J.R. Sitman asked:

Dcpromo is failing

I'm trying to remove a DC and I'm getting the message below. I've transferred all 5 FSMO roles to the other two DCs. 1 DC has PDC, Operation mgr, Schema and RID, the other has Infrastructure. Both of the other DCs are Global Catalog servers.
Before I do Dcpromo /force, I'd like some input from EE.

All servers are 2008 R2

active directory domain services could not transfer the remaining data in directory partition
ASKER

I followed the article and changed the fsmoroleowner to the Infrastructure DC.  The DC I want to remove still gets the error.  I also noticed that DC properties are set to our old IP string.  See attached.  Our correct IP should be 1.18.172.  In the attachment it is 1.16.172.  

I'm very nervous about making any more changes and crashing my Domain.  

I need advice please.
DC-DNS.png
I corrected the problem in the attachment.  It was an old reverse lookup zone.

I still can't Dcpromo the old DC.  I went back through the article and I did initially miss one of the settings.  However, now the FSMORoleOwner setting is correct.  Is it possible it takes a while for the changes to replicate?
I just tried it again twice. The first time it stated it couldn't transfer the information to spcala185 (not the infrastructure DC); the 2nd time it stated it couldn't transfer it to DCLBVM (which is the infrastructure DC).

Hope someone gets back to me on this soon.
What if I put the Infrastructure back on the DC I'm trying to remove.  Then fix the settings using Adsiedit.  Wait for replication and then move the Infrastructure to the other DC and try to remove the DC I've been trying to remove?
Paul Solovyovsky:
You could always use ntdsutil to get it out of the domain by cleaning up metadata. We use this for failed domain controllers with no backups.

http://wintelteams.wordpress.com/2012/06/29/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/
Can you run these and share the output?

netdom query FSMO
nltest /dsgetdc:< your domain name >

Is this server a GC, or does it hold any other roles as well?

- Rancy
I would run a round of DCDIAGs on all DCs to check their health... in general, doing DCPROMO while you do not have a healthy AD is risky.

Does DCDIAG report errors (other than system log errors) on any DC? If so, resolve them before forcing the DCPROMO.
Attached are the results from netdom and dcdiag.  dcdiag was run from the server that won't DCpromo
dcdiag-spcala144.txt
netdom-query.png
There was one failure on the other DC. See below.


Doing primary tests

   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: FrsEvent
         ......................... SPCALA185 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SPCALA185 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SPCALA185 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SPCALA185 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SPCALA185 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SPCALA185 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SPCALA185 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SPCALA185 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
      Starting test: RidManager
         ......................... SPCALA185 passed test RidManager
      Starting test: Services
         ......................... SPCALA185 passed test Services
      Starting test: SystemLog
         ......................... SPCALA185 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SPCALA185 passed test VerifyReferences
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Obviously, run DCPROMO using 'the' domain administrator account.
Please explain how to "Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."
The "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:" is superfluous and can be ignored, so I expect there's an issue with time...

Start the Windows Time Service and make sure you see the time sync up in the Event Viewer.

Once time is synced, try the dcpromo again.
The test for NCSecDesc will fail if you haven't run adprep /rodcprep (not needed if you don't have Read-Only DCs).

Though I haven't seen any indication of problems from the info posted so far, have you run dcdiag /v /test:dns and repadmin /showrepl on all DCs?

To follow craigbeck's advice, change the TCP/IP settings in your NIC properties to only point to another DC's IP for DNS.
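
An added example, not part of the original thread or any participant's code: one way to reduce dcdiag output like the report quoted above to just the failed tests and their error text before deciding on a forced demotion. The function name `Get-DcdiagSummary` is hypothetical, and the sample lines are constructed in the shape of the output posted in this thread.

```powershell
# Constructed sample input, shaped like the dcdiag output quoted in this thread.
$sample = @'
   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
'@

# Hypothetical helper: one object per test, with any lines printed between
# "Starting test" and the pass/fail verdict collected as Detail.
function Get-DcdiagSummary {
    param([string[]]$Lines)
    $current = $null
    $detail  = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $current = $Matches[1]
            $detail.Clear()
        }
        elseif ($line -match '^\s*\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            New-Object PSObject -Property @{
                Server = $Matches[1]
                Test   = $Matches[3]
                Result = $Matches[2]
                Detail = ($detail -join ' ')
            }
            $current = $null
        }
        elseif ($current -and $line.Trim()) {
            $detail.Add($line.Trim())   # error text belonging to the current test
        }
    }
}

$results = Get-DcdiagSummary -Lines ($sample -split "`r?`n")
$results | Where-Object { $_.Result -eq 'failed' } | Format-List Server, Test, Detail
```

To use it on a real report, pass the lines of a saved dcdiag text file (read with `Get-Content`) as `-Lines` instead of the constructed sample.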
When I tried to start the time service on the DC I'm trying to remove, I get Access Denied.
I pointed the DC to another DC in DNS on the NIC card.
"Please explain how to point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."

Configure the NIC on the DC you want to demote to use your other DNS servers...
Your server should have been using itself as the primary server for DNS resolution.
@craigbeck, I just did it
Tried DCpromo and still failing.  See attached.

What about doing dcpromo /forceremoval and then doing a metadata cleanup?
dcpromo.png
That's what I'd suggest actually!

When you transferred the roles away from the server did you actually transfer them or did you seize them?
They transferred with no problem
The removal is done and metadata cleanup is done. I want to use the server as a member server; do I need to rename it?
Will do.
Thanks to all for the help.