Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1160
  • Last Modified:

Demote old DC

I'm trying to demote an old 2003 master Domain Controller with a new 2008 server.
I have successfully transferred all FSMO roles to the new DC. And temporary the new DC is a secondary DNS server.
My problem is that the SYSVOL  and NETLOGON share was not created when promoting the new DC.
I tried to edit the BurFlags but this only helped med create the SYVOL share, not NETLOGON.
The “SYSVOL\domain name” is empty.
I got a third domain controller on the same domain that has worked as a secondary domain controller for the master DC I’m trying to demote. And I discovered that the SYSVOL share was empty on that server to.
I have checked that all 3 servers are registered correctly in DNS. And all servers are listed in “Sites and Services”.
Now I’m stuck!
0
elit2007
Asked:
elit2007
  • 20
  • 18
  • 5
  • +2
2 Solutions
 
KenMcFCommented:
Can you post the results from DCDIAG and "repadmin /showrepl"
0
 
snusgubbenCommented:
Is the SYSVOL populated on the "master" DC?

Did you set the Burflags to "D2" on the 2008 DC?

If SYSVOL is shared, but not NETLOGON on the 2008 DC, try this:

http://support.microsoft.com/kb/947022/en-us
0
 
elit2007Author Commented:
I tried to set Burflags to D4 on the new 2008 DC. This created a empty SYSVOL share but not NETLOGON.
Both SYSVOL and NETLOGON is working on the old master DC.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
David_HagermanCommented:
First check that FRS is running in services. if not here is an link to resolve this issue.

http://support.microsoft.com/kb/327341

This seems to be a replication problem if the server sees itself as the only server on the domain then it won't create these folders

There could have been a problem when the new server created the junction points. Try to rebuild the sysvol from this article. Please note this is a last resort. I am sure we can fix the replication problem

http://support.microsoft.com/kb/315457/en-us

let us know
0
 
elit2007Author Commented:
Here's the output of repadmin /showrepl

DS1: old master DC
x3200: Old secondary DC
DSDC: New 2008 DC
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DSDC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 8d9ee249-49d5-4ab0-b0a1-94aa3934975f
DSA invocationID: f64d8f3c-7231-4c15-aa61-8ea146654539

==== INBOUND NEIGHBORS ======================================

DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 12:45:31 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 12:45:34 was successful.

CN=Configuration,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 12:08:08 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 12:37:22 was successful.

CN=Schema,CN=Configuration,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.

DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.

DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.

Open in new window

0
 
elit2007Author Commented:
FRS is running on all three servers
0
 
elit2007Author Commented:
Mmm , It looks like there is references to an old offline (failed) domain controller with the name DSX3200.
I don’t know if this is creating trouble ?

See the results of dcdiag
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.DENTALSOR>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DSDC
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server DSX3200, return
   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Connectivity
         ......................... DSDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Advertising
         ......................... DSDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DSDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DSDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DSDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DSDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DSDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DSDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
         ......................... DSDC failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DSDC\netlogon)
         [DSDC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DSDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DSDC passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION-RECEIVED LATENCY WARNING
         DSDC:  Current time is 2011-02-17 12:59:09.
            CN=Schema,CN=Configuration,DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 08:59:42
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
            CN=Configuration,DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 09:09:33
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
            DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 09:37:29
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
         ......................... DSDC passed test Replications
      Starting test: RidManager
         ......................... DSDC passed test RidManager
      Starting test: Services
         ......................... DSDC passed test Services
      Starting test: SystemLog
         ......................... DSDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DSDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DENTALSOR
      Starting test: CheckSDRefDom
         ......................... DENTALSOR passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DENTALSOR passed test CrossRefValidation

   Running enterprise tests on : DENTALSOR.LOCAL
      Starting test: LocatorCheck
         ......................... DENTALSOR.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... DENTALSOR.LOCAL passed test Intersite

C:\Users\administrator.DENTALSOR>

Open in new window

0
 
snusgubbenCommented:
Orphan DCs will cause problems. Clean it out: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

You should never set the Burflags to D4 on a DC that has an empty SYSVOL. This tells this DC that its authoritative for the SYSVOL replica. You should have set the flag to D2.
0
 
elit2007Author Commented:
Okey, now I have cleaned up my domain and removed the offline DC. I sat the flag to D2 on the new server and restartet FRS service. But still no netlogon share and sysvol is empty.
0
 
snusgubbenCommented:
Is sysvol and netlogon shared on your other DCs?

Did you check the SysvolReady bit on the Win2008 DC?
0
 
elit2007Author Commented:
Yes SYVOL and NETLOGON is shared on the old master DC and reachable from the new 2008 DC.
No, have not checked SysvolReady bit.
0
 
snusgubbenCommented:
0
 
elit2007Author Commented:
Didn't help with the SysvolReady trick.
I got this warning message in event log.
File Replication Service is initializing the system volume with data from another domain controller. Computer DSDC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. 
 
