Unable to demote a Windows 2008 DC, why?

This is using MS Windows server 2008 based AD domain. There are 2 DC, and the first one is the primary DNS server for all the member servers and client PCs. However, found the the 2nd DC (DC02) wasn't replicate with the 1st one, so I decided to demote it to be a member server.

I ran the DCPROMO, and when the process about to start, an error message occurred - Operation failed because: Managing the network session with DC01 failed. "Logon failure: the target account name is incorrect". In DNS manager, the DC01 DNS is working, but attempt to open DC02 DNS shows "no access".

An application event was logged as follows:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          24/06/2015 4:35:17 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC02.abc.com
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cdifs2$. The target name used was ldap/CDI-cdifs.abc.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ABC.COM) is different from the client domain (ABC.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Appreciate for any suggestion and resolution.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
In a situation like this where DC2 is not a FSMO role holder try using

dcpromo /forceremoval

Open in new window



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MichaelBalackAuthor Commented:
Hi Will,

Thanks for your prompt suggestion. Should I conduct a "metadata cleanup" using ntdsutil after the forceremoval?
Will SzymkowskiSenior Solution ArchitectCommented:
Yes you should at least check to make sure that there are no other remnants for metadata and also checking your DNS SRV records in the _msdcs.domain.com folder in the DNS console.

MichaelBalackAuthor Commented:
Hi Will,

Okay, I will do it tomorrow and update you about the results.
MichaelBalackAuthor Commented:
Thanks for Will in pointing out using "dcpromo /forceremoval", and DC was eventually demoted successfully. Of course, after that I need to make sure that the demoted DC object/metadata, needs to be removed by using ntdsutil > metadata cleanup; I also used adsitutil to connect to configuration NC to make sure the no related object existed.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.