• Status: Solved

Server 2003 demotion issues

Hi Everyone,

Having trouble demoting one of my servers.  This domain originally had 2 Server 2003 DC's.  Last weekend I successfully demoted one with relatively no issues.  I brought up 2 new Server 2012r2 DC's across 2 sites to replace these.  I'm on this last one and when I run dcpromo I get to the last page where it actually tries to demote the server and immediately get a "The operation failed, invalid handle" error.  The first time it ran for a few minutes, but on subsequent times it immediately fails.

I inherited this domain and I know this server used to run Exchange 2003.  All mailboxes and public folders have been moved to a new Exchange 2010 Server.  All Exchange services are disabled on this machine.  It was uninstalled, albeit with some issues, and the system manager is still on there.  However, it doesn't handle any mail functions.

The error in dcpromo.log.

04/26 21:34:08 [ERROR] Failed to load NTDSETUP.DLL
04/26 21:34:08 [ERROR] Internal error trying to initialize operation handle (126).
04/26 21:34:08 [INFO] Request for demotion of domain controller
04/26 21:34:08 [INFO] DnsDomainName  (NULL)
04/26 21:34:08 [INFO] 	ServerRole  1
04/26 21:34:08 [INFO] 	Account (NULL) 	Options  128
04/26 21:34:08 [INFO] 	LastDcInDomain  FALSE
04/26 21:34:08 [INFO] 	Forced Demote  FALSE
04/26 21:34:08 [INFO] Start the worker task
04/26 21:34:08 [ERROR] Thread 2011571319 unsuccessfully started: 6
04/26 21:34:08 [INFO] Request for demotion returning 6

Also note that I didn't put the null in for domain name or account.  Not sure if that is intended or it can't be read?

It passes all dcdiag tests when running in verbose mode.  It is replicating and performing all functions properly as far as I can tell.  Since it immediately happens it seems like an issue with the local system and not AD related.

Any help would be great.

Asked by: Mike Jones

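Added example, not part of the original thread: a small triage script for the dcpromo.log excerpt in the question. It assumes the numeric statuses in the log are Win32 system error codes, which is consistent with the "invalid handle" text dcpromo displayed; the function names and the two-entry code table are this example's own.

```python
import re

# Win32 system error codes seen in this log (values from winerror.h).
WIN32_ERRORS = {
    6: "ERROR_INVALID_HANDLE (The handle is invalid.)",
    126: "ERROR_MOD_NOT_FOUND (The specified module could not be found.)",
}

# Subset of the dcpromo.log lines posted in the question.
SAMPLE_LOG = """\
04/26 21:34:08 [ERROR] Failed to load NTDSETUP.DLL
04/26 21:34:08 [ERROR] Internal error trying to initialize operation handle (126).
04/26 21:34:08 [INFO] Request for demotion of domain controller
04/26 21:34:08 [INFO] Start the worker task
04/26 21:34:08 [ERROR] Thread 2011571319 unsuccessfully started: 6
04/26 21:34:08 [INFO] Request for demotion returning 6
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\]\s+(.*)$")
# A status code appears as "(126).", as ": 6" at end of line, or as "returning 6".
CODE_RE = re.compile(r"\((\d+)\)\.?$|:\s*(\d+)$|returning\s+(\d+)$")

def parse(log_text):
    """Yield (timestamp, level, message, code_or_None) per well-formed line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts, level, msg = m.groups()
        c = CODE_RE.search(msg)
        code = int(next(g for g in c.groups() if g)) if c else None
        yield ts, level, msg, code

def triage(log_text):
    """Return failures in log order: ERROR lines and any non-zero status."""
    findings = []
    for ts, level, msg, code in parse(log_text):
        if level != "ERROR" and code in (None, 0):
            continue
        meaning = None if code is None else WIN32_ERRORS.get(code, "unknown code")
        findings.append({"time": ts, "level": level, "code": code,
                         "meaning": meaning, "message": msg})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["level"], f["code"], f["meaning"], "|", f["message"])
```

In the posted log the module-load failure (126) is recorded before the invalid-handle results (6), so the NTDSETUP.DLL load on that server is the first thing the log points at.
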
Skyler Kincaid (Network/Systems Engineer) commented:
Have you transferred all the FSMO roles?

Are all the services starting correctly on the server?

What do you have the DNS of the server set to?

Mike Jones (IT Administrator, Author) commented:
Yes.

Seems so, I will check. (EDIT: Yes, only Fax, .net NGEN, and Performance logging are set to auto but not running)

DNS is set to the 2 new DC's.

Skyler Kincaid (Network/Systems Engineer) commented:
If you are not able to figure this out you can always use ADSI Edit and AD to forcefully remove the DC. After that you can just power it down and move on. It really depends on how much time you want to spend trying to gracefully remove it.

The problem with Server 2003 is that it may have been upgraded from Server 2000 and 15 years later, could have all kinds of OS corruptions.

The part of the log that is concerning is the "Failed to load NTDSETUP.DLL" but I couldn't find much about that on Google.

Do you have any printers or files shared from the server anymore?

Mike Jones (IT Administrator, Author) commented:
I know, just hate to force it down considering how clean everything is for the most part.

It only hosts one share, aside from sysvol and netlogon, and that's the database for our accounting software.  Not sure why the last IT guy put it on there.  If I force it down do I need to not have it running anymore?  After 2003 is EOL I planned to cut it off from the internet but keep hosting that share.

I'll check for printers and all though.

Zacharia Kurian (Administrator - Data Center & Network) commented:
Mike,

1. Remove all other functions and features from the server.
2. Make sure that none of your network requires this server. To test so, shutdown the server and check it out.
3. If all is well, do a force removal.
4. Lastly, do an AD Metadata clean up i.e. manually remove all the AD entries related to this server.

Zac.

Will Szymkowski (Senior Solution Architect) commented:
From this domain controller specifically run dcpromo /forceremoval.

Force Removal of DC.
https://technet.microsoft.com/en-ca/library/cc731871%28v=ws.10%29.aspx


Will.

Mike Jones (IT Administrator, Author) commented:
Are these force removal instructions the only option?  Haven't spent much time working on this, would hope to figure it out.  Unless these suggestions are because someone has run into this.  Would much rather demote it gracefully if I can.

Will Szymkowski (Senior Solution Architect) commented:
When you come across issues like this it is likely that there is something wrong with the server itself or possibly the NTDS.dit database. These tools are native to Active Directory and are used in situations like this. We cannot always explain every exact error message as this DC might have had several different changes, migrations, etc. done to it.

These tools are here to help you when you run into these types of things.

You are worse off keeping the DC in your environment while it is not working properly because users will still query it for SRV lookups which will create issues. Using forceremoval is completely fine if you cannot demote this DC gracefully.

Will.

Mike Jones (IT Administrator, Author) commented:
It needs to stay online after the demotion.  Is that possible?

Zacharia Kurian (Administrator - Data Center & Network) commented:
Remove all the AD roles and features along with DNS, reassign another IP if possible and rejoin to the AD as a member server with another name. But you have to make sure to clean the AD metadata.

Zac.

Mike Jones (IT Administrator, Author) commented:
I'll try it. I think the application calls on the computer name in the database. I'll have to reach out to the vendor. In the meantime I'll keep working on it.

Thanks for the input.

Mike Jones (IT Administrator, Author) commented:
So, /forceremoval doesn't work either.  I get the same invalid handle option at the same point.

I need this thing out.  Should I just turn it off for good and then do a metadata cleanup with a forceremoval?  I'm not sure what my options are here.

Will Szymkowski (Senior Solution Architect) commented:
Delete the DC computer account and perform a metadata cleanup. Seize the roles first (if there are any on this DC). If you have to seize the roles, this server cannot come back online and needs to have Windows re-loaded.

Will.