2008 DCpromo fails

Starquest321
Starquest321 used Ask the Experts™
on
Looks like the dcpromo on a 2008 fails in a mixed environment. I found the same problem by a different user:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26234271.html?sfQueryTermInfo=1+10+30+determin+float+master+oper+ownership+role+singl+unabl

And he eventually had to force the removal and do the cleanup.

Is this the only answer?

I checked the ALL the FSMO roles are held by another domain ..  .domain1 and I am removing domain2
 
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2011
Commented:
what DC is holding the child FSMO? You have three of them
There is forest wide role and domain wide roles

Domain Naming Master and Schema master is forest wide role

PDC,RID,Infratstructure is the domain wide role.

Now if you are removing the domain then run the command "netdom query fsmo" on the DC in parent domain and this will give you the info for the Domain naming master and schema naming master .These two must be on good DC in parent domain.

Now DC in another domain which you want to remove is the only dc then run DCPROMO on this DC
and select the option that "This is the last domain controller in the domain" it it fails then you have to use the metdata cleanup for cleaning the DC and as well as domain

Author

Commented:
I have domain1, domain2, and domain3. Domain1 holds ALL 5 FSMO roles. I am trying to remove domain2 which is in the same domain . . .
Do the following steps to make sure that nothing is pending in the server before DCpromo.

i) Check if the DC (the one you want to remove) is  in proper sync with another DC (holding the roles)

ii) Are all the roles are properly transferred.

iii) If roles are transferred and proper sync is happening then removal should not be a problem. If not then use the meta data cleanup and remove the DC details from the working correct DC. Once completed force demote the required DC.
Commented:
Just trying to think outside the box:

Tell us about the OS versions and types that you are trying to interconnect DCs to.

Example:
DC1: FSMO role holder, 2003 server SBS,
DC2: 2003 server STD
This DC: 2008 server STD

If promotion of  a DC fails, you really do need to start from scratch, I would check for metadata on the current servers, and THEN before trying to repromote the system, I would install DNS application prior to PREPPING the domain for a mixed-mode environment.

1) demote it again, and perform a metadata cleanup
2) DNS install, pointing the 08 server to istelf as primary and 03 server FSMO role holder as secondary DNS. Once you make it a DNS server (authorized for the zones) make sure the zones transfer to the 08 server. This ensures DNS will work good between the 03 servers and the 08 server, so the 08 server recognizes it's not a solo and first domain controller on the domain. DNS is CRITICAL to promoting a server into a domain.
3) Prep the domain for mixed mode
4) promote the DC from being a member server of the domain to another domain controller.

Author

Commented:
DC1: OS2003 - HOLD ALL 5 roles
DC2: OS2008r2
DC3: OS2003

If I do a force remove what are the implication of that?
first make sure that you remove the server details of require server using metadata cleanup on the main server once completed then you can go ahead using force removal which has no implications, Yes untill you are sure that formal DCPROMO cannot work!

Author

Commented:
"server details of require server "  - sorry that did not make sense. Can you explain?

Author

Commented:
I ran a DCDIAG on domain2 the server I am try demote and got this error:

dcdiag /q
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=us
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=us
         ......................... DOMAIN2 failed test NCSecDesc

What is that?
server details i mean here is when you go through metadata cleanup you will see the DC details so just remove the required details from the Domain information

Author

Commented:
But which details to remove?
ok then probably you want to know about the metadata details.... here is the best link


http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial