
Cannot demote Server 2008 Domain Controller due to not being able to transfer the remaining data in directory partition.

Posted on 2016-07-14
Last Modified: 2016-07-21
Servers Setup:
Name         OS      FSMO Holder
MCLS-DC01    2008
MCLS-DC02    2008
MCLS-DC03    2012    Yes
MCLS-DC04    2012

I am trying to migrate my Domain Controllers from 2008 to 2012 Standard Edition. My goal is to demote DC01 and DC02 so I can remove them from the network. All servers point to DC03 and DC04 for DNS. When I run dcpromo, it errors out with the message in the attached picture called "AD Error". I have followed the instructions from this site to try and resolve this,

http://blog.mpecsinc.ca/2011/03/ad-ds-operation-failed-directory.html

but it does not resolve it because I cannot make the change it refers to. The first issue I have is that the website and all other sites that I have found refer to when the demotion fails and it is for DC=ForestDNSZones. My error is for DC=DomainDNSZones. If you follow the website's instructions, it wants you to open ADSI Edit and connect to DC=DomainDNSZones......etc. When I do this, I am on the FSMO role master and get the error in the attached picture called ASDIEdit, and it will not allow me to change the name to DC03, which is the new FSMO master. The highlighted section is referencing an old server called MCLS-SVR01 that has not been in service for years. I have also attached a picture of a netdom query for FSMO. Thank you in advance.

Question by:KineticNetworking
LVL 11

Expert Comment

by:Old User
ID: 41711449
0
 
LVL 6

Expert Comment

by:Ganesamoorthy S
ID: 41711749
Check AD replication and run dcdiag to check for issues before the role move

http://www.windowstricks.in/2010/03/health-check-active-directory.html
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 41714859
I agree with Ganesamoorthy S, it sounds like you might have some AD replication issues going on there. Could you post the output of: repadmin /showrepl >c:\repadmin.txt    and dcdiag /v /e >c:\dcdiag.txt
0
 

Author Comment

by:KineticNetworking
ID: 41717655
Please see attached files for results of repadmin and dcdiag.  Thank you
dcdiag.txt
repadmin.txt
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 41718034
From the dcdiag and repadmin your servers look healthy... Can you post the results of the netdom query fsmo role command from each server?
0
 
LVL 11

Accepted Solution

by:
Old User earned 2000 total points
ID: 41718223
Note that when the infrastructure master is assigned to a deleted NTDSA on a DNS application partition, like DomainDNSZones, it may also be missing for ForestDNSZones partition or vice versa. Microsoft Commercial Support recommends that you verify that the for both the DomainDNSZones and ForestDNSZones partitions assigned to "live" Windows Server 2003 or later domain controllers hosting the DNS Server role and partition in question.

Use ADSIEDIT.MSC to assign the DN path for the fsMORoleOwner attribute to a live DC that was a direct replication partner of the original FSMO role owner then wait for that change to inbound replicate to the DC being demoted.

OR

Run the script in the Resolution section of MSKB 949257 for the partition in question.

OR

If the DC being demoted is not capable of inbound replicating changes for the directory partition in question, run the "DCPROMO /FORCEREMOVAL" command to forcefully demote the domain controller.
1
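A read-only way to carry out the verification described in the accepted solution, for both DNS application partitions at once. This is an added example, not code from the thread or from MSKB 949257; it assumes the RSAT ActiveDirectory module, and the function names and the sample GUID are hypothetical.

```powershell
# Added example: report who holds the Infrastructure role on DomainDnsZones and
# ForestDnsZones, and flag an owner DN that points at a deleted NTDS Settings object.
# Nothing here writes to the directory.

function Test-RoleOwnerDn {
    param([string]$OwnerDn)
    if ([string]::IsNullOrEmpty($OwnerDn)) { return 'Missing' }
    # A deleted object's RDN is mangled to "<name>\0ADEL:<objectGUID>".
    if ($OwnerDn -match '\\0ADEL:') { return 'Deleted' }
    return 'Live'
}

function Get-DnsPartitionRoleOwner {
    param([Parameter(Mandatory)][string]$Server)   # a DC hosting the DNS partitions
    Import-Module ActiveDirectory
    $root = Get-ADRootDSE -Server $Server
    $partitions = @(
        "DC=DomainDnsZones,$($root.defaultNamingContext)"
        "DC=ForestDnsZones,$($root.rootDomainNamingContext)"
    )
    foreach ($p in $partitions) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$p" -Server $Server `
                              -Properties fSMORoleOwner
        [pscustomobject]@{
            Partition = $p
            Owner     = $infra.fSMORoleOwner
            Status    = Test-RoleOwnerDn -OwnerDn $infra.fSMORoleOwner
        }
    }
}

# Offline demonstration on constructed DNs (the GUID is a placeholder).
$samples = @(
    'CN=NTDS Settings,CN=MCLS-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
    'CN=NTDS Settings\0ADEL:00000000-0000-0000-0000-000000000000,CN=MCLS-SVR01\0ADEL:00000000-0000-0000-0000-000000000000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
    ''
)
foreach ($dn in $samples) {
    '{0,-8} {1}' -f (Test-RoleOwnerDn -OwnerDn $dn), $dn
}

# Against a live directory, run on or against each DC and compare the results:
#   Get-DnsPartitionRoleOwner -Server MCLS-DC03 | Format-List
```

Running the live query against the DC being demoted as well as the new role holder shows whether a corrected owner has replicated inbound before dcpromo is retried.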
 

Author Comment

by:KineticNetworking
ID: 41719529
Dave Preston,
     That is the part I can't edit in ADSIEDIT.MSC. No matter what server I am attached to, it says I don't have permission to change it.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41719796
Have you tried either of the other 2 options?
0
 
LVL 11

Expert Comment

by:Old User
ID: 41719824
Hi,

I believe this article describes your issue; if you read it, it appears to agree with the previous post and kb949257.
0
 

Author Comment

by:KineticNetworking
ID: 41723608
Dave Preston,
     I have always been nervous about running scripts because I do not have much background in scripting. I went ahead and did the script in KB article 949257. Did ADSIEDIT and it looks like it has resolved that issue. Now the demotion process is giving me the ForestDNS Zone error. See attached picture. I am running into the same issue as before: the DC that it shows has been out of commission for several years and I cannot change what it points to. Can I run the script again but change it from

cscript fixfsmo.vbs DC=DomainDnsZones,DC=contoso,DC=com

to

cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com
ForestError.jpg
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723734
Hi, the article does say that you may get either or both errors. Yes, run the script again using

cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com

to update the ForestDnsZones
0
 

Author Closing Comment

by:KineticNetworking
ID: 41723790
Dcpromo is now running
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723812
Glad you got it sorted
0
