Solved

Cannot demote Windows 2008 DC, generates error in dcdiag resolving to an IP - DNS problems

Posted on 2010-08-13
Last Modified: 2012-06-27
Hi, I am trying to demote a new DC using dcpromo but I am getting the error message:

"The operation failed because:

Active Directory Domain Services could not transfer the remaining data in the directory partition.
CN=Schema, etc, etc
Active directory domain controller beta.xxxxxxx.co.uk

The DSA operation is unable to proceed because of a DNS lookup failure."

Where Beta is one of our Windows 2000 Server DCs and xxxxxxx.co.uk is our domain.

I have been following various fixes online which I think may have caused more problems. In short, I am not bothered what information is on this DC I am trying to demote. I just want it to be removed from AD Sites and Services for our main domain. I know I will have problems trying to reattach a new DC with the same name if not.

I have run DCDIAG and the main error seems to be:

 Testing server: Maher\OMEGA
    Starting test: Connectivity
       The host 58c1d790-512c-43d2-acd3-6312a350e4cf._msdcs.xxxxxxxx.co.uk
       could not be resolved to an IP address. Check the DNS server, DHCP,
       server name, etc.
       ......................... OMEGA failed test Connectivity

I can ping the other DCs (in the other domain) from this machine and vice versa.


IPCONFIG =
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OMEGA
   Primary Dns Suffix  . . . . . . . : xxxxxAMP.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xxxxxAMP.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-1A-64-B6-3C-1C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::710d:1287:dfd3:5618%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.137(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 192.168.0.40
   DHCPv6 IAID . . . . . . . . . . . : 251664996
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-F4-4A-84-00-1A-64-B6-3C-1C

   DNS Servers . . . . . . . . . . . : 192.168.0.9
                                       192.168.0.137
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{052AF582-80C2-4B92-A497-9C2ECDCE50CA}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Within Dnsmgmt I can connect to the server OMEGA and can see the domain. There wasn't a _msdcs Alias (CNAME) entry for the server, so I manually added one.

Checking DNS events I can see

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4007
Date:            13/08/2010
Time:            14:32:16
User:            N/A
Computer:      OMEGA.xxxxxAMP.com
Description:
The DNS server was unable to open zone AMP.xxxxxLTD.CO.UK in the Active Directory from the application directory partition DomainDnsZones.AMP.xxxxxLTD.CO.UK. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.


Like I said, I am not bothered what I do to remove this DC from the list, I just want to make sure everything is fine when I come round to putting it back on again.
Question by:MaherLimited
4 Comments
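The dcdiag Connectivity failure above is about one specific record: the CNAME `<DSA-GUID>._msdcs.<forest root>` that every DC must have, and it lives in the forest root zone (here xxxxxxxx.co.uk), not under the DC's own primary DNS suffix (here xxxxxAMP.com). The following PowerShell is an added example, not code from the thread: it reads each DC's NTDS Settings (nTDSDSA) object from the Configuration partition, builds the expected CNAME from the object's GUID, and tries to resolve it with the resolver settings the machine actually uses. It assumes it is run on a domain-joined Windows host with PowerShell 2.0 or later and uses only ADSI and .NET, so it works on Windows Server 2008.

```powershell
# Added example: verify that every DC's DSA GUID CNAME under _msdcs resolves.
# Not part of the original thread; names come from RootDSE, nothing is hard-coded.
$root      = [ADSI]"LDAP://RootDSE"
$forestDn  = [string]$root.rootDomainNamingContext     # e.g. DC=xxxxxxxx,DC=co,DC=uk
$configDn  = [string]$root.configurationNamingContext
# Forest root DNS name derived from its DN: the _msdcs zone hangs off this name.
$forestDns = ($forestDn -replace 'DC=', '') -replace ',', '.'

# Every DC has exactly one nTDSDSA object: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$searcher.Filter     = "(objectClass=nTDSDSA)"
[void]$searcher.PropertiesToLoad.Add("objectGUID")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

foreach ($result in $searcher.FindAll()) {
    $dn         = [string]$result.Properties["distinguishedname"][0]
    $guidBytes  = $result.Properties["objectguid"][0]           # 16-byte objectGUID
    $dsaGuid    = New-Object System.Guid (,[byte[]]$guidBytes)  # formats as 58c1d790-512c-...
    $serverName = ($dn -split ',')[1] -replace '^CN='           # second RDN is CN=<server>
    $cname      = "$dsaGuid._msdcs.$forestDns"                  # record dcdiag looks up

    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($cname) | ForEach-Object { $_.IPAddressToString }
        "{0,-10} {1} -> {2}" -f $serverName, $cname, ($addrs -join ', ')
    } catch {
        # Same condition dcdiag reports as "could not be resolved to an IP address".
        "{0,-10} {1} -> FAILED: {2}" -f $serverName, $cname, $_.Exception.Message
    }
}
```

A DC whose line reads FAILED is the one dcdiag will flag. If the CNAME exists in DNS Manager but still fails here, the machine is asking a DNS server that does not host or forward the forest root's _msdcs zone; in the ipconfig above, OMEGA asks 192.168.0.9 first and itself second, so the zone's presence on those two servers is what matters.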
LVL 70

Accepted Solution

by: KCTS (earned 1000 total points)
ID: 33430526
Do DCPROMO /forceremoval and then do a metadata cleanup (as for a failed DC): http://www.petri.co.il/delete_failed_dcs_from_ad.htm
LVL 57

Assisted Solution

by: Mike Kline (earned 1000 total points)
ID: 33430547
Since the DC is not demoting properly, you can run a "metadata cleanup".

You can still use the command-line way in 2008: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

ntdsutil to remove it is tried and true.

...but things got much easier in 2008 and 2008 R2... you just delete the computer object:

http://blogs.technet.com/b/activedirectoryua/archive/2009/08/07/windows-server-2008-and-windows-server-2008-r2-automate-metadata-cleanup.aspx

Thanks

Mike
LVL 1

Author Comment

by:MaherLimited
ID: 33443770
DCPROMO /forceremoval seemed to work fine, but whilst working through NTDSUTIL I get the following error:

Binding to omega ...
DsBindW error 0x6d9(There are no more endpoints available from the endpoint mapper.)
LVL 1

Author Comment

by:MaherLimited
ID: 33443928
Ignore last comment. I was trying to connect to the controller that no longer existed. I need to run metadata cleanup on a DC that's available, then select the DC that failed to remove.
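The DsBindW 0x6d9 error in the previous comment is what ntdsutil reports when its connection target is the DC that has already been force-removed; the bind must go to a DC that is still online, and the removed DC is then named only as the operation target. The PowerShell below is an added example, not the commands from either answer or from the linked articles: it runs the metadata cleanup that KCTS and Mike Kline describe from a surviving DC, and then checks the Configuration partition to confirm the NTDS Settings object is gone. The server names and the site name Maher are taken from the thread; the DN and the surviving DC's FQDN are assumptions to be replaced, and the single-line `remove selected server <DN> on <DC>` form is assumed to be accepted by the reader's ntdsutil (it is the direct form documented for Windows Server 2003 SP1 and later; the interactive menu sequence is given in the comments for versions that need it).

```powershell
# Added example: metadata cleanup for a force-demoted DC, run from a DC that still works.
# Not code from the thread. Replace the two values below for your environment (assumptions).
$survivingDc    = "beta.xxxxxxx.co.uk"   # assumption: any DC that is still online, NOT the removed one
$failedServerDn = "CN=OMEGA,CN=Servers,CN=Maher,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=co,DC=uk"  # assumption

# Equivalent interactive session, for reference:
#   ntdsutil
#   metadata cleanup
#   connections
#   connect to server beta.xxxxxxx.co.uk     <- bind to a live DC (binding to OMEGA gives DsBindW 0x6d9)
#   quit
#   select operation target
#   list domains / select domain <n>
#   list sites / select site <n>             <- site Maher
#   list servers in site / select server <n> <- OMEGA
#   quit
#   remove selected server
# The one-line form passes each menu command as an argument; ntdsutil still pops a confirmation dialog.
& ntdsutil "metadata cleanup" "remove selected server $failedServerDn on $survivingDc" "quit" "quit"

# Check the result against the surviving DC: the NTDS Settings object of the removed DC
# must no longer exist in the Configuration partition.
$ntdsSettingsDn = "CN=NTDS Settings,$failedServerDn"
$stillThere = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$survivingDc/$ntdsSettingsDn")
if ($stillThere) {
    Write-Warning "NTDS Settings object still present: $ntdsSettingsDn (cleanup did not complete)"
} else {
    "Metadata for $failedServerDn removed from $survivingDc"
}
```

After the cleanup, also delete the records the old DC left in DNS, including the `_msdcs` CNAME that was added by hand earlier in this thread; otherwise a new DC promoted with the same name will be re-registered alongside stale entries that still point at the old DSA GUID.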