
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 342
Not able to decommission a DC in a single domain

I have a single domain called something like abc.xyz.com. I don't know why the last person used it in the local domain. If it was me, I would use something like xyz.local anyway. There is one DC/DNS/GC running on a slow old PC. I tried to set up a new PC and transferred all 5 FSMO roles to the new PC. It went successfully I think, because it was the last person doing it. I just checked the roles on each DC; the roles changed there. But the problem here is when I run DCDIAG /FIX, I get one of the fail messages: "The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."

Also, when I tried to do replication from Sites and Services (both DCs are GCs), I got "The following error occurred during the attempt to synchronize the domain controllers: Access is denied".

*Both DCs are running Windows 2000 SP4. They are pointing to themselves for DNS and the zones are AD-integrated.
I also stopped Netlogon and restarted Netlogon already.

Here is the log after I ran DCDIAG /FIX, in the attachment:
DCDIAG.txt
Asked by wuitsung
1 Solution
 
Darius Ghassem commented:
When you look at the FSMO roles now, do you see them on the new server? Do you have a firewall on either server? Make sure the new DNS server has the correct IP address listed for DNS and do the same for the old DC; there should be no 127.0.0.1 addresses in there for DNS. Plus, I see you have DNS servers listed twice in the TCP/IP settings.
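The three checks in that comment (no loopback address, no server listed twice, and which DNS server the DC queries first) can be scripted rather than read off the TCP/IP dialog. The following is an added example, not code from the thread: it is meant to be run on the DC being checked with PowerShell 3 or later, and `$PartnerDc` is a hypothetical address standing in for the other domain controller. The last line is an extra sanity check that the DC locator SRV record resolves through the partner.

```powershell
# Added example, not from the thread: audit this DC's own DNS client settings
# for loopback entries, duplicate entries and which server is queried first.
# Assumes PowerShell 3+ on the DC; $PartnerDc is a hypothetical address.
param([string]$PartnerDc = '192.168.1.10')

function Test-DcDnsClient {
    param([string]$PartnerDc)
    $findings = @()
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration |
                Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder }
    foreach ($a in $adapters) {
        $tag     = "[$($a.Description)]"
        $servers = @($a.DNSServerSearchOrder)
        $ownIps  = @($a.IPAddress)

        # 127.0.0.1 / ::1 in a DC's DNS list is the first thing to rule out
        $loop = $servers | Where-Object { $_ -in '127.0.0.1', '::1' }
        if ($loop) { $findings += "$tag loopback address used for DNS: $($loop -join ', ')" }

        # the same server entered twice hides the real secondary
        $dupes = $servers | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name
        if ($dupes) { $findings += "$tag DNS server listed more than once: $($dupes -join ', ')" }

        # while replication is incomplete the partner DC should be queried first
        if ($servers[0] -in $ownIps) {
            $findings += "$tag queries itself first ($($servers[0])); point at $PartnerDc first until replication completes"
        } elseif ($servers[0] -ne $PartnerDc) {
            $findings += "$tag primary DNS is $($servers[0]), not the partner DC $PartnerDc"
        }
        if ($PartnerDc -notin $servers) { $findings += "$tag partner DC $PartnerDc is not listed at all" }
    }
    $findings
}

$result = Test-DcDnsClient -PartnerDc $PartnerDc
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'DNS client settings look sane' }

# confirm the DC locator record is visible through the partner's DNS
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" $PartnerDc
```

Run it on both DCs; the one that reports "queries itself first" is the one that will keep failing to find its partner when the zone it depends on lives only on the partner.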
 
Darius Ghassem commented:
Are any of the servers SBS?
 
wuitsung (Author) commented:
There is no DBS in my network. From the new server, I see the 5 FSMO roles already transferred to the new server. I also confirmed that from the old server. There is no firewall installed on either server. I confirmed the IPs are good. Both DCs point to themselves for DNS and point to each other for secondary. I don't see any 127.0.0.1 in DNS. Entries are the same in each DC. I even tried to delete the DNS and recreate it. By the way, the dcdiag was run from the new DC. I also tried to shut down the old DC to test whether a client is able to join the domain, but it failed. It says something like the IP mapping is wrong or not connected. But once the old DC is on, the client is able to join the domain. I think there should be something to do with the failed message in dcdiag I showed you here.
 
wuitsung (Author) commented:
Sorry, typing mistake... It's SBS.
 
Darius Ghassem commented:
If the clients still have the old server's DNS server listed in their TCP/IP settings, then they will still look for it when logging on. What the error says is that the new DC hasn't fully replicated. If you aren't getting any errors on the old DC, then I would transfer the roles back to the old DC, then demote the new DC, then re-promote. Can you post the exact errors you are getting in the Event Log?
 
wuitsung (Author) commented:
The client already changed the DNS to point to the new DC. But even if I don't change it, it's also supposed to work, because the old DC is still there.

The netlog.log here was generated from the new DC. There are more errors in the old DC after running dcdiag and dcdiag /fix.

In the event log of the new DC, there is no DNS error. I am not at the server now, so I cannot get the event logs. I will try to attach them here.

I heard in Windows 2000 there is something called the DNS island problem. Do you think I need to point the old DC's DNS to the new DC?
 
Darius Ghassem commented:
Yes, you should have one central DNS server that all DCs point to for their primary. Sorry, I must just have been thinking that; I thought I had posted for you to do that, but it must have been another post.
 
wuitsung (Author) commented:
But I think even if I point the old DC to the new DC as primary DNS, the new DC will still generate the same fail message as I showed you in the attachment... What do you think?
 
Darius Ghassem commented:
You are getting the replication error on the new DC, correct? The new DC should be pointing to the old DC for DNS until replication is fully done. Make sure that all firewalls and AV are disabled. You might have to transfer the roles back to the old DC, then demote the new DC, then re-promote.
 
wuitsung (Author) commented:
Is there anything to do with antivirus??? I know the 2 servers are running AVG...

So to summarize, you mean even though I now have all FSMO roles on the new DC, you want the new DC to point to the old DC as DNS? Then after the replication is done (how can I prove it's done?), transfer all FSMO roles back to the old DC, demote the new DC and promote it again. Correct?
 
Darius Ghassem commented:
If replication still isn't finished at this point, then you will most likely have to transfer the FSMO roles back to the old server, then demote the new server. Make sure DNS points to the old server, then promote the new server again.

If you go to AD Sites and Services, then right-click NTDS Settings, then Replicate, do you get an error or an event in the event log?

Yes, AVG could be the issue. Make sure you disable the AV until replication is finished. You can try to disable it, then manually replicate like the steps above in AD Sites and Services.
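The "Replicate now" action in AD Sites and Services and the two checks that most often explain a synchronisation that fails with "Access is denied" can be done from a prompt. That error is what Kerberos produces when the two DCs' clocks differ by more than five minutes or when the secure channel between them is broken, so both are worth checking before touching FSMO roles or antivirus. The script below is an added example and not part of the thread; it assumes repadmin.exe is present (Support Tools on 2000/2003, built in from Server 2008, and the `/csv` switch needs the 2008 or later version), w32tm /stripchart (XP/2003 and later), and hypothetical DC names OLD-DC and NEW-DC. Regarding the antivirus point: rather than running with AV fully disabled, the usual practice is to exclude the NTDS database and log directories, SYSVOL and the FRS staging and jet folders from real-time scanning, which removes the interference without leaving the DC unprotected.

```powershell
# Added example, not from the thread: check and force AD replication between
# the two DCs with repadmin, plus the clock-skew and secure-channel checks that
# usually explain "Access is denied" on a sync. Hypothetical names OLD-DC/NEW-DC.
param([string]$OldDc = 'OLD-DC', [string]$NewDc = 'NEW-DC')

function Get-ReplFailures {
    # repadmin's CSV listing of inbound partners for $Dc, reduced to the rows
    # that have recorded failures (the column names are repadmin's own)
    param([string]$Dc)
    repadmin /showrepl $Dc /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Get-DcClockSkew {
    # w32tm /stripchart prints the offset of $Against's clock relative to this
    # machine; a data line looks like "12:00:01, +00.0123456s"
    param([string]$Against)
    $line = w32tm /stripchart /computer:$Against /samples:1 /dataonly | Select-Object -Last 1
    if ("$line" -match '([+-]?\d+\.\d+)s') { [math]::Abs([double]$matches[1]) } else { $null }
}

'--- inbound replication failures recorded on the new DC ---'
Get-ReplFailures -Dc $NewDc | Format-Table -AutoSize

'--- clock offset between the DCs, in seconds ---'
$skew = Get-DcClockSkew -Against $OldDc
if ($null -eq $skew)   { Write-Warning "could not read $OldDc's clock; check RPC/firewall" }
elseif ($skew -gt 300) { Write-Warning "clock skew of $skew s exceeds the Kerberos tolerance" }
else                   { "skew $skew s is within tolerance" }

'--- secure channel of this machine to the domain ---'
nltest /sc_verify:$env:USERDNSDOMAIN

'--- force a pull of the domain partition into the new DC from the old one ---'
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
repadmin /replicate $NewDc $OldDc $domainDn
repadmin /replsummary
```

If the forced pull still reports status 5 with the clocks in sync and the secure channel verified, the remaining usual cause is a stale computer password on one DC after the reboots, which `netdom resetpwd` on the affected DC addresses.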
 
wuitsung (Author) commented:
I think replication has not finished on the new DC, because in the attachment I showed you here:
"Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."

So you want the new DC to point to the old DC as DNS and wait until replication is finished, then transfer the FSMO roles back to the old PC? Or do you just want me to transfer all FSMO roles back now without waiting for replication to finish? Could you please confirm the steps again?

In AD Sites and Services, I got the failed message "The following error occurred during the attempt to synchronize the domain controllers: Access is denied".

Could you please also tell me why antivirus can be a problem???
 
Darius Ghassem commented:
1. You want to transfer the roles back over to the old DC.
2. Demote the new DC.
3. Do a metadata cleanup. You must run this on the old DC to remove any objects that are lingering for the new DC:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
4. Point the new DC's DNS settings to the old DC.
5. Promote the new DC, then allow replication to occur overnight.

Make sure your AV is disabled when doing all of this. Once the first replication is finished and you have tested with dcdiag, then turn on AV again.

If you have AV running during the first replication, then the AV can block or corrupt the data. So, during the first replication you want it to be disabled so you know you got the current data from the other DC.
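Steps 1, 3 and 4 of that procedure are all ntdsutil or netsh dialogue, and typing them by hand is where mistakes creep in. Below is an added example, not code from the thread or from the linked article, that drives them from PowerShell. It also covers the seize case raised later in the thread (the `-Seize` switch), which is the only difference when the role holder is gone for good. Assumptions: it runs on the old DC under a Domain Admin/Enterprise Admin account; OLD-DC, NEW-DC, the site name and the configuration DN are hypothetical placeholders; the ntdsutil syntax is that of Windows Server 2003 SP1 and later (`transfer naming master`, `remove selected server <DN>`). On Windows 2000 the role is spelled `transfer domain naming master` and the server to remove must be picked interactively under `select operation target`, so only the command list changes. Two caveats a practitioner should hold onto: `seize` and `remove selected server` each pop up a confirmation dialog, so the script is not fully unattended, and a DC whose roles were seized must never be brought back onto the network without being rebuilt, because it still believes it owns them.

```powershell
# Added example, not from the thread: FSMO transfer/seize, metadata cleanup and
# DNS re-pointing driven through ntdsutil and netsh. All names are hypothetical.
param(
    [string]$OldDc    = 'OLD-DC',
    [string]$NewDc    = 'NEW-DC',
    [string]$OldDcIp  = '192.168.1.10',
    [string]$Site     = 'Default-First-Site-Name',
    [string]$ConfigDn = 'CN=Configuration,DC=abc,DC=xyz,DC=com',
    [switch]$Seize    # only when the current role holder cannot be brought back
)

function Invoke-Ntdsutil {
    # ntdsutil.exe accepts its menu commands as command-line arguments, one
    # argument per command; splatting the array quotes the ones with spaces
    param([string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exited with code $LASTEXITCODE" }
    $out
}

function Move-FsmoRoles {
    # Step 1: move all five roles to $Target. 'seize' first attempts a clean
    # transfer and only forces ownership if the holder does not answer.
    param([string]$Target, [switch]$Seize)
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    $cmds = @('roles', 'connections', "connect to server $Target", 'quit')
    foreach ($role in 'schema master', 'naming master', 'infrastructure master', 'pdc', 'rid master') {
        $cmds += "$verb $role"
    }
    $cmds += 'quit', 'quit'
    Invoke-Ntdsutil $cmds
}

function Remove-DcMetadata {
    # Step 3: delete the server/NTDS Settings object left behind by a DC that
    # did not demote cleanly. Run against the DC that stays ($OldDc).
    param([string]$DeadDc)
    $serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$ConfigDn"
    Invoke-Ntdsutil @('metadata cleanup', 'connections', "connect to server $OldDc", 'quit',
                      "remove selected server $serverDn", 'quit', 'quit')
}

Move-FsmoRoles -Target $OldDc -Seize:$Seize
netdom query fsmo                 # every line should now name $OldDc

# Step 2 (dcpromo on NEW-DC, interactive or with /answer:<file>) happens here.
# Only if it did not complete, or to be safe as suggested above:
Remove-DcMetadata -DeadDc $NewDc
# Metadata cleanup leaves the computer account, the DNS records and the FRS
# member object of NEW-DC behind; delete those by hand before re-promoting.

# Step 4, typed on NEW-DC: query the old DC first, itself only as secondary
"netsh interface ip set dns name=`"Local Area Connection`" static $OldDcIp"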
 
wuitsung (Author) commented:
OK. Thank you very much. I will try it. But as you said: "If you have AV running during the first replication then the AV can block or corrupt the data... ...Once the first replication is finished and you have tested with dcdiag then turn on AV again."

But are you sure that the second replication or the next replication will not be blocked or the data corrupted by AV??
 
Darius Ghassem commented:
You can't be sure, but usually everything is good to go once you get the first replication in. That is why you should test your network for the first couple of weeks after a promotion or configuration change.
 
wuitsung (Author) commented:
For your last post, step 1, "1. You want to transfer the roles back over to the old DC.": do you have to use the old DC as primary DNS here in the new DC?
 
wuitsung (Author) commented:
Sorry, just one more thing:
2. Demote the new DC
3. Do a metadata cleanup. You must run this on the old DC to remove any objects that are lingering for the new DC

If I can successfully demote the new DC, I think I don't need to run the metadata cleanup, right? I think it's only for when you have failed to promote or demote a DC... right?
 
Darius Ghassem commented:
At this point, to transfer the roles back you shouldn't have to, but you might. Just try transferring them before switching DNS.

Correct, you will only need to do a metadata cleanup if the DC fails to demote correctly, but I would go through the process just in case, since you had some issues.
 
wuitsung (Author) commented:
Do you mind if I ask you an extra question? Nothing to do with the topic here...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23847776.html

I followed what KCTS said, but if the old DC is totally down and I cannot even bring it online anymore, I have to use NTDSUTIL to seize the roles. In this case, I also have to use the metadata cleanup, right? Or is it OK if I just leave the objects there?
 
Darius Ghassem commented:
If the DC has failed, then you need to do the metadata cleanup on AD. Also, you can try this burflags method to see if you can force replication before demoting the DC; from this post, it's worth a try.

http://support.microsoft.com/kb/315457/
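The burflags method in that KB article is a non-authoritative restore of SYSVOL under FRS: the DC discards its own copy and pulls SYSVOL again from a partner, which is exactly what the "system volume has not been completely replicated" warning is about. The script below is an added example, not code from the thread or from the KB, that applies the D2 value on the affected DC and then waits for the FRS events the article tells you to look for. It assumes SYSVOL is still replicated by FRS (Windows 2000/2003, or later versions never migrated to DFSR), that it runs as an administrator on that DC, and that the FRS event log exists under its classic name. D4, the authoritative variant, is deliberately allowed by the function but must only ever be set on one DC, since it makes that DC's copy overwrite every other.

```powershell
# Added example, not from the thread: non-authoritative FRS restore of SYSVOL
# (BurFlags = D2, KB 315457) on the DC whose system volume never finished
# replicating, followed by a wait for the events that signal completion.
$frsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsBurFlags {
    # Written through .NET rather than the HKLM: provider because the key name
    # contains a '/', which the PowerShell registry provider treats as a path separator.
    param([ValidateSet('D2', 'D4')][string]$Mode)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($frsKey, $true)
    if (-not $key) { throw 'FRS key not found; SYSVOL is probably DFSR-replicated, where BurFlags does not apply' }
    try   { $key.SetValue('BurFlags', [Convert]::ToInt32($Mode, 16), [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SysvolReady {
    # Netlogon sets SysvolReady=1 once it shares SYSVOL and NETLOGON; 0 is the
    # state behind dcdiag's "not working properly as a DC" warning.
    $nl = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
    try { [int]$nl.GetValue('SysvolReady', 0) } finally { $nl.Close() }
}

"SysvolReady before: $(Get-SysvolReady)"
Stop-Service NtFrs
Set-FrsBurFlags -Mode D2          # D2 = non-authoritative: discard local copy, pull from a partner
Start-Service NtFrs

# FRS logs 13565 when the non-authoritative restore starts and 13516 once the
# DC may advertise again; give it 15 minutes before concluding it is stuck.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $events = Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddMinutes(-20) |
              Where-Object { $_.EventID -in 13565, 13516 }
} until (($events | Where-Object EventID -eq 13516) -or (Get-Date) -gt $deadline)

$events | Select-Object TimeGenerated, EventID, @{n = 'Message'; e = { $_.Message.Split("`n")[0] }}
"SysvolReady after: $(Get-SysvolReady)"
dcdiag /test:NetLogons
```

If 13516 never appears, the FRS log will normally carry a 13508 ("unable to replicate from partner") pointing back at the DNS or RPC problem between the two DCs, which is the thing to fix before retrying.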
 