Solved

Can't remove Active directory from SBS 2008

Posted on 2014-01-05
Last Modified: 2014-01-06
I upgraded a network running SBS 2008 to Server 2012 R2. All that is left to do is dcpromo the SBS server and remove it from the domain. When I run dcpromo I get the error "You did not indicate that this Active Directory domain controller is the last domain controller for the domain domain.local. However, no other Active Directory domain controllers for that domain can be contacted."

The 2012 server has all the FSMO roles. DNS appears to be correct with one exception. On the SBS server, when I run dcdiag /test:dns I get the error "Missing AAAA record at DNS server 10.10.0.11:". 10.10.0.11 is the SBS server.

I disabled IPv6 but that did not have any effect.

I do not get an error on the 2012 server when running dcdiag /test:dns

I turned both firewalls off

netdom query fsmo on both servers shows that the 2012 server has all the fsmo roles

repadmin /showreps is successful

nltest shows successful on both servers from both servers
nltest /dsgetdc:domain /server:newserver and oldserver

I need to find a way to remove AD from SBS 2008 so I can remove it from the network
Question by:ajdratch
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757687
You could run the dcpromo /forceremoval command on the SBS 2008 server, since all of your FSMO roles are already transferred to the Windows 2012 R2 DC, but doing so will take the server directly to a workgroup, and you must then clean up its metadata from the 2012 R2 server with the ntdsutil command-line utility.

Mahesh
0
 

Author Comment

by:ajdratch
ID: 39757689
That is my last resort. As you said, I would then need to manually clean up AD
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757694
One option is to set up the 2012 R2 DC IP as the primary DNS on SBS in TCP/IP settings and then try demoting gracefully with dcpromo.

If that fails, then there is no other option than dcpromo /forceremoval.
After that you must do a metadata clean-up:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

Mahesh
0

 

Author Comment

by:ajdratch
ID: 39757704
I did try as you suggested but that did not work
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39757713
Leave IPv6 enabled, as disabling it messes things up.

Make sure DNS 0 on each DC with DNS points to itself only. Do not have any other DNS server IPs set in DNS 1 (on each NIC).

NSLookup on SBS 08 resolves the new DC name to the correct IP?

Philip
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39757732
Try the below:
Set up the 2012 R2 DC IP as the primary DNS on SBS in TCP/IP settings, then reboot the SBS server and try to demote gracefully with dcpromo.

If that fails, then I don't see any other option than dcpromo /forceremoval.

Mahesh
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39757748
If SBS is unable to resolve the new DC there may be problems in AD with replication. DNS is AD integrated and therefore both DCs should be sharing the same zone information.

Does the _msdcs.domain.local domain have GUIDs for both servers listed?

I suggest not changing the primary DNS to anything beyond itself. DNS not being healthy will be a killer.

Philip
0
 

Author Comment

by:ajdratch
ID: 39759037
_msdcs.domain.local does show both servers.

I have SBS 2008 and Server 2012, which are both DCs. 2012 has all FSMO roles. Exchange 2007 has been uninstalled. I also have a member server running Exchange 2013.

What worries me now is that when I shut down the SBS server, Outlook gets disconnected on all workstations.

DNS on Exchange 2013 does point to the Server 2012 DC.
0
 

Author Comment

by:ajdratch
ID: 39759229
I have had many problems with this migration and kept thinking there had to be one thing wrong causing all the problems. Turns out sysvol was not shared. I suspect this has been the source of many issues, including the Exchange migration.

I made this change:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Changed BurFlags value to D4

Sysvol is now shared. The DCPromo wizard goes past that warning; however, I did not go any further yet.

Sysvol on the new server does not have all the information and the netlogon folder is not shared. I need to resolve this first.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39759568
NOTE: With a DCPromo /ForceRemoval run on the old SBS your AD on the new DC would probably be incomplete and things may very well have been quite dire. :(

Please run the SBS Best Practices Analyzer.

We have an SBS migration guide here: http://bit.ly/oZ5ePG

While not specific to your given setup it has lots of bits about troubleshooting and cleaning up AD, replication, and more.

Philip
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39759968
How is your AD replication working between both domain controllers?

You may try the D2 BurFlags value on the 2012 DC.

You may try the article below for an FRS Sysvol non-authoritative restore on the Windows 2012 DC:
http://support.microsoft.com/kb/290762

If that succeeds, then your netlogon and Sysvol will get shared on the new DC, and then check if your replication is working properly.

You may use the FRSDiag tool for verification of FRS.
The tool has a GUI and may help you. Check the article below for its usage:
http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

Mahesh
0
 

Author Closing Comment

by:ajdratch
ID: 39760204
I was editing BurFlags on the 2012 DC. When I put D4 in the 2008 DC, netlogon and sysvol folders showed up.
0
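
The root cause found in this thread was a domain controller that was not sharing SYSVOL and NETLOGON. The following Windows PowerShell check, added here as an example and not part of the original thread, verifies both shares on every DC before a dcpromo demotion is attempted. The server names `oldserver` and `newserver` are placeholders, and the script assumes remote WMI access to both DCs.

```powershell
# Added example, not from the thread. 'oldserver' and 'newserver' are
# placeholder names; replace them with your own DC names.
$dcs = 'oldserver', 'newserver'
$results = @()
$unreachable = @()

foreach ($dc in $dcs) {
    try {
        # Win32_Share lists every share the server publishes.
        $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $dc -ErrorAction Stop |
            ForEach-Object { $_.Name })
    } catch {
        Write-Warning "Could not query shares on ${dc}: $($_.Exception.Message)"
        $unreachable += $dc
        continue
    }
    # -contains is case-insensitive, so 'SYSVOL' also matches 'sysvol'.
    $results += New-Object PSObject -Property @{
        Server   = $dc
        SYSVOL   = $shares -contains 'SYSVOL'
        NETLOGON = $shares -contains 'NETLOGON'
    }
}

$results | Format-Table Server, SYSVOL, NETLOGON -AutoSize

# A DC that lacks either share cannot serve logons or policy on its own,
# so the other DC should not be demoted until this is fixed.
$missing = @($results | Where-Object { -not ($_.SYSVOL -and $_.NETLOGON) })
if ($missing.Count -gt 0 -or $unreachable.Count -gt 0) {
    Write-Warning 'At least one DC is not confirmed to share SYSVOL and NETLOGON. Fix replication before running dcpromo.'
} else {
    Write-Output 'SYSVOL and NETLOGON are shared on every DC that was checked.'
}

# Cross-check with the dcdiag tests that cover the same ground.
foreach ($dc in $dcs) {
    dcdiag "/s:$dc" /test:sysvolcheck /test:advertising /test:netlogons
}
```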