To check for the SYSVOL share, at the command prompt, type: 
net share 
 
When File Replication Service completes the initialization process, the SYSVOL share will appear. 
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

Open in new window

0
 
elit2007Author Commented:
This is my DCDIAG status right now.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.DENTALSOR>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DSDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Connectivity
         ......................... DSDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Advertising
         ......................... DSDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DSDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DSDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DSDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DSDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DSDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DSDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
         ......................... DSDC failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DSDC\netlogon)
         [DSDC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DSDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DSDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... DSDC passed test Replications
      Starting test: RidManager
         ......................... DSDC passed test RidManager
      Starting test: Services
         ......................... DSDC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 02/17/2011   13:17:10
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... DSDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DSDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DENTALSOR
      Starting test: CheckSDRefDom
         ......................... DENTALSOR passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DENTALSOR passed test CrossRefValidation

   Running enterprise tests on : DENTALSOR.LOCAL
      Starting test: LocatorCheck
         ......................... DENTALSOR.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... DENTALSOR.LOCAL passed test Intersite

C:\Users\administrator.DENTALSOR>

Open in new window

0
 
snusgubbenCommented:
Can you run: dcdiag /v /c /f:dcdiag.txt

attach the logfile
0
 
snusgubbenCommented:
*run it on the 2008 server
0
 
elit2007Author Commented:
Here you go :)
dcdiag.txt
0
 
David_HagermanCommented:
There are three steps in the txt file that is already pointing you in the right direction, Can you try them and let us know the outcome.
[1] FRS can not correctly resolve the DNS name ds1.DENTALSOR.LOCAL from this computer.
[2] FRS is not running on ds1.DENTALSOR.LOCAL.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
0
 
David_HagermanCommented:
Here is an article to clean up the metadata from the old server

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
snusgubbenCommented:
1. DS1: old master DC -> SYSVOL and NETLOGON shared. Correct? (run "net share" to verify)

2. x3200: Old secondary DC -> If #1 is ok and sysvol/netlogon is not shared? Stop ntfrs > Set Burflags = D2 (hex) > Start ntfrs. cmd -> verify if they are shared

3. DSDC: New 2008 DC: If #2 is ok.  Stop ntfrs > Set Burflags = D2 (hex) > Start ntfrs. cmd -> verify if they are shared

You got FRS event:

13508: Indicates RPC connectivity problems, but this is likely due to 13562. (AD replication is working, so RPC connectivity is ok)
13562 is indicating missing FRS attributes/objects
13565 indicates non-authoritative restore in progress. (Burflags = D2)
0
 
elit2007Author Commented:
[1] When running a ping test from DSCS against DS1.DENTALSOR.LOCAL it resolves the correct IP address.
[2] In DS1 I assume this is the service called "File Replication" on DSDC and x3200 it's called "File Replication Service". "File Replication" is running on DS1.
[3] Don't know how to check this?

Also found this error message on DS1 under File Replication Service log:


The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR. 
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 Replica root path is   : "e:\windows\sysvol\domain" 
 Replica root volume is : "\\.\E:" 
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons. 
 
 [1] Volume "\\.\E:" has been formatted. 
 [2] The NTFS USN journal on volume "\\.\E:" has been deleted. 
 [3] The NTFS USN journal on volume "\\.\E:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. 
 [4] File Replication Service was not running on this computer for a long time. 
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\E:". 
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. 
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service. 
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. 
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. 
 
To change this registry parameter, run regedit. 
 
Click on Start, Run and type regedit. 
 
Expand HKEY_LOCAL_MACHINE. 
Click down the key path: 
   "System\CurrentControlSet\Services\NtFrs\Parameters" 
Double click on the value name 
   "Enable Journal Wrap Automatic Restore" 
and update the value. 
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Open in new window

0
 
snusgubbenCommented:
If DS1 is in Journal Wrap, you need to fix that first :)

Is  "x3200" sharing netlogon/sysvol?

0
 
elit2007Author Commented:
x3200 is not sharing netlogon/syvol. Not after setting the  Burflags to D2 either.
How do I fix DS1 Journal Wrap?
0
 
snusgubbenCommented:
Normally to fix JW you set the Burflags to D2, and this DC will rejoin the replica set and pull SYSVOL content from a replica partner.
The solution provided in the Event log, is for post Win2000 SP2.

You are in a situation where you don't have a good replica member. The problem is that if you set it to D2 (or enable "Enable Journal Wrap Automatic Restore") this DC *might* get stuck in a seeding state.

