Solved

Not able to decommission a DC in a single domain......

Posted on 2008-10-28
21
312 Views
Last Modified: 2013-12-05
I have a single domain called something like abc.xyz.com. I don't know why the last person used it as the local domain. If it were me, I would use something like xyz.local anyway. There is one DC/DNS/GC running on a slow old PC. I tried to set up a new PC and transferred all 5 FSMO roles to the new PC. It went successfully I think, because it was the last person doing it. I just checked the roles on each DC, and the roles changed there. But the problem here is when I run DCDIAG /FIX, I get one of the fail messages: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC....

Also when I tried to do replication from site and service (Both DC are GCs), I got "The following error occurred during the attempt to synchronize the domain controllers: Access is denied"....

*Both DCs are running Windows 2000 SP4. They point to themselves for DNS and they are AD-Integrated.
I also stopped and restarted netlogon already...

Here is the log after I run DCDIAG /FIX in the attachment.
DCDIAG.txt
Question by:wuitsung
21 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22823608
When you look at the FSMO roles now, do you see them on the new server? Do you have a firewall on either server? Make sure the new DNS has the correct IP address listed for DNS and do the same for the old DC; there should be no 127.0.0.1 addresses in for DNS. Plus, I do see that you have DNS servers listed twice in the TCP\IP settings.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22823620
Are any of the servers SBS?
0
 

Author Comment

by:wuitsung
ID: 22826918
There is no DBS in my network. From the new server, I see the 5 FSMO roles already transferred to the new server. I also confirmed that from the old server. There is no firewall installed on either server. I confirmed the IPs are good. Both DCs point to themselves for DNS and point to each other for secondary. I don't see any 127.0.0.1 in DNS. Entries are the same in each DC. I even tried to delete the DNS and recreate it. By the way, the dcdiag was run from the new DC. I also tried to shut down the old DC to test whether a client is able to join the domain, but it failed. It says something about IP mapping being wrong or not connected. But once the old DC is on, the client is able to join the domain. I think there should be something to do with the failed message in dcdiag I showed you here....
0
 

Author Comment

by:wuitsung
ID: 22826926
Sorry, typing mistake... It's SBS
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22827150
If the clients still have the old server's DNS server listed in their TCP\IP settings then they will still look for it when logging on. What the error says is that the new DC hasn't fully replicated. If you aren't getting any errors on the old DC then I would transfer the roles back to the old DC, then demote the new DC, then repromote. Can you post the exact errors you are getting in the Event Log?
0
 

Author Comment

by:wuitsung
ID: 22827816
The client already changed the DNS to point to the new DC. But even if I don't change it, it's also supposed to work, because the old DC is still there.

The netlog.log here was generated from new DC. There are more errors in old DC after running dcdiag and dcdiag /fix.

In the event log of new DC, there is no error of DNS. I am not at the server now, I cannot get the event logs. I will try to attach here.

I heard in Windows 2000 there is something called the DNS island problem. Do you think I need to point the old DC's DNS to the new DC?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22830467
Yes, you should have one central DNS server that all DCs point to for their primary. Sorry, I must just have been thinking that; I thought I posted for you to do that, but it must have been another post.
0
 

Author Comment

by:wuitsung
ID: 22831626
But I think even if I point the old DC to the DC as primary DNS, the new DC will still generate the same fail message as I showed you in the attachment... What do you think?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22831680
You are getting the replication error on the new DC, correct? The new DC should be pointing to the old DC for DNS until replication is fully done. Make sure that all firewalls and AV are disabled. You might have to transfer the roles back to the old DC, then demote the new DC, then re-promote.
0
 

Author Comment

by:wuitsung
ID: 22831879
Is there anything to do with antivirus??? I know the 2 servers are running AVG.....

So to summarize, you mean even now that I have all FSMO roles on the new DC, you want the new DC to point to the old DC as DNS? Then after the replication is done.. (how can I prove it's done?), transfer all FSMO back to the old DC and demote the new DC and promote again. Correct?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22831951
If replication still isn't finished at this point then you will most likely have to transfer the FSMO roles back to the old server, then demote the new server. Make sure DNS points to the old server, then promote the new server again.

If you go to AD sites and services then right-click NTDS settings then replicate do you get an error or an event in the event log?

Yes, AVG could be the issue. Make sure you disable the AV until replication is finished. You can try to disable then manually replicate like the steps above in AD sites and services.
0
 

Author Comment

by:wuitsung
ID: 22832097
I think replication is not finished on the new DC, because in the attachment I showed you here "Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
"

So you want the new DC to point to the old DC as DNS and wait until replication is finished, then transfer the FSMO roles back to the old PC? Or do you just want me to transfer all FSMO back now without waiting for replication to finish? Could you please confirm the steps again?

In AD sites and services, I got failed message "The following error occurred during the attempt to synchronize the domain controllers: Access is denied"

Could you please also tell me why antivirus can be a problem???
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 300 total points
ID: 22832214
1. You want to transfer the roles back over to the old DC.
2. Demote the new DC.
3. Do a metadata cleanup. You must run this on the old DC to remove any objects that are lingering for the new DC.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
4. Point the new DC's DNS settings to the old DC.
5. Promote the new DC, then allow replication to occur overnight.

Make sure your AV is disabled when doing all of this. Once the first replication is finished and you have tested with dcdiag, then turn on AV again.

If you have AV running during the first replication then the AV can block or corrupt the data. So, during the first replication you want it to be disabled so you know you got the current data from the other DC.
0
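Added here as a practitioner's pre-flight check for steps 4 and 5 above; it is not code from the thread or its author. It is a Windows PowerShell script, run from a management host, that audits the new DC's DNS client settings against the rules given in this thread (partner DC first, no 127.0.0.1, no duplicate entries), flags a running AVG service, and collects dcdiag test failures. The DC name NEWDC and the partner IP 192.0.2.10 are placeholders.

```powershell
# Added pre-flight check for steps 4 and 5 above; not code from the thread.
# Audits the DC's DNS client settings via WMI against the rules given here
# (partner DC first, no 127.0.0.1, no duplicates), flags a running AVG
# service and lists dcdiag failures. NEWDC and 192.0.2.10 are placeholders.
param(
    [string]$DcName    = 'NEWDC',       # DC being re-promoted (assumed name)
    [string]$PartnerIp = '192.0.2.10'   # old DC's IP, expected as primary DNS
)
function Test-DcDnsClient {
    param([string]$Computer, [string]$Partner)
    $problems = @()
    $nics = Get-WmiObject -ComputerName $Computer -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) { $problems += "$($nic.Description): no DNS servers set"; continue }
        if ($dns -contains '127.0.0.1') { $problems += "$($nic.Description): 127.0.0.1 listed as DNS server" }
        if ($dns[0] -ne $Partner) { $problems += "$($nic.Description): primary DNS is $($dns[0]), expected $Partner" }
        # the same server listed twice, as seen in the poster's TCP/IP settings
        foreach ($g in ($dns | Group-Object | Where-Object { $_.Count -gt 1 })) {
            $problems += "$($nic.Description): $($g.Name) listed $($g.Count) times"
        }
    }
    return $problems
}

function Get-RunningAv {
    param([string]$Computer)
    # AV must be off during the first replication; AVG is what the poster runs
    Get-Service -ComputerName $Computer |
        Where-Object { $_.DisplayName -like '*AVG*' -and $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name
}

function Get-DcdiagFailures {
    param([string]$Computer)
    # dcdiag reports each failing test as "... <DC> failed test <Name>"
    $failed = @()
    foreach ($line in (& dcdiag.exe "/s:$Computer" 2>&1)) {
        if ("$line" -match 'failed test (\S+)') { $failed += $Matches[1] }
    }
    return $failed
}
$dnsIssues   = @(Test-DcDnsClient -Computer $DcName -Partner $PartnerIp)
$avRunning   = @(Get-RunningAv -Computer $DcName)
$dcdiagFails = @(Get-DcdiagFailures -Computer $DcName)
$dnsIssues   | ForEach-Object { "DNS:    $_" }
$avRunning   | ForEach-Object { "AV:     $_ is running; stop it until the first replication is done" }
$dcdiagFails | ForEach-Object { "DCDIAG: failed test $_" }
if (-not ($dnsIssues + $avRunning + $dcdiagFails)) { 'OK: ready for steps 4 and 5' }
```

Re-run it after the overnight replication in step 5; the dcdiag section must come back clean before AV is turned on again.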
 

Author Comment

by:wuitsung
ID: 22832297
Ok. Thank you very much. I will try it. But as you said "If you have AV running during the first replication then the AV can block or corrupt the data... ...Once the first replication is finished and you have tested with dcdiag then turn on AV again."

But are you sure that the second replication or the next replication will not be blocked, or the data corrupted, by AV??
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22832364
You can't be sure, but usually everything is good to go once you get the first replication in. That is why you should test your network the first couple of weeks after a promotion or configuration change.
0
 

Author Comment

by:wuitsung
ID: 22832827
For your last, last post, in step 1 "1. You want to transfer the roles back over to the old DC." Do you have to use the old DC as primary here in the new DC?
0
 

Author Comment

by:wuitsung
ID: 22832879
Sorry, just one more thing,
2. Demote the new DC
3. Do a metadata cleanup. You must run this on the old DC to remove any objects that are lingering for the new DC

If I can successfully demote the new DC, I think I don't need to run the metadata cleanup, right? I think it's only for when you fail to promote or demote a DC.. right?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22833723
At this point, to transfer the roles back you shouldn't have to, but you might. Just try transferring them before switching DNS.

Correct, you will only need to do a metadata cleanup if the DC fails to demote correctly, but I would go through the process just in case since you had some issues.
0
 

Author Comment

by:wuitsung
ID: 22833793
Do you mind if I ask you an extra question? Nothing to do with the topic here...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23847776.html

I followed what KCTS said, but if the old DC is totally down and I cannot even bring it online anymore, I have to use NTDSUTIL to seize the roles. In this case, I also have to use the metadata cleanup, right? Or is it OK if I just leave the objects there?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22834067
If the DC has failed then you need to do the metadata cleanup on AD. Also, you can try this burflag method from this post to see if you can force replication before demoting the DC; it's worth a try.

http://support.microsoft.com/kb/315457/
0
 

Author Comment

by:wuitsung
ID: 22837033
0
