Solved

Dcpromo is failing

Posted on 2013-05-16
Last Modified: 2013-05-18
I'm trying to remove a DC and I'm getting the message below. I've transferred all 5 FSMO roles to the other two DCs. 1 DC has PDC, Operation mgr, Schema and RID, the other has Infrastructure. Both of the other DCs are Global Catalog servers.
Before I do Dcpromo /force, I'd like some input from EE.

All servers are 2008 R2

active directory domain services could not transfer the remaining data in directory partition
Question by:jrsitman
28 Comments
 
LVL 7

Expert Comment

by:tolinrome
ID: 39171820
0
 
LVL 8

Assisted Solution

by:Dipak
Dipak earned 200 total points
ID: 39171996
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.” This error occurs if ownership of the FSMO role is set to a server which is deleted or does not exist.

You will have to change the ForestDnsZone fSMORoleOwner.

To do so, follow the link below.
http://www.more2know.nl/tag/fsmoroleowner/
0
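
The fSMORoleOwner check from the answer above, as an added read-only PowerShell example (not part of the original post or the linked article). It reads the attribute on the Infrastructure object of the domain, DomainDnsZones and ForestDnsZones partitions from every DC, so a deleted owner or a change that has not replicated yet shows up as a differing row. It assumes the ActiveDirectory module available on 2008 R2; including the domain and DomainDnsZones objects goes beyond the ForestDnsZones case named above.

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName                               # e.g. DC=LASPCA,DC=LOCAL
$forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName     # forest root domain DN

$targets = @(
    "CN=Infrastructure,$domainDn",
    "CN=Infrastructure,DC=DomainDnsZones,$domainDn",
    "CN=Infrastructure,DC=ForestDnsZones,$forestDn"
)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($dn in $targets) {
        $owner = $null
        $state = 'OK'
        try {
            $obj   = Get-ADObject -Identity $dn -Properties fSMORoleOwner -Server $dc.HostName -ErrorAction Stop
            $owner = $obj.fSMORoleOwner
            if (-not $owner) {
                $state = 'EMPTY'
            } elseif ($owner -match '\\0ADEL:') {
                # A DN containing \0ADEL:<guid> points at a deleted NTDS Settings object.
                $state = 'DELETED OWNER'
            } else {
                # The owner DN looks live; confirm the object really exists on this DC.
                try { Get-ADObject -Identity $owner -Server $dc.HostName -ErrorAction Stop | Out-Null }
                catch { $state = 'OWNER NOT FOUND' }
            }
        } catch {
            # Typical cause: this DC does not host the DNS application partition.
            $state = "QUERY FAILED: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ QueriedDC = $dc.Name; Object = $dn; Owner = $owner; State = $state }
    }
}

# Same Object with different Owner values across DCs means the change is still replicating.
$results | Sort-Object Object, QueriedDC | Format-Table QueriedDC, State, Object, Owner -AutoSize -Wrap
```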
 

Author Comment

by:jrsitman
ID: 39172243
I followed the article and changed the fsmoroleowner to the Infrastructure DC.  The DC I want to remove still gets the error.  I also noticed that DC properties are set to our old IP string.  See attached.  Our correct IP should be 1.18.172.  In the attachment it is 1.16.172.  

I'm very nervous about making any more changes and crashing my Domain.  

I need advice please.
DC-DNS.png
0
 

Author Comment

by:jrsitman
ID: 39172382
I corrected the problem in the attachment.  It was an old reverse lookup zone.

I still can't Dcpromo the old DC.  I went back through the article and I did initially miss one of the settings.  However, now the FSMORoleOwner setting is correct.  Is it possible it takes a while for the changes to replicate?
0
 

Author Comment

by:jrsitman
ID: 39172410
I just tried it again twice.  The first time it stated it couldn't transfer the information to spcala185 (not the infrastructure DC); the 2nd time it stated it couldn't transfer it to DCLBVM (which is the infrastructure DC).

Hope someone gets back to me on this soon.
0
 

Author Comment

by:jrsitman
ID: 39172613
What if I put the Infrastructure back on the DC I'm trying to remove?  Then fix the settings using Adsiedit, wait for replication, and then move the Infrastructure to the other DC and try to remove the DC I've been trying to remove?
0
 
LVL 42

Expert Comment

by:paulsolov
ID: 39177255
You could always use ntdsutil to get it out of the domain by cleaning up metadata.  We use this for failed domain controllers with no backups.

http://wintelteams.wordpress.com/2012/06/29/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 39177290
Can you run these and share the output?

netdom query FSMO
nltest /dsgetdc:< your domain name >

Is this server a GC, or does it hold any other roles as well?

- Rancy
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177330
I would run a round of DCDIAGs on all DCs to check their health... in general, doing DCPROMO while you do not have a healthy AD is risky.

Does DCDIAG report errors (other than system log errors) on any DC?  If so, resolve them before forcing the DCPROMO.
0
 

Author Comment

by:jrsitman
ID: 39177457
Attached are the results from netdom and dcdiag.  dcdiag was run from the server that won't DCpromo.
dcdiag-spcala144.txt
netdom-query.png
0
 

Author Comment

by:jrsitman
ID: 39177482
There was one failure on the other DC.  See below.


Doing primary tests

   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: FrsEvent
         ......................... SPCALA185 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SPCALA185 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SPCALA185 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SPCALA185 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SPCALA185 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SPCALA185 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SPCALA185 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SPCALA185 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
      Starting test: RidManager
         ......................... SPCALA185 passed test RidManager
      Starting test: Services
         ......................... SPCALA185 passed test Services
      Starting test: SystemLog
         ......................... SPCALA185 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SPCALA185 passed test VerifyReferences
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39177567
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Obviously, run DCPROMO using 'the' domain administrator account.
0
 

Author Comment

by:jrsitman
ID: 39177585
Please explain how  to
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 39177599
The "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have    Replicating Directory Changes In Filtered Set         access rights for the naming context: "

is superfluous and can be ignored, so I expect there's an issue with time...

Start the Windows Time Service and make sure you see the time sync up in the Event Viewer.

Once time is synced, try the dcpromo again.
0
 
LVL 39

Expert Comment

by:footech
ID: 39177601
The test for NCSecDesc will fail if you haven't run adprep /rodcprep (not needed if you don't have Read-Only DCs).

Though I haven't seen any indication of problems from the info posted so far, have you run dcdiag /v /test:dns and repadmin /showrepl on all DCs?

To follow craigbeck's advice, change the TCP/IP settings in your NIC properties to only point to another DC's IP for DNS.
0
 

Author Comment

by:jrsitman
ID: 39177622
When I tried to start the time service on the DC I'm trying to remove, I get Access Denied.
I pointed the DC to another DC in DNS on the NIC card.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39177626
Please explain how  to
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Configure the NIC on the DC you want to demote to use your other DNS servers...
Your server should have been using itself as the primary server for DNS resolution.
0
 

Author Comment

by:jrsitman
ID: 39177638
@craigbeck, I just did it
0
 

Author Comment

by:jrsitman
ID: 39177649
Tried DCpromo and still failing.  See attached.

What about doing dcpromo /forceremoval and then doing a metadata cleanup?
dcpromo.png
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39177654
That's what I'd suggest actually!

When you transferred the roles away from the server did you actually transfer them or did you seize them?
0
 

Author Comment

by:jrsitman
ID: 39177697
They transferred with no problem
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 300 total points
ID: 39177725
Hmmm.  I'd go ahead and /forceremoval then do a metadata cleanup.
0
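
A way to confirm the metadata cleanup recommended above left nothing behind, as an added read-only PowerShell example (not from the original thread). It is run on a surviving DC, and `$removed` is an assumption that must be set to the short name of the DC that was force-removed.

```powershell
# Added example: read-only search for directory leftovers of a force-removed DC.
Import-Module ActiveDirectory

$removed = 'SPCALA144'                 # assumption: short name of the removed DC
$pattern = 'CN=' + [regex]::Escape($removed) + '(,|\\0ADEL:)'

$root     = Get-ADRootDSE
$configDn = $root.configurationNamingContext
$found    = @()

# 1. Server object left under CN=Sites in the configuration partition.
$found += @(Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(cn=$removed))")

# 2. Computer account still present in the domain.
$found += @(Get-ADComputer -LDAPFilter "(cn=$removed)")

# 3. Any fSMORoleOwner value, in any naming context, that still names the removed DC
#    (either as a live DN or as a deleted \0ADEL: reference).
foreach ($nc in $root.namingContexts) {
    try {
        $found += @(Get-ADObject -SearchBase $nc -LDAPFilter "(fSMORoleOwner=*)" -Properties fSMORoleOwner -ErrorAction Stop |
                    Where-Object { $_.fSMORoleOwner -match $pattern })
    } catch {
        # This DC may not host every application partition; report and continue.
        Write-Warning "Could not search $nc : $($_.Exception.Message)"
    }
}

if ($found.Count -eq 0) {
    "No directory objects referencing $removed were found."
} else {
    $found | Format-Table ObjectClass, DistinguishedName, fSMORoleOwner -AutoSize -Wrap
}
```

DNS records for the removed DC are outside what this directory search covers and need a separate look in the DNS zones.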
 

Author Comment

by:jrsitman
ID: 39177749
The removal is done and metadata cleanup is done.  I want to use the server as a member server, do I need to rename it?
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 300 total points
ID: 39177795
To be perfectly honest you should reinstall it, or at the very least generate a new SID for it.

Once you remove an object using ntdsutil it should never reappear in the same domain.
0
 

Author Comment

by:jrsitman
ID: 39177798
Will do.
0
 

Author Closing Comment

by:jrsitman
ID: 39177867
Thanks to all for the help.
0
