Windows 2000. Promoting a server to a domain controller is the process of installing Active Directory on that server. Demoting a domain controller removes Active Directory; the computer then uses its local Security Accounts Manager (SAM) database for accounts. Before promoting a server to a domain controller, plan your directory structure to suit your organizational needs and network topology. An administrator has the following options when promoting a server to a domain controller:
- Installing the first domain controller in a new forest
- Installing the first domain controller in a new domain tree in an existing forest
- Installing the first domain controller in a new child domain
- Installing an additional domain controller in an existing domain
- Removing Active Directory from a domain controller
The Domain Name System (DNS) service is an integral part of Active Directory. Active Directory domain names are DNS names, and clients, domain controllers and replication partners locate each other through the service (SRV) records that domain controllers register in DNS. Without working DNS, a server being promoted cannot find the existing domain, and clients cannot find a domain controller to log on to.
For additional information about DNS
requirements and installation, click the article number below to view the
article in the Microsoft Knowledge Base: 237675 Setting Up the Domain Name System for Active Directory
After you plan your configuration and decide which
option you will be using during the promotion process, use the steps in the
appropriate section below. These sections guide an administrator through the
promotion process.
Installing the First Domain Controller in a New Forest

NOTE: You must install a DNS server at some point before or during the promotion process. After the computer is promoted to a domain controller, it registers service (SRV) records in DNS that enable clients and other domain controllers to locate it and to perform Lightweight Directory Access Protocol (LDAP) queries against the directory on that domain controller.
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click
Next.
- The Active Directory Installation Wizard asks a series of
questions to determine the role this server will have. Because you are
installing this server as the first domain controller in the forest, click
Domain Controller for a New Domain.
- Click Next.
- Because this domain controller will also be the first
domain controller in a new domain tree, click Create a new domain
tree.
- Click Next.
- Because this will be the first domain controller in the new
forest, it will be the first domain in your organization. Click Create
a new forest of domain trees.
- Click Next.
- In the New Domain Name screen, type the full DNS name for your new domain in the form of
a fully qualified domain (for example: Microsoft.com).
- In the NetBIOS Domain Name screen, the NetBIOS Name box is populated with the first part of your fully qualified
domain name (for example: MICROSOFT).
- The Database Location and Logs Location boxes are populated with the default location (Rootdrive\Winnt\Ntds). For best performance and recoverability, store the database and the logs on separate physical disks: change the Logs Location value to a different hard disk.
- Click Next.
- In the Shared System Volume screen, the default location of Rootdrive\Winnt\Sysvol is
acceptable as long as the volume uses the NTFS file system. This is required
for the Sysvol folder.
- Click Next.
- If you do not have a DNS server available, a "The wizard
cannot contact the DNS server that handles the name Domain
Name to determine if it supports dynamic update. Confirm your DNS
configuration, or install and configure a DNS server on this computer" message
appears.
- Click OK.
- In the Configure DNS screen, click Yes, install and configure DNS on this
computer (recommended).
- Click Next.
- In the Permissions screen (the wizard describes the choice in terms of Windows NT 4.0 RAS servers), choose whether to use permissions compatible with pre-Windows 2000 servers or permissions compatible only with Windows 2000 servers. Select the pre-Windows 2000 option only if Windows NT 4.0 Remote Access Service (RAS) servers must read user account information from this domain: it adds Everyone to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated (anonymous) connections read user and group attributes. Click Next.
- In the Directory Services Restore Mode Administrative Password screen, specify the administrator password to use when you start the computer in Directory Services Restore mode. You use Directory Services Restore mode when you need to recover the Active Directory database.
NOTE: Make sure you record this password in a secure location, or you cannot restore Active Directory if needed. It is a local account password stored on this domain controller, independent of domain accounts, so choose a strong value that is not shared with other systems.
- In the Summary screen, confirm your options, and then click Next.
- Verify that Active Directory is installed by viewing the
messages on the screen. After Active Directory is installed, click Finish to close the wizard.
- Restart the computer.
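A post-promotion check for the DNS registration described in the note at the start of this section, added here as an example and not part of the Microsoft article. The Net Logon service writes the records it registers by dynamic update to %SystemRoot%\System32\Config\Netlogon.dns; the script below parses text in that format and reports which of the records that LDAP and Kerberos clients (and replication partners) depend on are absent, and whether any SRV record points at a host other than this domain controller. The sample file contents, the host name dc1.example.com, the site name and the DSA GUID are constructed for the example, and the _kpasswd._udp record is deliberately left out so that the check has something to report.

```python
# Added example (not from the KB article): verify that a newly promoted domain
# controller registered the DNS records clients and replication partners need.
# Input format is that of %SystemRoot%\System32\Config\Netlogon.dns, the file in
# which the Net Logon service lists the records it registers by dynamic update.
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what Netlogon.dns looks like for the first DC in
# example.com. Host names and the DSA GUID are made up; the _kpasswd._udp
# record is left out on purpose so the check below reports something.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
3b3c2d1e-0f0a-4b5c-8d9e-0a1b2c3d4e5f._msdcs.example.com. 600 IN CNAME dc1.example.com.
"""
SAMPLE_DSA_GUID = "3b3c2d1e-0f0a-4b5c-8d9e-0a1b2c3d4e5f"  # made up for the sample

# owner TTL IN type rdata   (master-file style, one record per line)
_RECORD_RE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def parse_netlogon_dns(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Parse Netlogon.dns lines into {(owner, rrtype): [rdata, ...]}.

    Owner names are stored lower-cased and without the trailing dot so that
    they can be compared case-insensitively.
    """
    records: Dict[Tuple[str, str], List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = _RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        key = (m["owner"].lower().rstrip("."), m["type"])
        records.setdefault(key, []).append(m["rdata"])
    return records


def required_records(domain: str, forest: str, site: str, dsa_guid: str,
                     is_gc: bool = False, is_pdc: bool = False) -> Set[Tuple[str, str]]:
    """Owner names a Windows 2000 DC registers for its domain and under _msdcs.

    domain and forest are DNS names, site is the Active Directory site name and
    dsa_guid is the objectGUID of the DC's NTDS Settings object; the CNAME for
    that GUID is what replication partners resolve to reach this DC.
    """
    d, f, s = domain.lower(), forest.lower(), site.lower()
    req = {
        (f"_ldap._tcp.{d}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.{s}._sites.{d}", "SRV"),
        (f"_ldap._tcp.{s}._sites.dc._msdcs.{d}", "SRV"),
        (f"_kerberos._tcp.{d}", "SRV"),
        (f"_kerberos._udp.{d}", "SRV"),
        (f"_kerberos._tcp.dc._msdcs.{d}", "SRV"),
        (f"_kerberos._tcp.{s}._sites.{d}", "SRV"),
        (f"_kpasswd._tcp.{d}", "SRV"),
        (f"_kpasswd._udp.{d}", "SRV"),
        (f"{dsa_guid.lower()}._msdcs.{f}", "CNAME"),
    }
    if is_gc:   # global catalog servers also register forest-wide GC records
        req |= {(f"_gc._tcp.{f}", "SRV"), (f"_ldap._tcp.gc._msdcs.{f}", "SRV")}
    if is_pdc:  # only the PDC emulator registers the pdc._msdcs record
        req.add((f"_ldap._tcp.pdc._msdcs.{d}", "SRV"))
    return req


def missing_records(netlogon_dns: str, domain: str, forest: str, site: str,
                    dsa_guid: str, is_gc: bool = False, is_pdc: bool = False) -> List[str]:
    """Required records that do not appear in the Netlogon.dns text, as 'owner TYPE'."""
    have = parse_netlogon_dns(netlogon_dns)
    wanted = required_records(domain, forest, site, dsa_guid, is_gc, is_pdc)
    return sorted(f"{owner} {rrtype}" for owner, rrtype in wanted if (owner, rrtype) not in have)


def foreign_srv_targets(netlogon_dns: str, dc_fqdn: str) -> List[str]:
    """SRV records whose target host is not this DC; every record a DC registers
    for itself must point at its own FQDN, so anything else is a sign the file
    was taken from another machine or edited."""
    me = dc_fqdn.lower().rstrip(".")
    bad = []
    for (owner, rrtype), values in parse_netlogon_dns(netlogon_dns).items():
        if rrtype != "SRV":
            continue
        for rdata in values:                      # "priority weight port target."
            target = rdata.split()[-1].lower().rstrip(".")
            if target != me:
                bad.append(f"{owner} -> {target}")
    return sorted(bad)


if __name__ == "__main__":
    # The first DC of a new forest is also the PDC emulator, hence is_pdc=True.
    for rec in missing_records(SAMPLE_NETLOGON_DNS, "example.com", "example.com",
                               "Default-First-Site-Name", SAMPLE_DSA_GUID, is_pdc=True):
        print("missing:", rec)
    for rec in foreign_srv_targets(SAMPLE_NETLOGON_DNS, "dc1.example.com"):
        print("not this DC:", rec)
```

To use it against a real domain controller, read Netlogon.dns from the server, take the DSA GUID from the objectGUID of the CN=NTDS Settings object under the server in Active Directory Sites and Services, and pass is_gc and is_pdc according to the roles the DC holds; a non-empty result means the dynamic update that the wizard warned about did not succeed and clients will not be able to locate the DC.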
Installing the First Domain Controller in a New Domain Tree in an Existing Forest

NOTE: The design of your namespace determines whether or not you install and configure the DNS service on this computer. If the TCP/IP settings are configured correctly to point to an existing DNS server that hosts the forest's records, you do not need to install the DNS service on this server.
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click
Next.
- The Active Directory Installation Wizard asks a series of questions to determine the role this server will have. Because you are installing this server as the first domain controller of a new domain, click Domain Controller for a new domain.
- Click Next.
- Because this domain controller will also be the first
domain controller in a new domain tree, click Create a new domain
tree.
- Click Next.
- Because this will not be the first domain controller in the
new forest, it will not be the first domain in your organization. Click
Place this new domain tree in an existing forest.
- Click Next.
- The next screen prompts for network credentials. Type the user name, password, and domain name of the account to use for this operation. Because creating a new domain tree is a forest-wide operation, the account must be a member of the Enterprise Admins group of the forest. The domain name can be in the form of a fully qualified domain name (FQDN).
- In the New Domain Tree screen, type the full DNS name for your new domain in the form of
a fully qualified domain (for example: Microsoft.com).
- In the NetBIOS Domain Name screen, the NetBIOS Name box is populated with the first part of your fully qualified
domain name (for example: MICROSOFT).
- The Database Location and Logs Location boxes are populated with the default location (Rootdrive\Winnt\Ntds). For best performance and recoverability, store the database and the logs on separate physical disks: change the Logs Location value to a different hard disk.
- Click Next.
- In the Shared System Volume screen, the default location of Rootdrive\Winnt\Sysvol is
acceptable as long as the volume uses the NTFS file system. This is required
for the Sysvol folder.
- Click Next.
- If you do not have a DNS server available, a "The wizard
cannot contact the DNS server that handles the name Domain
Name to determine if it supports dynamic update. Confirm your DNS
configuration, or install and configure a DNS server on this computer" message
appears.
- Click OK.
- In the Configure DNS screen, click Yes, install and configure DNS on this
computer (recommended).
- Click Next.
- In the Permissions screen (the wizard describes the choice in terms of Windows NT 4.0 RAS servers), choose whether to use permissions compatible with pre-Windows 2000 servers or permissions compatible only with Windows 2000 servers. Select the pre-Windows 2000 option only if Windows NT 4.0 Remote Access Service (RAS) servers must read user account information from this domain: it adds Everyone to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated (anonymous) connections read user and group attributes. Click Next.
- In the Directory Services Restore Mode Administrative Password screen, specify the administrator password to use when you start the computer in Directory Services Restore mode. You use Directory Services Restore mode when you need to recover the Active Directory database.
NOTE: Make sure you record this password in a secure location, or you cannot restore Active Directory if needed. It is a local account password stored on this domain controller, independent of domain accounts, so choose a strong value that is not shared with other systems.
- In the Summary screen, confirm your options, and then click Next.
- Verify that Active Directory is installed by viewing the
messages on the screen. After Active Directory is installed, click Finish to close the wizard.
- Restart the computer.
Installing the First Domain Controller in a New Child Domain

NOTE: You must have the DNS settings configured correctly on the server before promoting it to a domain controller in a child domain. During the promotion process, the server needs to resolve the fully qualified domain name of the parent domain.
For additional information about how to configure DNS for a new child domain, click the following article number to view the article in the Microsoft Knowledge Base: 255248 How to create a child domain in Active Directory and delegate the DNS namespace to the child domain
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click
Next.
- The Active Directory Installation Wizard asks a series of
questions to determine the role this server will have. Because you are
installing this server as the first domain controller in a new domain, click
Domain Controller for a New Domain.
- Click Next.
- Because this domain controller will also be the first
domain controller in a new child domain, click Create a new child
domain in an existing domain tree.
- Click Next.
- The next screen prompts for network credentials. Type the user name, password, and domain name of the account to use for this operation. Because creating a new domain is a forest-wide operation, the account must be a member of the Enterprise Admins group. To install a child domain, make sure that DNS is configured correctly so that the server can find the parent domain. If DNS is configured correctly and the server points to the DNS server that hosts the parent domain's records, the Domain box entry can be in the form of a fully qualified domain name.
- In the Child Domain Installation screen, type the full DNS name for the parent domain in the form
of a fully qualified domain (for example: Microsoft.com).
- In the Child Domain box, type the name of the child domain (for example: Finance).
Click Next.
- In the NetBIOS Domain Name screen, the NetBIOS Name box is populated with the first part of your fully qualified
domain name (for example: Finance).
- The Database Location and Logs Location boxes are populated with the default location (Rootdrive\Winnt\Ntds). For best performance and recoverability, store the database and the logs on separate physical disks: change the Logs Location value to a different hard disk.
- Click Next.
- In the Shared System Volume screen, the default location of Rootdrive\Winnt\Sysvol is
acceptable as long as the volume uses the NTFS file system. This is required
for the Sysvol folder.
- Click Next.
- If you do not have a DNS server available, a "The wizard
cannot contact the DNS server that handles the name Domain
Name to determine if it supports dynamic update. Confirm your DNS
configuration, or install and configure a DNS server on this computer" message
appears.
- Click OK.
- In the Configure DNS screen, click Yes, install and configure DNS on this
computer (recommended).
- Click Next.
- In the Permissions screen (the wizard describes the choice in terms of Windows NT 4.0 RAS servers), choose whether to use permissions compatible with pre-Windows 2000 servers or permissions compatible only with Windows 2000 servers. Select the pre-Windows 2000 option only if Windows NT 4.0 Remote Access Service (RAS) servers must read user account information from this domain: it adds Everyone to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated (anonymous) connections read user and group attributes. Click Next.
- In the Directory Services Restore Mode Administrative Password screen, specify the administrator password to use when you start the computer in Directory Services Restore mode. You use Directory Services Restore mode when you need to recover the Active Directory database.
NOTE: Make sure you record this password in a secure location, or you cannot restore Active Directory if needed. It is a local account password stored on this domain controller, independent of domain accounts, so choose a strong value that is not shared with other systems.
- In the Summary screen, confirm your options, and then click Next.
- Verify that Active Directory is installed by viewing the
messages on the screen. After Active Directory is installed, click Finish to close the wizard.
- Restart the computer.
Installing an Additional Domain Controller for an Existing Domain

NOTE: You must have the DNS settings configured correctly on the server before promoting it to a domain controller in an existing domain. During the promotion process, the server needs to resolve the fully qualified domain name of the domain.
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click
Next.
- The Active Directory Installation Wizard asks a series of questions to determine the role this server will have. Because you are installing this server as an additional domain controller in a domain, click Additional Domain Controller for an Existing Domain.
- Click Next.
- The next screen prompts for network credentials. Type the user name, password, and domain name of the account to use for this operation. The account must be a member of the Domain Admins group of the domain you are joining. The domain name should not be in the form of a fully qualified domain name.
- In the Additional Domain Controller screen, type the full DNS name for your existing domain in the
form of a fully qualified domain (for example: Microsoft.com).
- The Database Location and Logs Location boxes are populated with the default location (Rootdrive\Winnt\Ntds). For best performance and recoverability, store the database and the logs on separate physical disks: change the Logs Location value to a different hard disk.
- Click Next.
- In the Shared System Volume screen, the default location of Rootdrive\Winnt\Sysvol is
acceptable as long as the volume uses the NTFS file system. This is required
for the Sysvol folder.
- Click Next.
- If you do not have a DNS server available, a "The wizard
cannot contact the DNS server that handles the name Domain
Name to determine if it supports dynamic update. Confirm your DNS
configuration, or install and configure a DNS server on this computer" message
appears.
- Click OK.
- In the Configure DNS screen, click Yes, install and configure DNS on this
computer (recommended).
- Click Next.
- In the Permissions screen (the wizard describes the choice in terms of Windows NT 4.0 RAS servers), choose whether to use permissions compatible with pre-Windows 2000 servers or permissions compatible only with Windows 2000 servers. Select the pre-Windows 2000 option only if Windows NT 4.0 Remote Access Service (RAS) servers must read user account information from this domain: it adds Everyone to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated (anonymous) connections read user and group attributes. Click Next.
- In the Directory Services Restore Mode Administrative Password screen, specify the administrator password to use when you start the computer in Directory Services Restore mode. You use Directory Services Restore mode when you need to recover the Active Directory database.
NOTE: Make sure you record this password in a secure location, or you cannot restore Active Directory if needed. It is a local account password stored on this domain controller, independent of domain accounts, so choose a strong value that is not shared with other systems.
- During the replication phase of the promotion process, the wizard offers the option to finish replication later. There are many reasons to choose this option (for example, if the new domain controller is connected over a slow link in the middle of the day and you want to wait until the end of the day). Until replication completes, the new domain controller does not hold a complete copy of the domain.
- Verify that Active Directory is installed by viewing the
messages on the screen. After Active Directory is installed, click Finish to close the wizard.
- Restart the computer.
Removing Active Directory from a Domain Controller

NOTE: When a domain controller is demoted and it is not the last domain controller in the domain, it performs a final replication and then transfers any operations master roles it holds to another domain controller. As part of the demotion process, the Dcpromo utility removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object, which exists as a child of the server object in Active Directory Sites and Services. After the domain controller is demoted it no longer has Active Directory information available, and uses the Security Accounts Manager (SAM) database for local accounts. If the domain controller is a global catalog, that role is not transferred to another domain controller. In this case, you must manually select the Global Catalog check box in the properties of the NTDS Settings object of another domain controller in Active Directory Sites and Services so that it takes over the role.

If the demotion process does not succeed for any reason, the NTDS Settings object stays in the directory and the other domain controllers keep treating the server as a replication partner. You must manually delete this metadata from the directory. Use the Ntdsutil.exe utility (metadata cleanup) to remove the NTDS Settings object, and then delete the remaining server object in Active Directory Sites and Services.

For additional information about how to use Ntdsutil.exe, click the article number below to view the article in the Microsoft Knowledge Base: 216498 Removing Active Directory Data After an Unsuccessful Demotion
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click
Next.
- There is a check box in the Remove Active Directory screen. Select it only if this computer is the last domain controller in the domain: the wizard then deletes the domain, including all of its accounts, instead of replicating the removal of this domain controller to other domain controllers. If other domain controllers exist, leave the check box cleared. Click Next.
- In the next screen, set the password for the administrator
account on the server after Active Directory is removed. Type the appropriate
password in the Password and Confirm Password boxes, and then click Next.
- In the Summary screen, review and confirm the options you selected, and then
click Next.
- The wizard begins the process of removing Active Directory
from the server. After the process is finished, a message indicates that Active
Directory was removed from the computer.
- Click Finish to quit the wizard.
- Restart the computer.
NOTE: Windows 2000-based DNS servers should point to themselves for DNS in their TCP/IP properties. If this server needs to resolve names from its Internet service provider (ISP), configure a forwarder on the DNS server rather than listing the ISP's DNS server in the TCP/IP properties.
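An example, added here and not part of the Microsoft article, of inspecting the metadata that the demotion described above is supposed to remove. The input is an LDIF export of the Sites container of the Configuration partition (for instance from ldifde -f sites.ldf -d "CN=Sites,CN=Configuration,DC=example,DC=com" -p subtree, with the DN adjusted to your forest). A demotion that completes deletes the NTDS Settings object (objectClass nTDSDSA) under the server object; a demotion that fails leaves it behind and other domain controllers keep trying to replicate with the dead server until ntdsutil removes it. The export embedded below is constructed, its server names DC1, DC2 and DC3 are made up, most attributes are trimmed, and the list of domain controllers known to be running is something the administrator supplies.

```python
# Added example (not from the KB article): find stale domain-controller metadata
# in an LDIF export of CN=Sites,CN=Configuration,... after a demotion.
import re
from typing import Dict, List

# Constructed export with attributes trimmed. DC1 is a live global catalog,
# DC2 was demoted but the demotion failed (NTDS Settings still present) and
# DC3 was cleaned up with ntdsutil, leaving only its server object behind.
# The DN of DC1's NTDS Settings object is folded over two lines as ldifde does.
SAMPLE_SITES_LDIF = """\
dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: site

dn: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: serversContainer

dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: server
dNSHostName: dc1.example.com

dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
 DC=example,DC=com
objectClass: nTDSDSA
options: 1

dn: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: server
dNSHostName: dc2.example.com

dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
options: 0

dn: CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: server
dNSHostName: dc3.example.com
"""

SERVER_DN_RE = re.compile(
    r"^CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,CN=Configuration,", re.I)
NTDS_DSA_OPTION_IS_GC = 0x1  # bit in the nTDSDSA "options" attribute marking a global catalog


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line separates entries, a leading space folds a line."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # continuation of the previous value
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def dc_metadata(entries: List[Dict[str, List[str]]]) -> Dict[str, dict]:
    """Map each server object (keyed by lower-cased DN) to its name, site, whether an
    NTDS Settings child still exists, and whether that child is flagged as a GC."""
    servers: Dict[str, dict] = {}
    for e in entries:                               # pass 1: server objects
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        m = SERVER_DN_RE.match(dn)
        if "server" in classes and m:
            servers[dn.lower()] = {"name": m["server"], "site": m["site"],
                                   "has_ntds_settings": False, "is_gc": False}
    for e in entries:                               # pass 2: NTDS Settings children
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "ntdsdsa" not in classes:
            continue
        parent = e["dn"][0].split(",", 1)[1].lower()   # CN=NTDS Settings,<server DN>
        if parent in servers:
            servers[parent]["has_ntds_settings"] = True
            options = int(e.get("options", ["0"])[0])
            servers[parent]["is_gc"] = bool(options & NTDS_DSA_OPTION_IS_GC)
    return servers


def stale_dc_metadata(entries, live_dcs) -> List[str]:
    """Servers that still have an NTDS Settings object but are not in the list of
    DCs known to be running: candidates for ntdsutil metadata cleanup."""
    live = {n.lower() for n in live_dcs}
    return sorted(s["name"] for s in dc_metadata(entries).values()
                  if s["has_ntds_settings"] and s["name"].lower() not in live)


def orphaned_server_objects(entries) -> List[str]:
    """Server objects whose NTDS Settings child is gone: leftovers to delete by hand
    in Active Directory Sites and Services."""
    return sorted(s["name"] for s in dc_metadata(entries).values()
                  if not s["has_ntds_settings"])


def global_catalogs(entries) -> List[str]:
    """DCs whose NTDS Settings object carries the global catalog flag."""
    return sorted(s["name"] for s in dc_metadata(entries).values() if s["is_gc"])


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_SITES_LDIF)
    print("stale metadata:", stale_dc_metadata(entries, ["DC1"]))
    print("orphaned server objects:", orphaned_server_objects(entries))
    print("global catalogs:", global_catalogs(entries))
```

The global catalog list is the practical companion to the note above: if the only server in it is the one being demoted, enable the Global Catalog check box on another domain controller's NTDS Settings object before the demotion, because the wizard does not do it for you.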
Modification Type: Major | Last Reviewed: 11/16/2004
Keywords: kbenv kbhowto kbHOWTOmaster KB238369 kbAudITPro