Unable to promote DC in Server 2008

Hi There,

We had a server running Windows Server 2008 Foundation that needed to be upgraded to 2008 Standard. I read that for the upgrade to work the server had to be demoted from DC, then promoted again after the successful upgrade. The demotion seemed to go fine (no FSMO roles on the server, all on the other DC), no errors.

However, after the successful upgrade, I cannot promote it back to a DC again; it fails with the following error:

The Operation Failed because:

Active Directory Domain Services could not create the NTDS settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=[servername],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurations,DC=[domainname],DC=com on the remote AD DC [otherDC]@[domainname].com. Ensure the provided network credentials have sufficient permissions.

"the RPC server is unavailable"

I have tried using NTDSUTIL to do a metadata cleanup, but there is no record of this server in there, so I could not do that / it did not need doing.

Any ideas why this is happening?

Thanks
catomax asked:

James (Senior Cloud Infrastructure Engineer) commented:
The extra NIC's self-registered record in DNS may be the cause of the problem: it results in round-robin for the hostname, and replication tries to use the unreachable IP.
0

catomax (Author) commented:
Uh,

for want of a more eloquent sentence: I have no idea what you just said :)
Are you saying I have to remove some setting from one of the NICs?

Thanks.
0

James (Senior Cloud Infrastructure Engineer) commented:
Are you using extra NICs on the server in question? If you are, these could be registering themselves in DNS. Also, check DNS for previous records from when the server was a DC.
0

catomax (Author) commented:
In the DNS there are no mentions of the old server being a DC; it is registered in there as a static A record and as an NS (it has been a DNS server since before the demotion). The DNS records on the demoted server are completely empty, as it receives its records only when it is a DC.

It has 2 Ethernet ports, not sure if that counts as 2 NICs or 1 NIC with 2 ports; they are both onboard and through the same controller.
0

James (Senior Cloud Infrastructure Engineer) commented:
Are you using both NICs on the Server?
0

catomax (Author) commented:
Just one is connected; the other is disabled. Not sure why it was disabled, but I enabled it and there is no cable plugged in.
0

haim96 commented:
Also make sure the firewall is down... just in case...
0

haim96 commented:
http://social.technet.microsoft.com/Forums/en/winserverMigration/thread/ab0e4c07-cd6a-4df7-8613-08f82a8d38c5

A firewall can cause this error as well, and it's on when installing Server 2008. Try turning it off.

Try to telnet the other DC on port 135, or open \\otherDC\ipc$.
If it's not available, then this is your problem...
0

Awinish commented:
How many DCs do you have? Since you demoted the DC on the Foundation server, do you have any other DCs in the domain?

0

catomax (Author) commented:
Yeah, one other, which is running 2008 Std.

I have removed the DNS role from the demoted server, and now the error has changed when trying to promote:

Active Directory Domain Services could not set up replication notifications for the directory partition CN=Schema,CN=Configuration,DC=[domainname],DC=com
on the remote Active Directory Domain Controller [DCname].[domainname].com

"The RPC server is unavailable"
0

haim96 commented:
Did you try to access IPC$ on the other server?
0

catomax (Author) commented:
I am a little confused by the IPC$. What is the exact command? Is it for Explorer or CMD?

0

Awinish commented:
Are you using the same hostname & IP address of the demoted DC for configuring the additional domain controller?
If yes, that can be the problem.

The account required to configure the DC should be a member of Administrators, Domain Admins, Enterprise Admins, etc.

The RPC errors are due to firewall & ports; you can use Wireshark or router logs to determine.

Wireshark is free & you can get it from below:
http://www.wireshark.org/
0

haim96 commented:
Open Run and then enter:
\\yourotherDCname\IPC$

IPC$ is used by AD, and if it's not available you may get RPC errors.
0

catomax (Author) commented:
OK, it seems bizarre that the firewall would have changed at all, though. I basically used dcpromo to demote, ran the upgrade, then dcpromo to promote, and something has changed?

The Windows Firewall settings are all still the same, and the hardware firewall will not have changed at all. I will run that program and see what happens.
0

Awinish commented:
There can be an issue with multihoming.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a1583d7f-fa59-4497-89de-666d683e53a0

Remove any other IP that has been assigned to the NIC, so there is only one IP, & if IPv6 is manually configured, disable it & try it, then make it automatic.
0

catomax (Author) commented:
Thanks haim.

I get the following:
\\[server]\IPC$ is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Incorrect Function.
-

That is weird. Anyway, there is only one domain administrator account at the moment, so I know that I am not using an account with insufficient permissions.
0

Awinish commented:
I hope the firewall has been disabled on the server where you are trying to promote the DC.

A multihomed DC has a lot of problems.

It's just for your reference; read it when you get time.

Maybe different host records have been created in DNS with the same IP. Check, under each folder under the _msdcs folder, that no hostname of the old DC is listed & that the new DC doesn't have multiple IPs registered with the same hostname either.
0

haim96 commented:
OK... in fact the error is fine; it says that it found the IPC$ but you don't have permissions.
(And that's normal, since you shouldn't go there anyway.)

Try to run CMD and then: TELNET yourDCip 135
just to make sure it's not the firewall.
0
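The checks suggested so far in this thread (James: does the hostname resolve to more than one address because a second NIC self-registered in DNS; haim96: can you telnet the other DC on port 135 and reach IPC$; Awinish: firewall and ports) gathered into one script. This is an added example, not code from the thread or from any of the participants; the hostnames and addresses used in it are placeholders, and the port list is my own choice of what dcpromo and replication need before the dynamic RPC range is even negotiated. Run it against the other DC from the server you are promoting, and against the server's own name, since the multihomed box is the one likely to have two A records.

```python
"""Pre-dcpromo sanity check for a peer domain controller.

Resolves the peer DC's hostname, flags round-robin (more than one A record,
the symptom of an extra NIC self-registering in DNS), and probes the TCP
ports that dcpromo and AD replication depend on.  An unreachable 135 or 445
is the network-level cause behind "The RPC server is unavailable".
"""
import socket
from dataclasses import dataclass, field

# Ports to probe (my selection for this example): the RPC endpoint mapper,
# SMB for IPC$/SYSVOL, LDAP and Kerberos.  Dynamic RPC ports come later.
REQUIRED_TCP_PORTS = {
    135: "RPC endpoint mapper",
    445: "SMB (IPC$ / SYSVOL)",
    389: "LDAP",
    88: "Kerberos",
}


@dataclass
class DcCheckResult:
    hostname: str
    addresses: list = field(default_factory=list)
    reachable: dict = field(default_factory=dict)   # (ip, port) -> bool
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def resolve_a_records(hostname):
    """Default resolver: every IPv4 address DNS returns for the name."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_port_open(ip, port, timeout=3.0):
    """Default connector: the equivalent of 'telnet <ip> <port>' succeeding."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_peer_dc(hostname, resolver=resolve_a_records, connector=tcp_port_open,
                  ports=REQUIRED_TCP_PORTS):
    """Resolve the host, flag round-robin, and probe every address on every port.

    resolver/connector are injectable so the logic can be exercised offline.
    """
    result = DcCheckResult(hostname=hostname)
    try:
        result.addresses = list(resolver(hostname))
    except OSError as exc:
        result.problems.append(f"{hostname} does not resolve: {exc}")
        return result
    if not result.addresses:
        result.problems.append(f"{hostname} has no A records")
        return result
    if len(result.addresses) > 1:
        # Two A records for one name: DNS round-robin will hand out the
        # unreachable NIC's address to some RPC binds.
        result.problems.append(
            f"{hostname} resolves to {len(result.addresses)} addresses "
            f"{result.addresses}: round-robin can send RPC to an unreachable NIC")
    for ip in result.addresses:
        for port, label in ports.items():
            is_open = connector(ip, port)
            result.reachable[(ip, port)] = is_open
            if not is_open:
                result.problems.append(f"{ip}:{port} ({label}) is not reachable")
    return result


if __name__ == "__main__":
    import sys
    # Placeholder default hostname; pass real DC names on the command line.
    for host in sys.argv[1:] or ["otherdc.example.com"]:
        res = check_peer_dc(host)
        print(f"{host}: {'OK' if res.ok else 'PROBLEMS'}")
        for problem in res.problems:
            print("  -", problem)
```

If the peer resolves to one address and every port is reachable but dcpromo still fails with an RPC error, the block lies above the ports this probes (dynamic RPC range, name resolution from the peer back to this server, or stale AD objects), which is where the rest of the thread goes.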
 
haim96 commented:
Also make sure you can ping the other DC by NetBIOS name (short name).
Do you have WINS configured on the network?
0

catomax (Author) commented:
Telnet gets through straight away (though there is no message on the screen).
I can ping it fine too. Not sure about WINS. But again, surely it must just be some DNS issue; all that has happened from AD's point of view is that I have demoted a DC and now I want to promote the same DC with the same IP and everything, no other changes. It just seems like it must be a DNS mess-up somewhere, but I have gone through the DNS and there is no mention of the server apart from an A record or 2, which are both correct.
0

Awinish commented:
If you can, change the name & try with a new name; if possible use a new IP too, but if that's not possible, just try a new hostname & the same IP & then promote it to DC, and see if it works.

I have seen the issue in the past.
0

haim96 commented:
Are they both in the same IP segment?

I would try to remove it from the domain and then add it again,
maybe with a new name... just to make sure.
0

catomax (Author) commented:
OK, but this might cause an issue; it seems like it's saying that I cannot change the name back to what it should be after this?

All the servers have quite specific names, so changing it is fine as long as I can change it back, but I cannot just change the name and leave it that way without causing a fair amount more work.
0

Awinish commented:
Yes, once you are using the new name you can't change it back.

OK, try to do the adsiedit & change the value & give some time for replication & try to configure the DC with the same name, i.e. the old name.

I had the same issue once & I did a name change & was able to do it.

Follow the article & see if that works.
0

catomax (Author) commented:
Sorry Awinish,

you say do the adsiedit and change the value; the value of what? I have used adsiedit before, but I am not sure which part you are referring to.

Thanks.
0

Awinish commented:
0

catomax (Author) commented:
Sorry Awinish, that was just me being a little bit stupid and not reading the whole article!

Thanks.
0

Awinish commented:
But be careful: prior to making any changes, take a system state backup. Changing anything in ADSIEDIT w/o care & attention can be troublesome.

So, pay heed while making changes in ADSIEDIT.MSC. :)
0

catomax (Author) commented:
Uh, will do. I guess it would be too late to say that I have already made the changes?
The actual server in question has absolutely nothing on it, so a backup would not really be necessary anyway, but hopefully it has not adversely affected any other part of AD!
0

Awinish commented:
It should not, but when it's a production network, I would always have a backup first.
0

catomax (Author) commented:
OK. I will make sure that it is backed up before any more changes are made.
0

catomax (Author) commented:
YAY! It worked!

Thanks Awinish.
0

Awinish commented:
Wow, congrats. Finally it worked. :)
0

haim96 commented:
Awinish, well done!
0

Awinish commented:
Thank you very much, haim96. :)
0