DowntownIT

DCPromo - Demoting 2008 R2 Errors Out

I have two Windows 2008 R2 DCs that were added to a Windows 2003 domain, then the 2003 was demoted. I now need to demote the other 2008 DC.

When I try to demote the 2008 box via dcpromo, I get the error attached.

Could anyone help me demote this DC?
[Attached image: Untitled.jpg]

Darius Ghassem

Did you transfer the FSMO roles over to one of the new DCs?

Run dcdiag on the new DCs and check for errors.
ASKER CERTIFIED SOLUTION
Mike Kline

This solution is only available to members.

DowntownIT (ASKER)

Dariusq - I transferred the 5 roles to the IT-PDC DC

DCdiag on the IT-PDC server reports this

MKline - I did see that thread and this link http://support.microsoft.com/kb/949257
When I run the script as instructed, I receive this...

C:\>cscript fixfsmo.vbs DC=DomainDnsZones,DC=domain,DC=org
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

DNS name: DomainDnsZones.domain.org
Using DC IT-PDC.domain.org
infra fsmo is CN=NTDS Settings,CN=IT-BDC,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=domain,DC=org

If I am reading this correctly, it shows the infrastructure FSMO is the wrong server. But when I go to the operations masters on the IT-PDC, it shows itself as the infrastructure master.
C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = IT-PDC
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server DC02, return value
   = 81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\IT-PDC
      Starting test: Connectivity
         ......................... IT-PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\IT-PDC
      Starting test: Advertising
         ......................... IT-PDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... IT-PDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... IT-PDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... IT-PDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... IT-PDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... IT-PDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... IT-PDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org
         ......................... IT-PDC failed test NCSecDesc
      Starting test: NetLogons
         ......................... IT-PDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... IT-PDC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,IT-PDC] A recent replication attempt failed:
            From DC02 to IT-PDC
            Naming Context: DC=DomainDnsZones,DC=domain,DC=org
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2010-06-03 13:49:42.
            The last success occurred at 2010-04-13 07:50:42.
            4919 failures have occurred since the last success.
         [Replications Check,IT-PDC] A recent replication attempt failed:
            From DC02 to IT-PDC
            Naming Context: DC=ForestDnsZones,DC=domain,DC=org
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2010-06-03 13:49:42.
            The last success occurred at 2010-04-13 07:50:42.
            4920 failures have occurred since the last success.
         [Replications Check,IT-PDC] A recent replication attempt failed:
            From DC02 to IT-PDC
            Naming Context:
            CN=Schema,CN=Configuration,DC=domain,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-06-03 13:49:42.
            The last success occurred at 2010-04-13 07:50:42.
            4920 failures have occurred since the last success.
         [Replications Check,IT-PDC] A recent replication attempt failed:
            From DC02 to IT-PDC
            Naming Context: CN=Configuration,DC=domain,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-06-03 13:49:42.
            The last success occurred at 2010-04-13 07:50:42.
            4920 failures have occurred since the last success.
         [Replications Check,IT-PDC] A recent replication attempt failed:
            From DC02 to IT-PDC
            Naming Context: DC=domain,DC=org
            The replication generated an error (5):
            Access is denied.
            The failure occurred at 2010-06-03 13:49:42.
            The last success occurred at 2010-04-13 07:50:41.
            4920 failures have occurred since the last success.
         ......................... IT-PDC failed test Replications
      Starting test: RidManager
         ......................... IT-PDC passed test RidManager
      Starting test: Services
         ......................... IT-PDC passed test Services
      Starting test: SystemLog
         ......................... IT-PDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... IT-PDC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... doamin passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test
         CrossRefValidation

   Running enterprise tests on : domain.org
      Starting test: LocatorCheck
         ......................... domain.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... domain.org passed test
         Intersite


You have failed replications to DC2
Run

netdom query fsmo

Is that all IT-PDC?

Is the DC02 box the 2008 box you are trying to demote?

Thanks

Mike
netdom query fsmo does show all IT-PDC

DC02 must be a long gone DC
Then it shouldn't be trying to replicate with DC02.  Run a metadata cleanup for DC02

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

I have some meetings (real work calls) but I'll be back later this afternoon.

Thanks

Mike
Also, while you are running metadata cleanup check for other DCs that are no longer DCs.

When you run dcdiag on the other new DC what errors do you get?
I didn't see any other old DCs. I removed the DC02 and replicated the changes. The following is dcdiag from the other 2008 DC, Orph-DC:
C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ORPH-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Orpheum\ORPH-DC
      Starting test: Connectivity
         ......................... ORPH-DC passed test Connectivity

Doing primary tests

   Testing server: Orpheum\ORPH-DC
      Starting test: Advertising
         ......................... ORPH-DC passed test Advertising
      Starting test: FrsEvent
         ......................... ORPH-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... ORPH-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... ORPH-DC passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B47
            Time Generated: 06/03/2010   14:38:17
            Event String:
         ......................... ORPH-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ORPH-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ORPH-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org
         ......................... ORPH-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... ORPH-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ORPH-DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... ORPH-DC passed test Replications
      Starting test: RidManager
         ......................... ORPH-DC passed test RidManager
      Starting test: Services
         ......................... ORPH-DC passed test Services
      Starting test: SystemLog
         ......................... ORPH-DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... ORPH-DC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test
         CrossRefValidation

   Running enterprise tests on : domain.org
      Starting test: LocatorCheck
         ......................... domain.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... domain.org passed test
         Intersite

C:\Windows\system32>


Now the dcdiag on the IT-PDC:
C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = IT-PDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\IT-PDC
      Starting test: Connectivity
         ......................... IT-PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\IT-PDC
      Starting test: Advertising
         ......................... IT-PDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... IT-PDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... IT-PDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... IT-PDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... IT-PDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... IT-PDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... IT-PDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org
         ......................... IT-PDC failed test NCSecDesc
      Starting test: NetLogons
         ......................... IT-PDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... IT-PDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... IT-PDC passed test Replications
      Starting test: RidManager
         ......................... IT-PDC passed test RidManager
      Starting test: Services
         ......................... IT-PDC passed test Services
      Starting test: SystemLog
         ......................... IT-PDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... IT-PDC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test
         CrossRefValidation

   Running enterprise tests on : domain.org
      Starting test: LocatorCheck
         ......................... domain.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... domain.org passed test
         Intersite

C:\Windows\system32>


I retried dcpromo on the one I need to demote (it-bdc) with the same error as originally posted.
Reboot the DCs and allow replication to fully take place.
I rebooted all of the DCs and allowed replication to run. I then retried dcpromo on it-bdc with the same result.
Does dcdiag /v look clean on it-bdc?
You could always do a dcpromo /forceremoval and then metadata cleanup on it, but let's see if anything shows up in dcdiag or the event logs that may be preventing this demotion from happening.
 
Thanks
Mike
Okay, looks like this might be something


   Starting test: NCSecDesc
      * Security Permissions check for all NC's on DC IT-BDC.
      The forest is not ready for RODC. Will skip checking ERODC ACEs.
      * Security Permissions Check for
        DC=DomainDnsZones,DC=domain,DC=org
         (NDNC,Version 3)
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
         Replicating Directory Changes In Filtered Set
      access rights for the naming context:
      DC=DomainDnsZones,DC=domain,DC=org
      * Security Permissions Check for
        DC=ForestDnsZones,DC=domain,DC=org
         (NDNC,Version 3)
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
         Replicating Directory Changes In Filtered Set
      access rights for the naming context:
      DC=ForestDnsZones,DC=domain,DC=org
      * Security Permissions Check for
        CN=Schema,CN=Configuration,DC=domain,DC=org
         (Schema,Version 3)
      * Security Permissions Check for
        CN=Configuration,DC=domain,DC=org
         (Configuration,Version 3)
      * Security Permissions Check for
        DC=domain,DC=org
         (Domain,Version 3)
      ......................... IT-BDC failed test NCSecDesc


Here is the full output
1. Determine which server should hold the role in question.
            2. Configuration view may be out of date. If the server in question
has been promoted recently, verify that the Configuration partition has replicat
ed from the new server recently.  If the server in question has been demoted rec
ently and the role transferred, verify that this server has replicated the parti
tion (containing the latest role ownership) lately.
            3. Determine whether the role is set properly on the FSMO role holde
r server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the
role. This may be done using the steps provided in KB articles 255504 and 324801
 on http://support.microsoft.com.
            4. Verify that replication of the FSMO partition between the FSMO ro
le holder server and this server is occurring successfully.

            The following operations may be impacted:
            Schema: You will no longer be able to modify the schema for this for
est.
            Domain Naming: You will no longer be able to add or remove domains f
rom this forest.
            PDC: You will no longer be able to perform primary domain controller
 operations, such as Group Policy updates and password resets for non-Active Dir
ectory Domain Services accounts.
            RID: You will not be able to allocation new security identifiers for
 new user accounts, computer accounts or security groups.
            Infrastructure: Cross-domain name references, such as universal grou
p memberships, will not be updated properly if their target object is moved or r
enamed.
         An error event occurred.  EventID: 0xC00007E6
            Time Generated: 06/07/2010   08:54:58
            Event String:
            The operations master roles held by this directory server could not
transfer to the following remote directory server.

            Remote directory server:
            \\IT-PDC.domain.org

            This is preventing removal of this directory server.

            User Action
            Investigate why the remote directory server might be unable to accep
t the operations master roles, or manually transfer all the roles that are held
by this directory server to the remote directory server. Then, try to remove thi
s directory server again.

            Additional Data
            Error value:
            5005 The directory service is missing mandatory configuration inform
ation, and is unable to determine the ownership of floating single-master operat
ion roles.
            Extended error value:
            0
            Internal ID:
            52498735
         ......................... IT-BDC failed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=IT-PDC,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=org
         Role Domain Owner = CN=NTDS Settings,CN=IT-PDC,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=org
         Role PDC Owner = CN=NTDS Settings,CN=IT-PDC,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=org
         Role Rid Owner = CN=NTDS Settings,CN=IT-PDC,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=org
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=IT-PDC,CN=Server
s,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC
=org
         ......................... IT-BDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC IT-BDC on DC IT-BDC.
         * SPN found :LDAP/IT-BDC.domain.org/domain.or
g
         * SPN found :LDAP/IT-BDC.domain.org
         * SPN found :LDAP/IT-BDC
         * SPN found :LDAP/IT-BDC.domain.org/PERFDOMAIN
         * SPN found :LDAP/14127b11-d9ec-43d6-a9fe-f41f495d549b._msdcs.omahaperf
ormingarts.org
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/14127b11-d9ec-43d6-a9
fe-f41f495d549b/domain.org
         * SPN found :HOST/IT-BDC.domain.org/domain.or
g
         * SPN found :HOST/IT-BDC.domain.org
         * SPN found :HOST/IT-BDC
         * SPN found :HOST/IT-BDC.domain.org/PERFDOMAIN
         * SPN found :GC/IT-BDC.domain.org/domain.org
         ......................... IT-BDC passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC IT-BDC.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=org
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=org
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=org
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=org
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=org
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=org
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=domain,DC=org
            (Domain,Version 3)
         ......................... IT-BDC failed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\IT-BDC\netlogon
         Verified share \\IT-BDC\sysvol
         ......................... IT-BDC passed test NetLogons
      Starting test: ObjectsReplicated
         IT-BDC is in domain DC=domain,DC=org
         Checking for CN=IT-BDC,OU=Domain Controllers,DC=domain,DC=
org in domain DC=domain,DC=org on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=IT-BDC,CN=Servers,CN=Default-First-Sit
e-Name,CN=Sites,CN=Configuration,DC=domain,DC=org in domain CN=Conf
iguration,DC=domain,DC=org on 1 servers
            Object is up-to-date on all servers.
         ......................... IT-BDC passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=DomainDnsZones,DC=domain,DC=org
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=ForestDnsZones,DC=domain,DC=org
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=domain,DC=org
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=domain,DC=org
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=domain,DC=org
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... IT-BDC passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 6604 to 1073741823
         * IT-PDC.domain.org is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5104 to 5603
         * rIDPreviousAllocationPool is 5104 to 5603
         * rIDNextRID: 5119
         ......................... IT-BDC passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... IT-BDC passed test Services
      Starting test: SystemLog
         * The System Event log test
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 06/07/2010   08:01:33
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000016AF
            Time Generated: 06/07/2010   08:18:58
            Event String:
            During the past 4.17 hours there have been 28 connections to this Do
main Controller from client machines whose IP addresses don't map to any of the
existing sites in the enterprise. Those clients, therefore, have undefined sites
 and may connect to any Domain Controller including those that are in far distan
t locations from the clients. A client's site is determined by the mapping of it
s subnet to one of the existing sites. To move the above clients to one of the s
ites, please consider creating subnet object(s) covering the above IP addresses
with mapping to one of the existing sites.  The names and IP addresses of the cl
ients in question have been logged on this computer in the following log file '%
SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\
debug\netlogon.bak' created if the former log becomes full. The log(s) may conta
in additional unrelated debugging information. To filter out the needed informat
ion, please search for lines which contain text 'NO_CLIENT_SITE:'. The first wor
d after this string is the client name and the second word is the client IP addr
ess. The maximum size of the log(s) is controlled by the following registry DWOR
D value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameter
s\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 2
0000000 bytes.  To set a different maximum size, create the above registry value
 and set the desired maximum size in bytes.
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... IT-BDC passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=IT-BDC,OU=Domain Controllers,DC=domain,DC=org and
         backlink on
         CN=IT-BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
on,DC=domain,DC=org
         are correct.
         The system object reference (serverReferenceBL)
         CN=IT-BDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Se
rvice,CN=System,DC=domain,DC=org
         and backlink on
         CN=NTDS Settings,CN=IT-BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=domain,DC=org
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=IT-BDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Se
rvice,CN=System,DC=domain,DC=org
         and backlink on
         CN=IT-BDC,OU=Domain Controllers,DC=domain,DC=org are
         correct.
         ......................... IT-BDC passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test
         CrossRefValidation

   Running enterprise tests on : domain.org
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\IT-PDC.domain.org
         Locator Flags: 0xe00033fd
         PDC Name: \\IT-PDC.domain.org
         Locator Flags: 0xe00033fd
         Time Server Name: \\IT-BDC.domain.org
         Locator Flags: 0xe00031f8
         Preferred Time Server Name: \\IT-PDC.domain.org
         Locator Flags: 0xe00033fd
         KDC Name: \\IT-BDC.domain.org
         Locator Flags: 0xe00031f8
         ......................... domain.org passed test
         LocatorCheck
      Starting test: Intersite
         Skipping site Site1, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... domain.org passed test
         Intersite

C:\Windows\system32>


Did you run adprep /rodcprep? That is why you are getting those errors in the first output... not a big deal.
What is odd is that in the section
 Starting test: KnowsOfRoleHolders
It correctly sees that IT-PDC holds the roles.
It looks as though I should do a force removal. I will accept your comment ID:32911116 as a valid solution. One more thing... is there a way to verify that I won't lose any roles, other than the dcdiag /v?
netdom query fsmo  

that will also confirm the fsmo roles

Thanks

mike
Had to run dcpromo /force and clean up the metadata
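
Added example (not part of the original thread, and not Microsoft's fixfsmo.vbs): netdom query fsmo lists only the five forest and domain roles, while the fixfsmo.vbs output above shows that each DNS application partition has its own infrastructure role owner, which in this thread still pointed at IT-BDC. This read-only PowerShell sketch reads fSMORoleOwner from all seven objects before a demotion or forced removal; the parameter name ExpectedHolder and its default IT-PDC are assumptions taken from the thread.

```powershell
# Added example: read-only check of every fSMORoleOwner attribute, including the
# Infrastructure objects in DomainDnsZones and ForestDnsZones.
# $ExpectedHolder is a hypothetical parameter: the DC that should own every role.
param([string]$ExpectedHolder = 'IT-PDC')

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$forestDn = [string]$rootDse.rootDomainNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

# Role name, then the DN of the object whose fSMORoleOwner attribute names the holder.
$roles = @(
    @('Schema master',                   $schemaDn),
    @('Domain naming master',            'CN=Partitions,' + $configDn),
    @('PDC emulator',                    $domainDn),
    @('RID master',                      'CN=RID Manager$,CN=System,' + $domainDn),
    @('Infrastructure master',           'CN=Infrastructure,' + $domainDn),
    @('Infrastructure (DomainDnsZones)', 'CN=Infrastructure,DC=DomainDnsZones,' + $domainDn),
    @('Infrastructure (ForestDnsZones)', 'CN=Infrastructure,DC=ForestDnsZones,' + $forestDn)
)

foreach ($role in $roles) {
    $owner = $null
    try {
        $entry = [ADSI]('LDAP://' + $role[1])
        $owner = [string]$entry.psbase.Properties['fSMORoleOwner'].Value
    } catch {
        $owner = $null   # object missing or not readable from this DC
    }

    if (-not $owner) {
        $holder = ''
        $status = 'UNREADABLE'
    } else {
        # Owner is the DN of an NTDS Settings object; the next RDN is the server name.
        $holder = if ($owner -match '^CN=NTDS Settings[^,]*,CN=([^,]+),') { $Matches[1] } else { $owner }
        if ($owner -match '\\0ADEL:') {
            $status = 'STALE (owner object was deleted)'
        } elseif ($holder -ne $ExpectedHolder) {
            $status = 'MISMATCH'
        } else {
            $status = 'OK'
        }
    }

    New-Object PSObject -Property @{ Role = $role[0]; Holder = $holder; Status = $status } |
        Select-Object Role, Holder, Status
}
```

Any row that is not OK names a role that would be left on the wrong or a removed server; the script changes nothing in the directory.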