bradlee27514 asked:

trouble demoting a dc

I have 2 DCs and I'm trying to demote one. When I do, it prompts me for a new password. After I enter one the wizard fails and says:

The operation failed because:

Managing the network session with dnspokey.tpai.local failed

logon failure:  the target account name is incorrect
ksalameh:

Hi,
If the domain controller is not holding any of the operation masters, try to delete it from dsa.msc. The console will inform you that it's a domain controller; choose the option that says the domain controller is not working.
After that, perform replication to replicate the settings to all domain controllers in the domain.
 
bradlee27514 (ASKER):
I selected "I want to demote this DC from the domain and continue using it as a computer".

The other options are:
"I want to restart AD replication for this DC"

and

"This DC is permanently offline and can no longer be demoted using the AD Installation Wizard"

I get:
"Deleting this object directly should only be used to delete a DC that is permanently offline. Use dcpromo to demote a DC that is still functioning."
Hi,
Turn off the DC (the one you want to remove) and choose "this DC is permanently offline and can no longer be demoted" etc.
Then proceed with the steps mentioned in my first post.
let me know what happens,
Khaled,
ASKER CERTIFIED SOLUTION (bradlee27514)
Excellent :)
wish you all the luck ;)
Did it work?
Yes, thank goodness :) Thanks for your input!
Hang on a minute! If I can interject, and stop me if I have misunderstood, but just simply deleting the Domain Controller object from ADUC isn't enough to remove it from AD completely.
If you cannot gracefully demote a DC, or the demotion failed for some reason, try running dcpromo /forceremoval on the server. This will remove AD from the server even if it cannot contact the other DCs. Then you will need to run a metadata cleanup of the failed DC using ntdsutil.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Are you also sure that the server doesn't hold any FSMO roles? If it does you will have to seize these roles onto the remaining DC: http://www.petri.co.il/seizing_fsmo_roles.htm 
After this, if /forceremoval didn't work, you will need to re-install the OS on the failed server and re-join it from scratch. These are important steps that you must take in this situation.
If you require any further help I would recommend that you re-open this question.
Perhaps I am the one confused. I simply wanted this server to not be a DC. It is a terminal server, and from what I read it is not a good idea to have a DC be something my users log into. I read this in several places.

"try running dcpromo /forceremoval on the server. "

That's exactly what I did. That's what I meant by "I forced it". AD is no longer on this server.

"Then you will need to run a metadata cleanup of the failed DC using ntdsutil."

I was told elsewhere to do this on the other server that is a functioning DC (and also is where my FSMO roles are). Is that not correct? You are saying I should run the metadata cleanup on the server I did the forced removal for???
Because you have had to use the /forceremoval switch, the chances are that there are remnants of the failed DC still in Active Directory.
You've removed AD from the server, but you haven't removed the server from AD.
So you need to follow the steps in the article to connect to your existing DC, and then remove any traces of the failed DC from the good server's copy of AD. So on your remaining DC, follow the steps and when you connect to a server, connect to the good DC, then target the failed DC for removal. Also follow the additional steps in the article relating to AD Sites and Services, and DNS.
Hope this explains.
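As an added example (not from this thread or the linked article): a read-only PowerShell check, run on the remaining good DC, for what the metadata cleanup described above still has to remove, ending with the ntdsutil command for it. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later) and uses OLD-DC as a placeholder for the force-removed server's hostname.

```powershell
# Added example, not from the thread. Run on the remaining (good) DC after dcpromo /forceremoval
# was used on the other one. Read-only: it reports leftovers and prints the cleanup command,
# it does not delete anything. OLD-DC is a placeholder hostname.
Import-Module ActiveDirectory

$FailedDc = 'OLD-DC'     # hostname of the server that was force-removed (placeholder)

# 1. FSMO roles: none of them may still point at the removed server (seize them first if so).
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $flag = if ($r.Value -like "$FailedDc.*") { 'SEIZE NEEDED' } else { 'ok' }
    '{0,-22} {1,-40} {2}' -f $r.Key, $r.Value, $flag
}

# 2. Remnants of the failed DC: its server object under Sites (with the NTDS Settings child),
#    its computer account, and its NS records in the domain zone.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" -SearchBase "CN=Sites,$configNC"
$computer  = Get-ADComputer -Filter "Name -eq '$FailedDc'" -ErrorAction SilentlyContinue
$nsRecords = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS -ErrorAction SilentlyContinue |
             Where-Object { $_.RecordData.NameServer -like "$FailedDc.*" }

'Server object in Sites : ' + $(if ($serverObj) { $serverObj.DistinguishedName } else { 'none (clean)' })
'Computer account       : ' + $(if ($computer)  { $computer.DistinguishedName }  else { 'none (clean)' })
'NS records left in DNS : ' + $(if ($nsRecords) { @($nsRecords).Count } else { 0 })

# 3. The cleanup itself. ntdsutil accepts its sub-commands as arguments, so the interactive
#    sequence from the article collapses to one line. Printed here, not executed.
if ($serverObj) {
    'Run on this DC to remove the stale metadata:'
    "ntdsutil `"metadata cleanup`" `"remove selected server $($serverObj.DistinguishedName)`" quit quit"
}
```

The server object in AD Sites and Services and any stale DNS records may still need removing by hand after ntdsutil, as the linked article describes.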
Right, I think we're saying the same thing. I used that very article while I did this. I followed those steps on the working DC, and all appears well.

I've even set up a third server as the new additional DC.  The only remaining work I have planned on this task is to make that third server a secondary DNS server.