Solved

Can't remove Active directory from SBS 2008

Posted on 2014-01-05
Last Modified: 2014-01-06
I upgraded a network running SBS 2008 to Server 2012 R2. All that is left to do is dcpromo the SBS server and remove it from the domain. When I run dcpromo I get the error "You did not indicate that this Active Directory domain controller is the last domain controller for the domain domain.local. However, no other Active Directory domain controllers for that domain can be contacted."

The 2012 server has all the FSMO roles. DNS appears to be correct with one exception. On the SBS server, when I run dcdiag /test:dns I get the error "Missing AAAA record at DNS server 10.10.0.11:". 10.10.0.11 is the SBS server.

I disabled IPv6 but that did not have any effect.

I do not get an error on the 2012 server when running dcdiag /test:dns

I turned both firewalls off

netdom query fsmo on both servers shows that the 2012 server has all the fsmo roles

repadmin /showreps is successful

nltest shows successful on both servers from both servers
nltest /dsgetdc:domain /server:newserver and oldserver

I need to find a way to remove AD from SBS 2008 so I can remove it from the network
Question by:ajdratch
12 Comments
 
LVL 35

Expert Comment

by:Mahesh
You could run the dcpromo /forceremoval command on the SBS 2008 server, since all of your FSMO roles have already been transferred to the Windows 2012 R2 DC, but doing so will take the server directly to a workgroup, and you must then clean its metadata from the 2012 R2 server with the ntdsutil command-line utility.

Mahesh

Author Comment

by:ajdratch
That is my last resort. As you said, I would then need to manually clean up AD

LVL 35

Expert Comment

by:Mahesh
One option is to set the 2012 R2 DC IP as the primary DNS on SBS in the TCP/IP settings and then try demoting gracefully with dcpromo.

If that fails, then there is no other option other than dcpromo /forceremoval.
After that you must do a metadata clean-up:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

Mahesh

Author Comment

by:ajdratch
I did try as you suggested but that did not work

LVL 38

Expert Comment

by:Philip Elder
Leave IPv6 enabled, as disabling it messes things up.

Make sure DNS 0 on each DC with DNS points to itself only. Do not have any other DNS server IPs set in DNS 1 (on each NIC).

NSLookup on SBS 08 resolves the new DC name to the correct IP?

Philip

LVL 35

Expert Comment

by:Mahesh
Try the below:
Set the 2012 R2 DC IP as the primary DNS on SBS in the TCP/IP settings, then reboot the SBS server and try to demote gracefully with dcpromo.

If that fails, then I don't see any other option other than dcpromo /forceremoval.

Mahesh

LVL 38

Expert Comment

by:Philip Elder
If SBS is unable to resolve the new DC there may be problems in AD with replication. DNS is AD integrated and therefore both DCs should be sharing the same zone information.

Does the _msdcs.domain.local domain have GUIDs for both servers listed?

I suggest not changing the primary DNS to anything beyond itself. DNS not being healthy will be a killer.

Philip

Author Comment

by:ajdratch
_msdcs.domain.local does show both servers.

I have SBS 2008 and Server 2012, which are both DCs. 2012 has all FSMO roles. Exchange 2007 has been uninstalled. I also have a member server running Exchange 2013.

What worries me now is that when I shut down the SBS server, Outlook gets disconnected on all workstations.

DNS on Exchange 2013 does point to server 2012 DC

Author Comment

by:ajdratch
I have had many problems with this migration and kept thinking there had to be one thing wrong causing all the problems. Turns out sysvol was not shared. I suspect this has been the source of many issues including Exchange migration.

I made this change
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Changed BurFlags value to D4

Sysvol is now shared. The DCPromo wizard goes past that warning; however, I did not go any further yet.

Sysvol on the new server does not have all the information and the netlogon folder is not shared. I need to resolve this first.

LVL 38

Expert Comment

by:Philip Elder
NOTE: With a DCPromo /ForceRemoval run on the old SBS your AD on the new DC would probably be incomplete and things may very well have been quite dire. :(

Please run the SBS Best Practices Analyzer.

We have an SBS migration guide here: http://bit.ly/oZ5ePG

While not specific to your given setup it has lots of bits about troubleshooting and cleaning up AD, replication, and more.

Philip

LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
How is your AD replication working between both Domain Controllers ?

You may try D2 BurFlags value on 2012 DC

You may try below article for FRS Sysvol non authoritative restore on Windows 2012 DC
http://support.microsoft.com/kb/290762

If that succeeds, then your netlogon and Sysvol will get shared on the new DC; then check if your replication is working properly.

You may use the FRSDiag tool for verification of FRS.
The tool has a GUI and may help you. Check the below article for its usage:
http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

Mahesh

Author Closing Comment

by:ajdratch
I was editing BurFlags on the 2012 DC. When I put D4 in the 2008 DC, netlogon and sysvol folders showed up.
0
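
The root cause in this thread was a domain controller that was not sharing SYSVOL, so the following is an added example (not part of any post above) of a read-only check to run on each DC before attempting dcpromo. It assumes FRS-replicated SYSVOL as in this migration; the function name `Get-SysvolHealth` and the `Healthy` field are made up for illustration.

```powershell
# Added example, not from the thread: read-only SYSVOL check, run locally on each DC.
# Assumes FRS-replicated SYSVOL and Windows PowerShell 2.0 or later.
function Get-SysvolHealth {
    # Shares a working DC publishes. WMI is used because Get-SmbShare
    # does not exist on Server 2008.
    $shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $sysvolShared   = $shares -contains 'SYSVOL'
    $netlogonShared = $shares -contains 'NETLOGON'

    # Netlogon publishes the two shares only once SysvolReady is 1.
    $sysvolReady = $null
    $nl = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($nl) { $sysvolReady = $nl.SysvolReady }

    # The key name 'Backup/Restore' contains '/', which the PowerShell registry
    # provider treats as a path separator, so open the key through .NET instead.
    $burPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\' +
               'Backup/Restore\Process at Startup'
    $burFlags = 'not set'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($burPath)
    if ($key) {
        $raw = $key.GetValue('BurFlags')
        # D2 / D4 are consumed when NtFrs next starts; the value then reads 0.
        if ($raw -ne $null) { $burFlags = '0x{0:X}' -f $raw }
        $key.Close()
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        SysvolShared   = $sysvolShared
        NetlogonShared = $netlogonShared
        SysvolReady    = $sysvolReady
        BurFlags       = $burFlags
        Healthy        = ($sysvolShared -and $netlogonShared -and ($sysvolReady -eq 1))
    }
}

Get-SysvolHealth |
    Select-Object Computer, SysvolShared, NetlogonShared, SysvolReady, BurFlags, Healthy
```

A DC that reports `Healthy` as False is the one to repair before demoting the other, since a forced removal at that point would leave the domain with no complete SYSVOL.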
