Solved

Trying to unpromote a DC by running DCPROMO

Posted on 2010-11-24
22
916 Views
Last Modified: 2012-05-10
I am running the command to remove the DC and I keep getting this message. I have Enterprise Admin rights, so I am not sure what the issue is.
Question by:Kelly-Brady
22 Comments
 

Author Comment

by:Kelly-Brady
ID: 34209883
Here is a screen shot of the error
DCerror.JPG
0
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 34209888
Do you have any event ID messages? Is your DNS structure good? Have you tried dcpromo /force?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34209907
Do you have any replication problems or errors?
Can you post DCDiag and Repadmin /showreps

If you do use
dcpromo /forceremoval
you will need to do a metadata cleanup, but I would hold off until you find out why you are getting the error.
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
0
 
LVL 4

Expert Comment

by:shudman
ID: 34209926
You could look in the DCpromo.log file under %windir%\debug. Look in there for any issues (towards the end). Otherwise, you will have to force removal: http://support.microsoft.com/?id=216498

0
 
LVL 7

Expert Comment

by:Reece Dodds
ID: 34209986
I had exactly the same issue in my preparation for our new exchange server.
After numerous DNS setting changes and testing, I ended up using DCPROMO /forceremoval, then a restart, then an NTDSUTIL metadata cleanup.
All is well now.
0
 

Author Comment

by:Kelly-Brady
ID: 34213712
I will post the logs tomorrow when I can get back into work. If I end up running NTDSUTIL, would I need to run it on both of the remaining DCs or just one?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34213772
Just one of them
0
 

Author Comment

by:Kelly-Brady
ID: 34260046
Ok sorry about the delay it has been a busy week. I have added the dcdiag results and the repadmin results. They are both included in the attached text file.
DCDiag.txt
0
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 34260494
There are many references to the clocks being out of sync:

http://technet.microsoft.com/en-gb/library/bb727060.aspx

Once that is sorted, you need to see if that is why the netlogon service is not able to connect. On each DC, check that the \\servername\netlogon share is there.
Make sure you have these ironed out, then run dcdiag again. Time is really important with domain controllers.
0
 

Author Comment

by:Kelly-Brady
ID: 34261201
Ok on the server that I am trying to un-promote the netlogon is not there or not accessible. So if I force the removal is the NTDSUTIL command still valid for server 08, I see references for it for server 2003. I just want to make sure that this is still the one that I need to use.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34261256
With 2008 you can either run ntdsutil or just delete from ADUC; the cleanup is built in to 2008.

"In Windows Server 2008, and Windows Server 2008 R2, the administrator can remove the metadata for a server object by removing the server object in the Active Directory Users and Computers snap-in. "
0
 

Author Comment

by:Kelly-Brady
ID: 34261318
Ok, so just run dcpromo /force, then go in and remove the DC from AD. Would it be wiser to go in and make it part of a workgroup first?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 250 total points
ID: 34261328
If you use dcpromo /forceremoval it will become part of a workgroup
0
 

Author Comment

by:Kelly-Brady
ID: 34261351
Ok I thought it would make it a member server, so would it still show up in ADUC if it is put into a workgroup?
0
 
LVL 9

Assisted Solution

by:IntegrityOffice
IntegrityOffice earned 250 total points
ID: 34261640
Should make it a member server and then drop it off the domain in the normal way
0
 

Author Comment

by:Kelly-Brady
ID: 34261863
Perfect thank you, I will try this in a few hours and I will let you know tomorrow how it went.
0
 

Author Comment

by:Kelly-Brady
ID: 34263287
Ok, I have removed it and it is now just a standalone server. I went through the tool listed above and I am still getting an error. It says Access denied on the removal and it will not let me delete the account out of AD. I am attaching a screen shot of the error.
RemovalError.JPG
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34263448
A few things to try

Is the account you are using a member of Domain Admins and Enterprise Admins?

In ADUC, make sure that prevent from accidental deletion is not checked. If it is not, check and uncheck it just to make sure.

Run netdom query fsmo
Make sure the DC you are keeping has all the FSMO roles. If it does not, seize them using ntdsutil.

http://www.petri.co.il/seizing_fsmo_roles.htm
0
 

Author Comment

by:Kelly-Brady
ID: 34267775
Yes, the account is a member of the Domain Admins and the Enterprise Admins. Also, prevent accidental deletion is not checked, and the roles are assigned to a different DC. One thing to note is that on this other DC I cannot get Sites and Services to come up. So now it appears that I have created another issue while trying to get rid of this old server. I do not understand why it will not delete the account.
0
 

Accepted Solution

by:
Kelly-Brady earned 0 total points
ID: 34267786
Here is the Sites and Services Error.
SitesAndServicesError.JPG
0
 

Author Comment

by:Kelly-Brady
ID: 34295399
I was able to remove it by using ADSI Edit and performing the metadata cleanup manually. Here are all the locations where you would go to do this.


PROBLEM:       Meta data cleanup

RESOLUTION:
--Opened Adsiedit
--Right click >> connect to domain partition
--Right click the DC and delete it successfully from Servers OU
--Opened System container under Domain partition >> File Replication Service >> Servers >> DC is not there already.
--Connecting to Configuration partition >> Able to connect
--Opened Sites >> Default-first-site-link >> Servers >> Deleting DC and able to delete.
--Opened AD Users and Computers >> DC is no longer there
--Ran netdom query dc >> DC is no longer in the list
--Ran Dcdiag to check if replication is clean >> It's all clean now.

0
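A read-only way to confirm the cleanup described in the post above, added here as an example that is not part of the original thread: it searches the same three directory locations for objects still named after the removed DC. It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3 or later; the function name `Find-StaleDcMetadata` and the host name `OLDDC01` are hypothetical.

```powershell
# Added example: read-only search for objects a removed DC can leave behind.
# Assumes the ActiveDirectory module (RSAT); Find-StaleDcMetadata is a hypothetical name.
Import-Module ActiveDirectory

function Find-StaleDcMetadata {
    param(
        # Short host name of the removed DC; restricted so it is safe inside an LDAP filter.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string] $DcName,
        # Optional: the surviving DC to query.
        [string] $Server
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $root     = Get-ADRootDSE @common
    $domainNC = $root.defaultNamingContext
    $configNC = $root.configurationNamingContext

    # The three places the post cleaned by hand in ADSI Edit.
    $checks = @(
        @{ Location = 'Domain partition (computer account)'
           Base     = $domainNC
           Filter   = "(&(objectClass=computer)(cn=$DcName))" },
        @{ Location = 'System > File Replication Service (FRS member)'
           Base     = "CN=File Replication Service,CN=System,$domainNC"
           Filter   = "(&(objectClass=nTFRSMember)(cn=$DcName))" },
        @{ Location = 'Configuration > Sites (server object)'
           Base     = "CN=Sites,$configNC"
           Filter   = "(&(objectClass=server)(cn=$DcName))" }
    )

    foreach ($check in $checks) {
        try {
            $hits = @(Get-ADObject -SearchBase $check.Base -LDAPFilter $check.Filter @common -ErrorAction Stop)
            if ($hits.Count -eq 0) {
                [pscustomobject]@{ Location = $check.Location; Status = 'Clean'; DistinguishedName = $null }
            }
            foreach ($hit in $hits) {
                [pscustomobject]@{ Location = $check.Location; Status = 'STALE'; DistinguishedName = $hit.DistinguishedName }
            }
        }
        catch {
            # For example, the FRS container is absent or the account cannot read it.
            [pscustomobject]@{ Location = $check.Location; Status = "Not checked: $($_.Exception.Message)"; DistinguishedName = $null }
        }
    }
}

# OLDDC01 is a placeholder for the demoted server's name.
Find-StaleDcMetadata -DcName 'OLDDC01' | Format-Table -AutoSize -Wrap
```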
 

Author Closing Comment

by:Kelly-Brady
ID: 34328616
After calling Microsoft I found out how to do the metadata cleanup manually. But thank you to all who answered, your info was great and helped get to the final end solution.
0
