Trouble demoting a DC

bradlee27514
I have 2 DCs and I'm trying to demote one. When I do, it prompts me for a new password. After I enter one the wizard fails and says:

The operation failed because:

Managing the network session with dnspokey.tpai.local failed

Logon failure: the target account name is incorrect
Commented:
Hi,
If the domain controller is not holding any of the operations master roles, try to delete it from dsa.msc; the console will inform you that it is a domain controller, so choose the option that says the domain controller is not working.
After that, perform replication to replicate the change to all domain controllers in the domain.

Author

Commented:
I selected "I want to demote this DC from the domain and continue using it as a computer".

The other options are:
I want to restart AD replication for this DC

and

This DC is permanently offline and can no longer be demoted using the AD Installation Wizard

I get:
Deleting this object directly should only be used to delete a DC that is permanently offline. Use dcpromo to demote a DC that is still functioning.

Commented:
Hi,
Turn off the DC (the one you want to remove) and choose "this DC is permanently offline and can no longer be demoted..."
Then proceed with the steps mentioned in my first post.
Let me know what happens.
Khaled
Author

Commented:
I forced it before I saw your new reply. I'm waiting for the RAID array to rebuild and then I'm going to restart; hopefully all is well.

Commented:
Excellent :)
wish you all the luck ;)

Commented:
did it work ?

Author

Commented:
yes, thank goodness :) thanks for your input!
bluntTony, Head of ICT
Top Expert 2009

Commented:
Hang on a minute! If I can interject, and stop me if I have misunderstood, but just simply deleting the Domain Controller object from ADUC isn't enough to remove it from AD completely.
If you cannot gracefully demote a DC, or the demotion failed for some reason, try running dcpromo /forceremoval on the server. This will remove AD from the server even if it cannot contact the other DCs. Then you will need to run a metadata cleanup of the failed DC using ntdsutil.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Are you also sure that the server doesn't hold any FSMO roles? If it does you will have to seize these roles onto the remaining DC: http://www.petri.co.il/seizing_fsmo_roles.htm 
After this, if /forceremoval didn't work, you will need to re-install the OS on the failed server and re-join it from scratch. These are important steps that you must take in this situation.
If you require any further help I would recommend that you re-open this question.

Author

Commented:
Perhaps I am the one confused. I simply wanted this server to not be a DC. It is a terminal server, and from what I read it is not a good idea to have a DC be something my users log into. I read this in several places.

"try running dcpromo /forceremoval on the server."

That's exactly what I did. That's what I meant by "I forced it". AD is no longer on this server.

"Then you will need to run a metadata cleanup of the failed DC using ntdsutil."

I was told elsewhere to do this on the other server, the one that is a functioning DC (and also where my FSMO roles are). Is that not correct? You are saying I should run the metadata cleanup on the server I did the forced removal on?
bluntTony, Head of ICT
Top Expert 2009

Commented:
Because you have had to use the /forceremoval switch, the chances are that there are remnants of the failed DC still in Active Directory.
You've removed AD from the server, but you haven't removed the server from AD.
So you need to follow the steps in the article to connect to your existing DC, and then remove any traces of the failed DC from the good server's copy of AD. So on your remaining DC, follow the steps and when you connect to a server, connect to the good DC, then target the failed DC for removal. Also follow the additional steps in the article relating to AD Sites and Services, and DNS.
Hope this explains.
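To make the "remove the server from AD" step concrete, here is an added PowerShell example; it is not code from the thread or from the linked Petri articles. Run on the surviving DC, it audits the things bluntTony lists in his two posts (FSMO role holders, the server and NTDS Settings objects under Sites and Services, the stale DC computer account, and DNS records) for traces of the force-removed DC, and with -Remove seizes the roles, runs the ntdsutil metadata cleanup, deletes the leftovers and pushes replication. The names are assumptions: TS01 for the DC that was force-removed, dnspokey.tpai.local (the host named in the error message in the question) for the DC that was kept; your DC names, site and DNS zone layout may differ.

```powershell
<#
 Added example, not code from the thread or the linked articles.
 Audit the surviving DC for remnants of a DC that was removed with
 "dcpromo /forceremoval"; with -Remove, clean them up.
 Run on the remaining DC as a Domain/Enterprise Admin with the ActiveDirectory
 and DnsServer RSAT modules installed.
 Assumed names: TS01 = the force-removed DC, dnspokey.tpai.local = the DC that
 was kept (hostname taken from the error message in the question).
#>
param(
    [string]$RemovedDc   = 'TS01',
    [string]$RemainingDc = 'dnspokey.tpai.local',
    [switch]$Remove
)
Import-Module ActiveDirectory
Import-Module DnsServer

$configNc  = (Get-ADRootDSE -Server $RemainingDc).configurationNamingContext
$domain    = Get-ADDomain -Server $RemainingDc
$forest    = Get-ADForest -Server $RemainingDc
$domainDns = $domain.DNSRoot

# 1. FSMO roles. A role whose holder is the dead DC has to be seized, not transferred.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$orphanedRoles = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$RemovedDc.*" })
foreach ($r in $orphanedRoles) { Write-Warning "FSMO role $($r.Key) still held by $($r.Value)" }
if ($Remove -and $orphanedRoles.Count) {
    # -Force = seize. Only acceptable because the old holder is never coming back.
    Move-ADDirectoryServerOperationMasterRole -Identity $RemainingDc `
        -OperationMasterRole ($orphanedRoles | ForEach-Object Key) -Force
}

# 2. Sites and Services: the server object and its NTDS Settings child.
#    ntdsutil's metadata cleanup deletes both. If NTDS Settings is still there, the
#    cleanup has not been done and the surviving DC keeps trying to replicate with a ghost.
$server = Get-ADObject -Server $RemainingDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))"
if ($server) {
    $ntds = Get-ADObject -Server $RemainingDc -SearchBase $server.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) {
        Write-Warning "NTDS Settings still present: $($ntds.DistinguishedName)"
        if ($Remove) {
            # The same cleanup the linked article walks through interactively; ntdsutil asks for confirmation.
            ntdsutil "metadata cleanup" "remove selected server $($server.DistinguishedName)" quit quit
        }
    } elseif ($Remove) {
        # Metadata already cleaned, but the empty server object was left behind.
        Remove-ADObject -Server $RemainingDc -Identity $server -Recursive -Confirm:$false
    }
}

# 3. Stale DC computer account in the Domain Controllers OU. Remove it before
#    re-joining the box to the domain as a plain member server.
$computer = Get-ADObject -Server $RemainingDc `
    -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" `
    -LDAPFilter "(&(objectClass=computer)(cn=$RemovedDc))"
if ($computer) {
    Write-Warning "DC computer account still present: $($computer.DistinguishedName)"
    if ($Remove) { Remove-ADObject -Server $RemainingDc -Identity $computer -Recursive -Confirm:$false }
}

# 4. DNS: SRV/NS/CNAME/A records that still advertise the dead DC. Clients and the
#    other DC will keep locating it through these until they are gone.
foreach ($zone in @($domainDns, "_msdcs.$domainDns")) {
    $records = Get-DnsServerResourceRecord -ComputerName $RemainingDc -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$RemovedDc.*") -or
            ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$RemovedDc.*") -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$RemovedDc.*") -or
            ($_.RecordType -eq 'A'     -and $_.HostName -eq $RemovedDc)
        }
    foreach ($rec in $records) {
        Write-Warning "DNS zone $zone : $($rec.HostName) ($($rec.RecordType)) still points at $RemovedDc"
        if ($Remove) {
            Remove-DnsServerResourceRecord -ComputerName $RemainingDc -ZoneName $zone -InputObject $rec -Force
        }
    }
}

# 5. Push the change to every remaining DC and confirm nobody still lists the old partner.
if ($Remove) {
    repadmin /syncall /AdeP
    repadmin /showrepl $RemainingDc
}
```

Run it once without -Remove to see what is left, then with -Remove. If the forest was built on Windows 2000 and upgraded, _msdcs is a subdomain of the domain zone rather than its own zone; the first zone pass then already covers those records and the second is skipped silently. Seizing roles is a one-way operation: once a role has been seized away from the old DC, that machine must never be brought back online with its old AD database, which is exactly why the thread's advice is to reinstall or re-join from scratch.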

Author

Commented:
Right, I think we're saying the same thing. I used that very article while I did this. I followed those steps on the working DC, and all appears well.

I've even set up a third server as the new additional DC.  The only remaining work I have planned on this task is to make that third server a secondary DNS server.
