Matt
asked on
Access denied when trying to delete DC after running DCpromo to demote
Hi all,
Trying to get rid of an old 2008 DC on a 2003 domain. Have built a replacement DC which is set up as a global catalog. Have successfully run DCpromo to demote the server, but I cannot delete the server from Sites and Services. I get an access denied error. Have I missed something?
Thanks
How many DCs do you have?
Can you help me with the output below?
dcdiag /q
repadmin /replsum
netdom query dc
netdom query fsmo
Let me know if the demoted DC is present in any output of the above commands.
ASKER
This is taken from the newly promoted DC. It's the only DC at the site. I have 10 other DCs on various sites. All FSMO roles are held by DCs at the HQ site.
DCDIAG /q results
C:\Windows\system32>dcdiag /q
Warning: DsGetDcName returned information for \\DRDC.DOMAINNAME.local,
when we were trying to reach DEDC01.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DEDC01 failed test Advertising
An error event occurred. EventID: 0xC0000748
Time Generated: 05/01/2014 11:57:32
Event String:
This is the replication status for the following directory partition
on this directory server.
An error event occurred. EventID: 0xC0000748
Time Generated: 05/01/2014 11:57:32
Event String:
This is the replication status for the following directory partition
on this directory server.
An error event occurred. EventID: 0xC0000748
Time Generated: 05/01/2014 11:57:32
Event String:
This is the replication status for the following directory partition
on this directory server.
An error event occurred. EventID: 0xC0000748
Time Generated: 05/01/2014 11:57:32
Event String:
This is the replication status for the following directory partition
on this directory server.
An error event occurred. EventID: 0xC0000748
Time Generated: 05/01/2014 11:57:32
Event String:
This is the replication status for the following directory partition
on this directory server.
......................... DEDC01 failed test KccEvent
Unable to connect to the NETLOGON share! (\\DEDC01\netlogon)
[DEDC01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... DEDC01 failed test NetLogons
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=DomainDnsZones,DC=DOMAINNAME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2014-05-01 11:57:32.
The last success occurred at 2014-05-01 09:24:35.
3 failures have occurred since the last success.
[MDGDC] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=ForestDnsZones,DC=DOMAINNAME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2014-05-01 11:57:32.
The last success occurred at 2014-05-01 09:14:54.
3 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 11:57:32.
The last success occurred at 2014-05-01 09:14:53.
3 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: CN=Configuration,DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 11:57:32.
The last success occurred at 2014-05-01 09:21:12.
3 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 11:57:32.
The last success occurred at 2014-05-01 09:28:59.
3 failures have occurred since the last success.
......................... DEDC01 failed test Replications
C:\Windows\system32>
ASKER
repadmin /replsum results
MDGDC is the demoted DC
C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2014-05-01 12:21:06
Beginning data collection for replication summary, this may take awhile:
...............

Source DSA          largest delta  fails/total   %%  error
COLODC                  (unknown)    0 /  35      0
CUMBERNAULDDC1        01h:32m:10s    0 /   5      0
DEDC01                  (unknown)    0 /   5      0
DRDC                  01h:32m:08s    0 /   5      0
FRFILE-PRINT          01h:32m:09s    0 /   5      0
MDGDC                 03h:06m:13s    5 /   5    100  (1753) There are no more en
points available from the endpoint mapper.
MITDC                 01h:32m:08s    0 /   5      0
ROOSENDAALDC1         01h:32m:10s    0 /   5      0
DC0                       34m:10s    0 /  10      0
DC1                   01h:32m:07s    0 /  35      0
DC2                       34m:10s    0 /  10      0

Destination DSA     largest delta  fails/total   %%  error
COLODC                  (unknown)    0 /  35      0
DC1                       33m:31s    0 /  10      0
DEDC01                02h:57m:02s    5 /  10     50  (1256) The remote system is
not available. For information about network troubleshooting, see Windows Help.
DRDC                  01h:31m:40s    0 /   5      0
FRFILE-PRINT          01h:21m:45s    0 /  10      0
MITDC                     11m:59s    0 /  10      0
ROOSENDAALDC1         01h:21m:29s    0 /  10      0
DC0                       31m:01s    0 /  10      0
DC1                   01h:34m:10s    0 /  15      0
DC2                       30m:13s    0 /  10      0

Experienced the following operational errors trying to retrieve replication inf
rmation:
58 - paris-data
58 - MDGDC
ASKER
Netdom query DC
C:\Windows\system32>netdom query dc
List of domain controllers with accounts in the domain:
DC1
DC2
CUMBERNAULDDC1
COLODC
DC0
FRFILE-PRINT
ROOSENDAALDC1
DRDC
MDGDC
MITDC
DEDC01
The command completed successfully.
The demoted server MDGDC has not been removed from Active Directory; it's still there. It seems the demotion done by you had something wrong, or it was a forceremoval. Anyway, follow my article given above and perform the metadata cleanup from a healthy DC.
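The cross-check described above (does the demoted DC still show up in the command output?), as an added example that is not part of the original thread: it parses pasted `repadmin /replsum` and `netdom query dc` text and flags DCs that still have a domain account while failing every replication attempt as a source. The sample text is a shortened, constructed excerpt of the output posted here, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt of the output posted in this thread.
REPLSUM = """\
Source DSA largest delta fails/total %% error
COLODC (unknown) 0 / 35 0
DEDC01 (unknown) 0 / 5 0
MDGDC 03h:06m:13s 5 / 5 100 (1753) There are no more en
points available from the endpoint mapper.
MITDC 01h:32m:08s 0 / 5 0
Destination DSA largest delta fails/total %% error
DEDC01 02h:57m:02s 5 / 10 50 (1256) The remote system is
not available. For information about network troubleshooting, see Windows Help.
DRDC 01h:31m:40s 0 / 5 0
Experienced the following operational errors trying to retrieve replication inf
rmation:
58 - MDGDC
"""
NETDOM = """\
List of domain controllers with accounts in the domain:
COLODC
MDGDC
MITDC
DEDC01
The command completed successfully.
"""

# One table row: name, largest delta, "fails / total", percent, optional (code).
ROW = re.compile(r"^\s*(?P<dsa>\S+)\s+(?:\(unknown\)|>\d+ days|\S+)\s+"
                 r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+\d+"
                 r"(?:\s+\((?P<code>\d+)\))?")

def parse_replsum(text):
    """Return {'source': {dsa: row}, 'destination': {dsa: row}}."""
    tables, section = {"source": {}, "destination": {}}, None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("source dsa"):
            section = "source"
        elif head.startswith("destination dsa"):
            section = "destination"
        elif section and (m := ROW.match(line)):
            # Wrapped error text and the trailing error list do not match ROW.
            tables[section][m["dsa"].upper()] = {
                "fails": int(m["fails"]), "total": int(m["total"]),
                "code": int(m["code"]) if m["code"] else None}
    return tables

def parse_netdom(text):
    """DC names between the header line and the completion line."""
    skip = ("List of", "The command")
    return [s.upper() for s in map(str.strip, text.splitlines())
            if s and not s.startswith(skip)]

def stale_candidates(replsum_text, netdom_text):
    """DCs that still have an account but fail all replication as a source."""
    src = parse_replsum(replsum_text)["source"]
    return sorted(dc for dc in parse_netdom(netdom_text)
                  if dc in src and 0 < src[dc]["total"] == src[dc]["fails"])

def failing_destinations(replsum_text):
    """Destination DCs with at least one failed inbound attempt, with error code."""
    dst = parse_replsum(replsum_text)["destination"]
    return {dc: row["code"] for dc, row in dst.items() if row["fails"]}

if __name__ == "__main__":
    print("stale candidates:", stale_candidates(REPLSUM, NETDOM))
    print("failing destinations:", failing_destinations(REPLSUM))
```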
ASKER
Thanks
Have done this, the ntds data has gone but I still get access denied when trying to finally delete the server from sites and services.
ASKER
OK I have now managed to remove. I need to now get the new DC up and running servicing logons and replicating properly.
It now has no replication topology. Will this be generated automatically?
Also, the errors I posted earlier, how should I address these?
Thanks
It will be generated automatically by the KCC, subject to network connectivity with other DCs.
As per your dcdiag /q result, the netlogon and sysvol shares are not created; please check now if they are there.
Let me know if you are using NTFRS or DFS for sysvol replication so I can suggest accordingly.
ASKER
Same problem. I believe the netlogon is using NTFRS but I'm not 100%. How should I proceed?
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\adminbarnes>dcdiag /q
Warning: DsGetDcName returned information for
\\winnershdc2.DOMAINNAME.local, when we were trying to reach DEDC01.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DEDC01 failed test Advertising
Unable to connect to the NETLOGON share! (\\DEDC01\netlogon)
[DEDC01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... DEDC01 failed test NetLogons
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=DomainDnsZones,DC=DOMAINNAME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2014-05-01 12:57:32.
The last success occurred at 2014-05-01 09:24:35.
4 failures have occurred since the last success.
[MDGDC] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=ForestDnsZones,DC=DOMAINNAME,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
The failure occurred at 2014-05-01 12:57:32.
The last success occurred at 2014-05-01 09:14:54.
4 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 12:57:32.
The last success occurred at 2014-05-01 09:14:53.
4 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: CN=Configuration,DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 12:57:32.
The last success occurred at 2014-05-01 09:21:12.
4 failures have occurred since the last success.
[Replications Check,DEDC01] A recent replication attempt failed:
From MDGDC to DEDC01
Naming Context: DC=DOMAINNAME,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2014-05-01 12:57:32.
The last success occurred at 2014-05-01 09:28:59.
4 failures have occurred since the last success.
......................... DEDC01 failed test Replications
Could not open NTDS Service on DEDC01, error 0x5
"Access is denied."
......................... DEDC01 failed test Services
ASKER
It has now created a site replication automatically. Just an issue with netlogon, I think.
ASKER
Updated ...
Warning: DsGetDcName returned information for
\\winnershdc1.DOMAINNAME.local, when we were trying to reach DEDC01.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DEDC01 failed test Advertising
Unable to connect to the NETLOGON share! (\\DEDC01\netlogon)
[DEDC01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... DEDC01 failed test NetLogons
[Replications Check,DEDC01] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... DEDC01 failed test Replications
Could not open NTDS Service on DEDC01, error 0x5
"Access is denied."
......................... DEDC01 failed test Services
C:\Users\adminbarnes>
Could not open NTDS Service on DEDC01, error 0x5
"Access is denied."
......................... DEDC01 failed test Services
This is also an issue. Can you check the status of the "Active Directory Domain Services" service, whether it's running? It should be, but try restarting it.
You can confirm if sysvol is being used by reviewing the event logs of FRS.
ASKER
If I try and delete the NTDS object it tells me I should do this via dcpromo, which I have done?