Unable to demote domain controller after removing all roles and services to a new DC.

Posted on 2010-09-02
Last Modified: 2012-05-10
Hello Gurus,

I hope you find this one interesting and have pleasure in solving it:

We created a fresh out of the box forest and domain for a client having replication problems with their old domain.

The new domain and forest was created using a vmware virtual machine. An exchange 2010 was configured on a physical box on this new domain. After this the old (and last) DC (a physical box) from the old domain, was demoted and joined to a workgroup, added to the new domain and promoted to a DC as well. Everything went well and all FSMO roles were transferred to the physical DC; DHCP DNS and Global catalog were all transfered as well and removed from the DC in vmware. All client computers are all pointing to the new DC in the physical server.
Of course, our goal is to demote the vmWare server and give other usage to it. The problem is that everytime we shut down the virtual DC, people stop being able to log in, exchange stops, ISA stops, everything stops!

So, after all this testing, it's obvious that we wouldn't try to simply demote the VM domain controller server to a simple member server without consulting you Gurus!

Can anyone help us out on this one?

Much appreciated!


Question by:kodilu
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 24

Expert Comment

by:Mike Thomas
ID: 33586106
Has the new DC been configured as a Global Catalouge server?> and are all DNS of member server set to use your NEW DC/DNS server for name resolution? also is the new DC pointing to itself for DNS?

LVL 11

Expert Comment

ID: 33591396
Is the DNS Active Directory integrated?
What do the SRV resource records point to in DNS? The old one or the new one?
How long ago did you promote the new DC? It can take time to replicate, so maybe that's your problem.
Run DCDIAG on both servers to see if you get any errors.

Accepted Solution

kodilu earned 0 total points
ID: 33594513
MojoTech: to all of your questions, the answer is yes.. we got that part covered.

The DNS is AD integrated. The migration was done months ago, and the new DC was promoted on the very first day.
We had already ran DCDIAG on both servers, and we got no errors..
I have now checked the SRV resourse records, and it is pointing to both servers because they both are DC's and DNS servers.. But our DHCP is sending leases pointing only to the new DC/DNS server..

Is it possible that by demoting the vmware DC, it cleans all records from DNS (and leaving only the records to the new DC) and it solves our problem?
As somebody actually done that to confirm it?!
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

LVL 24

Expert Comment

by:Mike Thomas
ID: 33594538
Is it possible that by demoting the vmware DC, it cleans all records from DNS (and leaving only the records to the new DC) and it solves our problem?
As somebody actually done that to confirm it?!"

Yes it should do that.
LVL 11

Expert Comment

ID: 33594628
With two DCs, when you shut one off the other one should take over. That's why it's recommended to have two DCs or more. Theoretically, demoting the VMware DC should clean out the AD and DNS but just as theoretically your domain should keep on functioning when you shut down the VMware DC.

I'd find out first what's causing the problem.
BTW, will you be running only one DC? Why not two? Can you promote another server (virtual or otherwise) and see if you can then shut down the VMware DC without problems?

Author Comment

ID: 34257791
No full solution was found. Problem persists.

Author Closing Comment

ID: 34289808
No full solution was found. Problem persists.

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question