Solved

Unable to demote an old DC

Posted on 2010-04-10
681 Views
Last Modified: 2012-05-09
Sirs,

We have the following setup:

Windows 2003 R2 Domain with 3 Servers,

01 - SRVDATA01 - Win2003-R2 - Domain Controller with all 5 FSMO roles
02 - SRVMAIL01 - Win2003-R2 - Old Exchange 2003, Domain Controller, no roles
03 - SRVXCH01 - Win2008-SP1 - New Exchange 2007

We are experiencing the following problems:

We are unable to demote the old SRVMAIL01, although it no longer holds any roles. It passes all DcDiag and NetDiag tests except one:

Command: dcdiag /test:CheckSecurityError /replsource:SRVDATA01
Answer: Source DC SRVDATA01 has possible security error 1980

If we turn SRVMAIL01 off (shut down the machine) both SRVDATA01 and SRVXCH01 go crazy, unable to find a domain controller, although the DC with all 5 FSMO roles (SRVDATA01 ) is up and running.

If we run DcPromo on SRVMAIL01 to demote it (it is not the last DC in the domain), the error message says that no DCs are available...

Any help is highly appreciated!
Thanks in advance!
Question by:kodilu
45 Comments
 
LVL 5

Expert Comment

by:thabash
ID: 30307627
Be sure you didn't select the option "this is the last DC in the domain".
Otherwise the error will come as you said.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30309483
Who is the Global Catalog(s)?

dsquery server -isgc
0
 

Author Comment

by:kodilu
ID: 30309544
Thanks, this option is NOT selected.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:kodilu
ID: 30309608
@snusgubben: Both are Global Catalogues
0
 
LVL 24

Expert Comment

by:B H
ID: 30309669
is srvmail01 the dns controller?  you need to make something else the dns controller and make sure the other servers point to the new dns controller on their network cards (and nothing else in the secondary, unless you have 2 live dns servers)

then reboot all 3 so they understand what just happened, and dcpromo him down as intended
0
 

Author Comment

by:kodilu
ID: 30309914
@bryon44035v3: SRVMAIL01 is the one being demoted; all services and FSMO roles are transferred to SRVDATA01 and the latter is the only DNS server. Yes, the other servers point ONLY to the new DNS controller on their network cards.
0
 
LVL 5

Expert Comment

by:thabash
ID: 30310033
Remove the global catalog from the old and try
0
 

Author Comment

by:kodilu
ID: 30310909
@thabash: Hi! We just did that, tried DCpromo to demote again and got the same problem :( Thanks anyway!
0
 
LVL 5

Expert Comment

by:thabash
ID: 30311367
Can you post an image of the error?
0
 
LVL 24

Expert Comment

by:B H
ID: 30311815
how about dcpromo /forceremoval

http://support.microsoft.com/kb/332199
0
 

Author Comment

by:kodilu
ID: 30312115
A print screen is attached here:

Screen-shot-2010-04-10-at-4.14.4.jpg
0
 
LVL 24

Expert Comment

by:B H
ID: 30312425
where's the error, just click yes
0
 
LVL 5

Expert Comment

by:thabash
ID: 30312633
I agree with bryon
Press yes
And send the screenshot after that to us
0
 

Author Comment

by:kodilu
ID: 30312783
bryon44035v3: If we force remove it with dcpromo /forceremoval, the same will happen as when we shut it down: the other 2 servers go bananas in search of "something" on it... :(
0
 
LVL 5

Expert Comment

by:thabash
ID: 30313127
Then, as bryon said about DNS:
Be careful, it seems you have a problem with DNS and it might screw up your system.
Slow down and don't demote any server now, as after demoting it nobody might be able to log on.
Send a screenshot of your DNS settings.
0
 
LVL 24

Expert Comment

by:B H
ID: 30313143
Hmm. Are you sure ALL the roles were really transferred, and that this machine we want to go away is not running the DNS server?
0
 

Author Comment

by:kodilu
ID: 30313157
@bryon44035v3 +
@thabash:
OK, but if we click YES we're afraid it will do the demote and after that the other 2 servers will keep on looking for that "something" on it and AD goes crazy...
But we're doing a backup of System State and will go ahead with hitting YES. Then we'll see... if the Domain goes crazy again, we'll restore! Will let you know the final result ASAP.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30313317
When you turn off the DC and the other DCs can't find any DC, I think it is DNS issues.

Please post the output of your last replication cycle:

repadmin /replsum

and a dcdiag:

dcdiag /v /e /c /f:dcdiag.txt

0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30313358
You should NOT press 'Yes'
0
 
LVL 5

Expert Comment

by:thabash
ID: 30313488
OK, take a backup of the full drive C and of the system state.
And then don't worry, click yes.
You only need to be worried if your DNS is on this server.

The DNS will make you crazy, not the demoting.
0
 

Author Comment

by:kodilu
ID: 30313696
@bryon44035v3: Yes - all 5 roles are being held by SRVDATA01 and DNS is also on SRVDATA01, the only DNS. If you check the ROLES on SRVDATA01 when SRVMAIL01 is up and running, the 5 ROLES show up on SRVDATA01 as being held by itself (SRVDATA01), but when we disconnect SRVMAIL01 and go back to SRVDATA01 to check the ROLES this server no longer knows anything...

We ran the Microsoft IT Health Scanner and all is OK - Green, except for only one error:
- "Domain Controllers are not hosting the root DNS zone. DNS Delegation for the "OUR-TROUBLED-DOMAIN" on the SRVDATA01 server could not be verified as functioning correctly."

We're trying to investigate this now. Any ideas?
0
 
LVL 24

Expert Comment

by:B H
ID: 30314087
So it seems like your srvdata server either isn't running DNS, or doesn't have all the SRV records in there.

is it integrated into AD or just a basic copy of what the demoting server had?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30314090
Which DC is authoritative for the root zone?

If srvdata01 has a delegated zone, you should remove the delegation and make it authoritative for the root zone.
0
 

Author Comment

by:kodilu
ID: 30314126
@snusgubben: thanks for your input. Pressing YES is put on HOLD!
Here are the requested outputs. Thanks in advance!

dcdiag.txt
repadmin.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30315749
You have delegated the _msdcs zone to the DC you're trying to demote and the delegation is broken.

From the dcdiag log: "Delegation is broken for the domain _msdcs.charmetours.local. on the DNS server 192.168.1.152"

You should remove the delegation (it will appear as a "greyed out" _msdcs folder)
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30317062
I'll be gone for some time, but I'm sure you and the other experts can handle this (as long as you stay away from the 'Yes' :)

For clients to find DCs, DNS is vital. If you have DNS issues, then you will have domain issues. Your replication is fine, so my bet is the delegated zone.

Here is a little input on delegation: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Good luck!

SG
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30317314
One other thing. I hope you have removed Exchange from the DC you're going to demote. If Exchange is still on this DC and in production, a DCPROMO will destroy Exchange.
0
 
LVL 5

Expert Comment

by:thabash
ID: 30317472
I agree with snusgubben:

You have a problem here:
  TEST: Delegations (Del)
                  Delegation information for the zone: charmetours.local.
                     Delegated domain name: _msdcs.charmetours.local.
                        DNS server: srvdata01.charmetours.local. IP:192.168.1.153 [Valid]
                        Error: DNS server: srvmail01.charmetours.local. IP:192.168.1.152 [Broken delegation]

Solution:
Add the missing NS records for all servers that have the full
_msdcs.mydomain.com zone,

or remove the delegation.
0
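The two experts above are both pointing at the same thing: the DC locator finds domain controllers through the SRV and NS records under _msdcs, not through the FSMO roles, so a delegation that still names a DC being retired breaks lookups once that DC goes away. The following script is an added example (editor's code, not from this thread or from any poster) that audits those records from the DNS server that will remain. It assumes a domain-joined Windows Server 2012 / Windows 8 or later host with the ActiveDirectory and DnsClient PowerShell modules; the domain name and the DNS server address are the values from the thread and are placeholders for your own.

```powershell
# Added example, not from the thread: audit the _msdcs records that DC location depends on,
# so a stale delegation or a missing locator record is found before a DC is demoted.
# Assumptions: Windows Server 2012 / Windows 8 or later, ActiveDirectory and DnsClient
# modules available; $Domain and $DnsServer are the thread's values (replace as needed).
$Domain    = 'charmetours.local'
$DnsServer = '192.168.1.153'   # DNS server that will remain (SRVDATA01 in the thread)

Import-Module ActiveDirectory

# 1. Domain controllers the directory itself knows about.
$dcs     = Get-ADDomainController -Filter * -Server $Domain
$dcNames = $dcs | ForEach-Object { $_.HostName.ToLower() }

# 2. Name servers currently advertised for _msdcs. A delegation left behind for a DC that
#    no longer hosts the zone shows up here as an NS record naming that host.
$nsHosts = Resolve-DnsName -Name "_msdcs.$Domain" -Type NS -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'NS' } |
           ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }

foreach ($ns in $nsHosts) {
    if ($dcNames -notcontains $ns) {
        Write-Warning "_msdcs.$Domain names $ns as a name server, but it is not a current DC (stale delegation?)"
    }
}

# 3. Every DC must publish its locator SRV records; the DC locator (and Exchange's AD access
#    layer) finds DCs through these records, not through the FSMO roles.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Expect = $dcs }
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Expect = $dcs }
    @{ Name = "_ldap._tcp.gc._msdcs.$Domain";     Expect = ($dcs | Where-Object IsGlobalCatalog) }
)
foreach ($c in $checks) {
    $targets = Resolve-DnsName -Name $c.Name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    if (-not $targets) {
        Write-Warning "No SRV records at all for $($c.Name) on $DnsServer"
        continue
    }
    foreach ($dc in $c.Expect) {
        if ($targets -notcontains $dc.HostName.ToLower()) {
            Write-Warning "$($dc.HostName) has no SRV record under $($c.Name) on $DnsServer"
        }
    }
}
"Audit of _msdcs.$Domain against $DnsServer complete."
```

On the Windows 2003 servers in this thread the same records can be inspected with `nslookup -type=NS _msdcs.charmetours.local` and `nslookup -type=SRV _ldap._tcp.dc._msdcs.charmetours.local` against the remaining DNS server, and `dcdiag /test:DNS /DnsDelegation` is the built-in check that produced the "Broken delegation" line quoted above. A clean run of this audit is worth having before the demotion, because once the old DC is gone there is nothing left to compare against.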
 

Author Comment

by:kodilu
ID: 30317590
@snusgubben: Thanks! We deleted the "greyed out" _msdcs folder from DNS and we think now it is Authoritative for the Domain as per Print Screen attached.
The problem is that the symptoms are the same: when we unplug SRVMAIL01, then the new Exchange 2007 SRVXCH01 cannot find the Configuration Domain Controller and stays down. When we re-connect SRVMAIL01 and reboot the other servers, all comes up and running normally. DCpromo of SRVMAIL01 results in the same Exclamation Mark...
DcDiag and RepAdmin outputs are now 100% clean, without failures.
Screen-shot-2010-04-10-at-5.27.5.jpg
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 2000 total points
ID: 30321547
Both DC's are GC's.

I'm not much into Exchange but in Exch2003 you got the Recipient Update Service (RUS) that pointed to a Global Catalog. If you remove this GC you had to manually change it on the RUS otherwise the Exchange could not function since it uses the GC and not any FSMO's.

How this works in Exchange 2007 I have no idea of. Maybe as a question in the Exchange zone.

How are your other clients (PC) working when you shut the DC you're going to demote?

The logged-on user, does it have a home folder? Thinking of whether it's located on the old DC...

0
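The accepted answer's point is that Exchange depends on a reachable Global Catalog rather than on any FSMO holder, and the asker's symptom (the Exchange 2007 server cannot find its Configuration Domain Controller once SRVMAIL01 is unplugged) fits that. The script below is an added example (editor's code, not from the thread or from any poster) that makes the dependency visible before a GC is removed: it lists the GCs in the domain and shows which DC and GC the Exchange server has currently selected. It assumes it is run in the Exchange Management Shell of Exchange 2007 or later (where `Get-ExchangeServer -Status` exposes the `CurrentConfigDomainController`, `CurrentDomainControllers` and `CurrentGlobalCatalogs` properties) with the ActiveDirectory module installed; the server and domain names are the thread's.

```powershell
# Added example, not from the thread: list the GCs in the domain and show which DC/GC an
# Exchange 2007+ server has selected, so a GC dependency is visible before that GC is removed.
# Assumptions: Exchange Management Shell (Get-ExchangeServer -Status) plus the ActiveDirectory
# module; $Domain, $Exchange and $Leaving are the thread's names (replace as needed).
$Domain   = 'charmetours.local'
$Exchange = 'SRVXCH01'
$Leaving  = 'srvmail01.charmetours.local'   # DC/GC about to be demoted

Import-Module ActiveDirectory

# Which DCs are global catalogs? Exchange needs a reachable GC, not a FSMO holder.
$gcs = Get-ADDomainController -Filter * -Server $Domain | Where-Object IsGlobalCatalog
"Global catalogs in ${Domain}: $(($gcs | ForEach-Object HostName) -join ', ')"
if (@($gcs).Count -lt 2) {
    Write-Warning "Only one GC in $Domain; removing it leaves Exchange with no GC to fail over to"
}

# Which DC/GC is the Exchange server using right now?
$srv = Get-ExchangeServer -Identity $Exchange -Status
"Config DC       : $($srv.CurrentConfigDomainController)"
"Domain DCs      : $($srv.CurrentDomainControllers -join ', ')"
"Global catalogs : $($srv.CurrentGlobalCatalogs -join ', ')"

# Flag the case the thread describes: Exchange still bound to the DC that is leaving.
$inUse = (@($srv.CurrentConfigDomainController) +
          @($srv.CurrentDomainControllers) +
          @($srv.CurrentGlobalCatalogs)) | ForEach-Object { "$_".ToLower() }
if ($inUse -contains $Leaving.ToLower()) {
    Write-Warning "$Exchange currently depends on $Leaving; confirm it can reach another GC before demotion"
} else {
    "$Exchange is not using $Leaving."
}
```

Run it twice: once with the old DC online and once with it shut down, as the asker did with the whole domain. If the second run shows Exchange unable to pick a Config DC or GC while the first run named the leaving server, the dependency is on that GC (or on the DNS records that advertise it), not on the FSMO roles that were already moved.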
 

Author Comment

by:kodilu
ID: 30322712
snusgubben:
WE MISSED YOU! :)
Thanks for your last input. We checked about RUS and found out that Exchange 2007 does not use RUS anymore. I will give you feedback regarding the Client PC's behavior when SRVMAIL01 is down. ASAP.
--------------
Some info on RUS in XCH 2007:..."Before you begin uninstalling the Exchange 2003 Server, we first need to assign the Recipient Update Service (RUS) to our Exchange 2007 Server. Not because RUS should be used (in fact Exchange 2007 no longer uses RUS), but because the Exchange 2003 Setup program won't let us uninstall Exchange 2003 before RUS has been assigned to another server."...

I'll be back soon...
0
 

Author Comment

by:kodilu
ID: 30322853
Meanwhile, besides the Exchange 2007 issues, the old DC/XCHG, SRVMAIL01, still prompts us with a YES | NO buttons when we try to demote :(

Checking the clients now....BRB
0
 

Author Comment

by:kodilu
ID: 30323609
@snusgubben:
Back from clients: when SRVMAIL01 is down, clients take longer (approx. 1-2 min) to log on. After the wait at the logon screen, it takes another 10-15 min to apply settings :( ...and counting...
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30323695
Try and run:

nltest /dclist:charmetours.local

from both DC. Do they both list the two DC's?
0
 

Author Comment

by:kodilu
ID: 30324063
@snusgubben:
Running this we get the same on both (we did not run it on SRVMAIL01 now since it is down, but an hour ago we ran it on both servers and had the same response). This is the result from SRVDATA01:

C:\>nltest /dclist:charmetours.local
Get list of DCs in domain 'charmetours.local' from '\\SRVDATA01.charmetours.local'.
    srvmail01.charmetours.local       [DS] Site: Default-First-Site-Name
    SRVDATA01.charmetours.local [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30324217
Please post:

netdiag /v > netdiag.txt

Also run: dnslint /ad /s <ip-address of SRVDATA01> /v

(it will create a htm report about DNS registrations. See if you spot something)
0
 

Author Comment

by:kodilu
ID: 30324841
Ran dnslint /ad /s <ip-address of SRVDATA01> /v
No errors, only a note:
One or more DNS servers may not be authoritative for the domain

Output is attached
dnslint.htm
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30325333
could you post "netdiag /v"?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30325399
Do all your clients use SRVDATA01 as preferred DNS?
0
 

Author Comment

by:kodilu
ID: 30325920
Yes, all clients use SRVDATA01 as preferred and only DNS!
Please find attached the "netdiag /v" output.
netdiag2012.txt
0
 

Author Comment

by:kodilu
ID: 30326095
@snusgubben: we're dying! We're going home. We'll leave this for next week. While SRVMAIL01 is UP all is OK! But we need to remove it and format the server for other uses. We'll keep on trying and we'll count on your help. How can we get in touch with you the next time? Thanks for all the help. We'll accept your posts as solutions and award the points. Regards
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 30328468
If you leave this question open I'll see when you're back and ready if you add a comment.

Or start a new question, which can sometimes be clever, since additional experts may come into play.
0
 
LVL 5

Expert Comment

by:thabash
ID: 30328978
I'm so excited to know how you are going to solve this issue.

Snusgubben,
What do you think his problem is?
He sent the results.
Could you please add your comments?
I'm waiting for your comments as well,
as I faced the same issue 5 months back and till now I don't understand what the problem was.
0
 

Author Comment

by:kodilu
ID: 30331384
Guys, thank you so much, @thabash - you too!
OK, lets leave the question open for now until we get back to the client and we shall give it a second try.
Regards and a good weekend to all.
Kostadin
0
 

Author Comment

by:kodilu
ID: 32940423
@DEMAZTER, hello! We did get a LOT of help from @snusgubben and a lot of HELPFUL answers; unfortunately for all of us, there was no definitive solution to the problem. @Thabash also participated actively.
0
