Solved

Dcpromo is failing

Posted on 2013-05-16
Last Modified: 2013-05-18
I'm trying to remove a DC and I'm getting the message below.  I've transferred all 5 FSMO roles to the other two DCs.  1 DC has PDC, Operation mgr, Schema and RID, the other has Infrastructure.  Both of the other DCs are Global Catalog servers.
Before I do Dcpromo /force, I'd like some input from EE.

All servers are 2008 R2

active directory domain services could not transfer the remaining data in directory partition
Question by:J.R. Sitman
28 Comments
 
LVL 7

Expert Comment

by:tolinrome
ID: 39171820
0
 
LVL 8

Assisted Solution

by:Dipak
Dipak earned 800 total points
ID: 39171996
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.” This error occurs if ownership of the FSMO role is set to a server which is deleted or does not exist.

You will have to change the ForestDnsZone fSMORoleOwner.

To do so, follow the link mentioned below.
http://www.more2know.nl/tag/fsmoroleowner/
0
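Added example, not part of the post above or of the linked article: a read-only PowerShell check of the `fSMORoleOwner` attribute on the `CN=Infrastructure` object, flagging an owner that is deleted, missing, or the DC being demoted. It goes beyond the ForestDnsZones case named in the post by also checking DomainDnsZones; it assumes the ActiveDirectory module is available and the session reaches a DC that hosts both DNS application partitions. The function name, the `-DemotingDC` parameter and the `DC-TO-REMOVE` value are hypothetical.

```powershell
# Added example: read-only; changes nothing in the directory.
Import-Module ActiveDirectory

function Test-DnsPartitionRoleOwner {
    param([string]$DemotingDC = '')   # hypothetical parameter: short name of the DC being removed

    $rootDse = Get-ADRootDSE
    $partitions = @(
        "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
        "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
    )
    foreach ($partition in $partitions) {
        $owner = $null
        try {
            $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" -Properties fSMORoleOwner -ErrorAction Stop
            $owner = $infra.fSMORoleOwner
            if (-not $owner) {
                $status = 'fSMORoleOwner is empty'
            } elseif ($owner -match '\\0ADEL:') {
                # A deleted object's DN carries "\0ADEL:<guid>" in its RDN.
                $status = 'Owner is a deleted object'
            } elseif ($DemotingDC -and $owner -match "^CN=NTDS Settings,CN=$([regex]::Escape($DemotingDC)),") {
                $status = 'Owner is the DC being demoted'
            } else {
                $status = 'OK'
            }
        } catch {
            $status = "Could not read Infrastructure object: $($_.Exception.Message)"
        }
        if ($status -eq 'OK') {
            # The DN looks sane; confirm the NTDS Settings object it names still exists.
            try { Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null }
            catch { $status = 'Owner DN does not resolve to an existing object' }
        }
        New-Object PSObject -Property @{ Partition = $partition; Owner = $owner; Status = $status } |
            Select-Object Partition, Owner, Status
    }
}

# 'DC-TO-REMOVE' is a placeholder for the short name of the DC being demoted.
Test-DnsPartitionRoleOwner -DemotingDC 'DC-TO-REMOVE' | Format-List
```

Running it again from a second DC shows whether a corrected owner has replicated yet.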
 

Author Comment

by:J.R. Sitman
ID: 39172243
I followed the article and changed the fsmoroleowner to the Infrastructure DC.  The DC I want to remove still gets the error.  I also noticed that DC properties are set to our old IP string.  See attached.  Our correct IP should be 1.18.172.  In the attachment it is 1.16.172.  

I'm very nervous about making any more changes and crashing my Domain.  

I need advice please.
DC-DNS.png
0

 

Author Comment

by:J.R. Sitman
ID: 39172382
I corrected the problem in the attachment.  It was an old reverse lookup zone.

I still can't Dcpromo the old DC.  I went back through the article and I did initially miss one of the settings.  However, now the FSMORoleOwner setting is correct.  Is it possible it takes a while for the changes to replicate?
0
 

Author Comment

by:J.R. Sitman
ID: 39172410
I just tried it again twice.  The first time it stated it couldn't transfer the information to spcala185 (not the infrastructure DC); the 2nd time it stated it couldn't transfer it to DCLBVM (which is the infrastructure DC).

Hope someone gets back to me on this soon.
0
 

Author Comment

by:J.R. Sitman
ID: 39172613
What if I put the Infrastructure back on the DC I'm trying to remove.  Then fix the settings using Adsiedit.  Wait for replication and then move the Infrastructure to the other DC and try to remove the DC I've been trying to remove?
0
 
LVL 42

Expert Comment

by:Paul Solovyovsky
ID: 39177255
You could always use ntdsutil to get it out of the domain by cleaning up metadata.  We use this for failed domain controllers with no backups.

http://wintelteams.wordpress.com/2012/06/29/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 39177290
Can you run and share output

netdom query FSMO
nltest /dsgetdc:< your domain name >

Is this server a GC, or does it hold any other roles as well?

- Rancy
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177330
I would run a round of DCDIAGs on all DCs to check their health... in general, doing DCPROMO while you do not have a healthy AD is risky.

Does DCDIAG report errors (other than system log errors) on any DC?  If so, resolve them before forcing the DCPROMO
0
 

Author Comment

by:J.R. Sitman
ID: 39177457
Attached are the results from netdom and dcdiag.  dcdiag was run from the server that won't DCpromo
dcdiag-spcala144.txt
netdom-query.png
0
 

Author Comment

by:J.R. Sitman
ID: 39177482
There was one failure on the other DC.  See below.


Doing primary tests

   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: FrsEvent
         ......................... SPCALA185 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SPCALA185 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SPCALA185 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SPCALA185 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SPCALA185 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SPCALA185 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SPCALA185 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SPCALA185 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
      Starting test: RidManager
         ......................... SPCALA185 passed test RidManager
      Starting test: Services
         ......................... SPCALA185 passed test Services
      Starting test: SystemLog
         ......................... SPCALA185 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SPCALA185 passed test VerifyReferences
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177567
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Obviously, run DCPROMO using 'the' domain administrator account.
0
 

Author Comment

by:J.R. Sitman
ID: 39177585
Please explain how to "Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177599
The "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:"

is superfluous and can be ignored, so I expect there's an issue with time...

Start the Windows Time Service and make sure you see the time sync up in the Event Viewer.

Once time is synced, try the dcpromo again.
0
 
LVL 41

Expert Comment

by:footech
ID: 39177601
The test for NCSecDesc will fail if you haven't run adprep /rodcprep (not needed if you don't have Read-Only DCs).

Though I haven't seen any indication of problems from the info posted so far, have you run dcdiag /v /test:dns and repadmin /showrepl on all DCs?

To follow craigbeck's advice, change the TCP/IP settings in your NIC properties to only point to another DC's IP for DNS.
0
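Added example, not code from any poster in this thread: a PowerShell parser for dcdiag output that lists each failed test with the naming contexts named in its detail lines. It marks NCSecDesc as expected when `adprep /rodcprep` was never run, following the comment above. The function name and the `-NoRodcPrep` switch are hypothetical; the sample lines are an excerpt of the output posted earlier in the thread.

```powershell
function Get-DcdiagFailure {
    param(
        [string[]]$Lines,
        [switch]$NoRodcPrep   # hypothetical switch: set when adprep /rodcprep was never run
    )
    $contexts = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:') {
            $contexts = @()                        # new test: reset collected naming contexts
        } elseif ($line -match '^\s*(DC=\S+)\s*$') {
            $contexts += $Matches[1]               # detail line that names a naming context
        } elseif ($line -match '^\s*\.{5,}\s+(\S+) failed test (\S+)') {
            $benign = $NoRodcPrep -and ($Matches[2] -eq 'NCSecDesc')
            New-Object PSObject -Property @{
                Server         = $Matches[1]
                Test           = $Matches[2]
                NamingContexts = $contexts -join '; '
                Triage         = $(if ($benign) { 'Expected without adprep /rodcprep' } else { 'Resolve before demotion' })
            }
        }
    }
}

# Excerpt of the dcdiag output posted earlier in this thread.
$sample = @(
    '      Starting test: MachineAccount',
    '         ......................... SPCALA185 passed test MachineAccount',
    '      Starting test: NCSecDesc',
    '         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn''t have',
    '            Replicating Directory Changes In Filtered Set',
    '         access rights for the naming context:',
    '         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL',
    '         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn''t have',
    '            Replicating Directory Changes In Filtered Set',
    '         access rights for the naming context:',
    '         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL',
    '         ......................... SPCALA185 failed test NCSecDesc',
    '      Starting test: NetLogons',
    '         ......................... SPCALA185 passed test NetLogons'
)
Get-DcdiagFailure -Lines $sample -NoRodcPrep | Format-List

# Live use across all DCs (requires the ActiveDirectory module):
# Get-ADDomainController -Filter * | ForEach-Object { Get-DcdiagFailure -Lines (dcdiag /s:$($_.HostName)) }
```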
 

Author Comment

by:J.R. Sitman
ID: 39177622
When I tried to start the time service on the DC I'm trying to remove, I get Access Denied.
I pointed the DC to another DC in DNS on the NIC card.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177626
"Please explain how to Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."

Configure the NIC on the DC you want to demote to use your other DNS servers...
Your server should have been using itself as the primary server for DNS resolution.
0
 

Author Comment

by:J.R. Sitman
ID: 39177638
@craigbeck, I just did it
0
 

Author Comment

by:J.R. Sitman
ID: 39177649
Tried DCpromo and still failing.  See attached.

What about doing dcpromo /forceremoval and then doing a metadata cleanup?
dcpromo.png
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177654
That's what I'd suggest actually!

When you transferred the roles away from the server did you actually transfer them or did you seize them?
0
 

Author Comment

by:J.R. Sitman
ID: 39177697
They transferred with no problem
0
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 1200 total points
ID: 39177725
Hmmm.  I'd go ahead and /forceremoval then do a metadata cleanup.
0
 

Author Comment

by:J.R. Sitman
ID: 39177749
The removal is done and metadata cleanup is done.  I want to use the server as a member server, do I need to rename it?
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 1200 total points
ID: 39177795
To be perfectly honest you should reinstall it, or at the very least generate a new SID for it.

Once you remove an object using ntdsutil it should never reappear in the same domain.
0
 

Author Comment

by:J.R. Sitman
ID: 39177798
will do.
0
 

Author Closing Comment

by:J.R. Sitman
ID: 39177867
thanks to all for the help.
0
