Solved

Can't remove Active directory from SBS 2008

Posted on 2014-01-05
12
2,346 Views
Last Modified: 2014-01-06
I upgraded a network running SBS 2008 to Server 2012 R2. All that is left to do is dcpromo the SBS server and remove it from the domain. When I run dcpromo I get the error "You did not indicate that this Active Directory domain controller is the last domain controller for the domain domain.local. However, no other Active Directory domain controllers for that domain can be contacted."

The 2012 server has all the FSMO roles. DNS appears to be correct with one exception. On the SBS server, when I run dcdiag /test:dns I get the error "Missing AAAA record at DNS server 10.10.0.11:". 10.10.0.11 is the SBS server.

I disabled IPv6 but that did not have any effect.

I do not get an error on the 2012 server when running dcdiag /test:dns

I turned both firewalls off

netdom query fsmo on both servers shows that the 2012 server has all the fsmo roles

repadmin /showreps is successful

nltest shows successful on both servers from both servers
nltest /dsgetdc:domain /server:newserver and oldserver

I need to find a way to remove AD from SBS 2008 so I can remove it from the network
0
Comment
Question by:ajdratch
12 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757687
You could run the dcpromo /forceremoval command on the SBS 2008 server, since all of your FSMO roles have already been transferred to the Windows 2012 R2 DC, but doing so will take the server directly to a workgroup, and you must then clean its metadata from the 2012 R2 server with the ntdsutil command-line utility.

Mahesh
0
 

Author Comment

by:ajdratch
ID: 39757689
That is my last resort. As you said, I would then need to manually clean up AD
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757694
One option is to set up the 2012 R2 DC IP as the primary DNS on SBS in the TCP/IP settings and then try demoting gracefully with dcpromo.

If that fails, then there is no other option other than dcpromo /forceremoval.
After that you must do a metadata clean-up:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

Mahesh
0

 

Author Comment

by:ajdratch
ID: 39757704
I did try as you suggested, but that did not work.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39757713
Leave IPv6 enabled, as disabling it messes things up.

Make sure DNS 0 on each DC with DNS points to itself only. Do not have any other DNS server IPs set in DNS 1 (on each NIC).

NSLookup on SBS 08 resolves the new DC name to the correct IP?

Philip
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757732
Try the below:
Set up the 2012 R2 DC IP as the primary DNS on SBS in the TCP/IP settings, then reboot the SBS server and try to gracefully demote with dcpromo.

If that fails, then I don't see any other option other than dcpromo /forceremoval.

Mahesh
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39757748
If SBS is unable to resolve the new DC there may be problems in AD with replication. DNS is AD integrated and therefore both DCs should be sharing the same zone information.

Does the _msdcs.domain.local domain have GUIDs for both servers listed?

I suggest not changing the primary DNS to anything beyond itself. DNS not being healthy will be a killer.

Philip
0
 

Author Comment

by:ajdratch
ID: 39759037
_msdcs.domain.local does show both servers.

I have SBS 2008 and Server 2012, which are both DCs. 2012 has all FSMO roles. Exchange 2007 has been uninstalled. I also have a member server running Exchange 2013.

What worries me now is that when I shut down the SBS server, Outlook gets disconnected on all workstations.

DNS on Exchange 2013 does point to server 2012 DC
0
 

Author Comment

by:ajdratch
ID: 39759229
I have had many problems with this migration and kept thinking there had to be one thing wrong causing all the problems. Turns out sysvol was not shared. I suspect this has been the source of many issues including Exchange migration.

I made this change
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Changed BurFlags value to D4

Sysvol is now shared. The DCPromo wizard goes past that warning; however, I did not go any further yet.

Sysvol on the new server does not have all the information and the netlogon folder is not shared. I need to resolve this first.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39759568
NOTE: With a DCPromo /ForceRemoval run on the old SBS your AD on the new DC would probably be incomplete and things may very well have been quite dire. :(

Please run the SBS Best Practices Analyzer.

We have an SBS migration guide here: http://bit.ly/oZ5ePG

While not specific to your given setup it has lots of bits about troubleshooting and cleaning up AD, replication, and more.

Philip
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39759968
How is your AD replication working between both domain controllers?

You may try the D2 BurFlags value on the 2012 DC.

You may try the below article for an FRS Sysvol non-authoritative restore on the Windows 2012 DC:
http://support.microsoft.com/kb/290762

If that succeeds, then your netlogon and Sysvol will get shared on the new DC; then check if your replication is working properly.

You may use the FRSDiag tool for verification of FRS.
The tool has a GUI and may help you. Check the below article for its usage:
http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

Mahesh
0
 

Author Closing Comment

by:ajdratch
ID: 39760204
I was editing BurFlags on the 2012 DC. When I put D4 in the 2008 DC, netlogon and sysvol folders showed up.
0
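
The thread came down to which DC had SYSVOL and NETLOGON shared and which DC's BurFlags had been edited. A read-only PowerShell check that reports both per DC is sketched below as an added example (not code from any poster in this thread). It assumes PowerShell 2.0 or later, administrative rights, and WMI plus Remote Registry access to each DC; the computer names in the usage comment are placeholders, and the SysvolReady value it also reads is not mentioned in the thread.

```powershell
# Added example: read-only SYSVOL/NETLOGON and BurFlags report for FRS-replicated DCs.
# Nothing is written to the registry or to the shares.
function Get-DcSysvolState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # The key name contains a forward slash ("Backup/Restore"). The PowerShell
    # registry provider treats "/" as a path separator, so the .NET registry
    # API is used here instead of Get-ItemProperty.
    $burKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $nlKey  = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    foreach ($dc in $ComputerName) {
        # Share names as the Server service currently publishes them.
        $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $dc |
                    ForEach-Object { $_.Name })

        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        try {
            $bur = $hklm.OpenSubKey($burKey)   # opened read-only
            $nl  = $hklm.OpenSubKey($nlKey)
            $burFlags = if ($bur) { $bur.GetValue('BurFlags') } else { $null }
            $ready    = if ($nl)  { $nl.GetValue('SysvolReady') } else { $null }
        }
        finally { $hklm.Close() }

        # D4 (authoritative) and D2 (non-authoritative) are hex DWORD values;
        # FRS resets BurFlags to 0 once it has processed the request.
        $burText = if ($burFlags -ne $null) { '0x{0:X}' -f $burFlags } else { 'not set' }

        New-Object PSObject -Property @{
            Computer       = $dc
            SysvolShared   = $shares -contains 'SYSVOL'
            NetlogonShared = $shares -contains 'NETLOGON'
            SysvolReady    = $ready
            BurFlags       = $burText
        } | Select-Object Computer, SysvolShared, NetlogonShared, SysvolReady, BurFlags
    }
}

# Usage (placeholder computer names, run before attempting dcpromo):
#   Get-DcSysvolState -ComputerName 'OLD-SBS','NEW-DC' | Format-Table -AutoSize
```

A DC that reports SysvolShared or NetlogonShared as False is not yet serving logon scripts and policy, so it should not become the only DC until that is resolved.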
