Asked by Lance Yoder

SBS 2011 decommissioning/demotion DCPromo error

I'm trying to migrate from SBS 2011 Essentials to Server 2019. I have installed the AD and DNS roles on the new server, promoted it to a DC, configured DNS, and moved the FSMO roles, but when I try to decommission the SBS 2011 using DCPromo (or DCPromo /ForceRemoval), I get the attached error message:
"Failed to detect if Active Directory Domain Services binaries were installed. The error was: Access is denied."

I have tried both our normal domain admin account, as well as the default domain Administrator account with the same result. Both accounts belong to the Domain Admin/Enterprise Admin groups. Our initial research also indicated the account needed to have "Enable computer and user accounts to be trusted for delegation" permission in GPO - I do believe both accounts have this permission.

Everything else I have researched points to a potential issue with DNS and/or DFS replication. DFS replication tests seem to pass successfully and indicate no errors. The DNS events do indicate potential DNS/AD replication errors, but that's kind of where things go over my head and I'm not sure what else to look for or try.

I have attached the output from DCDiag /v command.

Any advice would be appreciated!
Attachments: DCPromoError.png, dcdiag_v.txt
Lee W, MVP

Lance Yoder (ASKER)

That article says "Server 2008 and later use DFS," and SBS 2011 is based on Server 2008 R2, so it should already be using DFS and shouldn't need to be migrated.
To clarify - Our domain was originally built on this SBS 2011 server, so we never migrated from older versions of Windows Server and SBS 2011 is already using DFS.
Great... so you've checked and you are using DFSR and aren't relying on implied information, right? Every domain I've worked on has needed to be migrated whatever it started as. But great if you've confirmed yours is already using DFSR.
I ran the dfsrmig /getglobalstate command on both servers, and the output on both is:
Current DFSR global state: 'Eliminated'
Succeeded.

So I believe that means it is already running DFSR.
Please check this link: http://www.checkyourlogs.net/?p=62753

Maybe the "protect from accidental deletion" is checked.
We don't even get that far in the DCPromo wizard - the error message in the original post comes up as soon as you run DCPromo (the wizard doesn't even come up to start the process).

However - The "Protect object from accidental deletion" checkbox is NOT checked for either the SBS 2011 computer account in ADUC or the Object tab of the NTDS Settings Properties of the server in ADSS.

There was nothing to change, so the issue persists.
The dcdiag says that they do not see each other or the replication is read-only...
Try giving them each other as second DNS. Also check the replication entry in the directory and services.
Eventlog is also a good start.
BTW, if everything fails, you could delete the old server in Active Directory. It will ask you if you are sure and will tell you that it removes all the AD-related objects as a DC.
The primary DNS of each DC is the opposite DC's IP address.
The secondary DNS on each DC is its own network IP address (not loopback).

Since we originally posted the DCDiag results, we have rebooted both DCs, and both DCs are reporting:
Event 1394 "All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted."

I don't see anything else standing out in the Directory Service event logs on either server that would indicate further AD replication errors.
Bump - still needing help with this. Any advice would be appreciated!