ollybuba

asked on
Demoting Last DC

Last week I had a virtual SBS 2011 server become corrupt due to a hard drive redundancy issue.  On that server I have many roles installed including AD.  That server acted as our primary domain GC server.  I also had a backup domain controller that was also a GC.  When I restored the virtual server from a previous export approximately two months ago it could no longer speak to the AD domain that was still running.  To get the computers to talk to the restored server which held file shares I had to shut down the backup DC and rejoin some of the computers to the "new" domain.  I just attempted to demote the backup DC that's off the network and re-promote it as the backup GC for the "new domain."  I ran dcpromo and stated that this domain was the last in the forest.  I went through the prompts and it came up to a screen stating: "The operation failed because: This Active Directory Domain Controller is not the last AD DC in the domain.  The server is unwilling to process the request."

Does anyone know how I can demote the backup domain controller or how to fix this problem?

Thanks in advance
apathy42

Easiest way - reinstall Windows.
Lee W, MVP
Bring up the DC you're having a problem with off network.  Then delete all OTHER DCs from the Domain Controllers OU in Active Directory Users and Computers.  Then use DCPROMO to demote.

If that fails, run DCPROMO /FORCEREMOVAL

NOTE: You should NOT be using a second DC if you don't understand the proper way to restore a failed DC in a multi-DC environment.  Doing what you did could have severely corrupted your Active Directory.  It likely did not because your restored copy was SO old, but had this happened a week after your last "export" you could be having serious problems now if that were restored.
Based on what you've described, joining machines to the "new" domain, I wonder about the health of your AD environment.

I agree completely with leew that managing a multi-DC environment is not an easy proposition. For example, exports and snapshots should *NEVER* be done on a DC. Period. Full stop.

Where leew and I may differ is that, based on your description, I believe that AD corruption may have occurred. He is a bit more optimistic than I.

The steps he outlines are basically what I'd recommend. Since you are treating the SBS server as the authoritative server, I'd not even worry about your other DC. That is contingent on whether I understand correctly that you've been joining machines back to the SBS version of the split domain. Don't bother trying to demote the server because it sees itself as the only DC so a demote does nothing, not even with a forceremoval. Simply take the machine off the network and clean up any old references to it in the SBS domain.

If, however, corruption has occurred, plan on rebuilding. In most instances, a network small enough to still be managed by SBS is more easily rebuilt than trying to clean up the AD corruption would be.

-Cliff
Hi,

We have dealt with this exact issue:
http://bit.ly/KJ8lOE

How to deal with the second DC after restoring SBS. It's all in there.

Philip
ollybuba (ASKER)

Now I am getting numerous errors in the event logs.  One of which is MSExchange ADAccess 2102.  I am also unable to connect to the Exchange Management Console and receive the error:

Initialization failed

The following error occurred while attempting to connect to the specified Exchange server 'XXX.XXX.local':

The attempt to connect to http://XXX.XXX.local/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message: The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure.  For more information, see the about_Remote_Troubleshooting Help topic.
I just attempted to demote the backup dc that's off the network and re-promote it as the backup GC for the "new domain."

The problem is that the trust relationship between your SBS and other DC has been broken.
Most likely the DCs are not replicating at the moment.

You can confirm that by running repadmin /showrepl or replmon on both DCs.
If replication is not OK, then you'd find that the server last replicated some time back.
If they are in sync then the last replication should have happened today, at most a few hours ago.

First thing you can try is to configure the DC's for an authoritative restore.
http://blogs.technet.com/b/sbs/archive/2011/03/31/how-to-perform-an-authoritative-system-state-restore-in-sbs-2008-2011-standard.aspx

Should that task not restart the replication, AND you are happy that your SBS server is working 100%, except for possible replication errors, and all your workstations are fine, then:

The easiest option is to run the METADATA CLEANUP process on the SBS server and remove the other DC from the topology. METADATA cleanup is the task to remove servers from AD when you cannot use dcpromo.
http://support.microsoft.com/kb/2647882

Then you can safely format the backup DC and re-install and promote it again.
The problem is that the trust relationship between your SBS and other DC has been broken.
Most likely the DC's are not replicating at the moment.

Which is why I'm optimistic.  If the trust relationship was broken (tombstone life was exceeded) then no replication should have occurred and the non-SBS DC's data should not be corrupt as it wouldn't accept changes (and vice versa).  If it was restored within the tombstone life, then yes, you're pretty much in deep trouble.
TombstoneLifetime = 180

Do I still continue with the authoritative restore?  It has only been two months at the most.
If your tombstone life is 180, then Cliff is right.  Start rebuilding.  You've pretty much corrupted your active directory by restoring that VM.

You can try your continued recovery efforts, but I expect you've seriously corrupted things.
How do you know what to restore?
Would you please read my blog post?

If the AD on the restored SBS is reasonably accurate, then _keep_ it! DCPromo the existing DC OUT of the domain.

Clean up DNS of references to the second DC (_msdcs stub and _msdcs.domain.local) and DSSite.

Once you have cleaned up the AD/DNS situation DCPromo that second DC BACK into the domain.

As the blog post mentions, that is what we had to do when restoring an SBS server back (even a recent one) because of the way SBS, AD, and DNS are set up.

Philip
In general or in light of this information?

If you still have a copy of the virtual hard disk that was the SBS server or if you made backups of everything before you started your recovery efforts, then you might not have to rebuild from scratch.  At this point, if you had the SBS backup, I'd force-demote the other DC and THEN restore the SBS server like you did.  With the other DC force-demoted, it won't even be in the domain.  You then remove it from the SBS server's Active Directory and rejoin it.  YOU WILL LOSE ALL AD CHANGES SINCE THE SBS BACKUP.
MPECSInc, I did read your article and thank you for the information.  It seems that active directory is working properly on my SBS except for Exchange.  When I turn on the backup DC and have it connected to the network Exchange works properly.  Would it make sense to try and restore the Microsoft Exchange Security Groups to the SBS server?


In addition

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\Server1
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: 622acd30-c9f4-4506-b95d-c7553f84af00
DSA invocationID: 622acd30-c9f4-4506-b95d-c7553f84af00

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Default-First-Site-Name\DCBACKUP via RPC
        DSA object GUID: d7602463-9d4e-4051-902a-b5a56d2cf2e6
        Last attempt @ 2013-05-23 12:54:28 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        201 consecutive failure(s).
        Last success @ 2013-04-14 10:06:23.
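An added check, not part of this thread, that parses the `repadmin /showrepl` output posted above and applies leew's tombstone-lifetime reasoning from earlier in the thread: a partner whose last successful replication is older than the tombstone lifetime would be refused replication anyway, whereas one inside it can still replicate and a restored image on either side would be merged into a divergent directory. It assumes the standard repadmin line format ("Last attempt @ ...", "Last success @ ...", "N consecutive failure(s)"); the sample input is the output above, and the 180-day tombstone lifetime is the value the asker reported.

```python
import re
from datetime import datetime, timedelta

# `repadmin /showrepl` output from the post above, reproduced as sample input.
SAMPLE_SHOWREPL = r"""Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\Server1
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
Site Options: (none)
DSA object GUID: 622acd30-c9f4-4506-b95d-c7553f84af00
DSA invocationID: 622acd30-c9f4-4506-b95d-c7553f84af00

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Default-First-Site-Name\DCBACKUP via RPC
        DSA object GUID: d7602463-9d4e-4051-902a-b5a56d2cf2e6
        Last attempt @ 2013-05-23 12:54:28 failed, result 8457 (0x2109):
            The destination server is currently rejecting replication requests.
        201 consecutive failure(s).
        Last success @ 2013-04-14 10:06:23.
"""

TS_RE = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
TS_FMT = "%Y-%m-%d %H:%M:%S"
# Windows sets both of these DSA options on a DC that has detected a USN
# rollback, which is what booting a restored image of a DC produces
# (Microsoft KB 875495; Directory Service event ID 2095).
QUARANTINE_OPTIONS = {"DISABLE_INBOUND_REPL", "DISABLE_OUTBOUND_REPL"}


def parse_showrepl(text):
    """Return (local DSA options, list of inbound partners) from /showrepl text."""
    options, neighbours, cur = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"DSA Options:\s*(.*)", line)
        if m and cur is None:                      # the local DC's own options
            options = set(m.group(1).split())
            continue
        m = re.match(r"(\S+\\\S+) via (\S+)", line)  # "Site\DC via RPC"
        if m:
            cur = {"partner": m.group(1), "transport": m.group(2),
                   "last_attempt": None, "attempt_ok": None, "result": None,
                   "failures": 0, "last_success": None}
            neighbours.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"Last attempt @ " + TS_RE +
                     r" (failed|was successful)(?:, result (\d+))?", line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), TS_FMT)
            cur["attempt_ok"] = m.group(2) == "was successful"
            cur["result"] = int(m.group(3)) if m.group(3) else 0
            continue
        m = re.match(r"(\d+) consecutive failure", line)
        if m:
            cur["failures"] = int(m.group(1))
            continue
        m = re.match(r"Last success @ " + TS_RE, line)  # "(never)" leaves None
        if m:
            cur["last_success"] = datetime.strptime(m.group(1), TS_FMT)
    return options, neighbours


def restore_inside_tombstone_lifetime(backup_age_days, tombstone_lifetime_days):
    """True when a backup that old is still young enough for AD to accept it,
    i.e. the case leew warns about (two months against 180 days here)."""
    return backup_age_days < tombstone_lifetime_days


def assess(options, neighbours, now, tombstone_lifetime_days):
    """Summarise each partner's staleness relative to the tombstone lifetime
    and whether this DC has switched its own replication off."""
    tsl = timedelta(days=tombstone_lifetime_days)
    findings = {"replication_disabled_locally": bool(options & QUARANTINE_OPTIONS),
                "partners": []}
    for n in neighbours:
        gap = None if n["last_success"] is None else now - n["last_success"]
        findings["partners"].append({
            "partner": n["partner"],
            "days_since_success": None if gap is None else gap.days,
            "beyond_tombstone_lifetime": gap is not None and gap > tsl,
            "consecutive_failures": n["failures"],
            "last_result": n["result"],
        })
    return findings


if __name__ == "__main__":
    opts, nbrs = parse_showrepl(SAMPLE_SHOWREPL)
    now = max(n["last_attempt"] for n in nbrs)   # use the latest attempt as "now"
    print(assess(opts, nbrs, now, 180))
```

On the output above this reports that Server1 itself carries both DISABLE_*_REPL options, that DCBACKUP last replicated successfully 39 days before the last attempt, and that 39 days is well inside a 180-day tombstone lifetime, which is the combination the thread is worried about.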
Please post an IPConfig /ALL from the restored SBS

Philip
Could this be because I don't have 10.0.10.22 set as another DNS server?


C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Server1
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-6C-04
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.10.254
   DNS Servers . . . . . . . . . . . : 10.0.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{43EA2928-0256-481F-84C4-B172B58369F5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Where is IPv6?

DNS0 should point to self on a DC and that's it.

Philip
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Server1
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-6C-04
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d821:2574:93f3:fdde%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::f255:7011:7b1b:23c0%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.10.254
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-26-00-B2-00-15-5D-01-6C-04

   DNS Servers . . . . . . . . . . . : fe80::f255:7011:7b1b:23c0%10
                                       10.0.10.2
                                       10.0.10.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{43EA2928-0256-481F-84C4-B172B58369F5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
What is 10.0.10.22 listed in DNS servers?

That should not be there. DNS on the NIC should only point to itself.

What service pack level is Exchange at?

Philip
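An added check, not part of this thread, for the point Philip makes above: the NIC of a domain controller should list only the DC's own addresses as DNS servers. It parses `ipconfig /all` text and reports any DNS server entry that is not one of the host's own (or loopback) addresses, ignoring adapters that are "Media disconnected". The sample input is the second `ipconfig /all` posted above with the wrapped description line joined; treating loopback as "self" is an assumption of this example.

```python
import re

# The second `ipconfig /all` posted above, reproduced as sample input.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : Server1
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-6C-04
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d821:2574:93f3:fdde%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::f255:7011:7b1b:23c0%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.10.254
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-26-00-B2-00-15-5D-01-6C-04

   DNS Servers . . . . . . . . . . . : fe80::f255:7011:7b1b:23c0%10
                                       10.0.10.2
                                       10.0.10.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{43EA2928-0256-481F-84C4-B172B58369F5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
"""

ADAPTER_RE = re.compile(r"^(\S.*):$")                       # "Ethernet adapter X:"
KV_RE = re.compile(r"^ {3}([A-Za-z][^:]*?)[ .]*: ?(.*)$")    # "   Key . . . : value"
CONT_RE = re.compile(r"^ {4,}(\S.*)$")                       # extra values, e.g. 2nd DNS
ADDRESS_KEYS = ("IPv4 Address", "IPv6 Address",
                "Link-local IPv6 Address", "Temporary IPv6 Address")
LOOPBACK = {"127.0.0.1", "::1"}   # assumption: loopback counts as "self"


def normalise(value):
    """'10.0.10.2(Preferred)' -> '10.0.10.2'; 'fe80::1%10' -> 'fe80::1'."""
    value = re.sub(r"\(.*?\)", "", value).strip()
    return value.split("%", 1)[0].lower()


def parse_ipconfig(text):
    """Return {adapter: {key: [values]}}; keys before the first adapter go under 'global'."""
    sections, adapter, key = {}, "global", None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, key = m.group(1), None
            continue
        m = KV_RE.match(line)
        if m:
            key = m.group(1).strip()
            values = sections.setdefault(adapter, {}).setdefault(key, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
            continue
        m = CONT_RE.match(line)
        if m and key is not None:            # continuation of the previous key
            sections[adapter][key].append(m.group(1).strip())
    return sections


def dns_not_self(sections):
    """Return (this host's addresses, {adapter: [DNS entries that are not this host]})."""
    local = set(LOOPBACK)
    connected = {a: kv for a, kv in sections.items()
                 if "Media disconnected" not in kv.get("Media State", [])}
    for kv in connected.values():
        for k in ADDRESS_KEYS:
            local.update(normalise(v) for v in kv.get(k, []))
    foreign = {}
    for adapter, kv in connected.items():
        bad = [v for v in kv.get("DNS Servers", []) if normalise(v) not in local]
        if bad:
            foreign[adapter] = bad
    return local, foreign


if __name__ == "__main__":
    local, foreign = dns_not_self(parse_ipconfig(SAMPLE_IPCONFIG))
    for adapter, bad in foreign.items():
        print(f"{adapter}: DNS server(s) not on this host: {', '.join(bad)}")
```

Run against the output above it flags only 10.0.10.22 on the Local Area Connection adapter; the link-local fe80:: entry is one of Server1's own addresses and passes.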
SP2
Save and clear the App and SYS logs (Event Logs).

Reboot SBS (with DC offline).

Once SBS comes up, does Exchange come back online?

If not, run the Connect to the Internet, Internet Address, and then the Fix My Network Wizards.

If you had a GoDaddy or other third party certificate then run the Third Party Trusted Certificates wizard and choose the option to install a certificate located on the server.

Does this help straighten out the errors?

Philip
Exchange is functionally running fine.  The only problems I am still seeing are errors in the event logs in relation to not being able to contact the second dc.  Time for METADATA CLEANUP?
@Ollybuba

You're in a really difficult situation here and I'm afraid this is a tough one to resolve due to the complexity of what has happened.
I agree with some of the details mentioned by the guys above and I also suspect you may end up having to start again from scratch.

I'm happy to help you fix it in the meantime though as it may be possible to fix, but it is a complicated procedure and I do not know what level you are at and if the tasks are within your comfort zone.

Have a look at the below and consider if you feel it's worth trying. There will be downtime involved and you need to be sure you are happy using utils like ADSIedit & NTDSutil. If this isn't your kind of thing you may be looking at wiping your domain and starting again.


In my opinion, this is worth considering:

Initially, you need to give up on fixing both servers and just fix your AD on one. This is critical.
Normally I'd recommend assessing which server to fix based on several criteria, but you don't really have a choice due to having an SBS box.

You therefore have to concentrate on getting the SBS box working WITHOUT the 2nd DC.

This means turning off the 2nd DC and giving up on it. You can wipe that and create a new DC with it once everything is working.
*Note: when I say 'turn off' I really mean 'off'. DO NOT TURN THE 2nd DC BACK ON WHILE CONNECTED TO YOUR NETWORK or you will be right back to where you started.

With the 2nd DC out of the frame, you need to clean up your AD on the SBS. This involves manually removing the 2nd DC from AD so your network is based entirely on the SBS as a DC.

You also need to make sure your SBS is functioning OK. Ensure it is not referring to the other DC for DNS queries and make sure other applications like Exchange are not configured to use the other DC/DNS server.


These guides take you through the removal of a failed DC.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm#

https://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_677-How-to-Remove-a-Failed-Domain-Controller.html

http://technet.microsoft.com/en-us/library/cc781245(v=WS.10).aspx

Checking which DC exchange is using:
http://exchangeserverpro.com/how-to-use-a-specific-domain-controller-in-exchange-2010-management-shell/
C:\Windows\system32>cd..

C:\Windows>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server <server1>
Binding to <domain> ...
DsBindWithSpnExW error 0x6ba(The RPC server is unavailable.)
server connections: connect to server <server1>
Binding to <server1> ...
DsBindWithSpnExW error 0x6ba(The RPC server is unavailable.)
server connections: connect to server server1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=domain,DC=local
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
No current domain
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
select operation target: list servers in site
No current site
No current site
No current domain
No current server
No current Naming Context
select operation target:
I believe you are running the commands on the wrong server.
You need to perform the METADATA cleanup on the server that has the valid copy of your AD database, i.e. it should be run on the server that you want to keep.
Reason: You want to remove the 'failed' DC from the most up to date version of the AD database.

Alternatively, if this is a valid DC then it could require a Windows firewall change.
http://blogs.dirteam.com/blogs/paulbergson/archive/2010/11/01/windows-dcdiag-generating-error-0x6ba-quot-the-rpc-server-is-unavailable-quot.aspx

If it is the case of the firewall being blocked then I'd suggest a review of your firewall settings as DCs should be able to find other DCs. Should you not change the Windows Firewall configuration then your DCs won't be able to replicate/communicate properly.
Explanation of what the DsBindWithSpnEx function is trying to perform.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675963(v=vs.85).aspx
When running metadata cleanup and I select the site, domain, server to remove will this also delete the site/domain?

I know I'm supposed to get a warning message but I attached the one I received.
Server-Remove-Confirmation.jpg
ASKER CERTIFIED SOLUTION
Leon Fester