cloughs
asked on
DC Promo Error target principal name incorrect
I am trying to demote a 2008 domain controller to a member server. When I try I get the error attached. Any ideas?
Thanks
dcpromo-error-2.gif
ASKER
The first command gave this result:
C:\Users\administrator> dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Goole
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Goole\GOOLE
Starting test: Connectivity
......................... GOOLE passed test Connectivity
Doing primary tests
Testing server: Goole\GOOLE
Starting test: CheckSecurityError
No KDC found for domain client.local in site Goole (1355, NULL)
[GOOLE] Unable to contact a KDC for the destination domain in it's own
site. This means either there are no available KDC's for this domain
in the site, *including* the destination DC itself, or we're having
network or packet fragmentation issues connecting to it. We'll check
packet fragmentation connection to the destination DC, make
recommendations, and continue.
The KDC on GOOLE isn't responsive, please verify that it's running
and advertising.
[GOOLE] No security related replication errors were found on this DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
......................... GOOLE passed test CheckSecurityError
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : client
Running enterprise tests on : client.local
C:\Users\administrator>
ASKER
The other DC gives this response
C:\Users\administrator> dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Halifax\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Halifax\DC1
Starting test: CheckSecurityError
[DC1] No security related replication errors were found on this DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
......................... DC1 passed test CheckSecurityError
Running partition tests on : DomainDnsZones
Running partition tests on : ForestDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : client
Running enterprise tests on : client.local
C:\Users\administrator>
It looks like the 1st server hiccuped but passed the test. You could force removal
http://technet.microsoft.com/en-us/library/cc731871(v=ws.10).aspx
To force the removal of a domain controller by using the Windows interface
At a command prompt, type the following command, and then press ENTER:
dcpromo /forceremoval
If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles, or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. If you want to suppress the warnings in advance of the removal operation, you must force the removal of Active Directory Domain Services (AD DS) by using an answer file. In the answer file, specify the parameter demotefsmo=yes.
On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
On the Force the Removal of Active Directory Domain Services page, review the information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next.
On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.
On the Summary page, review your selections. Click Back to change any selections, if necessary.
To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to remove AD DS.
You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the removal of AD DS when you are prompted to do so.
Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
In Roles Summary, click Remove Roles.
If necessary, review the information on the Before You Begin page, and then click Next.
On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.
On the Confirm Removal Selections page, click Remove.
On the Removal Results page, click Close, and then click Yes to restart the server.
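The first dcdiag run in this thread ends with "passed test CheckSecurityError" even though the same test logged that no KDC could be contacted, so the verdict line alone hides the Kerberos problem. The following is an added example, not part of the original posts: a PowerShell function (the name Get-DcdiagWarning and the warning phrase list are assumptions) that reads dcdiag text and reports any test whose body contains those warnings, whatever its verdict. The sample input is constructed from the output quoted above.

```powershell
# Added example: surface warnings that dcdiag logs inside a test it still marks "passed".
# Constructed sample, shortened from the CheckSecurityError output quoted in this thread.
$sample = @'
Testing server: Goole\GOOLE
Starting test: Connectivity
......................... GOOLE passed test Connectivity
Starting test: CheckSecurityError
No KDC found for domain client.local in site Goole (1355, NULL)
The KDC on GOOLE isn't responsive, please verify that it's running
[GOOLE] No security related replication errors were found on this DC!
......................... GOOLE passed test CheckSecurityError
'@

function Get-DcdiagWarning {
    param([string[]]$Line)
    # Assumed phrase list, taken from the output above; extend it for other tests.
    $warnPattern = 'No KDC found|Unable to contact|isn''t responsive'
    $test = $null
    $hits = @()
    foreach ($l in $Line) {
        $text = $l.Trim()
        if ($text -match '^Starting test:\s*(\S+)') {
            # A new test begins: remember its name and reset the collected warnings.
            $test = $Matches[1]
            $hits = @()
        }
        elseif ($text -match '^\.+\s*(\S+) (passed|failed) test (\S+)') {
            # Verdict line: emit one record only if warnings were seen in this test.
            if ($hits.Count -gt 0) {
                New-Object PSObject -Property @{
                    Server   = $Matches[1]
                    Test     = $Matches[3]
                    Verdict  = $Matches[2]
                    Warnings = $hits
                }
            }
            $test = $null
        }
        elseif ($test -and $text -match $warnPattern) {
            $hits += $text
        }
    }
}

Get-DcdiagWarning -Line ($sample -split "`r?`n") | Format-List
```

On a domain controller the live output can be passed in directly: `Get-DcdiagWarning -Line (dcdiag /test:checksecurityerror)`.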
ASKER
If you force removal via dcpromo to demote it, can I re-promote it with the same name at a later date?
The DC which won't demote right now holds no FSMO roles, so it should be safe to do it.
ASKER CERTIFIED SOLUTION
http://technet.microsoft.com/en-us/library/replication-error-2146893022-the-target-principal-name-is-incorrect(v=ws.10).aspx#BKMK_Causes