Domain Controller Demotion

If you need to demote a Windows 2000 domain controller (DC) that's missing its DNS suffix, first read the Microsoft article "HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion." Then, reboot your server and press F8 to access the startup options. Select Disaster Recovery Mode and log on to the server. Create a local administrator account with a blank password (all previous local accounts were deleted when the server was promoted). Start regedt32.exe and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions registry subkey. In the right-hand pane, double-click ProductType. Change the value from LanmanNT to ServerNT (the value is case sensitive).

Reboot the server again and use the new local administrator account to log on. Delete the NTDS folder. Follow the Microsoft article's instructions to delete the server's computer account from the Active Directory (AD) domain. This action demotes the DC to a regular server. Reboot the server and log on as administrator. Select the Change primary DNS suffix when domain membership changes check box. (You can find this setting under the Control Panel System applet's Change, More tabs.) You can now run Dcpromo to promote the DC.
