AA095927

asked on

Cannot remove first DC in two tree/domain AD forest

We are doing an intraforest domain migration.  The plan is to move everything from our original domain, olddomain (Yes, it's single-label), to a separate forest tree/domain newdomain.internal.  The original DC will then be demoted and promoted to a DC in newdomain.internal.  So - when everything is said and done, I've effectively "renamed" the domain from olddomain to newdomain.internal.  I've brought up a new 2003 DC (I'll call it newserver) in newdomain.internal.   The old DC is 2003 too.  The Schema Master and Domain Naming Master forestwide roles have been transferred to newserver from the original DC.  It is also the Infrastructure Master, RID Master, and PDC Emulator for the newdomain.internal domain.  Using ADMT, I've migrated all of my users from olddomain to newdomain.internal.  I now want to demote the original server.  When I DCPROMO attempting to do this, it errors out with the following:

"The wizard cannot remove Active Directory from this domain controller because other child or tree root domains are dependent on it."

DCPROMO.LOG records a similar error:
03/03 23:09:26 [INFO] Request for demotion of domain controller
03/03 23:09:26 [INFO] DnsDomainName  (NULL)
03/03 23:09:26 [INFO]       ServerRole  0
03/03 23:09:26 [INFO]       Account (NULL)       Options  130
03/03 23:09:26 [INFO]       LastDcInDomain  TRUE
03/03 23:09:26 [INFO]       Forced Demote  FALSE
03/03 23:09:26 [INFO] Start the worker task
03/03 23:09:26 [INFO] Request for demotion returning 0
03/03 23:09:26 [INFO] Reading domain policy from the local machine
03/03 23:09:26 [INFO] We (olddomain) think we have 1 children
03/03 23:09:26 [INFO] Error - Failed to determine if domain testdom.internal is a leaf domain
03/03 23:09:26 [INFO] The attempted domain controller operation has completed

03/03 23:09:26 [INFO] DsRolepSetOperationDone returned 0

Newdomain.internal is definitely a second tree in the same forest and is NOT a child domain.  I've also mocked this same setup up in the lab and get similar results.  Is there a supported way to demote my first domain controller so I can promote it into newdomain.internal?

By the way, doing a domain rename is not an option due to some Exchange complications.  It would have been my first choice if possible
CptnTrips

Is this server running with any FSMO roles? Were the roles transferred, or did you "seize" these roles with the new server?
AA095927
I moved the Schema Master and Domain Naming Master (the forestwide roles) from oldserver to newserver in the supported manner.  No need to seize.  So, here's what the roles look like now:

OLDSERVER - RID, PDC, Infrastructure (all for olddomain)
NEWSERVER - RID, PDC, Infrastructure (all for newdomain.local), Schema, Domain Naming (forestwide)
Can you use an ADSI Edit utility to remove the remains of the domain it's referring to? Or run the metadata cleanup utility from MS?
I'm sure that I could gut the domain using ADSIEDIT, but my concern is that's going to hose my AD.  I've found references to the first DC in a forest being "special" (besides the whole FSMO thing), but what exactly that means I haven't been able to find out.  Also, when comparing the default AD users/groups in my lab after both DCs were installed, the Enterprise Admins and Schema Admins are ONLY present on the first DC installed and cannot be migrated.  So - even though we're in separate trees, that second DC appears to have some type of dependency on that first DC.
You're correct - the first domain in the forest is the Forest Root Domain and contains the two security groups you mentioned; and I don't know of any way around that....outside of starting with a whole new forest versus tree.
Have you run dcpromo with the /forceremoval switch?

Try this link. It might shed some light on things if I am understanding your problem correctly.!43FCFDC655121966!239.entry
FSMO roles need to be removed before you can demote the server.
Thanks for the links, CptnTrips.  I'm checking them out.

Aissim got me thinking.  My ultimate goal is to "rename" the domain through a domain migration.  I was looking to do this by bringing up a second tree in the forest and doing an intraforest migration, since this is easier than a migration between forests.  However, if Aissim is correct, I would NEED to keep at least one DC in my original domain (the Forest Root Domain) even if I moved everything to my new domain.  So - I'd really be dealing with two domains vs. the one I was originally looking for.  The only way to be left with one domain would be to do the migration between forests.  Can someone confirm this with 100% certainty?  Our entire course of action is based on this answer.  Thanks everyone for jumping on this so quickly.
I'm fairly certain that your only course of action will be an inter-forest migration. I'll look for something definitive to post back with....

(Not to mention - if you left the forest root domain intact I would recommend leaving two DCs....if you left one DC, and it crashed and burned, your whole forest would be trashed)
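The checks the thread walks through by hand (is this DC in the forest root domain, does that domain still have other domains depending on it, which FSMO roles does it still hold, is it the last DC in its domain) can be scripted before running dcpromo. The script below is an added example, not code from the original thread or from Experts Exchange. It assumes the ActiveDirectory PowerShell module (RSAT) is available on a modern management host joined to the forest, which a 2003 DC like the one in the question would not have itself, and the $Server parameter (e.g. 'oldserver.olddomain') is a hypothetical input.

```powershell
# Added example (not from the original thread): pre-demotion check for a DC.
# Assumes the ActiveDirectory module (RSAT) on a management host in the forest.
param(
    [Parameter(Mandatory = $true)]
    [string]$Server   # hypothetical input, e.g. 'oldserver.olddomain'
)

Import-Module ActiveDirectory

$dc     = Get-ADDomainController -Identity $Server
$domain = Get-ADDomain -Identity $dc.Domain
$forest = Get-ADForest -Identity $domain.Forest

$findings = @()

# 1. Forest root check. The first domain in the forest is the forest root; it
#    hosts Enterprise Admins and Schema Admins and cannot be removed while any
#    other domain (child OR separate tree) still exists in the forest.
if ($domain.DNSRoot -eq $forest.RootDomain) {
    $otherDomains = @($forest.Domains | Where-Object { $_ -ne $domain.DNSRoot })
    if ($otherDomains.Count -gt 0) {
        $findings += "$($domain.DNSRoot) is the forest root and other domains still exist: $($otherDomains -join ', ')"
    }
}

# 2. Child domains hanging directly off this domain (the "child domains are
#    dependent on it" case in the dcpromo error).
if ($domain.ChildDomains.Count -gt 0) {
    $findings += "Domain has child domains: $($domain.ChildDomains -join ', ')"
}

# 3. FSMO roles still held by this DC: the two forest-wide roles plus the three
#    domain-wide roles. All must be transferred (not seized, if the DC is healthy)
#    before demotion.
$roles = @{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ieq $dc.HostName) {
        $findings += "DC still holds $($r.Key); transfer it before demotion"
    }
}

# 4. Last DC in the domain: demoting it removes the domain itself (dcpromo logs
#    this as LastDcInDomain TRUE).
$peers = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot |
           Where-Object { $_.HostName -ine $dc.HostName })
if ($peers.Count -eq 0) {
    $findings += "No other DC in $($domain.DNSRoot); demotion would delete the domain"
}

if ($findings.Count -gt 0) {
    Write-Output "Blocking conditions for demoting $($dc.HostName):"
    $findings | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output "$($dc.HostName) looks safe to demote."
}
```

Run it against the DC you plan to demote before touching dcpromo. For the setup in the question, check 1 would fire even with all five roles moved off oldserver, because olddomain is the forest root and newdomain.internal still exists in the same forest; that is the condition no amount of role transfer removes, which is why the answers above point at an inter-forest migration instead.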