• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2771
  • Last Modified:

Can't remove Active directory from SBS 2008

I upgraded a network running SBS 2008 to Server 2012 R2. All that is left is to do is dcpomo the SBS server and remove it from the domain. When I run dcpromo I get the error "You did not indicate that this Active Directory domain controller is the last domain controller for the domain domain.local. However, no other Active Directory domain controllers for that domain can be contacted."

The 2012 server has all the FSMO roles. DNS appears to be correct with one exception. On the SBS server when I run  dcdiag /test:dns I get the error " Missing AAAA record at DNS server 10.10.0.11:"  10.10.0.11 is the SBS server.

I disabled IP6 but that did not have any effect

I do not get an error on the 2012 server when running dcdiag /test:dns

I turned both firewalls off

netdom query fsmo on both servers shows that the 2012 server has all the fsmo roles

repadmin /showreps is successful

nltest shows successful on both servers from both servers
nltest /dsgetdc:domain /server:newserver and oldserver

I need to find a way to remove AD from SBS 2008 so I can remove it from the network
0
ajdratch
Asked:
ajdratch
  • 5
  • 4
  • 3
1 Solution
 
MaheshArchitectCommented:
You could run dcpromo /forceremoval command on SBS 2008 server since all of your FSMO role already transferred to windows 2012 R2 DC, but doing so it will take server directly to workgroup and you must then clean its metadata from 2012 R2 server with ntdsutil command line utility

Mahesh
0
 
ajdratchAuthor Commented:
That is my last resort. As you said, I would then need to manually clean up AD
0
 
MaheshArchitectCommented:
One option is you could setup 2012 R2 DC IP as a primary dns on SBS in TCP/IP settings and then try demoting gracefully with dcpromo.

If that fails, then there is no other option other than dcpromo /forceremoval
After that you must do Metadata clean-up
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

Mahesh
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
ajdratchAuthor Commented:
I did try as you suggested but that did not work
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Leave IPv6 enabled as that messes things up to disable it.

Make sure DNS 0 on each DC with DNS points to itself only. Do not have any other DNS server IPs set in DNS 1 (on each NIC).

NSLookup on SBS 08 resolves the new DC name to the correct IP?

Philip
0
 
MaheshArchitectCommented:
Try below
Setup 2012 R2 DC IP as a primary dns on SBS in TCP/IP settings and then reboot the SBS server and try gracefully demote with dcpromo.

If that fails, then I don't see any other option other than dcpromo /forceremoval

Mahesh
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
If SBS is unable to resolve the new DC there may be problems in AD with replication. DNS is AD integrated and therefore both DCs should be sharing the same zone information.

Does the _msdcs.domain.local domain have GUIDs for both servers listed?

I suggest not changing the primary DNS to anything beyond itself. DNS not being healthy will be a killer.

Philip
0
 
ajdratchAuthor Commented:
_msdcs.domain.local does show both servers.

I have SBS 2008 and Server 2012 which are both DC. 2012 has all fSMO roles. Exchange 2007 has been uninstalled. I also have a member server running Exchange 2013.

What worries my now is that when I shut down SBS server, Outlook gets disconnected on all workstations.

DNS on Exchange 2013 does point to server 2012 DC
0
 
ajdratchAuthor Commented:
I have had many problems with this migration and kept thinking there had to be one thing wrong causing all the problems. Turns out sysvol was not shared. I suspect this has been the source of many issues including Exchange migration.

I made this change
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Changed BurFlags value to D4

Sysvol is now shared. The DCPomo wizard goes past that warning however I did not go any further yet.

Sysvol on the new server does not have all the information and the netlogon folder is not shared. I need to resolve this first.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
NOTE: With a DCPromo /ForceRemoval run on the old SBS your AD on the new DC would probably be incomplete and things may very well have been quite dire. :(

Please run the SBS Best Practices Analyzer.

We have an SBS migration guide here: http://bit.ly/oZ5ePG

While not specific to your given setup it has lots of bits about troubleshooting and cleaning up AD, replication, and more.

Philip
0
 
MaheshArchitectCommented:
How is your AD replication working between both Domain Controllers ?

You may try D2 BurFlags value on 2012 DC

You may try below article for FRS Sysvol non authoritative restore on Windows 2012 DC
http://support.microsoft.com/kb/290762

If that succeed, then your netlogon and Sysvol will get shared on new DC and then check if your replication is working properly

You may use FRSDiag tool for verification of FRS
The tool has GUI and may helps you. Check below article for its usage
http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

Mahesh
0
 
ajdratchAuthor Commented:
I was editiing BurFlags on the 2012 DC. When I put D4 in the 2008 DC, netlogon and sysvol folders showed up.
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 5
  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now