• Status: Solved

Dcpromo is failing

I'm trying to remove a DC and I'm getting the message below. I've transferred all 5 FSMO roles to the other two DCs. 1 DC has PDC, Operation mgr, Schema and RID, the other has Infrastructure. Both of the other DCs are Global Catalog servers.
Before I do Dcpromo /force, I'd like some input from EE.

All servers are 2008 R2

active directory domain services could not transfer the remaining data in directory partition
Asked by: J.R. Sitman
3 Solutions
 
Dipak Commented:
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.” This error occurs if ownership of the FSMO role is set to a server which is deleted or does not exist.

You will have to change the ForestDnsZone fSMORoleOwner.

To do so, follow the link mentioned below.
http://www.more2know.nl/tag/fsmoroleowner/
0
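One way to inspect the attribute this answer refers to on every DC at once, which also shows whether an ADSI Edit change has replicated (an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module available on Windows Server 2008 R2 and the default DomainDnsZones/ForestDnsZones partition names, and it checks both partitions rather than only ForestDnsZones):

```powershell
# Added example (not from the thread). Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADRootDSE).rootDomainNamingContext

# Infrastructure objects of the two DNS application partitions (default names assumed).
$targets = @(
    "CN=Infrastructure,DC=DomainDnsZones,$domainDN",
    "CN=Infrastructure,DC=ForestDnsZones,$forestDN"
)

$results = @(foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($dn in $targets) {
        $owner  = $null
        $status = 'OK'
        try {
            $obj   = Get-ADObject -Identity $dn -Server $dc.HostName -Properties fSMORoleOwner -ErrorAction Stop
            $owner = [string]$obj.fSMORoleOwner
            # A deleted NTDS Settings object shows up with "\0ADEL:<guid>" in its DN.
            if (-not $owner) { $status = 'EMPTY' }
            elseif ($owner -match '\\0ADEL:') { $status = 'DELETED OWNER' }
        } catch {
            $status = 'QUERY FAILED'
            $owner  = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            QueriedDC = $dc.HostName
            Partition = ($dn -split ',')[1]
            Status    = $status
            Owner     = $owner
        }
    }
})

$results | Sort-Object Partition, QueriedDC |
    Format-Table QueriedDC, Partition, Status, Owner -AutoSize -Wrap

# If DCs report different owners, the edit has not replicated everywhere yet.
foreach ($g in ($results | Where-Object { $_.Status -ne 'QUERY FAILED' } | Group-Object Partition)) {
    $owners = @($g.Group | ForEach-Object { $_.Owner } | Sort-Object -Unique)
    if ($owners.Count -gt 1) {
        Write-Warning "$($g.Name): DCs disagree on fSMORoleOwner; replication has not converged."
    }
}
```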
 
J.R. Sitman (IT Director, Author) Commented:
I followed the article and changed the fsmoroleowner to the Infrastructure DC.  The DC I want to remove still gets the error.  I also noticed that DC properties are set to our old IP string.  See attached.  Our correct IP should be 1.18.172.  In the attachment it is 1.16.172.  

I'm very nervous about making any more changes and crashing my Domain.  

I need advice please.
DC-DNS.png

 
J.R. Sitman (IT Director, Author) Commented:
I corrected the problem in the attachment.  It was an old reverse lookup zone.

I still can't Dcpromo the old DC.  I went back through the article and I did initially miss one of the settings.  However, now the FSMORoleOwner setting is correct.  Is it possible it takes a while for the changes to replicate?

J.R. Sitman (IT Director, Author) Commented:
I just tried it again twice. The first time it stated it couldn't transfer the information to spcala185 (not the infrastructure DC). The 2nd time it stated it couldn't transfer it to DCLBVM (which is the infrastructure DC).

Hope someone gets back to me on this soon.

J.R. Sitman (IT Director, Author) Commented:
What if I put the Infrastructure back on the DC I'm trying to remove.  Then fix the settings using Adsiedit.  Wait for replication and then move the Infrastructure to the other DC and try to remove the DC I've been trying to remove?

Paul Solovyovsky (Senior IT Advisor) Commented:
You could always use ntdsutil to get it out of the domain by cleaning up metadata. We use this for failed domain controllers with no backups.

http://wintelteams.wordpress.com/2012/06/29/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/

Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Can you run these and share the output?

netdom query FSMO
nltest /dsgetdc:< your domain name >

Is this server a GC, or does it hold any other roles as well?

- Rancy

FastFngrz Commented:
I would run a round of DCDIAGs on all DCs to check their health... in general, doing DCPROMO while you do not have a healthy AD is risky.

Does DCDIAG report errors (other than system log errors) on any DC? If so, resolve them before forcing the DCPROMO.

J.R. Sitman (IT Director, Author) Commented:
Attached are the results from netdom and dcdiag.  dcdiag was run from the server that won't DCpromo
dcdiag-spcala144.txt
netdom-query.png

J.R. Sitman (IT Director, Author) Commented:
There was one failure on the other DC. See below.


Doing primary tests

   Testing server: Default-First-Site-Name\SPCALA185
      Starting test: Advertising
         ......................... SPCALA185 passed test Advertising
      Starting test: FrsEvent
         ......................... SPCALA185 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SPCALA185 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SPCALA185 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SPCALA185 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SPCALA185 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SPCALA185 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=LASPCA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=LASPCA,DC=LOCAL
         ......................... SPCALA185 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SPCALA185 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SPCALA185 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SPCALA185 passed test Replications
      Starting test: RidManager
         ......................... SPCALA185 passed test RidManager
      Starting test: Services
         ......................... SPCALA185 passed test Services
      Starting test: SystemLog
         ......................... SPCALA185 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SPCALA185 passed test VerifyReferences

Craig Beck Commented:
Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again.

Obviously, run DCPROMO using 'the' domain administrator account.

J.R. Sitman (IT Director, Author) Commented:
Please explain how to "Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."

FastFngrz Commented:
The "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:" is superfluous and can be ignored, so I expect there's an issue with time...

Start the Windows Time Service and make sure you see the time sync up in the Event Viewer.

Once time is synced, try the dcpromo again.

footech Commented:
The test for NCSecDesc will fail if you haven't run adprep /rodcprep (not needed if you don't have Read-Only DCs).

Though I haven't seen any indication of problems from the info posted so far, have you run dcdiag /v /test:dns and repadmin /showrepl on all DCs?

To follow craigbeck's advice, change the TCP/IP settings in your NIC properties to only point to another DC's IP for DNS.

J.R. Sitman (IT Director, Author) Commented:
When I tried to start the time service on the DC I'm trying to remove, I get Access Denied.
I pointed the DC to another DC in DNS on the NIC card.

Craig Beck Commented:
"Please explain how to Point the DC you're trying to demote at one of the other DCs for DNS resolution, then try again."

Configure the NIC on the DC you want to demote to use your other DNS servers...
Your server should have been using itself as the primary server for DNS resolution.

J.R. Sitman (IT Director, Author) Commented:
@craigbeck, I just did it

J.R. Sitman (IT Director, Author) Commented:
Tried DCpromo and still failing.  See attached.

What about doing dcpromo /forceremoval and then doing a metadata cleanup?
dcpromo.png

Craig Beck Commented:
That's what I'd suggest actually!

When you transferred the roles away from the server did you actually transfer them or did you seize them?

J.R. Sitman (IT Director, Author) Commented:
They transferred with no problem

Craig Beck Commented:
Hmmm.  I'd go ahead and /forceremoval then do a metadata cleanup.
0
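A read-only check for objects that can be left behind after `dcpromo /forceremoval` and an ntdsutil metadata cleanup (an added example, not part of the original thread; `OLD-DC` is a placeholder for the removed server's host name, and the script assumes the ActiveDirectory PowerShell module run from a surviving DC):

```powershell
# Added example (not from the thread). Read-only search for leftovers of a removed DC.
Import-Module ActiveDirectory

$oldDc = 'OLD-DC'    # placeholder: host name of the DC that was force-removed
$root  = Get-ADRootDSE
$cfg   = $root.configurationNamingContext
$dom   = $root.defaultNamingContext

# Where a removed DC can linger: label, search base, LDAP filter.
$checks = @(
    @{ Label  = 'Server object under CN=Sites'
       Base   = "CN=Sites,$cfg"
       Filter = "(&(objectClass=server)(cn=$oldDc))" },
    @{ Label  = 'Computer account in the domain'
       Base   = $dom
       Filter = "(&(objectCategory=computer)(cn=$oldDc))" },
    @{ Label  = 'SYSVOL replication member (FRS or DFSR)'
       Base   = "CN=System,$dom"
       Filter = "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$oldDc))" }
)

$leftovers = @(foreach ($c in $checks) {
    Get-ADObject -SearchBase $c.Base -LDAPFilter $c.Filter |
        Select-Object @{ Name = 'Check'; Expression = { $c.Label } }, DistinguishedName
})

# Every NTDS Settings object has the same cn, so match on the parent server's name instead.
$leftovers += @(Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$oldDc,*" } |
    Select-Object @{ Name = 'Check'; Expression = { 'NTDS Settings object' } }, DistinguishedName)

if ($leftovers.Count -eq 0) {
    "No objects referencing $oldDc were found."
} else {
    $leftovers | Format-Table Check, DistinguishedName -AutoSize -Wrap
}
```

Run it before the server is rejoined to the domain under the same name, since a fresh member-server computer account would also match the second check.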
 
J.R. Sitman (IT Director, Author) Commented:
The removal is done and metadata cleanup is done. I want to use the server as a member server, do I need to rename it?

Craig Beck Commented:
To be perfectly honest you should reinstall it, or at the very least generate a new SID for it.

Once you remove an object using ntdsutil it should never reappear in the same domain.

J.R. Sitman (IT Director, Author) Commented:
Will do.

J.R. Sitman (IT Director, Author) Commented:
Thanks to all for the help.
Question has a verified solution.