What ever you do, you should make a backup of your GPOs and scripts.
0
 
David_HagermanCommented:
Click on Start, Run and type regedit.
 
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
0
 
elit2007Author Commented:
hey hey :) Setting "Enable Journal Wrap Automatic Restore" to value 1 and then restart FRS service solved my problem with SYSVOL share on all three domain servers :) Now only the NETLOGON share is missing on x3200 and DSDC.
0
 
snusgubbenCommented:
Did you try setting the Burflags = "D2" (hex) on x3200 and DSDC after you got out of the Journal wrap?
0
 
David_HagermanCommented:
be sure to re-check snusgubben earlier post to fix this issue

http://support.microsoft.com/kb/947022/en-us 
0
 
tigran_pCommented:
have you made the new domain controller a Global Catalog as well?
0
 
elit2007Author Commented:
Thank's :-)  Netlogon is now working after trying snusgubbens suggestion after first fixing SYVOL.
Yes the new DC also got the Global Catalaog. So now I think the only remaining thing is to make DSDC the master DNS server. And then demote the old master DC. The x3200 server is also running Exchange server. Do i have to do anything else than changing DNS address on the NIC on that server?
0
 
snusgubbenCommented:
If you have AD integrated DNS, you don't have a "master" for the DNS zone. All are multi masters.

If x3200 is also hosting DNS, you can either use itself or a partner as primary DNS on the NIC.

FYI if you can host Exchange on a dedicated server you should do that. Exchange on a DC is not recomended (though it will work)
0
 
elit2007Author Commented:
How will I know if I got AD integrated DNS?

I changed the NIC's DNS  on x3200 (Exchange server), DSCS as primary and x3200 as secondary DNS.
Now DS1 is down again (there's a reason why I want to demote this server ;-)  )   and the Exchange server now complains about this. Are there any settings in Exchange that points to a preferred domain controller that I have to change?
Or will this relation automatically disappear when i demote (dcpromo) DS1?
Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	LDAP Operations 
Event ID:	8026
Date:		19.02.2011
Time:		19:02:10
User:		N/A
Computer:	X3200
Description:
LDAP Bind was unsuccessful on directory ds1.DENTALSOR.LOCAL for distinguished name ''. Directory returned error:[0x51] Server Down.    

For more information, click http://www.microsoft.com/contentredirect.asp.

Open in new window

0
 
snusgubbenCommented:
Open the DNS management consol, right click the domain zone and you will see if it's AD integrated.

As long as you have Exchange installed on a DC, it will never use any other global catalog than itself. I would then make x3200 to point to itself as primary DNS, and DSCS as secondary (if both these are hosting DNS)
0
 
snusgubbenCommented:
* right click -> Properties -> General tab
0
 
elit2007Author Commented:
Status: zone never loaded
Type: Secondary
"Replication:Not an Active Directory-integrated zone" is greyed out.
0
 
elit2007Author Commented:
What about the MSExchangeAL error message? Why is it complaining about the communication against DS1 when you say that it will only use it self if x3200 is also a DC?
0
 
snusgubbenCommented:
You should make the domain zone AD integrated.

x3200 will use the DNS server you set on the NIC, but it will only use the "local" GC. (you lose the redundency for that part)
0
 
elit2007Author Commented:
Now I made DS1 AD integrated. How do I do this for x3200 and DSDC? The alternative is greyed out on teh other two servers.
I waited to see if replacation will do this but the status for both X3200 and DSDC is still "Secondary"
0
 
snusgubbenCommented:
You have to set them as Name Servers on the domain zone. Open DNS mng consol on DS1:

- Properties on the forward lookup zone (domain.com)
- Allow Dynamic updates -> Secure only
- Add the two others as NS's in the Name Servers tab
- "Zone Transfers" -> Allow zone transfers
0
 
elit2007Author Commented:
Sorry, doesn't seem to help.
0
 
snusgubbenCommented:
You could try to remove the DNS role from the two other DCs, and re-add  DNS.

http://support.microsoft.com/kb/198437
0
 
snusgubbenCommented:
Just make sure both points to DS1 as the preferred DNS (on the NIC)
0
 
elit2007Author Commented:
You're the man snusgubben! Worked perfectly removing and re-add the DNS roles. Now all servers are AD-integrated.
So I suppose this is the right time for closing this thread. Thanks for exact and learning full answers and for don’t losing you’re patience. :-) Now I will try to demote DS1 and hope I don’t have to reopen this thread :-)
0
 
snusgubbenCommented:
If you don't feel to happy about the task of yours, I would remove DNS and the GC from it and turn it off for a week.

If no issues, fire it up and demote it.
0
 
elit2007Author Commented:
Okey, I will do that :-)
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 20
  • 18
  • 5
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now