Solved

Dcpromo is failing

Posted on 2013-05-16
Last Modified: 2013-05-18
I'm trying to remove a DC and I'm getting the message below. I've transferred all 5 FSMO roles to the other two DCs. 1 DC has PDC, Operation mgr, Schema and RID, the other has Infrastructure. Both of the other DCs are Global Catalog servers.
Before I do Dcpromo /force, I'd like some input from EE.

All servers are 2008 R2

active directory domain services could not transfer the remaining data in directory partition
Question by:J.R. Sitman
28 Comments
 
LVL 7

Expert Comment

by:tolinrome
ID: 39171820
0
 
LVL 8

Assisted Solution

by:Dipak
Dipak earned 800 total points
ID: 39171996
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.” This error occurs if ownership of the FSMO role is set to a server which is deleted or does not exist.

You will have to change the ForestDnsZone fSMORoleOwner.

To do so, follow the link below.
http://www.more2know.nl/tag/fsmoroleowner/
0
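The attribute named in the answer above can be inspected before anything is edited. The following is an added example, not part of the original thread: a read-only check of `fSMORoleOwner` on the Infrastructure object of both DNS application partitions. It assumes the ActiveDirectory PowerShell module is available and that the DC queried hosts those partitions; the function name `Get-RoleOwnerState` is hypothetical.

```powershell
# Added example: read-only check, changes nothing in the directory.
# Assumes the ActiveDirectory module and a DC that hosts the DNS application partitions.
Import-Module ActiveDirectory

function Get-RoleOwnerState {
    param([string]$Owner)
    if ([string]::IsNullOrEmpty($Owner)) { return 'MISSING' }
    # A deleted owner leaves a mangled DN containing "\0ADEL:<guid>"
    if ($Owner -match '\\0ADEL:') { return 'DELETED-OWNER' }
    try {
        # fSMORoleOwner holds the DN of an NTDS Settings object; confirm it still exists
        Get-ADObject -Identity $Owner -ErrorAction Stop | Out-Null
        return 'OK'
    } catch {
        return 'OWNER-NOT-FOUND'
    }
}

# Build the partition DNs from the forest root and the current domain
$forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$domainDn = (Get-ADDomain).DistinguishedName

foreach ($nc in "DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$domainDn") {
    $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
    $owner = [string]$infra.fSMORoleOwner
    New-Object PSObject -Property @{
        Partition = $nc
        RoleOwner = $owner
        State     = Get-RoleOwnerState $owner
    }
}
```

Any state other than `OK` means the partition's role owner does not resolve to an existing NTDS Settings object, which is the condition the quoted error describes.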
 

Author Comment

by:J.R. Sitman
ID: 39172243
I followed the article and changed the fsmoroleowner to the Infrastructure DC.  The DC I want to remove still gets the error.  I also noticed that DC properties are set to our old IP string.  See attached.  Our correct IP should be 1.18.172.  In the attachment it is 1.16.172.  

I'm very nervous about making any more changes and crashing my Domain.  

I need advice please.
DC-DNS.png
0
 

Author Comment

by:J.R. Sitman
ID: 39172382
I corrected the problem in the attachment.  It was an old reverse lookup zone.

I still can't Dcpromo the old DC.  I went back through the article and I did initially miss one of the settings.  However, now the FSMORoleOwner setting is correct.  Is it possible it takes a while for the changes to replicate?
0
 

Author Comment

by:J.R. Sitman
ID: 39172410
I just tried it again twice. The first time it stated it couldn't transfer the information to spcala185 (not the infrastructure DC); the 2nd time it stated it couldn't transfer it to DCLBVM (which is the infrastructure DC).

Hope someone gets back to me on this soon.
0
 

Author Comment

by:J.R. Sitman
ID: 39172613
What if I put the Infrastructure back on the DC I'm trying to remove.  Then fix the settings using Adsiedit.  Wait for replication and then move the Infrastructure to the other DC and try to remove the DC I've been trying to remove?
0
 
LVL 42

Expert Comment

by:paulsolov
ID: 39177255
You could always use ntdsutil to get it out of the domain by cleaning up metadata. We use this for failed domain controllers with no backups.

http://wintelteams.wordpress.com/2012/06/29/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 39177290
Can you run these and share the output?

netdom query FSMO
nltest /dsgetdc:< your domain name >

Is this server a GC, or does it hold any other roles as well?

- Rancy
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177330
I would run a round of DCDIAGs on all DCs to check their health... in general, doing DCPROMO while you do not have a healthy AD is risky.

Does DCDIAG report errors (other than system log errors) on any DC? If so, resolve them before forcing the DCPROMO.
0
 

Author Comment

by:J.R. Sitman
ID: 39177457
Attached are the results from netdom and dcdiag.  dcdiag was run from the server that won't DCpromo
dcdiag-spcala144.txt
netdom-query.png
0
 

Author Comment

by:J.R. Sitman
ID: 39177482
There was one failure on the other DC. See below.


Doing primary tests

   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: FrsEvent
         ......................... SPCALA185 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SPCALA185 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SPCALA185 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SPCALA185 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SPCALA185 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SPCALA185 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SPCALA185 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SPCALA185 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
      Starting test: RidManager
         ......................... SPCALA185 passed test RidManager
      Starting test: Services
         ......................... SPCALA185 passed test Services
      Starting test: SystemLog
         ......................... SPCALA185 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SPCALA185 passed test VerifyReferences
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177567
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Obviously, run DCPROMO using 'the' domain administrator account.
0
 

Author Comment

by:J.R. Sitman
ID: 39177585
Please explain how  to
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177599
The "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have    Replicating Directory Changes In Filtered Set         access rights for the naming context: "

is superfluous and can be ignored, so I expect there's an issue with time...

Start the Windows Time Service and make sure you see the time sync up in the Event Viewer.

Once time is synced, try the dcpromo again.
0
 
LVL 41

Expert Comment

by:footech
ID: 39177601
The test for NCSecDesc will fail if you haven't run adprep /rodcprep (not needed if you don't have Read-Only DCs).

Though I haven't seen any indication of problems from the info posted so far, have you run dcdiag /v /test:dns and repadmin /showrepl on all DCs?

To follow craigbeck's advice, change the TCP/IP settings in your NIC properties to only point to another DC's IP for DNS.
0
 

Author Comment

by:J.R. Sitman
ID: 39177622
When I tried to start the time service on the DC I'm trying to remove, I get Access Denied.
I pointed the DC to another DC in DNS on the NIC card.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177626
Please explain how  to
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Configure the NIC on the DC you want to demote to use your other DNS servers...
Your server should have been using itself as the primary server for DNS resolution.
0
 

Author Comment

by:J.R. Sitman
ID: 39177638
@craigbeck, I just did it
0
 

Author Comment

by:J.R. Sitman
ID: 39177649
Tried DCpromo and still failing.  See attached.

What about doing dcpromo /forceremoval and then doing a metadata cleanup?
dcpromo.png
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177654
That's what I'd suggest actually!

When you transferred the roles away from the server did you actually transfer them or did you seize them?
0
 

Author Comment

by:J.R. Sitman
ID: 39177697
They transferred with no problem
0
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 1200 total points
ID: 39177725
Hmmm.  I'd go ahead and /forceremoval then do a metadata cleanup.
0
 

Author Comment

by:J.R. Sitman
ID: 39177749
The removal is done and metadata cleanup is done. I want to use the server as a member server. Do I need to rename it?
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 1200 total points
ID: 39177795
To be perfectly honest you should reinstall it, or at the very least generate a new SID for it.

Once you remove an object using ntdsutil it should never reappear in the same domain.
0
 

Author Comment

by:J.R. Sitman
ID: 39177798
Will do.
0
 

Author Closing Comment

by:J.R. Sitman
ID: 39177867
Thanks to all for the help.
0
