Solved

2003 dc demote 2008 dc promote

Posted on 2011-09-08
57
1,179 Views
Last Modified: 2012-05-12
First the topology. Current DC is Server 2003. Added a 2nd server with Server 2008 as a member server. Ran the adpreps. All seemed good. dcpromoed the Server 2008. All seemed good. Started demoting the 2003 to member server and that's where it went wrong. The 2003 server tells me that it is the last DC on the domain and warns that "no other active directory domain controller for that domain can be contacted". Need help urgently. Please help. Thanks
0
Comment
Question by:ssiremote
57 Comments
 
LVL 17

Expert Comment

by:Spartan_1337
Run DCDIAG on both servers. Post results.

http://technet.microsoft.com/en-us/library/cc731968(WS.10).aspx
0
 

Author Comment

by:ssiremote
@spartan. Only one server is a 2008. Do you want me to run dcdiag on both the 2008 and 2003 servers?
0
 
LVL 37

Expert Comment

by:Neil Russell
This is normally an indication of incorrect DNS/Network config.
Run DCDIAG and check your network settings on both servers.
Make sure that the 2008 server is a GC AND that you have transferred ALL of the FSMO roles from 2003 server to 2008 server BEFORE you demote it.
0
 
LVL 37

Expert Comment

by:Neil Russell
BUT

The question is.....Why demote it if you ONLY have the two domain controllers? You should NEVER run an AD environment with only ONE AD server. More importantly you should have at least two and BOTH should be GCs.
0
 

Author Comment

by:ssiremote
Now I have a bigger issue. The 2003 DC has a local IP of 192.168.1.1. The 2008 LAN DNS had 192.168.1.1 in it. The 2008 server has IP 192.168.1.2. I manually changed the DNS on 2008 to 192.168.1.2 and now the server is in a reboot loop. Can't get back in to change the DNS back. Damn. Sorry folks.
0
 

Author Comment

by:ssiremote
@neilsr. The owner of the equipment insists that he have only 1 server. The 2003 server is 6-7 years old and failing.
0
 
LVL 11

Expert Comment

by:madhatter5501
can you boot into safe mode and reset the ip?  doesn't sound like an ip error though, usually with an ip error it comes up with an error, not reboot.

can you do a startup repair by going to advanced on F8?  I have never had to use the advanced menu on startup for server 2008, but I would assume it is there.
0
 

Author Comment

by:ssiremote
It won't go past the ctrl-alt-del screen in any mode. Trying last good configuration now. Fingers crossed.
0
 
LVL 11

Expert Comment

by:madhatter5501
Going into safe mode would be before it boots into Windows; when you get to the BIOS screen, start pressing F8 (that's the normal button, some models are different)

then you will see a menu that should let you into startup repair
0
 

Author Comment

by:ssiremote
last known configuration worked. running dcdiag now
0
 

Author Comment

by:ssiremote
An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/08/2011   13:15:04
            Event String:
            The Allscripts Process Import Linking service failed to start due to
 the following error:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/08/2011   13:15:19
            Event String:
            The Allscripts Process Messages service failed to start due to the f
ollowing error:
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 09/08/2011   13:15:22
            Event String:
            The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/08/2011   13:15:34
            Event String:
            The Allscripts Process Scheduled Events service failed to start due
to the following error:
         A warning event occurred.  EventID: 0x00001696
            Time Generated: 09/08/2011   13:15:37
            Event String:
            Dynamic registration or deregistration of one or more DNS records fa
iled with the following error:
         An error event occurred.  EventID: 0xC0001B81
            Time Generated: 09/08/2011   13:15:37
            Event String:
            The msftesql service was unable to log on as CEFM-DOM\Amhs-services
with the currently configured password due to the following error:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/08/2011   13:15:37
            Event String:
            The SQL Server FullText Search (MSSQLSERVER) service failed to start
 due to the following error:
         An error event occurred.  EventID: 0xC0001B81
            Time Generated: 09/08/2011   13:15:38
            Event String:
            The MSSQLSERVER service was unable to log on as CEFM-DOM\Amhs-servic
es with the currently configured password due to the following error:
         An error event occurred.  EventID: 0xC0001B58
            Time Generated: 09/08/2011   13:15:38
            Event String:
            The SQL Server (MSSQLSERVER) service failed to start due to the foll
owing error:
         A warning event occurred.  EventID: 0x80050004
            Time Generated: 09/08/2011   13:18:10
            Event String:
            Broadcom BCM5709C: The network link is down.  Check to make sure the
 network cable is properly connected.
         A warning event occurred.  EventID: 0xA004001B
            Time Generated: 09/08/2011   13:18:12
            Event String: Intel(R) Gigabit ET Dual Port Server Adapter
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 09/08/2011   13:18:14
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 09/08/2011   13:18:14
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 09/08/2011   13:18:14
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its wr
ite cache enabled. Data corruption may occur.
         An error event occurred.  EventID: 0x80001778
            Time Generated: 09/08/2011   13:18:18
            Event String:
            The previous system shutdown at 1:15:24 PM on 9/8/2011 was unexpecte
d.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 09/08/2011   13:18:21
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x00000C18
            Time Generated: 09/08/2011   13:18:53
            Event String:
            The primary Domain Controller for this domain could not be located.
         An error event occurred.  EventID: 0xC0001B81
            Time Generated: 09/08/2011   13:18:58
            Event String:
            The csimProcessJobScheduleService service was unable to log on as CE
FM-DOM\AMHS-Services with the currently configured password due to the following
 error:
         An error event occurred.  EventID: 0xC0001B58
0
 
LVL 37

Expert Comment

by:Neil Russell
"@neilsr. the owner of the equioment insists that he have only 1 server"

Then you should be advising him of the danger AND getting him to sign a waiver that says "You told him so".
When this one breaks and NOBODY can log in, it will be your fault, he will swear by it.
0
 
LVL 37

Expert Comment

by:Neil Russell
The DNS settings of the two servers should be:

Primary DNS: Points to self
Secondary DNS: Points to other server

This is why you could not boot and login correctly
0
 

Author Comment

by:ssiremote
When I manually change the DNS settings as you advised, nielsr, it gives me warning warning warning
0
 
LVL 11

Expert Comment

by:madhatter5501
you can only have 1 default gateway on your network
0
 
LVL 17

Expert Comment

by:Spartan_1337
You are using multiple nics? Is this necessary?
If not, then disable one and only use one NIC for your network connection.
0
 

Author Comment

by:ssiremote
Looked at FSMO roles and found out that the only role still pointing to the old server is the schema master. Could that be causing the demote issue?
0
 

Author Comment

by:ssiremote
yeah im using only the one nic. i had enabled the other ones while i was trying to get it to boot back up.
0
 
LVL 17

Expert Comment

by:Spartan_1337
Can you run ipconfig /all and paste results?
Conflicting gateways will create all sorts of connectivity issues.
0
 
LVL 37

Expert Comment

by:Neil Russell
Ensure only one NIC is enabled. The error you have does not relate to the DNS settings I asked you to change.
0
 
LVL 3

Expert Comment

by:shahravish
Hi ssiremote,
To answer your question about schema master - yes, that would definitely be 1 of the reasons. Please ensure that all FSMO roles have been transferred to the 2008 server.
You can follow steps detailed here - http://support.microsoft.com/kb/324801

Once that is done, please ensure both servers have dns roles installed and point primary DNS to new server and secondary DNS to old server.
Once you have confirmed all FSMO roles have been transferred, you should be able to successfully demote the 2003 server from AD roles.
0
 
LVL 3

Expert Comment

by:shahravish
In reference to the multiple default gateway error message: you are getting it as other NICs have another gateway defined. If you have the other NICs unplugged or not used, you shouldn't worry about it, as it's a warning message. This does come up when you have multiple NICs and no teaming setup.
0
 

Author Comment

by:ssiremote
This is what I get during the role transfer

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server dbserver.cefm-dom.local
Binding to dbserver.cefm-dom.local ...
Connected to dbserver.cefm-dom.local using credentials of locally logged on user
.
server connections: q
fsmo maintenance: transfer schema master
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103CB, problem 5002 (UN
AVAILABLE), data 3

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "dbserver.cefm-dom.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=CEFM-HMO,CN=Servers,CN=Default-First-Site-Name,CN=S
ites,CN=Configuration,DC=CEFM-DOM,DC=local
Domain - CN=NTDS Settings,CN=DBSERVER,CN=Servers,CN=Default-First-Site-Name,CN=S
ites,CN=Configuration,DC=CEFM-DOM,DC=local
PDC - CN=NTDS Settings,CN=DBSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=CEFM-DOM,DC=local
RID - CN=NTDS Settings,CN=DBSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=CEFM-DOM,DC=local
Infrastructure - CN=NTDS Settings,CN=DBSERVER,CN=Servers,CN=Default-First-Site-N
ame,CN=Sites,CN=Configuration,DC=CEFM-DOM,DC=local
fsmo maintenance:
0
 
LVL 37

Expert Comment

by:Neil Russell
I did state right at the beginning....
"Make sure that the 2008 server is a GC AND that you have transfered ALL of the FSMO roles from 2003 server to 2008 server BEFORE you demote it."
0
 

Author Comment

by:ssiremote
I did check when you advised. The 2008 server is a GC. Somehow all roles had transferred but the schema master. When I tried to move the schema master I get the error that I had previously posted.
0
 
LVL 3

Expert Comment

by:shahravish
To transfer Schema Master Roles:

Register Schmmgmt.dll
Click Start, and then click Run.
Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
Click Start, click Run, type mmc in the Open box, and then click OK.
On the File menu, click Add/Remove Snap-in.
Click Add.
Click Active Directory Schema, click Add, click Close, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Operations Master.
Click Change.
Click OK to confirm that you want to transfer the role, and then click Close.

------
Use the primary DNS as the old server and follow above steps
0
 
LVL 37

Expert Comment

by:Neil Russell
What is server CEFM-HMO ? Your 2003 server?
0
 

Author Comment

by:ssiremote
that is correct nielsr
0
 
LVL 37

Expert Comment

by:Neil Russell
From your 2008 server can you ping CEFM-HMO ?
0
 

Author Comment

by:ssiremote
yes i can and i can use admin shares
0
 

Author Comment

by:ssiremote
"point primary DNS to new server and secondary DNS to old server"

is this correct . i currently have is as nielsr had advised " Primary DNS: Points to self
Secondary DNS: Points to other server"
0
 

Author Comment

by:ssiremote
ok so after multiple tries i got the schema master role transferred too. am rebooting both servers. will keep you guys apprised. thanks
0
 
LVL 37

Expert Comment

by:Neil Russell
So long as both servers had the DNS role installed and up to date it shouldn't matter which way round you have the DNS servers, except it will slow boot times down.
0
 

Author Comment

by:ssiremote
ALL ROLES TRANSFERRED successfully. DNS server roles running on both. But during demote on Server 2003 I still get the box indicating that this DC is the last controller for this domain is unchecked. However o other active directory domain controllers for domain can be contacted. do u wish to proceed?
0
 
LVL 3

Expert Comment

by:shahravish
Yes, as neilsr mentioned as long as both servers have DNS installed. Once you have rebooted the server, check through the steps to see that the roles have been migrated, after which you should be able to demote.
0
 

Author Comment

by:ssiremote
so even if the msg says that no other active directory domains can be contacted i should go ahead with the demote?
0
 
LVL 3

Expert Comment

by:shahravish
Try and perform a manual replication between the 2 DCs and try again
0
 
LVL 3

Expert Comment

by:shahravish
Sorry I just read the message thoroughly! It is prompting you to confirm if this is the LAST domain controller. If you leave that option UNCHECKED, it means this is NOT the last DC.
The message is saying that it is able to communicate to other DCs which is fine.

Just make sure before you proceed, that the option is UNCHECKED.

You should only check that option if it is the last DC, otherwise proceed with it unchecked and it will reboot as a normal member server of the domain
0
 
LVL 3

Expert Comment

by:shahravish
Just thought I'll paste the points of demoting here too.
Removing a domain controller by using the Windows interface

You can use the Active Directory Domain Services Installation Wizard to remove a domain controller from an existing domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the domain.

To remove a domain controller by using the Windows interface
Click Start, click Run, type dcpromo, and then press ENTER.

On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment. Click OK to continue.

On the Delete the Domain page, make no selection, and then click Next.

If the domain controller has application directory partitions, on the Application Directory Partitions page, view the application directory partitions in the list, and then remove or retain application directory partitions, as follows:

If you do not want to retain any application directory partitions that are stored on the domain controller, click Next.

If you want to retain an application directory partition that an application has created on the domain controller, use the application that created the partition to remove it, and then click Refresh to update the list.

If the Confirm Deletion page appears, select the option to delete all application directory partitions on the domain controller, and then click Next.

On the Remove DNS Delegation page, verify that the Delete the DNS delegations pointing to this server check box is selected, and then click Next.

If necessary, enter administrative credentials for the server that hosts the DNS zones that contain the DNS delegation for this server, and then click OK.

On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.

On the Summary page, to save the settings that you selected to an answer file that you can use to automate subsequent operations in Active Directory Domain Services (AD DS), click Export settings. Type a name for your answer file, and then click Save. Review your selections, and then click Next to remove AD DS.

On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS removal when you are prompted to do so.

Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

In Roles Summary, click Remove Roles.

If necessary, review the information on the Before You Begin page, and then click Next.

On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.

On the Confirm Removal Selections page, click Remove.

On the Removal Results page, click Close, and then click Yes to restart the server.
0
 

Author Comment

by:ssiremote
problem is it says that it says this "however o other active directory domain controllers for domain can be contacted. do u wish to proceed?"
0
 

Author Comment

by:ssiremote
o = no
0
 
LVL 3

Expert Comment

by:shahravish
The new server has the DNS? Try using the new server as primary DNS and try again?
0
 

Author Comment

by:ssiremote
the new server has its own ip as primary dns and old servers ip as alternate. the old server has its own ip as primary and new server ip as alternate
0
 

Author Comment

by:ssiremote
The new server has the DNS? Try using the new server as primary DNS and try again? i did not understand this.
0
 
LVL 3

Expert Comment

by:shahravish
On the Old Server, setup the new server as primary DNS and keep local host as secondary DNS.
0
 

Author Comment

by:ssiremote
changed as advised. rebooting now
0
 
LVL 3

Expert Comment

by:shahravish
Did you get that prompt again?
0
 

Author Comment

by:ssiremote
waiting for reboot. i will run the dcpromo in just a bit and let u know.
0
 

Author Comment

by:ssiremote
yes same prompt . see attached screenshot
Untitled1.jpg
0
 
LVL 11

Expert Comment

by:madhatter5501
what about using adsi edit?
0
 

Author Comment

by:ssiremote
no joy so far. switching primary dns on both to old server ip and rebooting. any ideas?
0
 

Author Comment

by:ssiremote
no joy yet. any help ?
0
 

Author Comment

by:ssiremote
i get this on the server 2003 that im trying to demote

Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      2088
Date:            9/8/2011
Time:            6:01:59 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      CEFM-HMO
Description:
Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
 
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.
 
You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
 
Alternate server name:
 DBSERVER
Failing DNS host name:
 8b3c9615-02bb-4fd5-aef2-be94756dd686._msdcs.CEFM-DOM.local
0
 
LVL 13

Expert Comment

by:Greg Hejl
open dns

navigate to _msdcs.cefm-dom.local

look for that server guid number, look at the server name, look it up in domain dns and make sure the IP reflects the actual IP address of the server.

also run DCDIAG /fix

then DCDIAG /test:dns

post results please
0
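The three pre-demotion checks the experts describe in this thread (Neil Russell's FSMO and DNS-order advice, shahravish's schema master transfer, Greg Hejl's _msdcs GUID lookup) gathered into one read-only script, added here as an example and not taken from the thread or from Microsoft. It assumes the ActiveDirectory and DnsClient PowerShell modules, which ship with newer Windows Server releases than the 2003/2008 pair discussed above; the host names and domain are the thread's.

```powershell
# Added example, not from the thread: read-only checks to run on the
# surviving DC before the old one is demoted. Assumes the ActiveDirectory
# and DnsClient modules (Windows Server 2008 R2 / 2012 and later).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$oldDc  = 'CEFM-HMO'      # the 2003 DC being demoted (from the thread)

# 1. No FSMO role may still sit on the server being demoted. In the thread
#    every role but the Schema Master had moved, and that one blocked dcpromo.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $flag = if ($r.Value -match "^$oldDc\.") { 'STILL ON OLD DC' } else { 'ok' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $flag
}

# 2. Each DC's NTDS Settings GUID must have a CNAME under _msdcs.<forest root>
#    that points at that DC's host name. This is the record the NTDS
#    Replication event 2088 in the thread could not resolve. Also report
#    whether the DC is a global catalog, which Neil Russell asked to confirm.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname = '{0}._msdcs.{1}' -f $ntds.ObjectGUID, $forest.RootDomain
    try {
        $ans    = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop
        $target = ($ans | Where-Object { $_.Type -eq 'CNAME' }).NameHost
        $state  = if ($target -ieq $dc.HostName) { 'ok' } else { "MISMATCH -> $target" }
    } catch {
        $state = 'MISSING'
    }
    $gc = if ($dc.IsGlobalCatalog) { 'GC' } else { 'not GC' }
    '{0,-12} {1,-7} {2} {3}' -f $dc.Name, $gc, $cname, $state
}

# 3. DNS client order on this server: own address first, partner DC second.
#    Changing this by hand is what put the 2008 server into its reboot loop.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Run it in an elevated PowerShell on the DC that will remain; any line flagged STILL ON OLD DC, MISSING or MISMATCH is a reason not to start dcpromo yet.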
 

Accepted Solution

by:
ssiremote earned 0 total points
i give up. going to call ms tech support. been working on this for 2 days straight with no luck. thanks all for all the advice and help.
0
 

Author Closing Comment

by:ssiremote
too many variables. something is very wrong . going to try luck with ms tech support before taking the leap and redoing the dc.
0
 
LVL 26

Expert Comment

by:Leon Fester
This really looks like a failed DCPROMO.
And should be treated as such.

Recommendations are roll back to your previous known state, i.e. get your 2K3 Server to be the only DC on the network and ensure that it is in a healthy state.

Updated comments for this and other post can be found in http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27298994.html
0
