ZFass

asked on
Can't demote a Domain Controller

Hello everyone,

First let me start by saying this site has been a huge resource for me for understanding how networks are set up and built, especially in my new job running a network. I work for a small firm that doesn't have a full-time network administrator. The job is handled by me and a friend of mine. My main job focus is business consulting and my friend does production for us, but we both love computers. I have 4 years of experience as Desktop Support, so I know my way pretty well around the computer (enough to be dangerous), but not so much on the server side of things and how those components work.

Now on to my problem. We've been running off of a beastly server as our domain controller; it is also our file server and intranet, and I have a few other ideas I'd like to use it for, like application deployment (like auto-installing Office or Symantec) once I add a new machine to the domain. This is long term, but to start this process I had to add a new PDC.

We bought a new server and I followed the instructions Here and it worked great until the demoting of the old DC. When I run dcpromo on the old server I get the error "The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controll... blah blah blah" and I have no idea how to fix this issue. I've been looking at settings and comparing the 2 servers; the old DC has DHCP set up through a scope and I'm not sure how or if I should transfer that over to the new server. Same with DNS.

The goal here is to have the new server promoted as the PDC and the old server just be a regular file/print server, and in the future be set up as an application server too, and not own any of the DC roles. How do I know which roles to transfer to allow the new server to take ownership of the domain and demote the other?

Thanks for any help you can provide, and sorry for any poor explanation of what is going on. If anything needs clarification just let me know; I'll be staring at this computer screen all day.
Mike Kline

Did you install DNS on the new server? If you did not, you should do that. DNS info will replicate automatically. Also make the new DC a global catalog server.

Transfer the FSMO roles to the new box too.  

Point your clients (DHCP, static, apps) to the new box for DNS too.

Are you planning to run with only one DC...that is definitely not recommended.  I'd keep both up.

Thanks

Mike
Did you join the new DC to the existing Domain?

Run dcdiag and post the results

Run netdom query fsmo
In Windows Active Directory domains there is no such thing really as a PDC, as all DCs have write access to the security information or Active Directory database. I would do as mkline71 has recommended and keep both as DCs. If you really want to demote the legacy DC then use the "ntdsutil roles" command to transfer all FSMO roles from the old DC to the new. Once you've transferred the roles, make sure you've installed DNS on the new DC and that it's replicated, and then demote the original DC.
ZFass

ASKER

I did transfer the FSMO roles, and it is also on the domain and a global catalog. I can even turn off the old DC and everyone can still connect to the internet and log into the network fine.

Running dcdiag on the new server gets "'netdiag' is not recognized as an internal or external command, operable program or batch file." netdom is not running either, so I'm guessing these have to run off the CD; I'll try that in a second.

Running netdom query fsmo on the old DC: the new server is the owner/manager of all the services.

When I run dcdiag on the old DC I get the following (note that I got no errors from dcdiag when I first started setting up the new DC yesterday):

        KB960859
        KB961063
        KB961118
        KB961260-IE7
        KB961371
        KB961371-v2
        KB961373
        KB961501
        KB963027-IE7
        KB967715
        KB967723
        KB968389
        KB968537
        KB968816
        KB969059
        KB969805
        KB969897-IE7
        KB969898
        KB969947
        KB970238
        KB970430
        KB970483
        KB970653-v3
        KB971032
        KB971468
        KB971486
        KB971513
        KB971557
        KB971633
        KB971657
        KB971737
        KB971961
        KB971961-IE8
        KB972260-IE7
        KB972270
        KB973037
        KB973346
        KB973354
        KB973507
        KB973525
        KB973540
        KB973687
        KB973815
        KB973825
        KB973869
        KB973904
        KB973917
        KB973917-v2
        KB974112
        KB974318
        KB974392
        KB974455-IE7
        KB974455-IE8
        KB974571
        KB975025
        KB975364-IE8
        KB975467
        KB975558_WM8
        KB975560
        KB975562
        KB975713
        KB976098-v2
        KB976325-IE8
        KB976662-IE8
        KB976749-IE7
        KB976749-IE8
        KB977165
        KB977290
        KB977816
        KB977914
        KB978037
        KB978207-IE8
        KB978251
        KB978262
        KB978338
        KB978542
        KB978601
        KB978695
        KB978706
        KB979306
        KB979309
        KB979482
        KB979559
        KB979683
        KB979687
        KB979907
        KB980182-IE8
        KB980195
        KB980218
        KB980232
        KB980436
        KB981322
        KB981332-IE8
        KB981550
        KB981793
        KB981957
        KB982132
        KB982214
        KB982381-IE8
        KB982632-IE8
        KB982666
        KB982802
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Documents
        IP Address . . . . . . . . : 192.168.20.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.20.1
        Dns Servers. . . . . . . . : 192.168.20.8
                                     167.206.7.4
                                     96.56.33.74


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.20.8
' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
rver '167.206.7.4'. Please wait for 30 minutes for DNS server replication.
    PASS - All the DNS entries for DC are registered on DNS server '96.56.33.74'
 and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'FCGHQ' is to '\\HAL'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Connectivity
         ......................... DOCUMENTS passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Replications
         ......................... DOCUMENTS passed test Replications
      Starting test: NCSecDesc
         ......................... DOCUMENTS passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOCUMENTS passed test NetLogons
      Starting test: Advertising
         ......................... DOCUMENTS passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DOCUMENTS passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOCUMENTS passed test RidManager
      Starting test: MachineAccount
         ......................... DOCUMENTS passed test MachineAccount
      Starting test: Services
         ......................... DOCUMENTS passed test Services
      Starting test: ObjectsReplicated
         ......................... DOCUMENTS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOCUMENTS passed test frssysvol
      Starting test: frsevent
         ......................... DOCUMENTS passed test frsevent
      Starting test: kccevent
         ......................... DOCUMENTS passed test kccevent
      Starting test: systemlog
         ......................... DOCUMENTS passed test systemlog
      Starting test: VerifyReferences
         ......................... DOCUMENTS passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : fcghq
      Starting test: CrossRefValidation
         ......................... fcghq passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fcghq passed test CheckSDRefDom

   Running enterprise tests on : fcghq.fassforward.inc
      Starting test: Intersite
         ......................... fcghq.fassforward.inc passed test Intersite
      Starting test: FsmoCheck
         ......................... fcghq.fassforward.inc passed test FsmoCheck

C:\Documents and Settings\Administrator>
Is 167.206.7.4 your current DC?
ASKER CERTIFIED SOLUTION
ipajones
ZFass

ASKER

I wouldn't mind keeping the old DC up and being redundant; however, one thing I wanted to do with the old DC was make it an application server, specifically for Symantec Enterprise. It has the option to do it, but it cannot run on the DC. I tried, and in the setup process it specifically called out that I was trying to install it on a DC and wouldn't continue.
ZFass

ASKER

Is it OK to run the DNS configuration again on the new server, even though it was already set up on the old?
Have you actually installed DNS on the new server? What do you get when running "dnsmgmt.msc" on the new server?
You would just need to install the DNS service on the DC.  Then it will replicate DNS to the new server.

The big issue with only running one DC is that if that thing goes down hard you have issues and downtime.
ZFass

ASKER

It is installed; dnsmgmt opens up when I run the command. Perhaps I just didn't set it up properly. I'm running the configuration on it again, selecting the server from the dnsmgmt window, Action > Configure a DNS Server. Maybe this will solve the problem.
ZFass

ASKER

Here's a question: how do I replicate the DNS?
Since you are running DNS on your first DC, that is Active Directory Integrated DNS. When you install the DNS service on DC2, it automatically replicates using AD replication; you don't have to force that.

Thanks

Mike
As long as you're using Active Directory Integrated Zones, the DNS will automatically replicate from the old DC.
You need to remove the external DNS servers listed in your TCP\IP properties.

ZFass

ASKER

Well, I am using Active Directory Integrated Zones, but when I open dnsmgmt and click on HAL (the new DC) in the DNS tree, it says in the right panel "The Domain Name System is a hierarchical naming system used for locating computers and network services. DNS is be..... This DNS server has not been configured. configuration...." But under HAL in the DNS tree, it does list all the computers on the network. I also have 3 forward lookup zones. Do I need 3, and can I delete them all and recreate them?
Do you have three forward lookup zones on DC1?
ZFass

ASKER

Yes, including the one added by me just running the configuration again. I created it on the new server, but it replicated to the old as well.
Are you sure that the domain name is correct?
ZFass

ASKER

Domain name is correct; all ISP DNS information has been removed. I took out the forwarders except for the one with the right domain name. DHCP is running on the new server and so is DNS. Still no luck.
ZFass

ASKER

Ran dcdiag on the old server again and am now getting:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Connectivity
         The host fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.
inc could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.inc)
         couldn't be resolved, the server name
         (Documents.fcghq.fassforward.inc) resolved to the IP address
         (192.168.20.8) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... DOCUMENTS failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Skipping all tests, because server DOCUMENTS is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : fcghq
      Starting test: CrossRefValidation
         ......................... fcghq passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fcghq passed test CheckSDRefDom

   Running enterprise tests on : fcghq.fassforward.inc
      Starting test: Intersite
         ......................... fcghq.fassforward.inc passed test Intersite
      Starting test: FsmoCheck
         ......................... fcghq.fassforward.inc passed test FsmoCheck

C:\Documents and Settings\Administrator>

Could this be the problem? DOCUMENTS is the old DC.

Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Connectivity
         The host fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.
inc could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.inc)
         couldn't be resolved, the server name
         (Documents.fcghq.fassforward.inc) resolved to the IP address
         (192.168.20.8) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... DOCUMENTS failed test Connectivity
ZFass

ASKER

msdcs.fcghq.fassforward.inc happens to be one of the things I deleted from DNS because it didn't match the domain name. Apparently this was needed for authentication. Going to try and recreate it.
On another note, from a question that came in a few minutes ago:

https://www.experts-exchange.com/questions/26634101/LSASS-exe-error-after-windows-repair.html?cid=1572&anchorAnswerId=34197736#a34197736

....that is why you want to always have at least two DCs. Now he is dealing with an outage and downtime. If he had that second DC, users would not even notice.
ZFass

ASKER

OK, so I ran dcdiag /fix to try and get _msdcs back, and got this:

        KB938127-IE7
        KB938464
        KB941569
        KB942288-v4
        KB942830
        KB942831
        KB943055
        KB943460
        KB943485
        KB943729
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB948590
        KB949014
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951746
        KB951748
        KB952004
        KB952069
        KB952954
        KB953298
        KB953838-IE7
        KB954155
        KB954211
        KB954550-v5
        KB954600
        KB955069
        KB955759
        KB955839
        KB956390
        KB956390-IE7
        KB956391
        KB956572
        KB956802
        KB956803
        KB956841
        KB956844
        KB957095
        KB957097
        KB958215-IE7
        KB958469
        KB958644
        KB958687
        KB958690
        KB958869
        KB959426
        KB960225
        KB960714-IE7
        KB960715
        KB960803
        KB960859
        KB961063
        KB961118
        KB961260-IE7
        KB961371
        KB961371-v2
        KB961373
        KB961501
        KB963027-IE7
        KB967715
        KB967723
        KB968389
        KB968537
        KB968816
        KB969059
        KB969805
        KB969897-IE7
        KB969898
        KB969947
        KB970238
        KB970430
        KB970483
        KB970653-v3
        KB971032
        KB971468
        KB971486
        KB971513
        KB971557
        KB971633
        KB971657
        KB971737
        KB971961
        KB971961-IE8
        KB972260-IE7
        KB972270
        KB973037
        KB973346
        KB973354
        KB973507
        KB973525
        KB973540
        KB973687
        KB973815
        KB973825
        KB973869
        KB973904
        KB973917
        KB973917-v2
        KB974112
        KB974318
        KB974392
        KB974455-IE7
        KB974455-IE8
        KB974571
        KB975025
        KB975364-IE8
        KB975467
        KB975558_WM8
        KB975560
        KB975562
        KB975713
        KB976098-v2
        KB976325-IE8
        KB976662-IE8
        KB976749-IE7
        KB976749-IE8
        KB977165
        KB977290
        KB977816
        KB977914
        KB978037
        KB978207-IE8
        KB978251
        KB978262
        KB978338
        KB978542
        KB978601
        KB978695
        KB978706
        KB979306
        KB979309
        KB979482
        KB979559
        KB979683
        KB979687
        KB979907
        KB980182-IE8
        KB980195
        KB980218
        KB980232
        KB980436
        KB981322
        KB981332-IE8
        KB981550
        KB981793
        KB981957
        KB982132
        KB982214
        KB982381-IE8
        KB982632-IE8
        KB982666
        KB982802
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Documents
        IP Address . . . . . . . . : 192.168.20.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.20.1
        Dns Servers. . . . . . . . : 192.168.20.34


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.fcghq.fassforward.i
nc. re-registeration on DNS server '192.168.20.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.gc._msdcs.fcghq.fassforward.inc. re-registeration on DNS server '192.168.20.34
' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.125c7690-07d4-4928-8636-8d4ca
a37cc32.domains._msdcs.fcghq.fassforward.inc. re-registeration on DNS server '19
2.168.20.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry gc._msdcs.fcghq.fassforward.inc. re-regi
steration on DNS server '192.168.20.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry fd005022-c914-4263-9c01-9619428bf01a._ms
dcs.fcghq.fassforward.inc. re-registeration on DNS server '192.168.20.34' failed
.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.fcghq.fassforwa
rd.inc. re-registeration on DNS server '192.168.20.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.dc._msdcs.fcghq.fassforward.inc. re-registeration on DNS server '192.168.2
0.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.fcghq.fassforward.i
nc. re-registeration on DNS server '192.168.20.34' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.dc._msdcs.fcghq.fassforward.inc. re-registeration on DNS server '192.168.20.34
' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.    [FATAL
] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'FCGHQ' is to '\\HAL'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\Administrator>

I can create a new ticket for this problem if needed, but I think it will fix the overall problem if I fix this.
What dcdiag is telling you is that it can't find the msdcs zone. In your DNS console, do you have your domain.com zone? Does it have an msdcs folder under it? Is this folder grayed out? Do you have an msdcs.domain.com zone?
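Editor's added example, not code from anyone in this thread: the two checks the experts are describing above, done in PowerShell. It verifies that every DC's DSA-GUID CNAME and the locator SRV records exist under `_msdcs.<forest root>` (the records dcdiag /fix failed to re-register once the zone was gone), lists the FSMO role holders to compare against `netdom query fsmo`, and flags any DNS server on the local NIC that is not a domain controller (the ISP resolvers that caused the "not registered correctly on DNS server" warnings earlier). It assumes the ActiveDirectory and DnsClient modules, i.e. Windows Server 2012 or later and domain-admin rights; the servers in the thread ran Windows Server 2003, where these cmdlets do not exist and dcdiag, netdiag and nslookup are the equivalent tools. The `-DnsServer` default (first configured resolver on this host) is an assumption, not a value from the thread.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example: DC locator record and DNS client health check.
# Assumes Windows Server 2012+ with the ActiveDirectory and DnsClient modules.
[CmdletBinding()]
param(
    # DNS server to query; defaults to the first IPv4 resolver configured on this host (assumption).
    [string]$DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                          Where-Object ServerAddresses | Select-Object -First 1).ServerAddresses[0]
)

$domain = Get-ADDomain
$forest = Get-ADForest
$msdcs  = "_msdcs.$($forest.RootDomain)"   # the _msdcs zone always hangs off the forest root

Write-Host "== FSMO role holders (compare with 'netdom query fsmo') =="
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 1. Each DC must have <DSA GUID>._msdcs.<forest> as a CNAME to its host name.
#    This is the record dcdiag reported as "could not be resolved" after the zone was deleted.
Write-Host "== DC GUID CNAME records in $msdcs =="
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $name    = "$dsaGuid.$msdcs"
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -Server $DnsServer -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' }
        "{0,-24} OK    {1} -> {2}" -f $dc.HostName, $name, $cname.NameHost
    } catch {
        "{0,-24} FAIL  {1} ({2})" -f $dc.HostName, $name, $_.Exception.Message
    }
}

# 2. Locator SRV records clients use to find a DC, GC and Kerberos KDC.
#    These are the entries netlogon.dns registers and dcdiag /fix tried to re-register.
Write-Host "== Locator SRV records =="
$srvNames = @(
    "_ldap._tcp.dc.$msdcs",
    "_kerberos._tcp.dc.$msdcs",
    "_ldap._tcp.gc.$msdcs",
    "_ldap._tcp.$($domain.ObjectGUID).domains.$msdcs",
    "_ldap._tcp.$($domain.DNSRoot)",
    "_kerberos._tcp.$($domain.DNSRoot)"
)
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        "OK    {0} -> {1}" -f $name, (($srv | ForEach-Object NameTarget) -join ', ')
    } catch {
        "FAIL  {0} ({1})" -f $name, $_.Exception.Message
    }
}

# 3. A DC (and every domain member) should resolve only through internal DNS.
#    An ISP resolver in the NIC's list cannot hold the AD zones and yields registration warnings.
Write-Host "== DNS client servers on this host (CHECK = not a known DC) =="
$dcAddresses = $dcs.IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | ForEach-Object {
    foreach ($addr in $_.ServerAddresses) {
        $status = if ($dcAddresses -contains $addr) { 'OK   ' } else { 'CHECK' }
        "{0} {1,-15} on {2}" -f $status, $addr, $_.InterfaceAlias
    }
}
```

Run it on the new DC first, then with `-DnsServer` pointed at the old DC; a FAIL on one server but not the other means the zone is not replicating (not AD-integrated, or the old DC still hosts a stale standalone copy), while a FAIL on both means the records must be re-registered by restarting the Netlogon service on each DC or running `dcdiag /fix` once the `_msdcs` zone exists again.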
SOLUTION
ZFass

ASKER

I do have a zone that is fcghq.fassforward.inc; that is my domain. This does have a _msdcs folder within it and it is greyed out. I used to have an msdcs.domain zone but I removed it (stupidly), thinking it wasn't needed. I am attempting to recreate the msdcs.domain zone.
ZFass

ASKER

OK, that definitely helped a lot, Dariusq, thanks a lot. I ran dcdiag again and it looks like it's moving in the right direction. Got another fail, however, with this one:

        KB969805
        KB969897-IE7
        KB969898
        KB969947
        KB970238
        KB970430
        KB970483
        KB970653-v3
        KB971032
        KB971468
        KB971486
        KB971513
        KB971557
        KB971633
        KB971657
        KB971737
        KB971961
        KB971961-IE8
        KB972260-IE7
        KB972270
        KB973037
        KB973346
        KB973354
        KB973507
        KB973525
        KB973540
        KB973687
        KB973815
        KB973825
        KB973869
        KB973904
        KB973917
        KB973917-v2
        KB974112
        KB974318
        KB974392
        KB974455-IE7
        KB974455-IE8
        KB974571
        KB975025
        KB975364-IE8
        KB975467
        KB975558_WM8
        KB975560
        KB975562
        KB975713
        KB976098-v2
        KB976325-IE8
        KB976662-IE8
        KB976749-IE7
        KB976749-IE8
        KB977165
        KB977290
        KB977816
        KB977914
        KB978037
        KB978207-IE8
        KB978251
        KB978262
        KB978338
        KB978542
        KB978601
        KB978695
        KB978706
        KB979306
        KB979309
        KB979482
        KB979559
        KB979683
        KB979687
        KB979907
        KB980182-IE8
        KB980195
        KB980218
        KB980232
        KB980436
        KB981322
        KB981332-IE8
        KB981550
        KB981793
        KB981957
        KB982132
        KB982214
        KB982381-IE8
        KB982632-IE8
        KB982666
        KB982802
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Documents
        IP Address . . . . . . . . : 192.168.20.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.20.1
        Dns Servers. . . . . . . . : 192.168.20.34


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.    [FATAL
] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{2C96E6D4-BA22-444D-B63C-91020F9C2FC0}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'FCGHQ' is to '\\HAL'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Connectivity
         ......................... DOCUMENTS passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Replications
         [HAL] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DOCUMENTS passed test Replications
      Starting test: NCSecDesc
         ......................... DOCUMENTS passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOCUMENTS passed test NetLogons
      Starting test: Advertising
         ......................... DOCUMENTS passed test Advertising
     Starting test: KnowsOfRoleHolders
         Warning: HAL is the Schema Owner, but is not responding to DS RPC Bind.

         [HAL] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: HAL is the Schema Owner, but is not responding to LDAP Bind.
         Warning: HAL is the Domain Owner, but is not responding to DS RPC Bind.

         Warning: HAL is the Domain Owner, but is not responding to LDAP Bind.
         Warning: HAL is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: HAL is the PDC Owner, but is not responding to LDAP Bind.
         Warning: HAL is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: HAL is the Rid Owner, but is not responding to LDAP Bind.
         Warning: HAL is the Infrastructure Update Owner, but is not responding
to DS RPC Bind.
         Warning: HAL is the Infrastructure Update Owner, but is not responding
to LDAP Bind.
        ......................... DOCUMENTS failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOCUMENTS failed test RidManager
      Starting test: MachineAccount
         ......................... DOCUMENTS passed test MachineAccount
      Starting test: Services
         ......................... DOCUMENTS passed test Services
      Starting test: ObjectsReplicated
         ......................... DOCUMENTS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOCUMENTS passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
        ......................... DOCUMENTS failed test frsevent
      Starting test: kccevent
         ......................... DOCUMENTS passed test kccevent
      Starting test: systemlog
         ......................... DOCUMENTS passed test systemlog
      Starting test: VerifyReferences
         ......................... DOCUMENTS passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : fcghq
      Starting test: CrossRefValidation
         ......................... fcghq passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fcghq passed test CheckSDRefDom

   Running enterprise tests on : fcghq.fassforward.inc
      Starting test: Intersite
         ......................... fcghq.fassforward.inc passed test Intersite
      Starting test: FsmoCheck
         ......................... fcghq.fassforward.inc passed test FsmoCheck

Can you run repadmin /bind on that DC...do you get any errors?
dcdiag /fix
ASKER

For repadmin /bind, the only thing that lists "No" is LINKED_VALUE_REPLICATION.

C:\Program Files\Support Tools>repadmin /bind

repadmin running command /bind against server localhost

Bind to localhost succeeded.
Extensions supported:
    BASE                             : Yes
    ASYNCREPL                        : Yes
    REMOVEAPI                        : Yes
    MOVEREQ_V2                       : Yes
    GETCHG_COMPRESS                  : Yes
    DCINFO_V1                        : Yes
    RESTORE_USN_OPTIMIZATION         : Yes
    KCC_EXECUTE                      : Yes
    ADDENTRY_V2                      : Yes
    LINKED_VALUE_REPLICATION         : No
    DCINFO_V2                        : Yes
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes
    CRYPTO_BIND                      : Yes
    GET_REPL_INFO                    : Yes
    STRONG_ENCRYPTION                : Yes
    DCINFO_VFFFFFFFF                 : Yes
    TRANSITIVE_MEMBERSHIP            : Yes
    ADD_SID_HISTORY                  : Yes
    POST_BETA3                       : Yes
    GET_MEMBERSHIPS2                 : Yes
    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes
    NONDOMAIN_NCS                    : Yes
    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes
    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes
    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes
    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes
    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes
    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes
    XPRESS_COMPRESSION               : Yes

Site GUID: aa3f04c2-bf9f-4fe6-87d7-467f89ae0f86
Repl epoch: 0

After dcdiag /fix

I now have this:

C:\Program Files\Support Tools>dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\HAL
      Starting test: Connectivity
         ......................... HAL passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\HAL
      Starting test: Replications
         ......................... HAL passed test Replications
      Starting test: NCSecDesc
         ......................... HAL passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\HAL\netlogon)
         [HAL] An net use or LsaPolicy operation failed with error 1203, No netw
ork provider accepted the given network path..
         ......................... HAL failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\Documents.fcghq.fassfor
ward.inc, when we were trying to reach HAL.
         Server is not responding or is not considered suitable.
         ......................... HAL failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... HAL passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... HAL passed test RidManager
      Starting test: MachineAccount
         ......................... HAL passed test MachineAccount
      Starting test: Services
         ......................... HAL passed test Services
      Starting test: ObjectsReplicated
         ......................... HAL passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... HAL passed test frssysvol
      Starting test: frsevent
         ......................... HAL passed test frsevent
      Starting test: kccevent
         ......................... HAL passed test kccevent
      Starting test: systemlog
         ......................... HAL passed test systemlog
      Starting test: VerifyReferences
         ......................... HAL passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : fcghq
      Starting test: CrossRefValidation
         ......................... fcghq passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... fcghq passed test CheckSDRefDom

   Running enterprise tests on : fcghq.fassforward.inc
      Starting test: Intersite
         ......................... fcghq.fassforward.inc passed test Intersite
      Starting test: FsmoCheck
         ......................... fcghq.fassforward.inc passed test FsmoCheck

C:\Program Files\Support Tools>
That is good, we have gotten rid of the DNS errors. Now you can demote the server to quickly get it back up and running as a DC properly, or you can keep trying to fix the problem.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
ASKER

Is it ok to do this even with this:

      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\HAL\netlogon)
         [HAL] An net use or LsaPolicy operation failed with error 1203, No netw
ork provider accepted the given network path..
         ......................... HAL failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\Documents.fcghq.fassfor
ward.inc, when we were trying to reach HAL.
         Server is not responding or is not considered suitable.
Yes, you want to demote because your server didn't fully promote properly. We can keep trying to fix the above problems, or we can move forward with demotion of a Windows 2008 Server and re-promoting the server so it will be healthy.

What the root cause was, I believe, was DNS, so now that we have DNS running properly we can demote the new server and then repromote it so everything will be set up properly.

Or you can go through the link again to try to get the folders there.
ASKER

OK, so if I understand correctly, we're going to demote and then promote the NEW DC to get it to run properly, and then demote the OLD DC after?

I just want to make sure of this because I rebooted the servers and came across an issue on both of them when they rebooted: "could not find the domain or it was not typed in correctly", and I couldn't log into either DC. After a few attempts I was able to get into the old DC (login gave that error a few times and then all of a sudden let me log in). Once the old DC was logged in, the other DC logged in no problem.
Correct.

Check your Event Viewer. What errors do you have?

Run dcdiag /test:dns
ASKER

I never figured this process was going to be easy for changing over a DC, but man, I never thought it was going to be this hard either. At this point I'm starting to lean towards just setting up an entirely new domain.

On the old DC: one thing I noticed immediately was the DNS IP 192.168.20.34. This is not correct; it should be 192.168.20.3. It used to be 34 but I had to change it.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>dcdiag /test:dns

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DOCUMENTS
      Starting test: Connectivity
         The host fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.
inc could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (fd005022-c914-4263-9c01-9619428bf01a._msdcs.fcghq.fassforward.inc)
         couldn't be resolved, the server name
         (Documents.fcghq.fassforward.inc) resolved to the IP address
         (192.168.20.8) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... DOCUMENTS failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DOCUMENTS

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : fcghq

   Running enterprise tests on : fcghq.fassforward.inc
      Starting test: DNS
         Test results for domain controllers:

            DC: Documents.fcghq.fassforward.inc
            Domain: fcghq.fassforward.inc


               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter [00000001] HP NC105i PCIe Gigabit Server Adap
ter has invalid DNS server: 192.168.20.34 (<name unavailable>)
                  Error: all DNS servers are invalid
                  Error: The A record for this DC was not found

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 192.168.20.34 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.12
7.in-addr.arpa. failed on the DNS server 192.168.20.34
               Name resolution is not functional. _ldap._tcp.fcghq.fassforward.i
nc. failed on the DNS server 192.168.20.34

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: fcghq.fassforward.inc
               Documents                    PASS FAIL PASS PASS PASS FAIL n/a

         ......................... fcghq.fassforward.inc failed test DNS

C:\Documents and Settings\Administrator>



For the new DC:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.FCGHQ>netdiag /test:dns
'netdiag' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Administrator.FCGHQ>cd..

C:\Documents and Settings>cd..

C:\>cd "Program Files\Support Tools"

C:\Program Files\Support Tools>netdiag /test:dns

........

    Computer Name: HAL
    DNS Host Name: hal.fcghq.fassforward.inc
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 6 Model 23 Stepping 10, GenuineIntel
    List of installed hotfixes :
        KB2079403
        KB2115168
        KB2121546
        KB2124261
        KB2141007
        KB2158563
        KB2229593
        KB2259922
        KB2279986
        KB2286198
        KB2296011
        KB2345886
        KB2347290
        KB2360131
        KB2360131-IE8
        KB2360937
        KB2378111
        KB2387149
        KB2388210
        KB2416451
        KB915800-v9
        KB923561
        KB925398_WMP64
        KB925876
        KB925902-v2
        KB926122
        KB927891
        KB929123
        KB932168
        KB933854
        KB936357
        KB938127
        KB941569
        KB942831
        KB943055
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB950760
        KB950762
        KB950974
        KB951748
        KB952004
        KB952069
        KB952954
        KB953298
        KB954155
        KB954550-v5
        KB956572
        KB956744
        KB956802
        KB956803
        KB956844
        KB958469
        KB958644
        KB958869
        KB959426
        KB960803
        KB960859
        KB961063
        KB961118
        KB961501
        KB967715
        KB967723
        KB968389
        KB969059
        KB969883
        KB970430
        KB970483
        KB971032
        KB971513
        KB971657
        KB971737
        KB971961
        KB971961-IE8
        KB972270
        KB973507
        KB973540
        KB973815
        KB973869
        KB973904
        KB973917-v2
        KB974112
        KB974318
        KB974392
        KB974571
        KB975025
        KB975467
        KB975558_WM8
        KB975560
        KB975562
        KB975713
        KB976662-IE8
        KB977290
        KB977816
        KB977914
        KB978037
        KB978338
        KB978542
        KB978601
        KB978695
        KB978706
        KB979309
        KB979482
        KB979683
        KB979687
        KB979907
        KB980195
        KB980232
        KB980436
        KB981322
        KB981332-IE8
        KB981350
        KB981550
        KB981957
        KB982132
        KB982214
        KB982381-IE8
        KB982632-IE8
        KB982666
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection 2

        Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{543804DB-B916-4CC4-98DA-9D2464A2D429}
    1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.20.3
' and other DCs also have some of the names registered.


The command completed successfully

C:\Program Files\Support Tools>
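The checks the thread is doing by hand (which server holds each FSMO role, whether each DC's DNS client points at a DNS server that exists, and whether the GUID CNAME and _ldap._tcp SRV records that dcdiag's Connectivity test looks up are actually registered) can be run in one pass from PowerShell. This is an added example, not code from the original posts or from either of the servers in the thread. It assumes an admin host with the ActiveDirectory and DnsClient modules (Windows Server 2012 or later) and CIM/WinRM access to each DC; none of these cmdlets exist on the Windows Server 2003 machines discussed above, and the 192.168.20.34 address in the comments is simply the stale entry from the thread.

```powershell
# Added example for this thread, not code from the original posts.
# Assumes an admin host with the ActiveDirectory and DnsClient modules
# (Windows Server 2012 or later) and CIM/WinRM access to each DC. None of
# these cmdlets exist on the Windows Server 2003 servers in the thread.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# 1. FSMO role holders. dcdiag's KnowsOfRoleHolders test fails when the
#    holder (HAL in the thread) does not answer DS RPC or LDAP binds, and
#    dcpromo cannot demote a DC while any role still points at a dead server.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
Write-Host "FSMO role holders:"
foreach ($r in $roles.GetEnumerator()) {
    # Cheap liveness probe: an unreachable role holder is the first thing
    # to fix (or to move the role away from) before attempting a demotion.
    $alive = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    Write-Host ("  {0,-22} {1,-30} reachable={2}" -f $r.Key, $r.Value, $alive)
}

# 2. DNS client settings on every DC. A stale address such as 192.168.20.34
#    in the thread makes dcdiag /test:dns report "all DNS servers are invalid"
#    and the DC never registers its own A and SRV records.
$dcAddresses = @($dcs | Select-Object -ExpandProperty IPv4Address)
Write-Host "`nDNS client configuration per DC:"
foreach ($dc in $dcs) {
    $servers = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               ForEach-Object { $_.ServerAddresses } |
               Sort-Object -Unique
    foreach ($s in $servers) {
        $verdict = if ($dcAddresses -contains $s) { "ok" } else { "NOT a DC: remove it" }
        Write-Host ("  {0,-12} -> {1,-15} {2}" -f $dc.Name, $s, $verdict)
    }
}

# 3. Locator records. dcdiag's Connectivity test resolves the DC's NTDS
#    Settings GUID as a CNAME under _msdcs, and clients find DCs through the
#    _ldap._tcp.dc._msdcs SRV record; both must resolve from every DC's DNS.
Write-Host "`nLocator records:"
$srvName = "_ldap._tcp.dc._msdcs.{0}" -f $domain.DNSRoot
foreach ($dc in $dcs) {
    $guid      = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cnameName = "{0}._msdcs.{1}" -f $guid, $forest.RootDomain
    try {
        $cname = Resolve-DnsName -Name $cnameName -Type CNAME -Server $dc.IPv4Address -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' }
        Write-Host ("  {0}: {1} -> {2}" -f $dc.Name, $cnameName, $cname.NameHost)
    } catch {
        # This is the "could not be resolved to an IP address" case in the thread;
        # nltest /dsregdns on the affected DC re-registers its locator records.
        Write-Host ("  {0}: MISSING {1} on {2} (run nltest /dsregdns on that DC)" -f $dc.Name, $cnameName, $dc.IPv4Address)
    }
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dc.IPv4Address -ErrorAction Stop
        $targets = ($srv | ForEach-Object { $_.NameTarget }) -join ", "
        Write-Host ("  {0}: {1} lists {2}" -f $dc.Name, $srvName, $targets)
    } catch {
        Write-Host ("  {0}: MISSING {1} on {2}" -f $dc.Name, $srvName, $dc.IPv4Address)
    }
}
```

Run it from a domain-joined admin host; every DC should show only other DCs (or itself) as DNS servers, every role holder should be reachable, and every DC's GUID CNAME and the SRV record should resolve from every DC's own DNS. Any line marked NOT a DC or MISSING is the same class of problem that produced the "all DNS servers are invalid" and "could not be resolved" output above, and should be fixed before demoting or re-promoting anything.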
ASKER

This definitely took way too long to solve, but thank you all for your help. Everything is running as it should be on just the one DC, and the other one has been demoted successfully.