Unable to demote an old DC

Sirs,

We have the following setup:

Windows 2003 R2 Domain with 3 Servers,

01 - SRVDATA01 - Win2003-R2 - Domain Controller with all 5 FSMO roles
02 - SRVMAIL01 - Win2003-R2 - Old Exchange 2003, Domain Controller, no roles
03 - SRVXCH01 - Win2008-SP1 - New Exchange 2007

We are experiencing the following problems:

We are unable to demote the old SRVMAIL01, although it is holding no more roles. It passes all tests DcDiag and NetDiag, except 1 test:

Command: dcdiag /test:CheckSecurityError /replsource:SRVDATA01
Answer: Source DC SRVDATA01 has possible security error 1980

If we turn SRVMAIL01 off (shut down the machine) both SRVDATA01 and SRVXCH01 go crazy, unable to find a domain controller, although the DC with all 5 FSMO roles (SRVDATA01) is up and running.

If we run DcPromo on SRVMAIL01 to Demote it, not being the last DC in the domain, the error message is that no DC's are available...

Any help is highly appreciated!
Thanks in advance!
kodiluAsked:

thabashCommented:
Be sure you didn't select the option "this is the last DC in the domain".
Otherwise the error will come as you said.
0
snusgubbenCommented:
Who is the Global Catalog(s)?

dsquery server -isgc
0
kodiluAuthor Commented:
Thanks, this option is NOT selected.
0
kodiluAuthor Commented:
@snusgubben: Both are Global Catalogues
0
B HCommented:
is srvmail01 the dns controller?  you need to make something else the dns controller and make sure the other servers point to the new dns controller on their network cards (and nothing else in the secondary, unless you have 2 live dns servers)

then reboot all 3 so they understand what just happened, and dcpromo him down as intended
0
kodiluAuthor Commented:
@bryon44035v3: SRVMAIL01 is the one being demoted, all services and FSMO roles are transferred to SRVDATA01 and the latter is the only DNS server. Yes, the other servers point ONLY to the new dns controller on their network cards.
0
thabashCommented:
Remove the global catalog from the old and try
0
kodiluAuthor Commented:
@thabash: Hi! We just did that, tried DCpromo to demote again and got the same problem :( Thanks anyway!
0
thabashCommented:
Can you post the image of the error?
0
B HCommented:
how about dcpromo /forceremoval

http://support.microsoft.com/kb/332199
0
kodiluAuthor Commented:
A print screen is attached here:

Screen-shot-2010-04-10-at-4.14.4.jpg
0
B HCommented:
where's the error, just click yes
0
thabashCommented:
I agree with bryon
Press yes
And send the screenshot after that to us
0
kodiluAuthor Commented:
bryon44035v3: If we force remove it with dcpromo /forceremoval, the same will happen as when we shut it down: the other 2 servers go bananas in search of "something" on it... :(
0
thabashCommented:
Then as bryon said about DNS.
Be careful, it seems you have a problem with DNS and might screw up your system.
Slow down and don't demote any server now, as after demoting it nobody might be able to log on.
Send the screenshot of your DNS settings.
0
B HCommented:
hmm.  are you sure ALL the roles were really transferred, and this machine we want to go away is not running the dns server?
0
kodiluAuthor Commented:
@bryon44035v3 +
@thabash:
OK, but if we click YES we're afraid it will do the demote and after that the other 2 servers will keep on looking for that "something" on it and AD goes crazy...
But we're doing backup of System State and will go ahead with hitting YES. Then we'll see... if the Domain goes crazy again, we'll restore! Will let you know of the final result ASAP.
0
snusgubbenCommented:
When you turn off the DC and the other DCs can't find any DC I think DNS issues.

Please post the output of your last replication cycle:

repadmin /replsum

and a dcdiag:

dcdiag /v /e /c /f:dcdiag.txt

0
snusgubbenCommented:
You should NOT press 'Yes'
0
thabashCommented:
OK, take a backup of the full drive C and of the system state.
And then don't worry, click yes.
You only need to be worried if your DNS is on this server.

The DNS will make you crazy, not the demoting.
0
kodiluAuthor Commented:
@bryon44035v3: Yes - all 5 roles are being held by SRVDATA01 and DNS is also on SRVDATA01, the only DNS. If you check the ROLES on SRVDATA01 when SRVMAIL01 is up and running, the 5 ROLES show up on SRVDATA01 as being held by itself (SRVDATA01), but when we disconnect SRVMAIL01 and go back to SRVDATA01 to check the ROLES this server no longer knows anything...

We ran the Microsoft IT Health Scanner and all is OK - Green, except for only one error:
- "Domain Controllers are not hosting the root DNS zone. DNS Delegation for the "OUR-TROUBLED-DOMAIN" on the SRVDATA01 server could not be verified as functioning correctly."

We're trying to investigate this now. Any ideas?
0
B HCommented:
so it seems like your srvdata server either isn't running dns, or doesn't have all the srv records in there

is it integrated into AD or just a basic copy of what the demoting server had?
0
snusgubbenCommented:
Which DC is authoritative for the root zone?

If srvdata01 has a delegated zone, you should remove the delegation and make it authoritative for the root zone.
0
kodiluAuthor Commented:
@snusgubben: thanks for your input. Pressing YES is put on HOLD!
Here are the requested outputs. Thanks in advance!

dcdiag.txt
repadmin.txt
0
snusgubbenCommented:
You have delegated the _msdcs zone to the DC you're trying to demote and the delegation is broken.

From the dcdiag log: "Delegation is broken for the domain _msdcs.charmetours.local. on the DNS server 192.168.1.152"

You should remove the delegation (it will appear as a "greyed out" _msdcs folder)
0
snusgubbenCommented:
I'll be gone for some time, but I'm sure you and the other experts can handle this (as long as you stay away from the 'Yes' :)

For clients to find DCs, DNS is vital. If you have DNS issues, then you will have domain issues. Your replication is fine, so my bet is the delegated zone.

Here is a little input on delegation: http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Good luck!

SG
0
snusgubbenCommented:
One other thing. I hope you have removed Exchange from the DC you're going to demote. If Exchange is still on this DC and in production, a DCPROMO will destroy Exchange.
0
thabashCommented:
i agree with snusgubben:

you have problem here
  TEST: Delegations (Del)
                  Delegation information for the zone: charmetours.local.
                     Delegated domain name: _msdcs.charmetours.local.
                        DNS server: srvdata01.charmetours.local. IP:192.168.1.153 [Valid]
                        Error: DNS server: srvmail01.charmetours.local. IP:192.168.1.152 [Broken delegation]
               
solution
Add the missing NS records for all servers that have the full _msdcs.mydomain.com zone.

or remove the delegation
0
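A pre-demotion check built on the dcdiag "Delegations" excerpt quoted in the comment above, given here as an added example that is not part of the original thread. The function names are hypothetical and the parser assumes the line layout shown in that excerpt; the sample text is copied from it.

```python
import re

# Sample copied from the dcdiag excerpt quoted in the thread.
SAMPLE = """\
TEST: Delegations (Del)
   Delegation information for the zone: charmetours.local.
      Delegated domain name: _msdcs.charmetours.local.
         DNS server: srvdata01.charmetours.local. IP:192.168.1.153 [Valid]
         Error: DNS server: srvmail01.charmetours.local. IP:192.168.1.152 [Broken delegation]
"""

ZONE_RE = re.compile(r"Delegated domain name:\s*(\S+)")
NS_RE = re.compile(r"DNS server:\s*(\S+)\s+IP:\s*(\S+)\s+\[([^\]]+)\]")


def parse_delegations(text):
    """Return one dict (zone, server, ip, status) per delegated name server."""
    rows, zone = [], None
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            zone = m.group(1).rstrip(".").lower()
            continue
        m = NS_RE.search(line)
        if m and zone:
            rows.append({"zone": zone,
                         "server": m.group(1).rstrip(".").lower(),
                         "ip": m.group(2),
                         "status": m.group(3)})
    return rows


def demotion_blockers(rows, dc_to_demote):
    """Delegations that are not [Valid] or that still name the DC being demoted."""
    host = dc_to_demote.lower()
    return [r for r in rows
            if r["status"].lower() != "valid" or r["server"].split(".")[0] == host]


def zones_without_ns(rows, dc_to_demote):
    """Delegated zones with no valid name server left once the DC is gone."""
    host = dc_to_demote.lower()
    survivors = {}
    for r in rows:
        ok = r["status"].lower() == "valid" and r["server"].split(".")[0] != host
        survivors[r["zone"]] = survivors.get(r["zone"], False) or ok
    return sorted(z for z, ok in survivors.items() if not ok)


if __name__ == "__main__":
    rows = parse_delegations(SAMPLE)
    for r in demotion_blockers(rows, "SRVMAIL01"):
        print("fix before demoting:", r)
    print("zones left without a valid NS:", zones_without_ns(rows, "SRVMAIL01"))
```

An empty blocker list means no delegation in the report depends on the server being removed; it does not cover other dependencies raised in the thread, such as the global catalog or Exchange.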
kodiluAuthor Commented:
@snusgubben: Thanks! We deleted the "greyed out" _msdcs folder from DNS and we think now it is Authoritative for the Domain as per Print Screen attached.
The problem is that the symptoms are the same: when we unplug SRVMAIL01, then the new Exchange 2007 SRVXCH01 cannot find the Configuration Domain Controller and stays down. When we re-connect SRVMAIL01 and reboot the other servers, all comes up and running normally. DCpromo of SRVMAIL01 results in the same Exclamation Mark...
DcDiag and RepAdmin outputs are now clean 100% without fails
Screen-shot-2010-04-10-at-5.27.5.jpg
0
snusgubbenCommented:
Both DC's are GC's.

I'm not much into Exchange but in Exch2003 you got the Recipient Update Service (RUS) that pointed to a Global Catalog. If you remove this GC you had to manually change it on the RUS otherwise the Exchange could not function since it uses the GC and not any FSMO's.

How this works in Exchange 2007 I have no idea of. Maybe ask a question in the Exchange zone.

How are your other clients (PC) working when you shut the DC you're going to demote?

The logged on user, does it have a home folder? Thinking if it's located on the old DC...

0

kodiluAuthor Commented:
snusgubben:
WE MISSED YOU! :)
Thanks for your last input. We checked about RUS and found out that Exchange 2007 does not use RUS anymore. I will give you feedback regarding the Client PC's behavior when SRVMAIL01 is down. ASAP.
--------------
Some info on RUS in XCH 2007:..."Before you begin uninstalling the Exchange 2003 Server, we first need to assign the Recipient Update Service (RUS) to our Exchange 2007 Server. Not because RUS should be used (in fact Exchange 2007 no longer uses RUS), but because the Exchange 2003 Setup program won't let us uninstall Exchange 2003, before RUS has been assigned to another server."...

I'll be back soon...
0
kodiluAuthor Commented:
Meanwhile, besides the Exchange 2007 issues, the old DC/XCHG, SRVMAIL01, still prompts us with a YES | NO buttons when we try to demote :(

Checking the clients now....BRB
0
kodiluAuthor Commented:
@snusgubben:
Back from clients: when SRVMAIL01 is down, clients take longer (approx. 1-2 min) to log on. After the wait at the logon screen, it takes another 10-15 min to apply settings :( ...and counting...
0
snusgubbenCommented:
Try and run:

nltest /dclist:charmetours.local

from both DC. Do they both list the two DC's?
0
kodiluAuthor Commented:
@snusgubben:
Running this we get the same on both (now we did not run it on SRVMAIL01 since it is down, but an hour ago we ran it on both servers and had the same response). This is the result from SRVDATA01:

C:\>nltest /dclist:charmetours.local
Get list of DCs in domain 'charmetours.local' from '\\SRVDATA01.charmetours.local'.
    srvmail01.charmetours.local       [DS] Site: Default-First-Site-Name
    SRVDATA01.charmetours.local [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully
0
snusgubbenCommented:
Please post:

netdiag /v > netdiag.txt

Also run: dnslint /ad /s <ip-address of SRVDATA01> /v

(it will create a htm report about DNS registrations. See if you spot something)
0
kodiluAuthor Commented:
Ran dnslint /ad /s <ip-address of SRVDATA01> /v
No errors, only a note:
One or more DNS servers may not be authoritative for the domain

Output is attached
dnslint.htm
0
snusgubbenCommented:
could you post "netdiag /v"?
0
snusgubbenCommented:
Do all your clients use SRVDATA01 as preferred DNS?
0
kodiluAuthor Commented:
Yes, all clients use SRVDATA01 as preferred and only DNS!
Please find attached the "netdiag /v" output.
netdiag2012.txt
0
kodiluAuthor Commented:
@snusgubben: we're dying! We're going home. We'll leave this for next week. While SRVMAIL01 is UP all is OK! But we need to remove-it and format the server for other uses. We'll keep on trying and we'll count on your help. How can we get in touch with you the next time? Thanks for all the help. We'll accept your posts as solutions and award the points. Regards
0
snusgubbenCommented:
If you leave this question open I'll see when you're back and ready if you add a comment.

Or start a new question, which can sometimes be clever, since additional experts may come into play.
0
thabashCommented:
I'm so excited to know how you're going to solve this issue.

Snusgubben,
what do you think his problem is?
He sent the results.
Could you please add the comments?
I'm waiting for your comments as well,
as I faced the same issue 5 months back and till now I don't understand what the problem was.
0
kodiluAuthor Commented:
Guys, thank you so much, @thabash - you too!
OK, lets leave the question open for now until we get back to the client and we shall give it a second try.
Regards and a good weekend to all.
Kostadin
0
kodiluAuthor Commented:
@DEMAZTER, hello! We did get a LOT of help from @snusgubben and a lot of HELPFUL answers, unfortunately to all of us, there was no definitive solution to the problem. @Thabash also participated actively.
0