Solved

Trying to unpromote a DC by running DCPROMO

Posted on 2010-11-24
Last Modified: 2012-05-10
I am running the command to remove the DC and I keep getting this message. I have Enterprise Admin rights, so I am not sure what the issue is.
Question by:Kelly-Brady
22 Comments
 

Author Comment

by:Kelly-Brady
ID: 34209883
Here is a screen shot of the error
DCerror.JPG
0
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 34209888
Do you have any event ID messages? Is your DNS structure good? Have you tried dcpromo /force?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34209907
Do you have any replication problems or errors?
Can you post DCDiag and Repadmin /showreps?

If you do use
dcpromo /forceremoval
you will need to do a metadata cleanup, but I would hold off until you find out why you are getting the error.
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
0

 
LVL 4

Expert Comment

by:shudman
ID: 34209926
You could look in the DCpromo.log file under %windir%\debug. Look in there for any issues (towards the end). Otherwise, you will have to force removal: http://support.microsoft.com/?id=216498

0
 
LVL 7

Expert Comment

by:Reece Dodds
ID: 34209986
I had exactly the same issue in my preparation for our new exchange server.
After numerous DNS setting changes and testing, I ended up using DCPROMO /forceremoval, then a restart, then an NTDSUTIL metadata cleanup.
All is well now.
0
 

Author Comment

by:Kelly-Brady
ID: 34213712
I will post the logs tomorrow when I can get back into work. If I end up running NTDSUTIL, would I need to run it on both the remaining DCs or just one?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34213772
Just one of them
0
 

Author Comment

by:Kelly-Brady
ID: 34260046
Ok sorry about the delay it has been a busy week. I have added the dcdiag results and the repadmin results. They are both included in the attached text file.
DCDiag.txt
0
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 34260494
There are many references to the clocks being out of sync.

http://technet.microsoft.com/en-gb/library/bb727060.aspx

Once that is sorted, you need to see if that is why the netlogon service is not able to connect on each DC; check that the \\servername\netlogon share is there.
Make sure you have these ironed out, then run the dcdiag again. Time is really important with domain controllers.
0
 

Author Comment

by:Kelly-Brady
ID: 34261201
Ok, on the server that I am trying to un-promote, the netlogon share is not there or not accessible. So if I force the removal, is the NTDSUTIL command still valid for Server 08? I see references to it for Server 2003. I just want to make sure that this is still the one that I need to use.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34261256
With 2008 you can either run ntdsutil or just delete from ADUC; the cleanup is built in to 2008.

"In Windows Server 2008, and Windows Server 2008 R2, the administrator can remove the metadata for a server object by removing the server object in the Active Directory Users and Computers snap-in. "
0
 

Author Comment

by:Kelly-Brady
ID: 34261318
Ok, so just run dcpromo /force, then go in and remove the DC from AD. Would it be wiser to go in and make it part of a workgroup first?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 250 total points
ID: 34261328
If you use dcpromo /forceremoval it will become part of a workgroup
0
 

Author Comment

by:Kelly-Brady
ID: 34261351
Ok I thought it would make it a member server, so would it still show up in ADUC if it is put into a workgroup?
0
 
LVL 9

Assisted Solution

by:IntegrityOffice
IntegrityOffice earned 250 total points
ID: 34261640
Should make it a member server and then drop it off the domain in the normal way
0
 

Author Comment

by:Kelly-Brady
ID: 34261863
Perfect thank you, I will try this in a few hours and I will let you know tomorrow how it went.
0
 

Author Comment

by:Kelly-Brady
ID: 34263287
Ok I have removed and it is now just a standalone server. I go through the tool listed above and I am still getting an error. It says Access denied on the removal and it will not let me delete the account out of AD. I am attaching a screen shot of the error.
RemovalError.JPG
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34263448
A few things to try

Is the account you are using a member of Domain Admins and Enterprise Admins?

In ADUC, make sure that "prevent from accidental deletion" is not checked. If it is not, check and uncheck it just to make sure.

Run netdom /query fsmo
Make sure the DC you are keeping has all the FSMO roles. If it does not, seize them using ntdsutil.

http://www.petri.co.il/seizing_fsmo_roles.htm
0
 

Author Comment

by:Kelly-Brady
ID: 34267775
Yes, the account is a member of the Domain Admins and the Enterprise Admins. Also, the prevent accidental deletion option is not checked, and the roles are assigned to a different DC. One thing to note is that on this other DC I cannot get Sites and Services to come up. So now it appears that I have created another issue while trying to get rid of this old server. I do not understand why it will not delete the account.
0
 

Accepted Solution

by:
Kelly-Brady earned 0 total points
ID: 34267786
Here is the Sites and Services Error.
SitesAndServicesError.JPG
0
 

Author Comment

by:Kelly-Brady
ID: 34295399
I was able to remove it by using ADSI Edit and performing the metadata cleanup manually. Here are all the locations where you would go to do this.

PROBLEM: Meta data cleanup

RESOLUTION:
--Opened Adsiedit
--Right click >> connect to domain partition
--Right click the DC and delete it successfully from Servers OU
--Opened system Container under Domain partition >> File Replication service >> Servers >> DC is not there already.
--Connecting to Configuration partition >> Able to connect
--Opened sites >> Default-first-site-link >> Servers >> Deleting DC and able to delete.
--Opened AD users and computers >> DC is no longer there.
--Ran netdom query dc >> DC is no longer in the list
--Ran Dcdiag to check if replication is clean >> It's all clean now.

0
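A read-only way to confirm the cleanup described in the post above, as an added example that is not part of the original thread: it searches the locations visited in ADSI Edit, plus the FSMO role holders, for any remaining reference to the removed DC. It assumes the ActiveDirectory PowerShell module is available; `Find-StaleDcMetadata` and `OLDDC01` are hypothetical names.

```powershell
# Added example, not from the thread; read-only. OLDDC01 is a placeholder name.
Import-Module ActiveDirectory
function Find-StaleDcMetadata {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]   # keeps the name safe inside an LDAP filter
        [string]$DcName,
        [string]$Server                              # optional: surviving DC to query
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $root     = Get-ADRootDSE @common
    $domainNC = $root.defaultNamingContext
    $configNC = $root.configurationNamingContext
    # The places visited in ADSI Edit in the post above.
    $checks = @(
        @{ Place = 'Domain partition: computer object'; Base = $domainNC
           Filter = "(&(objectClass=computer)(cn=$DcName))" },
        @{ Place = 'System > File Replication Service: FRS member'
           Base = "CN=File Replication Service,CN=System,$domainNC"
           Filter = "(&(objectClass=nTFRSMember)(cn=$DcName))" },
        @{ Place = 'Configuration > Sites: server object'; Base = "CN=Sites,$configNC"
           Filter = "(&(objectClass=server)(cn=$DcName))" }
    )
    foreach ($c in $checks) {
        try {
            $hits = @(Get-ADObject @common -SearchBase $c.Base -LDAPFilter $c.Filter -ErrorAction Stop)
        } catch {   # for example, the FRS container is absent if SYSVOL never used FRS
            Write-Warning "$($c.Place): search failed: $($_.Exception.Message)"
            $hits = @()
        }
        foreach ($h in $hits) {
            New-Object psobject -Property @{ Location = $c.Place; Object = $h.DistinguishedName }
        }
    }
    # FSMO holders are reported as DC FQDNs; none should still name the removed DC.
    $d = Get-ADDomain @common; $f = Get-ADForest @common
    $roles = @{ PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster
                InfrastructureMaster = $d.InfrastructureMaster
                SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -like "$DcName.*") {
            New-Object psobject -Property @{ Location = "FSMO role $($r.Key)"; Object = $r.Value }
        }
    }
}
# An empty result means none of these references to the old DC remain.
Find-StaleDcMetadata -DcName 'OLDDC01' | Format-Table -AutoSize
```

Run it against a surviving DC with `-Server` and repeat after replication has converged, since a stale object can reappear from a partner that has not yet received the deletion.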
 

Author Closing Comment

by:Kelly-Brady
ID: 34328616
After calling Microsoft I found out how to do the metadata cleanup manually. But thank you to all who answered, your info was great and helped get to the final end solution.
0


Question has a verified solution.
