Solved

Replication errors after AD 2003->2008 Schema upgrade

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi EEr's

Have recently taken over a new client who have a small network with a couple of servers:
Previous IT guru attempted (and successfully?) upgraded their AD schema to 2008 (in preparation for their move to Exchange 2010 & new 2008 Servers), however one of their DCs failed the upgrade. Server was due to be decommissioned but was overlooked during the upgrade, has some serious OS issues that prevent communication to the network.

Should I manually remove it from the AD environment with NTDSutil (following steps identified here: http://www.petri.co.il/delete_failed_dcs_from_ad.htm) or am I better off trying to repair the OS and decommission via DCPromo?

Previous IT guy had attempted repairs, but AD replication errors & DNS resolution issues (due to non-replication of AD) that are piling up encouraged him to find greener pastures.

All FSMO roles, DHCP & DNS services have been transferred off the old server some time ago, and DCDiag doesn't report any issues with their primary DC (Secondary GC Servers are reporting replication warnings!).

Any advice?!

Regards
Mike

Question by:GTMike
5 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 250 total points
ID: 35060481
That's up to you if you choose to fix and demote, or run a MD Cleanup.

If you're in a hurry, a MD Cleanup will save you some time. Just remember to run dcpromo /forceremoval on it in case you do a MD Cleanup.
0
 

Author Comment

by:GTMike
ID: 35060536
Hi Snusgubben

Am considering trying to repair it (Was an old Win2000 that was upgraded to Win2003 by the look of it), but wondering if it'll even communicate properly once online given that its AD infrastructure missed the Schema upgrade?

Given that the old server won't even communicate with the domain in its present configuration (DCDiag fails to connect with a RPC error when run from the existing DC), should I just save time and do the MD cleanup? DCPromo /forceremoval probably won't run given the RPC errors I'm seeing on the old server!

Regards
Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35060648
When you say "successfully?" you can verify that: http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx#BKMK_VerifyForestPrep

See if your schema is at 44 for 2008 or 47 for 2008 R2.

I'd also go with the removal and metadata cleanup.

Thanks

Mike
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35060793
"dcpromo /forceremoval" will just uninstall AD from this old DC and place it in a workgroup. It will not replicate the "demotion" to its old replication partners. Thus you need to run the MD Cleanup.

You can compare the schema version on this DC and see if the schema extension has been replicated to the old DC. But I'd not hesitate. Force it out :)



0
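
The schema-version comparison suggested in the comments above, as an added example that is not part of the original thread: a read-only PowerShell check that binds to each DC in turn, reads `objectVersion` from that DC's own copy of the schema partition, and flags DCs that are unreachable or have not received the schema update. The DC names are hypothetical placeholders, and the version values other than 44 and 47 are not from the thread.

```powershell
# Added example: compare the schema objectVersion held by each DC (read-only).
# The DC names are hypothetical placeholders; pass your own with -DomainControllers.
param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local', 'olddc.example.local')
)

# 44 and 47 are the values quoted in the thread; 13/30/31 are the earlier releases.
$schemaNames = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

$results = foreach ($dc in $DomainControllers) {
    $version = 0
    $problem = $null
    try {
        # Bind to this specific DC so we read its local replica of the schema,
        # not whichever DC the locator happens to return.
        $rootDse  = [ADSI]"LDAP://$dc/RootDSE"
        $schemaNC = [string]$rootDse.schemaNamingContext
        if (-not $schemaNC) { throw 'no RootDSE answer (DC offline, RPC/LDAP failure, or DNS issue)' }
        $schema   = [ADSI]"LDAP://$dc/$schemaNC"
        $version  = [int][string]$schema.objectVersion
        if ($version -eq 0) { throw 'objectVersion could not be read' }
    } catch {
        $problem = $_.Exception.Message
    }
    $release = if ($schemaNames.ContainsKey($version)) { $schemaNames[$version] } else { 'unknown' }
    New-Object PSObject -Property @{ DC = $dc; Version = $version; Release = $release; Problem = $problem }
}

# The highest version seen on any reachable DC is what the others should have replicated.
$highest = ($results | Where-Object { $_.Version } | Measure-Object -Property Version -Maximum).Maximum

$results | Select-Object DC, Version, Release, @{ Name = 'Status'; Expression = {
        if (-not $_.Version)            { "unreachable: $($_.Problem)" }
        elseif ($_.Version -lt $highest) { "behind: schema update to $highest not replicated" }
        else                             { 'current' }
    } } | Format-Table -AutoSize
```

A DC reported as unreachable or behind is the one to treat as the candidate for forced removal and metadata cleanup, as discussed in the thread.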
 

Author Closing Comment

by:GTMike
ID: 35061323
Great advice for confirmation of a fix, thank you!
0
