Unable to demote domain controller after removing all roles and services to a new DC.

Posted on 2010-09-02
Last Modified: 2012-05-10
Hello Gurus,

I hope you find this one interesting and have pleasure in solving it:

We created a fresh out of the box forest and domain for a client having replication problems with their old domain.

The new domain and forest were created on a VMware virtual machine. An Exchange 2010 server was configured on a physical box in this new domain. After this the old (and last) DC (a physical box) from the old domain was demoted, joined to a workgroup, added to the new domain and promoted to a DC as well. Everything went well and all FSMO roles were transferred to the physical DC; DHCP, DNS and Global Catalog were all transferred as well and removed from the DC in VMware. All client computers are pointing to the new DC on the physical server.
Of course, our goal is to demote the VMware server and give it other usage. The problem is that every time we shut down the virtual DC, people stop being able to log in, Exchange stops, ISA stops, everything stops!

So, after all this testing, it's obvious that we wouldn't try to simply demote the VM domain controller server to a simple member server without consulting you Gurus!

Can anyone help us out on this one?

Much appreciated!


Question by:kodilu
LVL 24

Expert Comment

by:Mike Thomas
ID: 33586106
Has the new DC been configured as a Global Catalog server? And are the DNS settings of all member servers set to use your NEW DC/DNS server for name resolution? Also, is the new DC pointing to itself for DNS?

LVL 11

Expert Comment

ID: 33591396
Is the DNS Active Directory integrated?
What do the SRV resource records point to in DNS? The old one or the new one?
How long ago did you promote the new DC? It can take time to replicate, so maybe that's your problem.
Run DCDIAG on both servers to see if you get any errors.
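The two comments above boil down to a checklist: which DCs are Global Catalogs and hold the FSMO roles, which DCs the SRV records still advertise, which DC the locator actually hands out, which machines still have the old DC in their DNS client settings, and what DCDIAG says. The script below is an added example, not code from the original thread; it collects those checks in one place. It assumes a Windows Server 2012 (or later) admin host with RSAT (the ActiveDirectory and DnsClient modules), WinRM access to the member servers, and that the DC to be retired is called VMDC01 (a hypothetical name; substitute your own).

```powershell
# Added example, not part of the original thread. Enumerates what still
# depends on the DC you intend to demote. Assumes RSAT on Server 2012+,
# WinRM to member servers, and a hypothetical old DC name of VMDC01.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # domain DNS name of the logged-on user
    [string]$OldDc  = 'VMDC01'              # hypothetical: the VMware DC to demote
)
Import-Module ActiveDirectory

# 1. Global Catalog flag and FSMO role holders per DC.
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles, IPv4Address |
    Format-Table -AutoSize

# 2. SRV records: every DC listed here is still being offered to clients.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { '{0} -> {1}:{2}' -f $name, $_.NameTarget, $_.Port }
}

# 3. Which DC the locator returns right now (bypassing the cached result).
nltest /dsgetdc:$Domain /force

# 4. Member servers whose DNS client settings still list the old DC's IP.
$oldIp   = (Get-ADDomainController -Identity $OldDc).IPv4Address
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*'" -Properties OperatingSystem
foreach ($s in $servers) {
    try {
        $dns = Invoke-Command -ComputerName $s.Name -ErrorAction Stop -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                ForEach-Object { $_.ServerAddresses }
        }
        if ($dns -contains $oldIp) {
            '{0} still lists {1} for DNS: {2}' -f $s.Name, $oldIp, ($dns -join ', ')
        }
    } catch {
        '{0}: could not query ({1})' -f $s.Name, $_.Exception.Message
    }
}

# 5. Health of the DC being retired before changing anything.
dcdiag /s:$OldDc /test:DNS /test:Advertising /test:Replications
```

Run it from an elevated PowerShell session as a domain admin. If step 2 or 4 still names the old DC while it is supposed to have been relieved of every role, that is the dependency that breaks when the VM is shut down. Exchange keeps its own view of which DCs and GCs it is using; from the Exchange Management Shell, `Get-ExchangeServer -Status | Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs` shows it, which is worth comparing against the output above.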

Accepted Solution

kodilu earned 0 total points
ID: 33594513
MojoTech: to all of your questions, the answer is yes. We got that part covered.

The DNS is AD integrated. The migration was done months ago, and the new DC was promoted on the very first day.
We had already run DCDIAG on both servers, and we got no errors.
I have now checked the SRV resource records, and they point to both servers because they are both DCs and DNS servers. But our DHCP is sending leases pointing only to the new DC/DNS server.

Is it possible that by demoting the VMware DC, it cleans all records from DNS (leaving only the records for the new DC) and that solves our problem?
Has somebody actually done that to confirm it?!

LVL 24

Expert Comment

by:Mike Thomas
ID: 33594538
"Is it possible that by demoting the VMware DC, it cleans all records from DNS (leaving only the records for the new DC) and that solves our problem?
Has somebody actually done that to confirm it?!"

Yes it should do that.
LVL 11

Expert Comment

ID: 33594628
With two DCs, when you shut one off the other one should take over. That's why it's recommended to have two DCs or more. Theoretically, demoting the VMware DC should clean out the AD and DNS but just as theoretically your domain should keep on functioning when you shut down the VMware DC.

I'd find out first what's causing the problem.
BTW, will you be running only one DC? Why not two? Can you promote another server (virtual or otherwise) and see if you can then shut down the VMware DC without problems?

Author Comment

ID: 34257791
No full solution was found. Problem persists.

Author Closing Comment

ID: 34289808
No full solution was found. Problem persists.
