Server 2003 demotion issues

Hi Everyone,

Having trouble demoting one of my servers. This domain originally had 2 Server 2003 DCs. Last weekend I successfully demoted one with relatively no issues. I brought up 2 new Server 2012 R2 DCs across 2 sites to replace these. I'm on this last one and when I run dcpromo I get to the last page where it actually tries to demote the server and immediately get a "The operation failed, invalid handle" error. The first time it ran for a few minutes, but on subsequent times it immediately fails.

I inherited this domain and I know this server used to run Exchange 2003.  All mailboxes and public folders have been moved to a new Exchange 2010 Server.  All Exchange services are disabled on this machine.  It was uninstalled, albeit with some issues, and the system manager is still on there.  However, it doesn't handle any mail functions.

The error in dcpromo.log.

04/26 21:34:08 [ERROR] Failed to load NTDSETUP.DLL
04/26 21:34:08 [ERROR] Internal error trying to initialize operation handle (126).
04/26 21:34:08 [INFO] Request for demotion of domain controller
04/26 21:34:08 [INFO] DnsDomainName  (NULL)
04/26 21:34:08 [INFO] 	ServerRole  1
04/26 21:34:08 [INFO] 	Account (NULL) 	Options  128
04/26 21:34:08 [INFO] 	LastDcInDomain  FALSE
04/26 21:34:08 [INFO] 	Forced Demote  FALSE
04/26 21:34:08 [INFO] Start the worker task
04/26 21:34:08 [ERROR] Thread 2011571319 unsuccessfully started: 6
04/26 21:34:08 [INFO] Request for demotion returning 6

Also note that I didn't put the null in for domain name or account. Not sure if that's intended or it can't be read?

It passes all dcdiag tests when running in verbose mode.  It is replicating and performing all functions properly as far as I can tell.  Since it immediately happens it seems like an issue with the local system and not AD related.

Any help would be great.
Mike Jones, IT Administrator, Asked:
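
The numeric codes in the dcpromo.log excerpt above can be read as Win32 system error codes: 126 lines up with the failed load of NTDSETUP.DLL and 6 with the "invalid handle" dialog. The following is an added example, not part of the original thread; the function name `triage` and the two-entry lookup table are assumptions made for illustration, and the sample input is the excerpt from the question.

```python
import re

# Win32 error codes that appear in this log; names and texts as in winerror.h.
WIN32_ERRORS = {
    6: ("ERROR_INVALID_HANDLE", "The handle is invalid."),
    126: ("ERROR_MOD_NOT_FOUND", "The specified module could not be found."),
}

# Constructed sample: lines taken from the dcpromo.log excerpt in the question.
SAMPLE_LOG = """\
04/26 21:34:08 [ERROR] Failed to load NTDSETUP.DLL
04/26 21:34:08 [ERROR] Internal error trying to initialize operation handle (126).
04/26 21:34:08 [INFO] Request for demotion of domain controller
04/26 21:34:08 [INFO] Start the worker task
04/26 21:34:08 [ERROR] Thread 2011571319 unsuccessfully started: 6
04/26 21:34:08 [INFO] Request for demotion returning 6
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
# A status code is either "(126)" at the end of the message or a bare
# number following "started:" / "returning".
CODE_RE = re.compile(r"\((\d+)\)\.?$|(?:started:|returning)\s+(\d+)$")
DLL_RE = re.compile(r"Failed to load (\S+\.DLL)", re.IGNORECASE)

def triage(log_text):
    """Return (failed_modules, decoded_codes) for a dcpromo.log excerpt."""
    failed_modules, decoded = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or non-log lines
        _, level, msg = m.groups()
        dll = DLL_RE.search(msg)
        if dll:
            failed_modules.append(dll.group(1))
        code = CODE_RE.search(msg)
        if code:
            num = int(code.group(1) or code.group(2))
            name, text = WIN32_ERRORS.get(num, ("UNKNOWN", "not in table"))
            decoded.append((level, num, name, text))
    return failed_modules, decoded

if __name__ == "__main__":
    modules, codes = triage(SAMPLE_LOG)
    print("Modules that failed to load:", modules)
    for level, num, name, text in codes:
        print(f"[{level}] {num} = {name}: {text}")
```

Read this way, the invalid handle (6) is a downstream effect: the operation handle was never initialized because the setup DLL, or something it depends on, could not be loaded (126).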

Skyler Kincaid, Network/Systems Engineer, Commented:
Have you transferred all the FSMO roles?

Are all the services starting correctly on the server?

What do you have the DNS of the server set to?
0
Mike Jones, IT Administrator, Author Commented:
Yes.

Seems so, I will check. (EDIT: Yes, only Fax, .net NGEN, and Performance logging are set to auto but not running)

DNS  is set to the 2 new DC's.
0
Skyler Kincaid, Network/Systems Engineer, Commented:
If you are not able to figure this out you can always use ADSI Edit and AD to forcefully remove the DC. After that you can just power it down and move on. It really depends on how much time you want to spend trying to gracefully remove it.

The problem with Server 2003 is that it may have been upgraded from Server 2000 and 15 years later, could have all kinds of OS corruptions.

The part of the log that is concerning is the "Failed to load NTDSETUP.DLL" but I couldn't find much about that on Google.

Do you have any printers or files shared from the server anymore?
0
Mike Jones, IT Administrator, Author Commented:
I know, just hate to force it down considering how clean everything is for the most part.

It only hosts one share, aside from sysvol and netlogon, and that's the database for our accounting software.  Not sure why the last IT guy put it on there.  If I force it down do I need to not have it running anymore?  After 2003 is EOL I planned to cut it off from the internet but keep hosting that share.

I'll check for printers and all though.
0
Zacharia Kurian, Administrator - Data Center & Network, Commented:
Mike,

1. Remove all other functions and features from the server.
2. Make sure that none of your network requires this server. To test so, shutdown the server and check it out.
3. If all is well, do a force removal.
4. Lastly, do an AD Metadata clean up i.e. manually remove all the AD entries related to this server.

Zac.
0
Will Szymkowski, Senior Solution Architect, Commented:
From this domain controller specifically run dcpromo /forceremoval.

Force Removal of DC.
https://technet.microsoft.com/en-ca/library/cc731871%28v=ws.10%29.aspx


Will.
0
Mike Jones, IT Administrator, Author Commented:
Are these force removal instructions the only option? Haven't spent much time working on this, would hope to figure it out. Unless these suggestions are because someone has run into this. Would much rather demote it gracefully if I can.
0
Will Szymkowski, Senior Solution Architect, Commented:
When you come across issues like this it is likely that there is something wrong with the server itself or possibly the NTDS.dit database. These tools are native to Active Directory and are used in situations like this. We cannot always explain every exact error message as this DC might have had several different changes, migrations, etc. done to it.

These tools are here to help you when you run into these types of things.

You are worse off keeping the DC in your environment while it is not working properly because users will still query it for SRV lookups which will create issues. Using forceremoval is completely fine if you cannot demote this DC gracefully.

Will.
0
Mike Jones, IT Administrator, Author Commented:
It needs to stay online after the demotion.  Is that possible?
0
Zacharia Kurian, Administrator - Data Center & Network, Commented:
Remove all the AD roles and features along with DNS, reassign another IP if possible and rejoin to the AD as a member server with another name. But you have to make sure to clean the AD metadata.

Zac.
0
Mike Jones, IT Administrator, Author Commented:
I'll try it. I think the application calls on the computer name in the database. I'll have to reach out to the vendor. In the meantime I'll keep working on it.

Thanks for the input.
0
Mike Jones, IT Administrator, Author Commented:
So, /forceremoval doesn't work either.  I get the same invalid handle option at the same point.

I need this thing out.  Should I just turn it off for good and then do a metadata cleanup with a forceremoval?  I'm not sure what my options are here.
0
Will Szymkowski, Senior Solution Architect, Commented:
Delete the DC computer account and perform a metadata cleanup. Seize the roles first (if there are any on this DC). If you have to seize the roles, this server cannot come back online and needs to have Windows re-loaded.

Will.
0
