Nick Daniels
asked on
DCPROMO Failed to Demote a DC
We stood up a Domain Controller on a virtual (Hyper-V) Windows Server 2008 R2 Enterprise edition server for the purpose of installing Exchange 2010. We installed Exchange and, in doing so, made some mistakes. We had to uninstall Exchange from it. I created a new VM to put Exchange on correctly. Now that Exchange is removed from that old DC, I want to remove AD from it and shut it down permanently. The problem is that it won't go down without a fight.
The old server I want to demote is "Exchange1.mydomain.net" and it is also a DNS Server
The primary DC is "server1.mydomain.net" and it is also a DNS Server
This is the error I get when I try to remove AD:
--
When attempting to remove AD using DCPROMO I get this error: "The operation failed because: the attempt at remote directory server server1.mydomain.net to remove directory server CN=Exchange1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration... was unsuccessful. "Access is denied""
--
I have tried several different Domain Admin accounts and made sure that they were also Enterprise Admins. Exchange1 can ping the primary domain controller. It is also a global catalog. To prove there wasn't some problem with the domain in general, I stood up another Test DC as global catalog and demoted it without any problems (without making it a DNS server).
What do the experts think I should do next?
Thanks in advance!
You can use DCPROMO /forceremoval to force the removal
If you run the /forceremoval make sure to cleanup the metadata of that DC
http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
Thanks
Mike
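The forced removal and the metadata cleanup Mike refers to, written out as an added example (not code from the original thread). The host, site and domain names are taken from the question; the exact DN of your own server object and the DSRM password are assumptions you must replace. On 2008 R2 there is no PowerShell demotion cmdlet, so the procedure is dcpromo plus ntdsutil:

```powershell
# Added example (not from the original thread): forced demotion of a 2008 R2 DC
# followed by metadata cleanup on a surviving DC. Exchange1, server1, site
# "mydomain" and DC=mydomain,DC=net come from the question; the server DN below
# is an assumption and must match your own Configuration partition.

# --- On the DC being demoted (Exchange1) ---

# 1. Know the DSRM password before a forced demotion: it is the only account
#    you can log on with locally afterwards. ntdsutil resets it interactively
#    ("null" means the local machine).
ntdsutil "set dsrm password" "reset password on server null" quit quit

# 2. Force the demotion. /forceremoval does not contact the other DCs, so it
#    does not depend on server1 accepting the deletion. It also does not clean
#    up anything on server1; that is why step 3 is mandatory.
dcpromo /forceremoval

# --- On a surviving DC (server1), once Exchange1 is off the network ---

# 3. Remove the server's NTDS Settings object and related metadata. The
#    one-line form below is the one documented for Windows Server 2008 in the
#    TechNet article linked above; the argument is the DN of the *server*
#    object (the parent of NTDS Settings), not of the computer account.
$serverDn = "CN=Exchange1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=mydomain,DC=net"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. Confirm that only the DCs you expect remain, and that replication between
#    them is healthy. Each nTDSDSA object is one DC's "NTDS Settings".
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(objectClass=nTDSDSA)" `
    -SearchBase "CN=Sites,CN=Configuration,DC=mydomain,DC=net" |
    Select-Object DistinguishedName
repadmin /replsummary

# 5. What ntdsutil does not do for you: check for a leftover computer account
#    for Exchange1 and for its DNS records (NS/SRV/A) on your DNS servers.
Get-ADComputer -Filter 'Name -eq "Exchange1"' -ErrorAction SilentlyContinue
```

Run step 3 only after the forced demotion has actually completed and the machine is off the network; if you run it first and then let the old DC replicate again, it will recreate part of the metadata you just removed.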
ASKER
The /forceremoval is something that I am aware of, but was hoping there was a trick to remove it properly. What are the hazards of doing a forceremoval?
@kdyer, where would I go to check for tombstoned records in DNS? I snooped around a bit and googled it, but couldn't find where I should be looking.
Thanks
With 2008 R2, if you remove the account from AD, it automatically does a metadata cleanup.
ASKER
I found this warning in the event viewer under the AD section:
Note the screen shot for title and ID #.
---
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
Attempts:
9
Directory service:
CN=NTDS Settings,CN=server1,CN=Servers,CN=mycompany,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Period of time (minutes):
128
The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Additional Data
Error value:
1256 The remote system is not available. For information about network troubleshooting, see Windows Help.
---
AD-Warning-on-Exchange1-EE.png
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Also make sure the account you are using to remove the DC is in the Schema Admins group. When changing the DCs, you are changing the schema. So note that the only two things that cause this are: the object is protected from deletion, or the user account isn't in the Schema Admins group.
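A way to find out, before another round of dcpromo, whether "Protect object from accidental deletion" is what is producing the "Access is denied" from server1. This is an added example, not code from the thread; the host, site and domain names come from the question, and the choice of the three objects to inspect (site, server, NTDS Settings, the three places Sites and Services offers the checkbox) is an assumption about what the asker's "three locations" were. It needs the ActiveDirectory module, which is available on a 2008 R2 DC or via RSAT:

```powershell
# Added example (not from the original thread): show which objects of the DC
# being demoted carry ProtectedFromAccidentalDeletion, and what that flag
# really is, so the "Access is denied" from the remote DC is explainable.
Import-Module ActiveDirectory

$server   = "Exchange1"                                               # from the question
$siteDn   = "CN=mydomain,CN=Sites,CN=Configuration,DC=mydomain,DC=net" # assumed site name
$serverDn = "CN=$server,CN=Servers,$siteDn"
$ntdsDn   = "CN=NTDS Settings,$serverDn"

# The checkbox is exposed as the ProtectedFromAccidentalDeletion property.
# Underneath it is a Deny ACE for Everyone on Delete and Delete Subtree on the
# object itself, which is why even an Enterprise Admin gets "Access is denied".
foreach ($dn in $siteDn, $serverDn, $ntdsDn) {
    $obj  = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
    $deny = (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone*' } |
        Select-Object -ExpandProperty ActiveDirectoryRights
    "{0,-14} protected={1,-5} everyoneDenied={2}" -f $obj.Name, $obj.ProtectedFromAccidentalDeletion, ($deny -join ';')
}

# Clear the flag on the server and NTDS Settings objects only. Leave the site
# object alone: clearing it there would let someone delete the whole site.
foreach ($dn in $serverDn, $ntdsDn) {
    $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
    if ($obj.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
        "cleared protection on $dn"
    }
}

# Before retrying dcpromo, make sure the demoting DC can actually replicate
# with server1; the KCC warning with error 1256 posted above says it could not,
# and a normal (non-forced) demotion needs that link to work.
repadmin /showrepl $server
```

The flag is not inherited: clearing it on the server object does not clear it on NTDS Settings, which is consistent with the asker needing the one under NTDS Settings specifically.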
ASKER
Venurajav was right, it was the "Protect object from accidental deletion" check boxes. I found three locations that had this option, and when I unchecked the one under NTDS Settings, it allowed me to remove it from the domain. At the end of the wizard a warning dialog popped up; I just want to confirm that this doesn't matter because the domain ".net" doesn't really exist under my roof. My domain is "mydomain.net", so I assume it already removed the DNS delegations from my DNS servers, right? How do I confirm this on my DNS server? (See attachment)
DNS-Delegations.png
You asked:
The /forceremoval is something that I am aware of, but was hoping there was a trick to remove it properly. What are the hazards of doing a forceremoval?
/forceremoval is considered a "proper" removal technique.
From the KB link below:
Microsoft has tested and supports the forced demotion of domain controllers that are running Windows 2000 or Windows Server 2003.
But only use it if nothing else works.
Why? The /forceremoval assumes that you've already done that, and it's not something that you can easily recover from if you do it wrong.
In a nutshell, it's just like deleting the Computer Accounts and doesn't do any checks which the GUI deletion options may have added.
Here is the Microsoft KB for this scenario:
http://support.microsoft.com/kb/332199
Warning Before you use either of the following workarounds, make sure that you can successfully start in Directory Services Restore mode. Otherwise, you will not be able to log on after you forcefully demote the computer. If you do not remember the Directory Services Restore mode password, you can reset the password by using the Setpwd.exe utility that is located in the Winnt\System32 folder. In Windows Server 2003, the functionality of the Setpwd.exe utility has been integrated into the Set DSRM Password command of the NTDSUTIL tool. For more information how to perform this procedure, click the following article number to view the article in the Microsoft Knowledge Base:
271641 (http://support.microsoft.com/kb/271641/ ) Configure Your Server Wizard sets a blank recovery mode password
Yes, you can ignore that warning about DNS delegation, since you do not control the "net" domain. That's only important if you're working within a child domain, and you also control the parent or can contact someone who does.
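The delegation dcpromo warned about lives in the parent zone ("net"), which is not yours, so there is nothing to confirm there. What you can verify on server1 is that none of the zones you host still advertise Exchange1 as a name server or as a DC. This is an added example, not from the thread; host and zone names come from the question, and it assumes _msdcs.mydomain.net exists as its own zone (the default for a domain created on 2003 or later). It uses dnscmd because the DnsServer PowerShell module does not exist on 2008 R2:

```powershell
# Added example (not from the original thread): after demoting Exchange1,
# check the zones hosted on server1 for records that still name it.
$dnsServer = "server1.mydomain.net"                  # from the question
$oldDc     = "exchange1"                             # from the question
$zones     = "mydomain.net", "_msdcs.mydomain.net"   # assumed zone layout

foreach ($zone in $zones) {
    # NS records at the zone root ("@") must list only the remaining DCs.
    "--- NS records at the root of $zone ---"
    dnscmd $dnsServer /EnumRecords $zone "@" /Type NS

    # Anything else in the zone (SRV, A, CNAME) that still mentions the old DC
    # is a leftover that dcpromo did not remove and clients may still chase.
    "--- records in $zone still mentioning $oldDc ---"
    dnscmd $dnsServer /EnumRecords $zone "@" | Select-String -Pattern $oldDc
}

# The one delegation you do own is the _msdcs node inside mydomain.net;
# its NS records must not point at Exchange1 either.
"--- delegation of _msdcs inside mydomain.net ---"
dnscmd $dnsServer /EnumRecords mydomain.net _msdcs /Type NS

# Client-side view: is Exchange1 still advertised as a domain controller?
nslookup -type=SRV _ldap._tcp.dc._msdcs.mydomain.net $dnsServer
```

If a stale NS record survives, remove it with `dnscmd <server> /RecordDelete <zone> @ NS <fqdn>`; stale SRV records under _msdcs are re-registered only by live DCs, so once deleted they do not come back. Keep Exchange1 off the network while you check, otherwise its netlogon service may re-register the SRV records before it has finished being a DC.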
ASKER
Thanks for all the awesome help all!
HTH,
Kent