DC Promo Error target principal name incorrect

I am trying to demote a 2008 domain controller to a member server. When I try, I get the error attached. Any ideas?

Thanks
dcpromo-error-2.gif
cloughs asked:

Randy Downs (Owner) commented:
Try this
http://technet.microsoft.com/en-us/library/replication-error-2146893022-the-target-principal-name-is-incorrect(v=ws.10).aspx#BKMK_Causes

Resolutions
Run dcdiag /test:checksecurityerror on the source DC

SPNs may be missing, invalid or duplicated due to simple replication latency, especially following promotion, or replication failures.

Duplicate SPNs may cause bad SPN to name mappings.

DCDIAG /TEST:CheckSecurityError can check for missing or duplicate SPNs and other errors.

Run this command on the console of all source DCs that fail "outbound" replication with the SEC_E_WRONG_PRINCIPAL error.

You can check SPN registration against a specific location using the syntax:

dcdiag /test:checksecurityerror replsource:<remote dc>
Verify that Kerberos encrypted network traffic reached the intended Kerberos target (name-to-IP mapping).

When inbound replicating Active Directory, destination DCs search their local copy of Active Directory for the objectGUID of the source DCs NTDS Settings objects, then query the active DNS Server for a matching DC GUIDed CNAME record which is then mapped to a host "A" / "AAAA" record containing the source DCs IP address. Active Directory performs name resolution fallback that includes queries for fully qualified computer names in DNS or single-label hostnames in WINS (note: DNS servers can also perform WINS lookups in fallback scenarios).

Stale NTDS Settings objects, bad name-to-IP mappings in DNS and WINS host records, stale entries in HOST files can all cause a destination DC to submit Kerberos-encrypted traffic to the wrong Kerberos target.

There are two methods to check for this condition:

Take a network trace.

Or

Manually verify that DNS / NetBIOS name queries resolve to the intended target computer.
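The quoted TechNet text describes two manual checks: that the GUID-based CNAME each destination DC looks up in _msdcs resolves to the same address as the source DC's host record, and that no SPNs are duplicated. The PowerShell script below is an added example, not code from the original thread or from Microsoft's article; it automates both checks with plain ADSI so it runs on Windows Server 2008 / PowerShell 2.0 without the ActiveDirectory module. It assumes it is run as a domain user on a domain-joined machine that can query the AD-integrated DNS; the optional -ReplSource value (for instance DC1) is passed to dcdiag using the /ReplSource:<DC> spelling that dcdiag itself prints in the output above.

```powershell
# Added example (not from the original thread): automate the two manual checks
# in the quoted TechNet text, namely (1) that each DC's <objectGUID>._msdcs
# CNAME maps to the same addresses as its host record, and (2) a duplicate-SPN
# sweep, then optionally run dcdiag against one source DC.
# Uses ADSI only (works on Windows Server 2008 / PowerShell 2.0, no AD module).
# Assumption: run as a domain user on a domain-joined machine that can reach
# the AD-integrated DNS servers.
param(
    [string]$ReplSource    # optional: source DC to target with dcdiag, e.g. DC1
)

$rootDse    = [ADSI]'LDAP://RootDSE'
$configNC   = [string]$rootDse.configurationNamingContext
# DC=client,DC=local -> client.local (the _msdcs zone lives under the forest root)
$forestRoot = ([string]$rootDse.rootDomainNamingContext -replace 'DC=', '') -replace ',', '.'

function Resolve-Addresses([string]$name) {
    # IP addresses $name resolves to (sorted); outputs nothing on NXDOMAIN.
    try {
        [System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString } | Sort-Object
    } catch { }
}

# Every nTDSDSA object below CN=Sites is one DC's "NTDS Settings" object.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$searcher.Filter     = '(objectClass=nTDSDSA)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange(@('objectGUID', 'distinguishedName'))

$problems = 0
foreach ($result in $searcher.FindAll()) {
    $guid     = New-Object Guid (, $result.Properties['objectguid'][0])
    $ntdsDn   = [string]$result.Properties['distinguishedname'][0]
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''   # parent = server object
    $hostName = [string]([ADSI]"LDAP://$serverDn").dNSHostName

    # A destination DC resolves <GUID>._msdcs.<forest root> (a CNAME) and then
    # the host A/AAAA record it points at; both paths must agree on the address.
    $cname   = "$guid._msdcs.$forestRoot"
    $viaGuid = @(Resolve-Addresses $cname)
    $viaHost = @(Resolve-Addresses $hostName)

    if ($viaGuid.Count -eq 0) {
        Write-Warning "$hostName : $cname does not resolve (missing or stale _msdcs CNAME)"
        $problems++
    } elseif ($viaHost.Count -eq 0) {
        Write-Warning "$hostName : no host record, but the CNAME gives $($viaGuid -join ',')"
        $problems++
    } elseif (@(Compare-Object $viaGuid $viaHost).Count -ne 0) {
        # Kerberos traffic would go to whatever answers at the CNAME's address,
        # which is the "wrong Kerberos target" case the TechNet text describes.
        Write-Warning "$hostName : CNAME -> $($viaGuid -join ','); host record -> $($viaHost -join ',')"
        $problems++
    } else {
        Write-Host "$hostName : OK ($($viaGuid -join ','))"
    }
}

# Duplicate SPNs produce wrong SPN-to-account mappings; setspn -X lists them
# (setspn.exe ships with Windows Server 2008 and later).
& setspn -X 2>&1 | Where-Object { $_ -match 'duplicate' } | ForEach-Object { Write-Host $_ }

if ($ReplSource) {
    # Check the path from this DC to one specific source DC.
    & dcdiag /test:checksecurityerror "/replsource:$ReplSource"
}

Write-Host "$problems name-to-IP problem(s) found."
```

Run it on the DC that is failing to demote (the destination side of the replication that dcpromo needs); a warning for the other DC's entry is the stale NTDS Settings / bad DNS mapping case, and a "duplicate" line from setspn is the bad SPN-to-name mapping case.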
cloughs (Author) commented:
The first command gave this result:

C:\Users\administrator> dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Goole
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Goole\GOOLE
      Starting test: Connectivity
         ......................... GOOLE passed test Connectivity

Doing primary tests

   Testing server: Goole\GOOLE
      Starting test: CheckSecurityError
         No KDC found for domain client.local in site Goole (1355, NULL)
         [GOOLE] Unable to contact a KDC for the destination domain in it's own
         site.  This means either there are no available KDC's for this domain
         in the site, *including* the destination DC itself, or we're having
         network or packet fragmentation issues connecting to it.  We'll check
         packet fragmentation connection to the destination DC, make
         recommendations, and continue.
          The KDC on GOOLE isn't responsive, please verify that it's running
         and advertising.
         [GOOLE] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... GOOLE passed test CheckSecurityError


   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : client

   Running enterprise tests on : client.local

C:\Users\administrator>

cloughs (Author) commented:
The other DC gives this response

C:\Users\administrator> dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Halifax\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Halifax\DC1
      Starting test: CheckSecurityError
         [DC1] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... DC1 passed test CheckSecurityError


   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : client

   Running enterprise tests on : client.local

C:\Users\administrator>

Randy Downs (Owner) commented:
It looks like the first server hiccuped but passed the test. You could force removal.

http://technet.microsoft.com/en-us/library/cc731871(v=ws.10).aspx


To force the removal of a domain controller by using the Windows interface
At a command prompt, type the following command, and then press ENTER:
dcpromo /forceremoval

If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles, or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. If you want to suppress the warnings in advance of the removal operation, you must force the removal of Active Directory Domain Services (AD DS) by using an answer file. In the answer file, specify the parameter demotefsmo=yes.

On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

On the Force the Removal of Active Directory Domain Services page, review the information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next.

On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.

On the Summary page, review your selections. Click Back to change any selections, if necessary.

To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

When you are sure that your selections are accurate, click Next to remove AD DS.
You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the removal of AD DS when you are prompted to do so.

Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

In Roles Summary, click Remove Roles.

If necessary, review the information on the Before You Begin page, and then click Next.

On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.

On the Confirm Removal Selections page, click Remove.

On the Removal Results page, click Close, and then click Yes to restart the server.

cloughs (Author) commented:
If you force removal via dcpromo to demote it, can I re-promote it with the same name at a later date?

The DC which won't demote right now holds no FSMO roles, so it should be safe to do it.

Randy Downs (Owner) commented:
Yes, it should work.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ff531e4f-4034-4770-bf0a-46c854884724/repromote-dc-with-same-name-after-dcpromo-forceremoval?forum=winserverDS

Yes - you should be able to promote a computer with the same name as the original DC...
Before you do, though, make sure to go through each step of http://support.microsoft.com/kb/555846

.............


If you are re-promoting the DC you previously demoted, I'd suggest reinstalling the OS - although ultimately this depends on the reason for demoting it...

Yeah, that is fine. When you did the /forceremoval and metadata cleanup, it got rid of the old references for that old DC (DC-GUID). There shouldn't be any lingering info.
 
http://blogs.technet.com/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx
 
DS team also outlined the /forceremoval, metadata cleanup, repromote process in that article (towards the end)
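The two answers above describe one procedure: dcpromo /forceremoval on the DC that will not demote, metadata cleanup for the references it leaves behind, and then re-promoting a machine with the same name. The forced removal itself is the documented command, so the part worth a worked example is the cleanup verification. The following PowerShell script is an added example, not code from the thread, from TechNet, or from the linked KB articles; run it from a surviving DC such as DC1 after the forced removal. It is read-only: it reports the server object, NTDS Settings object, DC computer account, FRS/DFSR SYSVOL membership and DNS records that still name the old DC, and prints the ntdsutil command for the server object. The defaults (GOOLE in site Goole, domain client.local taken as the forest root) come from the dcdiag output on this page and are assumptions to override for any other environment.

```powershell
# Added example (not from the original thread): after "dcpromo /forceremoval"
# on the broken DC, run this from a surviving DC to list every reference that
# metadata cleanup still has to remove before a machine with the same name is
# promoted again. Read-only: it only reports what is left.
# Assumptions (names taken from the page's dcdiag output, not verified there):
# demoted DC GOOLE in site Goole, domain client.local, which is also the
# forest root (the _msdcs zone lives under the forest root).
param(
    [string]$DemotedDc   = 'GOOLE',
    [string]$DemotedSite = 'Goole',
    [string]$DomainDns   = 'client.local'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext
$leftover = @()

function Test-AdPath([string]$dn, [string]$what) {
    # DirectoryEntry.Exists binds to the DN and returns $false once it is gone.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        $script:leftover += "$what : $dn"
    }
}

# Objects a normal demotion removes and a forced removal leaves behind.
$serverDn = "CN=$DemotedDc,CN=Servers,CN=$DemotedSite,CN=Sites,$configNC"
$ntdsDn   = "CN=NTDS Settings,$serverDn"
Test-AdPath $serverDn 'Server object (Sites and Services)'
Test-AdPath $ntdsDn   'NTDS Settings object'
Test-AdPath "CN=$DemotedDc,OU=Domain Controllers,$domainNC" 'DC computer account'
Test-AdPath "CN=$DemotedDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC" 'FRS SYSVOL member'
Test-AdPath "CN=$DemotedDc,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainNC" 'DFSR SYSVOL member'

# While the NTDS Settings object survives, other DCs still try to replicate
# from its GUID CNAME in _msdcs; report that record too.
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ntdsDn")) {
    $guid  = ([ADSI]"LDAP://$ntdsDn").Guid
    $cname = "$guid._msdcs.$DomainDns"
    try {
        $null = [System.Net.Dns]::GetHostAddresses($cname)
        $leftover += "GUID CNAME $cname still resolves"
    } catch { }
}

# DNS: SRV records that still advertise the old DC, and its host record.
$fqdn = "$DemotedDc.$DomainDns"
foreach ($srv in @("_ldap._tcp.dc._msdcs.$DomainDns", "_kerberos._tcp.dc._msdcs.$DomainDns")) {
    $hits = @(& nslookup -type=SRV $srv 2>$null | Where-Object { $_ -match [regex]::Escape($fqdn) })
    if ($hits.Count -gt 0) { $leftover += "SRV record $srv still lists $fqdn" }
}
try {
    $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    # A stale A record is exactly the wrong-Kerberos-target case from the first
    # answer if the re-promoted machine comes back with a different address.
    $leftover += "Host record $fqdn -> $($ips -join ',') (remove unless the re-promoted machine keeps this IP)"
} catch { }

if ($leftover.Count -eq 0) {
    Write-Host "No lingering references to $DemotedDc found."
} else {
    $leftover | ForEach-Object { Write-Warning $_ }
    if ($leftover -match 'Server object') {
        # ntdsutil's "remove selected server <DN>" form from the metadata cleanup
        # menu; it also removes the NTDS Settings object beneath the server.
        Write-Host "Remove the server object with: ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
    }
}
```

Re-run the script until it reports nothing; only then promote the replacement, and, as the quoted thread advises, prefer a freshly installed OS for that machine rather than the one that failed to demote.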