Last Domain Controller in the domain

Posted on 2012-09-14
Last Modified: 2012-09-29
Good evening. I'm having a problem removing my old 2003 domain controller from my domain. I currently have a Windows 2003 R2 SP2 server that is the original domain controller. Next I have my new 2008 R2 server that is my new domain controller. I have run all the adprep commands to prepare the domain, forest and GPO for the new 2008 domain. Currently the domain and forest are at 2003 level. I have moved all the FSMO roles to the new 2008 R2 server and it is the GC also.

So my problem is that when I run dcpromo on my original domain controller it thinks it's the last domain controller in the domain and can't contact any other domain controller.

As a test I created a new 2003 R2 server, made it a domain controller and moved all the FSMO roles to it. Then I tried to dcpromo the original controller to remove it, but it still thinks it's the last DC in the domain.

Can someone please get me back on track or give me some idea of what is going on?

Thanks for any help.
Question by:tribaltrout
    LVL 9

    Expert Comment

    Prerequisites for a domain rename in a simple single domain forest for windows 2003/2008:
     •Enterprise Administrator credentials are required.
     •The domain should be well formed and healthy. Run dcdiag /q and repadmin /replsum to check for any errors and fix them before you proceed. Run gpotool to check that all the policies are OK.
     •The forest functional level must be Windows Server 2003 or 2008, and all DC’s running at least Server 2003.
     •A DNS zone for the new domain must be in place.
    The Rendom and Gpfixup tools must be copied to a domain member workstation to perform the rename operations. The operations should not be initiated from a domain controller.
    See the TechNet link below for details on requirements if you’re using DFS redirection, roaming profiles, running a CA, or Exchange Server.
    The domain rename is performed using the Rendom tool, which is installed with Active Directory when running dcpromo. Once this process is started, you must ensure that no changes are made to the forest configuration until complete. The steps are as follows.
    1.To generate the current forest description file
     Run “rendom /list” to generate a state file named Domainlist.xml. This file contains the current forest configuration.
    2.To edit the domainlist.xml file
     Using a simple text editor such as notepad, edit the state file, changing the and fields to the desired values for the new domain name.
    3.To review the new forest description in domainlist.xml
     Run “rendom /showforest” to show the potential changes; this step does not actually make any changes.
    4.To generate the domain rename instructions and upload them to the domain naming master
     Run “rendom /upload” to upload the rename instructions to the configuration directory partition on the domain controller holding the domain naming operations master role. The instructions are then replicated to all other DC’s in the forest. Once replicated to all DC’s, the rename instructions are ready to be carried out. You can force replication by running the “repadmin /syncall” command.
    5.To verify the readiness of domain controllers in the forest
     Run “rendom /prepare” to verify the readiness of each domain controller in the forest to carry out the rename instructions. This should contact all DC’s successfully and return no errors before proceeding.
    6.To execute the domain rename instructions on all domain controllers
     Run “rendom /execute”; this verifies the readiness of all DC’s, then performs the rename action on each one. There will be a service interruption during this period. Upon completion domain controllers will be rebooted. If an error occurs on a DC during this phase, the entire transaction is rolled back. Any DC’s that don’t complete successfully after this phase must be demoted and removed from service.
    7.To fix up Group Policy in every renamed domain
     Run “gpfixup” to refresh all intradomain references and links to group policy objects.
     For example,
     Gpfixup / / /oldnb: xyz /newnb: abc /
    8.Reboot client computers and member servers twice to obtain new domain name.
     Because the GUID’s of the domain remain the same during the rename process, domain membership is not affected. The DNS suffix of the client machines will also be updated assuming the default option of “Change primary DNS suffix when domain membership changes” is enabled.
    9.To perform attribute clean up after domain rename
     Run “rendom /clean” to remove references of the old domain name from Active Directory.
    10.To unfreeze the forest configuration
     Run “rendom /end” to unfreeze the forest configuration and allow further changes. This was frozen during the rendom /upload step.
     Should you have any problems with clients recognizing the new domain name, you can remove them by running “netdom remove /Domain : /Force”, rebooting, and then rejoining the new domain. Once the rename is complete, there is one final change required on domain controllers. The DNS suffix of a DC is not changed as part of this process. This must be changed manually or the DC’s will have a DNS suffix that differs from the AD domain name.
    For further details on renaming Server 2008 domains, reference this TechNet article:
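
The ten rendom/gpfixup steps above, driven from one script with a hard stop at the first failure, as an added example that is not code from the original comment or from Microsoft. It assumes a single-domain forest, a domain member workstation (not a DC) with Enterprise Admin rights and the 2008 R2 support tools on the PATH; the domain names, the NetBIOS names and the DC name used for gpfixup are placeholders, and the `<DNSname>`/`<NetBiosName>` element names are what rendom /list writes into Domainlist.xml (an assumption you should confirm against your own generated file before running).

```powershell
# Added example (not from the original comment): gated driver for a rendom domain rename.
# Run on a domain MEMBER workstation as an Enterprise Admin. All names are placeholders.
$OldDns  = 'corp.example.local';  $OldNb = 'CORP'
$NewDns  = 'corp.example.net';    $NewNb = 'CORPNET'
$FixupDc = 'DC1'   # any DC, by NetBIOS name, for gpfixup /dc (DC DNS suffixes are NOT renamed)

function Invoke-Gated([string]$Label, [string]$Exe, [string[]]$Arguments) {
    Write-Host "==> $Label"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Label failed (exit $LASTEXITCODE). Fix it before going any further."
    }
}

# Health gate: "fix errors before you proceed" becomes a hard stop.
$diag = dcdiag.exe /q 2>&1
if ($diag -match 'failed test') { throw "dcdiag reports failures:`n$($diag -join [Environment]::NewLine)" }
$rep = repadmin.exe /replsum 2>&1
if ($rep -match '^\s*\S+\s+\S+\s+[1-9]\d*\s*/') { throw 'repadmin /replsum shows replication failures' }

# Steps 1-3: describe the forest, rewrite the names, review without changing anything.
# A literal text replace also renames the DomainDnsZones/ForestDnsZones application
# partitions (<DNSname>DomainDnsZones.corp.example.local</DNSname>), which must change too.
Invoke-Gated 'rendom /list' 'rendom.exe' @('/list')
$path = Join-Path $PWD.Path 'Domainlist.xml'
$xml  = [IO.File]::ReadAllText($path)
$xml  = $xml.Replace("<DNSname>$OldDns</DNSname>", "<DNSname>$NewDns</DNSname>")
$xml  = $xml.Replace(".$OldDns</DNSname>", ".$NewDns</DNSname>")
$xml  = $xml.Replace("<NetBiosName>$OldNb</NetBiosName>", "<NetBiosName>$NewNb</NetBiosName>")
[IO.File]::WriteAllText($path, $xml)
Invoke-Gated 'rendom /showforest' 'rendom.exe' @('/showforest')

# Steps 4-5: upload to the domain naming master, push replication, verify every DC answers.
Invoke-Gated 'rendom /upload'    'rendom.exe'   @('/upload')
Invoke-Gated 'repadmin /syncall' 'repadmin.exe' @('/syncall', '/APe')
Invoke-Gated 'rendom /prepare'   'rendom.exe'   @('/prepare')

# Step 6: /execute renames and reboots every DC and rolls back as a whole on any failure,
# so it gets an explicit confirmation. Aborting here leaves the forest frozen: rendom /end.
if ((Read-Host 'Every DC passed /prepare. Type EXECUTE to rename the forest') -ne 'EXECUTE') {
    throw 'Aborted before /execute. Run "rendom /end" to unfreeze the forest configuration.'
}
Invoke-Gated 'rendom /execute' 'rendom.exe' @('/execute')
Read-Host 'Wait until every DC has finished rebooting, then press Enter' | Out-Null

# Step 7: fix up GPO links and intradomain references with the same four names.
Invoke-Gated 'gpfixup' 'gpfixup.exe' @("/olddns:$OldDns", "/newdns:$NewDns",
                                        "/oldnb:$OldNb",   "/newnb:$NewNb", "/dc:$FixupDc")

# Steps 8-10: members reboot twice on their own schedule; only then clean and unfreeze.
Read-Host 'After all member servers and clients have rebooted twice, press Enter' | Out-Null
Invoke-Gated 'rendom /clean' 'rendom.exe' @('/clean')
Invoke-Gated 'rendom /end'   'rendom.exe' @('/end')
```

The two Read-Host pauses are deliberate: gpfixup run against DCs that are still rebooting, or rendom /clean run before members have picked up the new name, are the usual ways a rename is turned into a rebuild.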
    LVL 18

    Expert Comment

    by:Sushil Sonawane
    Run dcdiag /q and repadmin /replsum to check for any errors and fix the same before you proceed.

    As you mention, you ran the command dcpromo but were unable to perform the removal, so run the command dcpromo /forceremoval to remove the domain controller.

    Refer to the article below on forcing the removal of a domain controller.

    To complete this task, perform the following procedures:

    1) Identify replication partners. Connect to one of these domain controllers when you clean up server metadata in procedure 3.

    2) Force domain controller removal.

    3) Clean up server metadata.
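
The three procedures above (identify replication partners, force removal, clean up server metadata), plus the DNS cleanup the accepted answer mentions, as an added example that is not code from this thread or from Microsoft. It is meant to run on the surviving DC after `dcpromo /forceremoval` has completed on the DC being torn out; the names TOWEL, DC2, vondrehle.local and Default-First-Site-Name are taken from this thread as an assumption, and the commands are plain command lines, so on a 2003 DC without PowerShell they can be typed at cmd.exe one by one.

```powershell
# Added example (not from the original comment): post-forceremoval cleanup, run on the
# SURVIVING DC. Names are assumptions taken from this thread; adjust them to your forest.
$Healthy  = 'TOWEL'
$Dead     = 'DC2'
$Domain   = 'vondrehle.local'
$DomainDn = 'DC=vondrehle,DC=local'
$Site     = 'Default-First-Site-Name'

# 1. Replication partners: every DC that still lists $Dead as an inbound/outbound neighbour
#    will keep queuing replication to it until the metadata is gone.
repadmin.exe /showrepl $Healthy | Select-String -Pattern $Dead -Context 1

# Never clean metadata while the dead DC is still a FSMO holder; seize the roles onto
# $Healthy first (ntdsutil "roles"), or the domain is left with no role holder at all.
if ((netdom.exe query fsmo) -match $Dead) {
    throw "$Dead still holds FSMO roles; seize them onto $Healthy with ntdsutil before cleaning up."
}

# 2. Forced removal is done on the dead DC itself, not from here:
#       dcpromo /forceremoval      (on $Dead; it reboots as a stand-alone member server)

# 3. Server metadata. The one-line form (2003 SP1+ / 2008 ntdsutil) removes the server
#    object and its NTDS Settings and pops a confirmation dialog before deleting.
$ServerDn = "CN=$Dead,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit

# Objects ntdsutil may leave behind: the computer account and the FRS member object.
# Either one still present keeps $Dead in the picture (SYSVOL replication, Kerberos).
foreach ($dn in @("CN=$Dead,OU=Domain Controllers,$DomainDn",
                  "CN=$Dead,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn")) {
    if ([adsi]::Exists("LDAP://$dn")) { Write-Warning "Still present, delete by hand: $dn" }
}

# 4. DNS. Until the dead DC's A, SRV and _msdcs CNAME records are gone, the DC locator
#    and clients can still be handed $Dead as a logon server. List what is left in both
#    zones, then delete the host record; delete the listed SRV/CNAME entries the same way.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    dnscmd.exe $Healthy /EnumRecords $zone '@' /Continue 2>$null |
        Where-Object { $_ -match "$Dead\.$Domain" } |
        ForEach-Object { "[$zone] $_" }
}
dnscmd.exe $Healthy /RecordDelete $Domain $Dead A /f

# 5. Verify: $Dead must be absent from the DC list and replication must be clean.
nltest.exe /dclist:$Domain
repadmin.exe /replsum
```

The FSMO check before the ntdsutil call is the step most often skipped: a forced removal never transfers roles, so a DC torn out while it still holds the PDC or RID master leaves the domain unable to issue new SIDs until someone seizes the role.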
    LVL 24

    Expert Comment

    First of all, since you have promoted the Win2008 DC, check the health of the server by running dcdiag /q and repadmin /replsum. If no error is reported you can demote the old Win2003 DC. It seems that while demoting the DC you are getting a page which asks whether this is the last domain controller in the domain; at this prompt you should not select the option, and should click Next to continue.

    Alternatively you can demote the faulty DC forcefully. You need to run dcpromo /forceremoval and then run metadata cleanup on the other (healthy) DC to remove the instance of the faulty DC from the AD database and DNS.

    Forceful removal of DC:
    Metadata cleanup:
    Seize FSMO role:

    Note: Before you proceed, check the health of the new server; also configure the authoritative time server role on Win2008, assuming that the PDC role has been moved to that server.
    Authoritative time server:

    You also need to point the client PCs to the new Win2008 DC as well. I would also recommend having two DCs in the network for redundancy.

    If you are facing any issue, post the dcdiag /q, repadmin /replsum and ipconfig /all details of both DCs. Also post a screenshot of the error message you are receiving while demoting the server, if possible.
    LVL 26

    Expert Comment

    by:Leon Fester
    Please hold off on the forceremoval until you've done all the health checks, otherwise you'd lose your whole AD domain.

    Run the following tests:
    nltest /dclist:<domain_name>
    Will give you a list of all the domain controllers in your <domain_name>

    DCDIAG /e /v /f:dcdiag.txt and post the dcdiag.txt results.
    Will run a health check on all domain controllers in your domain

    netdom /query fsmo
    Will show you the FSMO role holders in your domain.

    Are you sure that you've read the message correctly?
    Is the message saying "this IS the last domain controller" or does it say "IF THIS IS the last domain controller"? The latter is only a warning.

    Please post a screenshot of the error.
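
The three checks in the comment above, plus the SYSVOL/NETLOGON share test that dcdiag's Advertising and NetLogons tests depend on, wrapped into one pass/fail report, as an added example that is not code from this thread. The domain name is taken from the thread as an assumption; run it from any domain member that has the AD support tools (nltest, netdom, dcdiag, repadmin) installed.

```powershell
# Added example (not from the original comment): one-shot AD health report.
# Domain name is an assumption taken from this thread.
$Domain = 'vondrehle.local'
$Report = Join-Path $env:TEMP 'dcdiag.txt'

# nltest /dclist lines look like "  towel.vondrehle.local [PDC] [DS] Site: Default-First-Site-Name"
$dcs = nltest.exe /dclist:$Domain |
       Where-Object { $_ -match 'Site:' } |
       ForEach-Object { $_.Trim().Split(' ')[0] }
Write-Host "DCs advertised for ${Domain}: $($dcs -join ', ')"

# netdom query fsmo: every role holder must be one of the DCs above, or a role is stranded.
Write-Host "`nFSMO roles:"
netdom.exe query fsmo | Where-Object { $_ -match '\s{2,}' } | ForEach-Object {
    $holder = ($_ -split '\s{2,}')[-1]
    $state  = if ($dcs -contains $holder) { 'ok' } else { 'HOLDER NOT IN DC LIST' }
    "{0,-60} {1}" -f $_.Trim(), $state
}

# Both shares must answer on every DC. A DC that replicates AD but has no NETLOGON share
# fails Advertising/NetLogons and will never be handed out as a logon server.
Write-Host "`nSYSVOL / NETLOGON shares:"
foreach ($dc in $dcs) {
    foreach ($share in 'sysvol', 'netlogon') {
        $state = if (Test-Path "\\$dc\$share") { 'ok' } else { 'MISSING' }
        "{0,-28} {1,-9} {2}" -f $dc, $share, $state
    }
}

# repadmin /replsum: the fails/total column must be 0 for every source and destination DSA.
Write-Host "`nReplication summary:"
repadmin.exe /replsum | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)') {
        $state = if ([int]$matches[3] -eq 0) { 'ok' } else { 'FAILURES' }
        "{0,-28} delta {1,-10} {2}/{3} {4}" -f $matches[1], $matches[2], $matches[3], $matches[4], $state
    }
}

# dcdiag /e /v against every DC goes to a file (it is long); only the verdict lines are shown.
dcdiag.exe /e /v "/f:$Report" | Out-Null
$failed = @(Select-String -Path $Report -Pattern 'failed test' | ForEach-Object { $_.Line.Trim() })
$passed = @(Select-String -Path $Report -Pattern 'passed test').Count
Write-Host "`ndcdiag: $passed tests passed, $($failed.Count) failed (full log: $Report)"
$failed | ForEach-Object { "  $_" }
```

With the output the author posted later in this thread, the share loop is the line that matters: `\\DC2\netlogon` reports MISSING while replication shows 0 failures, which is exactly the "AD replicates but SYSVOL never initialised" picture.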

    Author Comment

    Thanks for all the help-

    I would like to make myself clear for this post.
    The Windows 2003 server that's my original DC is called TOWEL.
    The Windows 2008 R2 server that's my new DC is DC2.
    At the time I was trying to dcpromo TOWEL and remove it as a DC,
    all of the FSMO roles were on DC2 and it was a GC.

    When I ran dcpromo on TOWEL it popped up the message, like all controllers do, and asked if this was the last DC in the domain; I didn't put a check in the box because it wasn't. When I clicked Next it came back and told me it couldn't find another DC in the domain and it was the last DC, and if I continued it would remove everything from the domain and all would be lost. I stopped at that point and then ran the commands as asked.

    C:\>dcdiag /q
             Warning: DsGetDcName returned information for \\towel.vondrehle.local,
             when we were trying to reach DC2.
             ......................... DC2 failed test Advertising
             Unable to connect to the NETLOGON share! (\\DC2\netlogon)
             [DC1] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... DC2 failed test NetLogons

    Now, I can understand why this failed, because the share and folder are not there.
    Not sure why, though.

    C:\>repadmin /replsum
    Replication Summary Start Time: 2012-09-17 08:45:13
    Beginning data collection for replication summary, this may take awhile:
    Source DSA          largest delta    fails/total %%   error
     DC2                       59m:02s    0 /  10    0
     TOWEL                     55m:38s    0 /  10    0
    Destination DSA     largest delta    fails/total %%   error
     DC2                       46m:27s    0 /  10    0
     TOWEL                     59m:00s    0 /  10    0

    C:\>nltest /dclist:vondrehle.local
    Get list of DCs in domain 'vondrehle.local' from '\\towel.vondrehle.local'.
        towel.vondrehle.local [PDC] [DS] Site: Default-First-Site-Name
          DC2.vondrehle.local       [DS] Site: Default-First-Site-Name

    Attached is the dcdiag.txt file.  At the time I ran this test I had moved the FSMO roles back to the TOWEL server.

    Thanks for any help.
    LVL 26

    Accepted Solution

    Great! It doesn't look like replication completed successfully after DC2 was added.

    OK, so you've moved the FSMO roles back to TOWEL.
    Now you can try rebuilding the sysvol shares by triggering a non-authoritative restore.
    - reference domain controller with the D4 registry entry set = TOWEL
    - all other domain controllers in the domain with the D2 registry entry set = DC2

    Give it at least 1 hour, and then run the DCDIAG tests again.

    Otherwise, you should be able to run DCPROMO /forceremoval [on DC2] and then finish up with the metadata and DNS cleanups.
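
The D4/D2 BurFlags restore the accepted answer describes, scripted end to end with a wait for FRS to report SYSVOL ready, as an added example that is not code from this thread or from Microsoft. It assumes SYSVOL is replicated by FRS (the case at a 2003 forest functional level), takes TOWEL as the D4 reference and DC2 as the D2 partner from the answer above, and runs from any machine with administrative rights on both DCs. D2 discards that DC's current SYSVOL content and re-pulls it from the reference, so the choice of reference is the whole risk.

```powershell
# Added example (not from the original answer): FRS BurFlags D4 (authoritative reference)
# and D2 (non-authoritative, re-pull) restore of SYSVOL. Names are assumptions from this thread.
$Reference = 'TOWEL'
$Others    = @('DC2')
$FrsKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-BurFlags([string]$Dc, [int]$Flag) {
    # reg.exe rather than Set-ItemProperty: the PowerShell registry provider reads the "/"
    # in "Backup/Restore" as a path separator and cannot address this key.
    $svc = Get-Service -Name NtFrs -ComputerName $Dc
    if ($svc.Status -ne 'Stopped') {
        $svc.Stop(); $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
    reg.exe add "\\$Dc\$FrsKey" /v BurFlags /t REG_DWORD /d $Flag /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not set BurFlags on $Dc" }
    $svc.Start(); $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Host ("{0}: NtFrs restarted with BurFlags=0x{1:X}" -f $Dc, $Flag)
}

function Wait-SysvolReady([string]$Dc, [datetime]$Since, [int]$Minutes = 60) {
    # Event 13516 in the File Replication Service log is FRS saying the system volume is
    # initialised and Netlogon has been told to share it as SYSVOL; 13565 (D2) / 13566 (D4)
    # only mark the start. Poll once a minute up to the deadline.
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $done = Get-EventLog -LogName 'File Replication Service' -ComputerName $Dc -After $Since |
                Where-Object { $_.EventID -eq 13516 }
        if ($done) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Order matters: the D4 reference comes up first so the D2 partners have something to pull.
$t0 = Get-Date
Set-BurFlags -Dc $Reference -Flag 0xD4
foreach ($dc in $Others) { Set-BurFlags -Dc $dc -Flag 0xD2 }

# Report per DC: did FRS finish, and are the shares actually back?
foreach ($dc in @($Reference) + $Others) {
    $ready  = Wait-SysvolReady -Dc $dc -Since $t0
    $shares = @('sysvol', 'netlogon') | Where-Object { Test-Path "\\$dc\$_" }
    "{0,-8} FRS 13516: {1,-5} shares: {2}" -f $dc, $ready, ($shares -join ',')
}
# Then, as the answer says, give it an hour and re-run dcdiag: Advertising and NetLogons must pass.
```

If a DC never logs 13516, read the File Replication Service log on that DC before touching BurFlags again; a second D2 on a DC that is still scanning only restarts the clock.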

    Author Closing Comment

    Thanks DVT_localboy, this solution worked perfectly. Sorry it took a week to get back to you; I had to back off and reschedule it, but everything is working great. Thanks again.
