
Need help removing/decommissioning 2008 R2 DC from site with 2012 R2 DCs.

I have 4 domain controllers, 1 x 2008 R2 and 3 x 2012 R2; the 2008 R2 domain controller is the original DC. I added the other 3 in order to then demote and send to pasture the 2008 DC. My problem is, when I go to dcpromo the 2008 DC, it's saying that there are no other AD DCs in the domain, and if I remove this one, the domain would no longer exist (paraphrasing). All DCs are replicating to each other. All are global catalog except the 2008 DC. Another funny thing is, when I do Get-ADDomainController | ft Name,isGlobalcatalog on any server, they ALL ONLY show the 2008 DC. If I make the 2008 DC NOT be a GC server, and I run the command on any of the other DCs, they still bring the 2008 DC up, just saying 'False' as a GC. If I query the site, all DCs will show up as GCs 'TRUE' except the 2008 as False.

Any help would be much appreciated. I really want to decommission the 2008 R2 DC.
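An added PowerShell check for the symptoms in the question (example code, not from the thread). With no parameters, Get-ADDomainController returns only the DC the current session is bound to, which is why every server appeared to list the same single DC; -Filter * enumerates all of them. It assumes the RSAT ActiveDirectory module is loaded on one DC and that the other DCs are reachable over the network for nltest and Test-Path.

```powershell
# Added example (not the thread author's code). Assumes the ActiveDirectory module
# on a DC in the domain; DC names come from whatever the directory returns.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# -Filter * enumerates every DC. Without it the cmdlet returns only the DC this
# session is bound to, so "ft Name,IsGlobalCatalog" always shows one server.
$dcs = Get-ADDomainController -Filter * | Sort-Object Name

foreach ($dc in $dcs) {
    # Ask each DC directly (-Server) how it sees itself; a disagreement between
    # IsGC and SelfReportsGC points at replication lag rather than configuration.
    $self = Get-ADDomainController -Identity $dc.HostName -Server $dc.HostName
    [pscustomobject]@{
        Name          = $dc.Name
        IsGC          = $dc.IsGlobalCatalog
        SelfReportsGC = $self.IsGlobalCatalog
        FsmoRoles     = ($dc.OperationMasterRoles -join ',')
        # dcdiag's failing NetLogons test is just this share being unreachable.
        NetlogonShare = Test-Path "\\$($dc.HostName)\netlogon"
        SysvolShare   = Test-Path "\\$($dc.HostName)\sysvol"
    }
}

# dcdiag's LocatorCheck warnings come from DsGetDcName; nltest drives the same
# locator, so the PDC and time-server lookups can be retried on their own.
nltest /dsgetdc:$domain /pdc
nltest /dsgetdc:$domain /timeserv
```

A DC that every other DC lists as the FSMO holder but that fails the NetlogonShare column is the pattern the later dcdiag output in this thread shows.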

Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
Run DCDiag and check it in there to ensure they are promoted correctly.
CERTIFIED EXPERT

Commented:
Have you, or someone else, ever attempted to migrate this prior to this incident? Can you check where the FSMO roles are residing by running "netdom query fsmo" in PowerShell? Did you successfully run the DCPromo promotion of the AD on the Server 2012 DCs, and is replication successfully taking place?
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
The FSMO roles were successfully transferred to one of the 2012 DCs. I was able to successfully promote all the 2012 DCs, and replication IS taking place. I'm about to run dcdiag on the 2008 DC now.
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
Here's the dcdiag from one of the 2012 DCs:
2012-dcdiag.txt
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
Here's the dcdiag from the 2008 DC:
2008-dcdiag.txt
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
Well

Evidently, you have a number of issues pertaining to FRS and DNS.

      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\GEC-DC1\netlogon)
         [GEC-DC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... GEC-DC1 failed test NetLogons

Resolve those first and then you'll be able to do the rest. Do you have stagnant domain controllers in there?
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
Running enterprise tests on : gecusvi.com
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.

Another pretty critical issue there.

Clean your house before you do ANYTHING else with your domain.
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
GEC-DC1 is the PDC role DC. When I run netdom query fsmo on any of the DCs, they all show gec-dc1 as the one hosting those roles.

No, there are no stagnant domain controllers.

I'll try to work on the netlogon issue now.
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
Right, and is that server actually up, or?
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
If it's up, move the roles off that box onto your 2012 boxes first.
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
The roles are all currently on the 2012 DC box now.
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
How come your PDC Emulator is down?
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
I checked again, and gec-dc1 has the PDC role, and in the dcdiag under enterprise tests, "the server holding the PDC role is down." is there. I don't know how this could be.
Alex (A lack of information provides a lack of a decent solution.)
CERTIFIED EXPERT

Commented:
Could be a firewall, network or DNS issue.

Check DNS and make sure your records are correct.
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
gec-dc1 (2012 DC) is one of the DNS servers. It is also the holder of all the FSMO roles.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Before doing anything, do you see event ID 29223 on the new DC?
CERTIFIED EXPERT

Commented:
Dear Zakee,

I believe your solution is in the link below:

https://www.absoluteuc.org/server_is_not_responding_or_is_not_considered_suitable

Let me know if you have any further issue.

Thank you
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
Gurvinder, could you walk me through where to make those changes using ADSI Edit? I'm unable to follow the steps due to not recognizing where to go for step 1 once I've opened ADSI Edit:

In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents):

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE
msDFSR-options=1
CERTIFIED EXPERT

Commented:
This is fairly simple. You open ADSI Edit and then right click on the "ADSI Edit" and click on connect. After that, you shall select "Default Naming Context" ensuring the second radio button is selected under "Connection Point" and "Default" under "Computer".

After that, you shall browse to the entry in reverse order as indicated above and make changes as required. In your case, you shall look for:

DC=<Domain>, OU=Domain Controllers, CN=<the server name> if you understand what I mean ...
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
I tried to follow the ADSI Edit, but I don't see the same path that it's saying to follow. I get to DC=<Domain>, OU=Domain Controllers, CN=<the server name>, CN=NTFRS Subscriptions, CN=Domain System Volume (SYSVOL share)

So I'm kinda stuck in trying your solution Gurvinder.

Question, is there a way I can bypass the 2008 from everything and then take it offline? I would like to remove it totally, but it seems that the 2012 DCs are dependent on the 2008 DC.
CERTIFIED EXPERT

Commented:
No, there isn't. If you would like to move the "SYSVOL" and "NETLOGON" to Server 2012, you shall have to follow the steps indicated in the link provided above.

Let me share another link below which provides similar instructions but in more detail:

http://msexchangeguru.com/2017/07/03/dfsrdiag-is-new-gold/

Waiting to hear from you soon,
Zakee Abdurrasheed, Systems Administrator

Author

Commented:
I tried this on the 2008 DC, and it doesn't have this path either. It stops at CN=server name. When I click on it for expansion, there's nothing there but CN=RID Set.
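An added PowerShell check (example code, not from the thread or the linked articles) for the path confusion in the last few posts. The CN=DFSR-LocalSettings subtree that the linked procedure edits is created when SYSVOL replication is set up on DFSR (a domain built on DFSR or migrated with dfsrmig); a DC that still replicates SYSVOL with FRS carries the CN=NTFRS Subscriptions object the author found instead. The script reports, per DC, which of the two objects exists and the current DFSR attribute values, without changing anything. It assumes the ActiveDirectory module on a DC; the helper function name is mine.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module on a DC;
# Get-AdObjectIfExists is a helper written for this example. DN layouts are the
# two quoted in the thread.
Import-Module ActiveDirectory

function Get-AdObjectIfExists {
    # Return the object at $Dn, or $null when that DN does not exist.
    param([string]$Dn, [string[]]$Properties = @('name'))
    try { Get-ADObject -Identity $Dn -Properties $Properties -ErrorAction Stop }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $null }
}

# Domain-wide SYSVOL migration state: 0 Start (FRS), 1 Prepared, 2 Redirected,
# 3 Eliminated (DFSR only). A domain that never ran dfsrmig reports state 0.
dfsrmig /getglobalstate

$domainDn = (Get-ADDomain).DistinguishedName

foreach ($dc in Get-ADDomainController -Filter * | Sort-Object Name) {
    $dcDn = "CN=$($dc.Name),OU=Domain Controllers,$domainDn"

    # Present while FRS replicates SYSVOL (the path the author found).
    $frs = Get-AdObjectIfExists "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$dcDn"
    # The object the linked DFSR procedure edits; only present once SYSVOL is on DFSR.
    $dfsr = Get-AdObjectIfExists "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn" -Properties 'msDFSR-Enabled', 'msDFSR-Options'

    $enabled = if ($dfsr) { $dfsr.'msDFSR-Enabled' } else { 'n/a' }
    $options = if ($dfsr) { $dfsr.'msDFSR-Options' } else { 'n/a' }

    [pscustomobject]@{
        DC               = $dc.Name
        FrsSubscription  = [bool]$frs
        DfsrSubscription = [bool]$dfsr
        'msDFSR-Enabled' = $enabled
        'msDFSR-Options' = $options
    }
}
```

If every DC shows FrsSubscription True and DfsrSubscription False, the DFSR authoritative-restore steps from the linked article do not apply to this domain as it stands, which matches what the author saw in ADSI Edit.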
Systems Administrator
Commented:
I got everything working. I copied the Sysvol folder from the 2008 DC to the 2012 DC. Then I checked replication and it was good. I then checked the dcdiag on the 2012 DC and it ran without any errors. I then tried dcpromo on the 2008 DC and was successful in demoting it. Everything is good!

Thanks for your help guys!
