Solved

Unable to Promote DC in server 2008

Posted on 2010-11-15
Last Modified: 2012-05-10
Hi there,

We had a server running Windows Server 2008 Foundation that needed to be upgraded to 2008 Standard. I read that for the upgrade to work the server had to be demoted from DC, then promoted again after the successful upgrade. The demote seemed to go fine (no FSMO roles on the server, all on the other DC), no errors.

However, after the successful upgrade, I cannot promote it back to DC again; it fails with the following error:

The Operation Failed because:

Active Directory Domain Services could not create the NTDS settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=[servername],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurations,DC=[domainname],DC=com on the remote AD DC [otherDC]@[domainname].com. Ensure the provided network credentials have sufficient permissions.

"the RPC server is unavailable"

I have tried using NTDSUTIL to do a metadata cleanup, but there is no record of this server on there, so I could not do that/it did not need doing.

Any ideas why this is happening?

Thanks
0
Question by:catomax
38 Comments
 
LVL 15

Expert Comment

by:JBond2010
The extra NIC's self-registered record in DNS may be the reason for the problem, as it results in round-robin for the hostname and replication then tries to use the unreachable IP.
0
 

Author Comment

by:catomax
Uh,

for want of a more eloquent sentence: I have no idea what you just said :)
Are you saying I have to remove some setting from one of the NICs?

Thanks.
0
 
LVL 15

Expert Comment

by:JBond2010
Are you using extra NICs on the server in question? If you are, these could be registering themselves in DNS. Also, check DNS for previous records of when the server was a DC.
0
 

Author Comment

by:catomax
In the DNS there are no mentions of the old server being a DC; it is registered in there as a static A record and as an NS (it has been a DNS server since before the demotion). The DNS records on the demoted server are completely empty, as it receives its records only when it is a DC.

It has 2 Ethernet ports; not sure if that counts as 2 NICs or 1 NIC with 2 ports. They are both onboard and through the same controller.
0
 
LVL 15

Expert Comment

by:JBond2010
Are you using both NICs on the Server?
0
 

Author Comment

by:catomax
Just one is connected; the other is disabled. Not sure why disabled, but I enabled it and there is no cable plugged in.
0
 
LVL 13

Expert Comment

by:haim96
0
 
LVL 13

Expert Comment

by:haim96
Also make sure the firewall is down... just in case...
0
 
LVL 13

Expert Comment

by:haim96
http://social.technet.microsoft.com/Forums/en/winserverMigration/thread/ab0e4c07-cd6a-4df7-8613-08f82a8d38c5

The firewall can cause this error as well, and it's on when installing Server 2008. Try to turn it off.

Try to telnet to the other DC on port 135 or open \\otherDC\ipc$.
If it's not available, then this is your problem...
0
 
LVL 24

Expert Comment

by:Awinish
How many DCs do you have, and since you demoted the DC on the Foundation server, do you have any other DCs in the domain?
0
 

Author Comment

by:catomax
Yeah, one other, which is running 2008 Std.

I have removed the DNS role from the demoted server and now the error has changed when trying to promote.

Active directory Services could not setup replication notifications for the directory partition CN=Schema,CN=configuration,DC=[domainname],DC=com
the remote Active Directory Domain Controller [DCname].[domainname].com

"The RPC server is unavailable"
0
 
LVL 13

Expert Comment

by:haim96
Did you try to access IPC$ on the other server?
0
 

Author Comment

by:catomax
I am a little confused by the IPC$; what is the exact command? Is it for Explorer or CMD?
0
 
LVL 24

Expert Comment

by:Awinish
Are you using the same hostname & IP address of the demoted DC for configuring the additional domain controller?
If yes, that can be the problem.

The account required to configure the DC should be a member of Administrators, Domain Admins, Enterprise Admins, etc.

The RPC errors are due to firewall & ports; you can use Wireshark or the router log to determine this.

Wireshark is free & you can get it from below:
http://www.wireshark.org/

 
0
 
LVL 13

Expert Comment

by:haim96
Open Run and then enter:
\\yourotherDCname\IPC$

IPC$ is used by AD, and if it's not available you may get RPC errors.
0
 

Author Comment

by:catomax
OK, it seems bizarre that the firewall would have changed at all though; I basically used DCpromo to demote, ran the upgrade, then DCpromo to promote, and something has changed?

The Windows firewall settings are all still the same, and the hardware firewall will not have changed at all. I will run that program and see what happens.
0
 
LVL 24

Expert Comment

by:Awinish
There can be an issue with multihoming.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a1583d7f-fa59-4497-89de-666d683e53a0

Remove any other IP that has been assigned to the one NIC, so there should be only one IP, & if IPv6 is manually configured, disable it & try it, then make it automatic.
0
 

Author Comment

by:catomax
Thanks haim.

I get the following:
\\[server]\IPC$ is not accessible. you might not have permission to use this network resource. Contact the Administrator of this server to find out if you have access permissions.

Incorrect Function.
-

That is weird. Anyway, there is only one domain administrator account at the moment, so I know that I am not using an account with insufficient permissions.
0
 
LVL 24

Expert Comment

by:Awinish
I hope the firewall has been disabled on the server where you are trying to promote the DC.

A multihomed DC has a lot of problems.

It's just for your reference; read it when you get time.

Maybe different host records have been created in DNS with the same IP; check in each folder under the _msdcs folder that no hostname of the old DC is listed & that the new DC doesn't have multiple IPs registered with the same hostname either.
0
 
LVL 13

Expert Comment

by:haim96
OK... in fact the error is fine; it says that it finds the IPC$ but you don't have permissions
(and that's normal, since you shouldn't go there anyway).

Try to run CMD and then: TELNET yourDCip 135
just to make sure it's not the firewall.
0
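The checks suggested in the comments above (more than one address registered in DNS for the DC's name, and a connection test to port 135 and the IPC$ share), combined into one script. This is an added example, not code posted by anyone in the thread; `Test-DcReachability`, the port list and `otherdc.example.com` are made-up names and assumptions. It uses only .NET classes so it also runs on PowerShell 2.0.

```powershell
# Added example, not from the thread. Replace the placeholder name at the bottom.
function Test-DcReachability {
    param(
        [Parameter(Mandatory = $true)][string]$DcName,  # FQDN or short name of the existing DC
        [int[]]$Ports = @(135, 445),                    # 135 = RPC endpoint mapper, 445 = SMB (IPC$)
        [int]$TimeoutMs = 3000
    )

    # Every address DNS returns for the name. If a second NIC registered itself,
    # it shows up here and clients may be round-robined onto it.
    $addresses = [System.Net.Dns]::GetHostAddresses($DcName)

    foreach ($ip in $addresses) {
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
            $open = $false
            try {
                # Asynchronous connect so a filtered port fails after $TimeoutMs
                # instead of hanging the way a blocked telnet session does.
                $async = $client.BeginConnect($ip, $port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    $client.EndConnect($async)   # throws if the connection was refused
                    $open = $true
                }
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            New-Object PSObject -Property @{
                Name = $DcName; Address = $ip.ToString(); Port = $port; Open = $open
            }
        }
    }
}

# 'otherdc.example.com' is a placeholder for the DC that dcpromo replicates from.
$results = @(Test-DcReachability -DcName 'otherdc.example.com')
$results | Format-Table Name, Address, Port, Open -AutoSize

# More than one IPv4 address for one DC name is the multihomed case raised above.
$ipv4 = @($results | ForEach-Object { $_.Address } |
          Where-Object { $_ -notmatch ':' } | Sort-Object -Unique)
if ($ipv4.Count -gt 1) {
    Write-Warning "$($ipv4.Count) IPv4 addresses registered for this name: $($ipv4 -join ', ')"
}
# An open 135 only proves the endpoint mapper answers. Replication RPC then moves
# to a dynamic port (49152-65535 by default on Server 2008) that can still be blocked.
```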
 
LVL 13

Expert Comment

by:haim96
Also make sure you can ping the other DC by NetBIOS name (short name).
Do you have WINS configured on the network?
0
 

Author Comment

by:catomax
Telnet gets through straight away (though there is no message on the screen).
I can ping it fine too. Not sure about WINS. But again, surely it must just be some DNS issue; all that has happened from AD's point of view is that I have demoted a DC and now I want to promote the same DC with the same IP and everything, no other changes. It just seems like it must be a DNS mess-up somewhere, but I have gone through the DNS and there is no mention of the server apart from an A record or 2, which are both correct.
0
 
LVL 24

Expert Comment

by:Awinish
If you can, change the name & try with a new name; if possible use a new IP too, but if not possible, just try a new hostname & the same IP & then promote it to DC and see if it works.

I have seen the issue in the past.
0
 
LVL 13

Expert Comment

by:haim96
Are they both in the same IP segment?

I would try to remove it from the domain and then add it again,
maybe with a new name... just to make sure.
0
 
LVL 24

Accepted Solution

by:
Awinish earned 500 total points
0
 

Author Comment

by:catomax
OK, but this might cause an issue; it seems like it's saying that I cannot change the name back to what it should be after this?

All the servers have quite specific names, so to change it is fine as long as I can change it back, but I cannot just change the name and leave it that way without causing a fair amount more work.
0
 
LVL 24

Expert Comment

by:Awinish
Yes, once you are using the new name you can't change it back.

OK, try to do the adsiedit & change the value & give it some time for replication & try to configure the DC with the same name, i.e. the old name.

I had the same issue once & I did a name change & was able to do it.

Follow the article & see if that works.
0
 

Author Comment

by:catomax
Sorry Awinish,

you say do the adsiedit and change the value; the value of what? I have used adsiedit before but I am not sure which part you are referring to.

Thanks.
0
 
LVL 24

Expert Comment

by:Awinish
0
 

Author Comment

by:catomax
Sorry Awinish, that was just me being a little bit stupid and not reading the whole article!

Thanks.
0
 
LVL 24

Expert Comment

by:Awinish
But be careful: prior to making any changes, take a system state backup & changing anything in ADSIEDIT w/o care & attention can be troublesome.

So, pay heed while making changes in ADSIEDIT.MSC..:)
0
 

Author Comment

by:catomax
Uh, will do. I guess it would be too late to say that I have already made the changes?
The actual server in question has absolutely nothing on it, so a backup would not really be necessary anyway, but hopefully it has not adversely affected any other part of AD!
0
 
LVL 24

Expert Comment

by:Awinish
It should not, but when it's a production network, I would always have a backup first.
0
 

Author Comment

by:catomax
OK. I will make sure that it is backed up before any more changes are made.
0
 

Author Comment

by:catomax
YAY! It worked!

Thanks Awinish.
0
 
LVL 24

Expert Comment

by:Awinish
Wow, congrats..Finally it worked...:)
0
 
LVL 13

Expert Comment

by:haim96
Awinish, well done!
0
 
LVL 24

Expert Comment

by:Awinish
Thank you very much haim96..:)
0
