• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1187
  • Last Modified:

Last Domain Controller in the domain

Good evening. I'm having a problem removing my old 2003 domain controller from my domain. I currently have a Windows 2003 R2 SP2 server that is the original domain controller. Next, I have my new 2008 R2 server that is my new domain controller. I have run all the adprep commands to prepare the domain, forest and GPO for the new 2008 domain. Currently the domain and forest are at the 2003 level. I have moved all the FSMO roles to the new 2008 R2 server and it is the GC also.

So my problem is that when I run dcpromo on my original domain controller it thinks it's the last domain controller in the domain and can't contact any other domain controller.

As a test I created a new 2003 R2 server, made it a domain controller and moved all the FSMO roles to it. Then I tried to dcpromo the original controller to remove it, but it still thinks it's the last DC in the domain.

Can someone please get me back on track or give me some idea of what is going on?

Thanks for any help.
1 Solution
djsharma, Technical Consultant, commented:
Prerequisites for a domain rename in a simple single domain forest for windows 2003/2008:
 •Enterprise Administrator credentials are required.
 •The domain should be well formed and healthy. Run dcdiag /q and repadmin /replsum to check for any errors and fix them before you proceed. Run gpotool to check that all the policies are OK.
 •The forest functional level must be Windows Server 2003 or 2008, and all DC’s running at least Server 2003.
 •A DNS zone for the new domain must be in place.
The Rendom and Gpfixup tools must be copied to a domain member workstation to perform the rename operations. The operations should not be initiated from a domain controller.
See the TechNet link below for details on requirements if you’re using DFS redirection, roaming profiles, running a CA, or Exchange Server.
The domain rename is performed using the Rendom tool, which is installed with Active Directory when running dcpromo. Once this process is started, you must ensure that no changes are made to the forest configuration until complete. The steps are as follows.
1.To generate the current forest description file
 Run “rendom /list” to generate a state file named Domainlist.xml. This file contains the current forest configuration.
2.To edit the domainlist.xml file
 Using a simple text editor such as notepad, edit the state file, changing the and fields to the desired values for the new domain name.
3.To review the new forest description in domainlist.xml
 Run “rendom /showforest” to show the potential changes; this step does not actually make any changes.
4.To generate the domain rename instructions and upload them to the domain naming master
 Run “rendom /upload” to upload the rename instructions to the configuration directory partition on the domain controller holding the domain naming operations master role. The instructions are then replicated to all other DC’s in the forest. Once replicated to all DC’s, the rename instructions are ready to be carried out. You can force replication by running the “repadmin /syncall” command.
5.To verify the readiness of domain controllers in the forest
 Run “rendom /prepare” to verify the readiness of each domain controller in the forest to carry out the rename instructions. This should contact all DC’s successfully and return no errors before proceeding.
6.To execute the domain rename instructions on all domain controllers
 Run “rendom /execute”, this verifies readiness of all DC’s, then performs the rename action on each one. There will be a service interruption during this period. Upon completion domain controllers will be rebooted. If an error occurs on a DC during this phase, the entire transaction is rolled back. Any DC’s that don’t complete successfully after this phase must be demoted and removed from service.
7.To fix up Group Policy in every renamed domain
 Run “gpfixup” to refresh all intradomain references and links to group policy objects.
 For example,
 gpfixup /olddns:xyz.com.au /newdns:abc.com.au /oldnb:xyz /newnb:abc /dc:dc.xyz.com.au
8.Reboot client computers and member servers twice to obtain new domain name.
 Because the GUID’s of the domain remain the same during the rename process, domain membership is not affected. The DNS suffix of the client machines will also be updated assuming the default option of “Change primary DNS suffix when domain membership changes” is enabled.
9.To perform attribute clean up after domain rename
 Run “rendom /clean” to remove references of the old domain name from Active Directory.
10.To unfreeze the forest configuration
 Run “rendom /end” to unfreeze the forest configuration and allow further changes. This was frozen during the rendom /upload step.
 Should you have any problems with clients recognizing the new domain name, you can remove them by running “netdom remove /Domain : /Force”, rebooting, and then rejoining the new domain. Once the rename is complete, there is one final change required on domain controllers. The DNS suffix of a DC is not changed as part of this process. This must be changed manually or the DC’s will have a DNS suffix that differs from the AD domain name.
For further details on renaming Server 2008 domains, reference this TechNet article: http://technet.microsoft.com/en-us/library/cc794869.aspx
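The ten Rendom/Gpfixup steps above, driven from one script, as an added example that is not code from djsharma's post or from Microsoft. It assumes it is run on a domain member workstation (never on a DC) with rendom.exe, gpfixup.exe and repadmin.exe on the path, that the old and new domain names and the DC name are placeholders to be replaced, and that Domainlist.xml uses the DNSname and NetBiosName elements that Rendom writes. It also rewrites the DomainDnsZones/ForestDnsZones application-partition names, which carry the old DNS suffix, and it stops at the first failing step so that rendom /end is never issued against a half-renamed forest.

```powershell
# Added example (not from the original post): runs the Rendom/Gpfixup sequence
# described above from a domain MEMBER workstation, editing Domainlist.xml in
# code rather than in Notepad, and aborts on the first failing step.
# All names below are placeholders; replace them with your own.
param(
    [string]$OldDns = 'xyz.com.au',    # current DNS name of the domain
    [string]$NewDns = 'abc.com.au',    # desired DNS name (its DNS zone must already exist)
    [string]$OldNb  = 'XYZ',           # current NetBIOS name
    [string]$NewNb  = 'ABC',           # desired NetBIOS name
    [string]$Dc     = 'dc.xyz.com.au'  # a DC for gpfixup; a DC's own DNS suffix is NOT changed by the rename
)

# Run one native command and stop the whole procedure if it reports failure.
function Invoke-Step([string]$Label, [scriptblock]$Command) {
    Write-Host "=== $Label"
    & $Command
    if ($LASTEXITCODE -ne 0) {
        throw "'$Label' failed (exit code $LASTEXITCODE). Fix the cause and re-run; rendom /end has NOT been issued."
    }
}

# Rewrite every partition name that ends in the old DNS suffix (the domain itself
# plus its DomainDnsZones/ForestDnsZones application partitions) and the NetBIOS
# name of the domain. Any other partition in the file is left untouched.
function Update-DomainList([string]$Path) {
    [xml]$forest = Get-Content -Path $Path
    $suffix = [regex]::Escape($OldDns) + '$'
    foreach ($d in $forest.Forest.Domain) {
        if ($d.DNSname -match $suffix) {
            $d.DNSname = $d.DNSname -replace $suffix, $NewDns
        }
        if ($d.NetBiosName -eq $OldNb) {
            $d.NetBiosName = $NewNb
        }
    }
    $forest.Save((Resolve-Path $Path).Path)
}

$list = Join-Path (Get-Location) 'Domainlist.xml'

Invoke-Step 'Step 1: generate the forest description'                 { rendom /list }
Write-Host  '=== Step 2: edit Domainlist.xml'
Update-DomainList $list
Invoke-Step 'Step 3: review the proposed forest (no changes made)'    { rendom /showforest }
Invoke-Step 'Step 4: upload instructions to the domain naming master' { rendom /upload }
Invoke-Step 'Step 4b: force replication of the instructions'          { repadmin /syncall /A /e /d }
Invoke-Step 'Step 5: verify every DC is ready'                        { rendom /prepare }
Invoke-Step 'Step 6: execute the rename (DCs will reboot)'            { rendom /execute }
$null = Read-Host 'Wait until every DC has rebooted and is answering, then press Enter'
Invoke-Step 'Step 7: fix up Group Policy references' {
    gpfixup "/olddns:$OldDns" "/newdns:$NewDns" "/oldnb:$OldNb" "/newnb:$NewNb" "/dc:$Dc"
}
$null = Read-Host 'Step 8: reboot member servers and clients twice, then press Enter'
Invoke-Step 'Step 9: remove old-name attributes'                      { rendom /clean }
Invoke-Step 'Step 10: unfreeze the forest configuration'              { rendom /end }
```

The two Read-Host pauses are deliberate: rendom /execute reboots every DC, and rendom /clean must not run until clients have picked up the new name, so neither can be chained automatically. If a step throws, the forest stays frozen; re-run from that step rather than issuing rendom /end by hand.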
Sushil Sonawane commented:
Run dcdiag /q and repadmin /replsum to check for any errors and fix them before you proceed.

As you mention, you ran dcpromo but were unable to demote the server, so run the command dcpromo /forceremoval to remove the domain controller.

Refer to the article below on forcing the removal of a domain controller.

To complete this task, perform the following procedures:

1) Identify replication partners. Connect to one of these domain controllers when you clean up server metadata in procedure 3.
2) Force domain controller removal.
3) Clean up server metadata.
Sandeshdubey, Senior Server Engineer, commented:
First of all, since you have promoted the Win2008 DC, check the health of the server by running dcdiag /q and repadmin /replsum. If no error is reported you can demote the old Win2003 DC. It seems that while demoting the DC you are getting a page which asks whether this is the last domain controller in the domain; at this prompt you should not select the option, and click Next to continue.

Alternately you can demote the faulty DC forcefully. You need to run dcpromo /forceremoval and then run metadata cleanup on the other (healthy) DC to remove the instance of the faulty DC from the AD database and DNS.

Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm

Note: Before you proceed, check the health of the new server and also configure the authoritative time server role on Win2008, assuming that the PDC role has been moved to that server.
Authoritative time server: http://support.microsoft.com/kb/816042

You also need to point the client PCs to the new Win2008 DC. I would also recommend having two DCs in the network for redundancy.

If you are facing any issue, post the dcdiag /q, repadmin /replsum and ipconfig /all details of both DCs. Also post a screenshot of the error message you are receiving while demoting the server, if possible.
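The "force removal, then metadata and DNS cleanup on a healthy DC" sequence that the two answers above describe, as an added example that is not code from the thread or from the linked articles. It uses the names the asker gives (domain vondrehle.local, site Default-First-Site-Name) and takes DC2 as the DC being retired and TOWEL as the survivor purely as an illustration; swap the defaults for whichever DC is actually being removed. It assumes ntdsutil on the survivor is the Windows Server 2008 or later version, which accepts the server DN in one command, and that netdom, dnscmd, repadmin and nltest are on the path.

```powershell
# Added example (not from the original thread): force-removal followed by
# metadata and DNS cleanup. Run Remove-ThisDcForcibly ON the DC being removed;
# run the remaining functions ON the surviving DC once the removed one has
# rebooted. The DC names are illustrative defaults, not a recommendation.
param(
    [string]$FailedDc  = 'DC2',
    [string]$HealthyDc = 'TOWEL',
    [string]$Domain    = 'vondrehle.local',
    [string]$Site      = 'Default-First-Site-Name'
)
$domainDn = 'DC=' + ($Domain -replace '\.', ',DC=')       # vondrehle.local -> DC=vondrehle,DC=local
$serverDn = "CN=$FailedDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$domainDn"

# 1. On the DC being removed: demote without contacting replication partners.
#    This leaves the DC's objects in AD and DNS, which the next steps remove.
function Remove-ThisDcForcibly {
    dcpromo /forceremoval        # prompts for a local Administrator password, then reboots
}

# 2. On the survivor: refuse to clean up while the retired DC still holds a FSMO
#    role. Seize the roles on the survivor first (ntdsutil roles) if it does.
function Test-SurvivorReady {
    $fsmo = netdom query fsmo
    if ($fsmo -match "\b$FailedDc\b") {
        throw "$FailedDc still holds a FSMO role; seize it on $HealthyDc before cleaning metadata."
    }
    $true
}

# 3. On the survivor: remove the NTDS Settings object plus the DC's replication
#    and FRS references. Windows Server 2008+ ntdsutil takes the server DN in one
#    step; a 2003 survivor must use the interactive "select operation target" menu.
function Remove-DcMetadata {
    ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# 4. Confirm no NTDS Settings object is left under the retired DC's server object.
#    Plain LDAP, so it works without the ActiveDirectory PowerShell module.
function Test-MetadataGone {
    try {
        $base = [adsi]"LDAP://$HealthyDc/$serverDn"
        $s = New-Object DirectoryServices.DirectorySearcher($base, '(objectClass=nTDSDSA)')
        return ($s.FindOne() -eq $null)
    } catch {
        return $true             # the server object itself is gone as well
    }
}

# 5. On the survivor: delete the retired DC's host and name-server records, then
#    list any remaining references (e.g. _msdcs SRV/CNAME entries) so they can be
#    deleted with the same /RecordDelete form.
function Remove-DcDnsRecords {
    dnscmd $HealthyDc /RecordDelete $Domain $FailedDc A /f
    dnscmd $HealthyDc /RecordDelete $Domain '@' NS "$FailedDc.$Domain." /f
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        dnscmd $HealthyDc /ZonePrint $zone | Select-String -SimpleMatch "$FailedDc.$Domain"
    }
}

# 6. What the asker's own checks should now show: only the survivor in the DC
#    list, no replication links to the retired DC, and a quiet dcdiag.
function Test-Cleanup {
    nltest "/dclist:$Domain"
    repadmin /showrepl $HealthyDc
    dcdiag /q
}
```

Run the survivor-side functions in order: Test-SurvivorReady, Remove-DcMetadata, Test-MetadataGone (must return True), Remove-DcDnsRecords, Test-Cleanup. If Test-MetadataGone returns False, the DC's server object still has child objects and should be inspected in Active Directory Sites and Services before deleting it by hand.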
Leon Fester, Senior Solutions Architect, commented:
Please hold off on the forceremoval until you've done all the health checks; otherwise you'd lose your whole AD domain.

Run the following tests:
nltest /dclist:<domain_name>
Will give you a list of all the domain controllers in <domain_name>.

DCDIAG /e /v /f:dcdiag.txt and post the dcdiag.txt results.
Will run a health check on all domain controllers in your domain

netdom query fsmo
Will show you the FSMO role holders in your domain.

Are you sure that you've read the message correctly?
Is the message saying "this IS the last domain controller", or does it say "IF THIS IS the last domain controller"? The latter is only a warning.

Please post a screenshot of the error.
tribaltrout (Author) commented:
Thanks for all the help-

I would like to make myself clear for this post.
The Windows 2003 server that's my original DC is called TOWEL.
The Windows 2008 R2 server that's my new DC is DC2.
At the time I was trying to dcpromo TOWEL and remove it as a DC,
all of the FSMO roles were on DC2 and it was a GC.

When I ran dcpromo on TOWEL it popped up the message that all controllers do and asked if this is the last DC in the domain; I didn't put a check in the box because it wasn't. When I clicked Next it came back and told me it couldn't find another DC in the domain, that it was the last DC, and that if I continued it would remove everything from the domain and all would be lost. I stopped at that point and then ran the commands as asked.

C:\>dcdiag /q
         Warning: DsGetDcName returned information for \\towel.vondrehle.local,
         when we were trying to reach DC2.
         ......................... DC2 failed test Advertising
         Unable to connect to the NETLOGON share! (\\DC2\netlogon)
         [DC1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC2 failed test NetLogons

Now, I can understand why this failed, because the share and folder are not there.
Not sure why, though.

C:\>repadmin /replsum
Replication Summary Start Time: 2012-09-17 08:45:13
Beginning data collection for replication summary, this may take awhile:
Source DSA          largest delta    fails/total %%   error
 DC2                       59m:02s    0 /  10    0
 TOWEL                     55m:38s    0 /  10    0
Destination DSA     largest delta    fails/total %%   error
 DC2                       46m:27s    0 /  10    0
 TOWEL                     59m:00s    0 /  10    0

C:\>nltest /dclist:vondrehle.local
Get list of DCs in domain 'vondrehle.local' from '\\towel.vondrehle.local'.
    towel.vondrehle.local [PDC] [DS] Site: Default-First-Site-Name
      DC2.vondrehle.local       [DS] Site: Default-First-Site-Name

Attached is the dcdiag.txt file.  At the time I ran this test I had moved the FSMO roles back to the TOWEL server.

Thanks for any help.
Leon Fester, Senior Solutions Architect, commented:
Great! It doesn't look like replication completed successfully after DC2 was added.

OK, so you've moved the FSMO roles back to TOWEL.
Now you can try rebuilding the SYSVOL shares by triggering a non-authoritative restore.

- reference domain controller with the D4 registry entry set = TOWEL
- all other domain controllers in the domain with the D2 registry entry set = DC2

Give it at least 1 hour, and then run the DCDIAG tests again.

Otherwise, you should be able to run DCPROMO /forceremoval on DC2 and then finish up with the metadata and DNS cleanups.
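The D4/D2 rebuild Leon describes, as a script; this is an added example, not code from the thread or from Microsoft. It assumes SYSVOL is replicated by FRS (the case for a 2003-level domain), that NTFRS is stopped on all DCs before the reference DC is started and members are started only after the reference has logged event 13516, that PowerShell 2.0 is installed on the Windows Server 2003 DC (otherwise make the same registry write with reg.exe from cmd.exe, between net stop ntfrs and net start ntfrs), and that the 30-minute wait is a chosen timeout. The backup step exists because a D2 restore discards any local-only SYSVOL content on the member.

```powershell
# Added example (not from the original thread): FRS non-authoritative SYSVOL
# rebuild. Run with -Role Reference on the DC whose SYSVOL is the good copy
# (TOWEL in the thread, BurFlags D4) and with -Role Member on every other DC
# (DC2, BurFlags D2). Stop NTFRS on ALL DCs first, start the reference, and only
# then the members.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Reference', 'Member')]
    [string]$Role,
    [int]$TimeoutMinutes = 30           # assumed: how long to wait for FRS to share SYSVOL again
)

$burKey   = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlags = @{ Reference = 0xD4; Member = 0xD2 }[$Role]
$sysvol   = Join-Path $env:SystemRoot 'SYSVOL\domain'   # assumed default SYSVOL location

# Keep a copy of the current SYSVOL content: a D2 restore moves it aside
# (NtFrs_PreExisting___See_EventLog) and pulls the reference DC's copy instead.
function Backup-Sysvol {
    $dest = Join-Path $env:SystemDrive ('SYSVOL_backup_' + (Get-Date -Format 'yyyyMMdd_HHmm'))
    xcopy $sysvol "$dest\" /E /H /K /O /X /Y /I | Out-Null
    if ($LASTEXITCODE -gt 1) { throw "xcopy failed with exit code $LASTEXITCODE" }  # 1 = nothing to copy
    $dest
}

# Write the BurFlags value FRS reads at service start. The key name contains a
# forward slash, so use the .NET registry class rather than an HKLM: provider path.
function Set-BurFlags([int]$Value) {
    Stop-Service -Name NtFrs -Force
    [Microsoft.Win32.Registry]::SetValue($burKey, 'BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    [Microsoft.Win32.Registry]::GetValue($burKey, 'BurFlags', $null)
}

# FRS logs event 13516 ("no longer preventing this computer from becoming a
# domain controller") once SYSVOL is rebuilt and shared; poll for it.
function Wait-FrsReady([datetime]$Since, [int]$Minutes) {
    Start-Service -Name NtFrs
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $ready = Get-EventLog -LogName 'File Replication Service' -Source NtFrs -After $Since -ErrorAction SilentlyContinue |
                 Where-Object { $_.EventID -eq 13516 }
        if ($ready) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    $false
}

# The two shares that dcdiag's Advertising and NetLogons tests look for.
function Test-SysvolShared {
    $shares = net share
    [bool]($shares -match '^SYSVOL\s') -and [bool]($shares -match '^NETLOGON\s')
}

$started = Get-Date
Write-Host "SYSVOL backed up to $(Backup-Sysvol)"
Write-Host ("BurFlags on this DC is now 0x{0:X}" -f (Set-BurFlags $burFlags))
if ($Role -eq 'Member') {
    $null = Read-Host 'Start NTFRS on the reference DC, wait for its event 13516, then press Enter'
}
if (-not (Wait-FrsReady -Since $started -Minutes $TimeoutMinutes)) {
    throw 'FRS did not log event 13516 in time; check the File Replication Service log for 13508 (RPC) or 13568 (journal wrap).'
}
if (Test-SysvolShared) {
    Write-Host 'SYSVOL and NETLOGON are shared; now run dcdiag /test:advertising /test:netlogons'
} else {
    throw 'FRS is ready but the shares are missing; check SysvolReady under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}
```

FRS resets BurFlags to 0 after it acts on the value, so the printed value confirms only that the write landed before the restart. TOWEL is the D4 reference here because its NETLOGON share exists and DC2's does not; running D4 on the DC with the broken SYSVOL would replicate the empty copy everywhere.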
tribaltrout (Author) commented:
Thanks DVT_localboy, this solution worked perfectly. Sorry it took a week to get back to you; I had to back off and reschedule it, but everything is working great. Thanks again.
Question has a verified solution.