Solved

Cannot demote Server 2008 Domain Controller due to not being able to transfer the remaining data in directory partition.

Posted on 2016-07-14
Last Modified: 2016-07-21
Servers Setup:
Name         OS     FSMO Holder
MCLS-DC01    2008
MCLS-DC02    2008
MCLS-DC03    2012   Yes
MCLS-DC04    2012

I am trying to migrate my Domain Controllers from 2008 to 2012 Standard Edition. My goal is to demote DC01 and DC02 so I can remove them from the network. All servers point to DC03 and DC04 for DNS. When I run dcpromo, it errors out with the message in the attached picture called "AD Error". I have followed the instructions from this site to try and resolve this,

http://blog.mpecsinc.ca/2011/03/ad-ds-operation-failed-directory.html

but it does not resolve it because I cannot make the change it refers to. The first issue I have is that the website and all other sites that I have found refer to when the demotion fails and it's for DC=ForestDNSZones. My error is for DC=DomainDNSZones. If you follow the website's instructions, it wants you to open ADSI Edit and connect to DC=DomainDNSZones......etc. When I do this, I am on the FSMO role Master and get the following error in the attached picture called ASDIEdit, and it will not allow me to change the name to DC03, which is the new FSMO Master. The highlighted section is referencing an old server called MCLS-SVR01 that has not been in service for years. I have also attached a picture of a netdom query for FSMO. Thank you in advance.

Question by:KineticNetworking
13 Comments
 
LVL 11

Expert Comment

by:Old User
ID: 41711449
0
 
LVL 6

Expert Comment

by:Ganesamoorthy S
ID: 41711749
Check AD replication and run dcdiag to check for issues before the role move

http://www.windowstricks.in/2010/03/health-check-active-directory.html
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 41714859
I agree with Ganesamoorthy S, it sounds like you might have some AD replication issues going on there. Could you post the output of: repadmin /showrepl >c:\repadmin.txt    and dcdiag /v /e >c:\dcdiag.txt
0
 

Author Comment

by:KineticNetworking
ID: 41717655
Please see attached files for results of repadmin and dcdiag.  Thank you
dcdiag.txt
repadmin.txt
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 41718034
From the dcdiag and repadmin your servers look healthy... Can you post the results of the netdom query fsmo role command from each server?
0
 
LVL 11

Accepted Solution

by:
Old User earned 500 total points
ID: 41718223
Note that when the infrastructure master is assigned to a deleted NTDSA on a DNS application partition, like DomainDNSZones, it may also be missing for the ForestDNSZones partition or vice versa. Microsoft Commercial Support recommends that you verify that the infrastructure master for both the DomainDNSZones and ForestDNSZones partitions is assigned to "live" Windows Server 2003 or later domain controllers hosting the DNS Server role and partition in question.

Use ADSIEDIT.MSC to assign the DN path for the fsMORoleOwner attribute to a live DC that was a direct replication partner of the original FSMO role owner then wait for that change to inbound replicate to the DC being demoted.

OR

Run the script in the Resolution section of MSKB 949257 for the partition in question.

OR

If the DC being demoted is not capable of inbound replicating changes for the directory partition in question, run the "DCPROMO /FORCEREMOVAL" command to forcefully demote the domain controller.
1
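
A read-only way to confirm the condition the accepted answer describes, before and after applying any of its three options (an added example, not part of the original thread and not the script from MSKB 949257). It binds over LDAP to each DC and reads `fsMORoleOwner` on `CN=Infrastructure` in both DNS application partitions; the DC names come from the question's table, the function name is hypothetical, and the `0ADEL:` test relies on the marker Active Directory appends to the RDN of a deleted object.

```powershell
# Added example: report the infrastructure role owner of DomainDnsZones and
# ForestDnsZones as seen by each DC. Read-only; nothing is modified.
param(
    # Assumption: DC names taken from the question; replace with your own.
    [string[]]$DomainControllers = @('MCLS-DC01', 'MCLS-DC02', 'MCLS-DC03', 'MCLS-DC04')
)

function Get-DnsPartitionRoleOwner {   # hypothetical helper name
    param([string]$Server)

    # RootDSE gives the domain and forest-root naming contexts for this DC.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $partitions = @(
        "DC=DomainDnsZones,$($rootDse.Properties['defaultNamingContext'].Value)"
        "DC=ForestDnsZones,$($rootDse.Properties['rootDomainNamingContext'].Value)"
    )

    foreach ($partition in $partitions) {
        $infra = [ADSI]"LDAP://$Server/CN=Infrastructure,$partition"
        $owner = [string]$infra.Properties['fsMORoleOwner'].Value

        [pscustomobject]@{
            Server    = $Server
            Partition = $partition
            # Empty when this DC does not host the partition or the bind failed.
            RoleOwner = $owner
            # A deleted NTDS Settings object carries "\0ADEL:<guid>" in its DN.
            Stale     = $owner.Contains('0ADEL:')
        }
    }
}

# Compare what every DC sees: the DC being demoted must show a live owner
# (Stale = False) for both partitions before dcpromo is retried.
$DomainControllers |
    ForEach-Object { Get-DnsPartitionRoleOwner -Server $_ } |
    Format-List
```

If the FSMO holder shows a live owner but the DC being demoted still shows `Stale : True`, the change has not yet replicated inbound to that DC.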
 

Author Comment

by:KineticNetworking
ID: 41719529
Dave Preston,
     That is the part I can't edit in ADSIEDIT.MSC. No matter what server I am attached to, it says I don't have permission to change it.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41719796
Have you tried either of the other 2 options?
0
 
LVL 11

Expert Comment

by:Old User
ID: 41719824
Hi,

I believe this article describes your issue; if you read it, it appears to agree with the previous post and kb949257.
0
 

Author Comment

by:KineticNetworking
ID: 41723608
Dave Preston,
     I have always been nervous about running scripts because I do not have much background in scripting. I went ahead and did the script in KB article 949257. Did ADSIEDIT and looks like it has resolved that issue. Now the demotion process is giving me the ForestDNS Zone error. See attached picture. I am running into the same issue as before. The DC that it shows has been out of commission for several years and I cannot change what it points to. Can I run the script again but change it from

cscript fixfsmo.vbs DC=DomainDnsZones,DC=contoso,DC=com

to

cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com
ForestError.jpg
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723734
Hi, the article does say that you may get either or both errors. Yes, run the script again using

cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com

To update the forestDnsZones
0
 

Author Closing Comment

by:KineticNetworking
ID: 41723790
Dcpromo is now running
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723812
Glad you got it sorted
0
