Joshua Dumas


I didn't dcpromo my old server...oh.....

I put a new server into place, and when the old one was history I couldn't do a dcpromo to put it to a member server....so whenever I access the group policies in Active Directory Users and Computers I am getting the following:

The domain controller for Group Policy operations is not available. You may cancel this operation for this session or retry using one of the following domain controller choices:
The one with the Operations Master token for the PDC emulator.

Any idea...what I need to do to remove the old server from the farm?
jon_godwin

You need to move those roles to your current server.

ASKER

And how is that done?
I am assuming that you only have two DCs, one old and one new.  When you open up ADUC, make sure that the very top line in the view pane reads "Active Directory Users and Computers [your new DC]".  If not, right click that line, select "Connect to Domain Controller" and select your new DC.  

Next, right-click the very top line again and select "All tasks" and then "Operations Masters".  Make sure that all the roles point to your new DC, change them if they are not.  If this does not work, the roles will have to be seized using NTDSUTIL and the old DC will have to be reinstalled if DCPROMO does not work.

Thanks,
Because the old server is no longer available you have to seize the roles to the existing server exactly as cfairley says. Here is the kb to get that done. If this works CREDIT cfairley please.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504
Can I have some help with NTDSUTIL - I hate to F*C* my domain up with a stupid command....
Before using ntdsutil, enable "File and Printer Sharing" and enable "TCP/IP NetBIOS Service".  Follow the brief directions in this link:  http://www.jsiinc.com/SUBN/tip6500/rh6590.htm

Then try to change the roles using ADUC.  If still unable, then use ntdsutil.  The link that jdeclue provided describes exactly how to use it.  Don't worry about damaging your domain with this command, it is harmless when you only have two DCs.  When you have more than two, you could possibly move a FSMO role to the wrong DC.
duemes, an update as to the status of your dcpromo, please.

J
This is what I get when I run seize domain naming master:

Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "SERVERNAME" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site,CN=Sites
,CN=Configuration,DC=DOMAINNAME,DC=MYDOMAINNAME,DC=com
Domain - CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site,CN=Site
s,CN=Configuration,DC=DOMAINNAME,DC=MYDOMAINNAME,DC=com
PDC - CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site,CN=Sites,C
N=Configuration,DC=DOMAINNAME,DC=MYDOMAINNAME,DC=com
RID - CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site,CN=Sites,CN
=Configuration,DC=DOMAINNAME,DC=MYDOMAINNAME,DC=com
Infrastructure - CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site,
CN=Sites,CN=Configuration,DC=DOMAINNAME,DC=MYDOMAINNAME,DC=com
fsmo maintenance:

ANY IDEA?
Any ideas?
This happens when you seize a role from a DC that is not available.  If the previous owner of the FSMO role was available, then the message would read successful.  Notice that it still says "proceeding with seizure".  The list of roles shown above should tell you who is the correct owner of the role, it should say your new DC.

To check the roles:
ntdsutil
roles
select operation target
connections
connect to server "servername"
Q
list roles for connected server
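
A way to read the "list roles for connected server" output without misjudging the wrapped lines, as an added example that is not part of the original thread: it rejoins the console-wrapped DNs and reports which roles are not yet owned by the expected DC. The sample text and the names OLDDC, NEWDC and example.com are constructed placeholders.

```python
import re

# Role labels as ntdsutil prints them; "Domain" is the domain naming master.
ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(%s) - (.*)$" % "|".join(ROLES))
OWNER = re.compile(r"CN=NTDS Settings,CN=([^,]+)", re.IGNORECASE)

# Constructed sample (not real output); names are placeholders.
SAMPLE = '''Server "NEWDC" knows about 5 roles
Schema - CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site,CN=Sites
,CN=Configuration,DC=example,DC=com
Domain - CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site,CN=Site
s,CN=Configuration,DC=example,DC=com
PDC - CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site,CN=Sites,C
N=Configuration,DC=example,DC=com
RID - CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site,CN=Sites,CN
=Configuration,DC=example,DC=com
Infrastructure - CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site,
CN=Sites,CN=Configuration,DC=example,DC=com
select operation target:
'''

def parse_role_owners(output):
    """Map each FSMO role label to the DC named in its NTDS Settings DN."""
    dns, current = {}, None
    for line in output.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            dns[current] = m.group(2)
        elif current and line.strip() and not line.rstrip().endswith(":"):
            # The console wraps mid-token, so rejoin without adding a space.
            dns[current] += line
        else:
            current = None  # blank line or an ntdsutil prompt ends the listing
    owners = {}
    for role, dn in dns.items():
        m = OWNER.search(dn)
        owners[role] = m.group(1).upper() if m else None
    return owners

def stale_roles(output, expected_dc):
    """Return roles that are missing or not owned by expected_dc."""
    owners = parse_role_owners(output)
    return sorted(r for r in ROLES if owners.get(r) != expected_dc.upper())

if __name__ == "__main__":
    print(stale_roles(SAMPLE, "NEWDC"))
```

An empty result from stale_roles means every role in the listing already points at the expected DC.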
it appears when I do the above steps it shows that the Schema, RID, & Infrastructure is with the old server...how do I get it to the new server????

The new server is doing:
Domain & PDC

Any ideas?
Here are the step-by-step instructions on removing the old Domain Controller in an MS Knowledge Base article. After you remove the Server object from Active Directory, you will have to follow the steps to seize the roles. You will need ADSIEdit and NTDSUtil to complete this.

http://support.microsoft.com/default.aspx?kbid=216498 - How to remove the DC manually after a failed Demotion
http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504 - NTDSUTIL to seize the roles

This is a procedure that can cause serious issues if done incorrectly so you must follow the steps exactly.

In addition, before you follow these steps I would like to request Second Opinions or Concurrence from other Experts, please.

J
ASKER CERTIFIED SOLUTION
jdeclue

I think I found out what wasn't seized..and I seized it...let me check later on tonight and I will post something...but I went into ADUC and it looks like everything is working fine....HEA!

I will post something later (8-9PM) EST to let you know if everything went alright.

THANKS!
Fingers crossed ;)
I hope everything is OK too.  duemes, disregard jdeclue's earlier message about giving me the CREDIT.  We worked as a team.  If you can't split it, then give it to him.

Nice working with you jdeclue!  I wish a lot more people would use this site.
Everything is working great!
I just started answering questions a couple of weeks ago, and have found this site to be great! Wish I had started earlier... Thanks cfairley... and dittos to you