AD Demotion failure


Jean

I am trying to migrate my AD from an old server to a new
one, both running Windows 2000 Server.

I ran DCPROMO on the new server and created a second AD.
This works fine, all records are transferred from the old
to the new (secondary) server and a DNS server is
automatically started, again with records being properly
transferred from the old to the new server.

Then I try running DCPROMO on the old server to demote it,
but the command eventually fails saying it cannot find a
partner to transfer its data to. It complains of a
possible mutual authentication or delegation problem.

Both servers can ping (using either address or name) each
other.

repadmin /showvector executed on the new server lists
both servers. However, when it is executed on the old
server, it only lists the old server.

dcdiag run on the old server passes every test except the
KCCEVENT test which fails.

It feels like the old server does not have permission to
talk to the new one.

Does anyone have an idea what I am missing?
 
Point both DCs at the new DC for DNS. Restart Netlogon on both. On the new
DC trigger the KCC by right-clicking on the NTDS Settings object for the
server object and selecting 'Check Replication Topology'. Alternatively,
delete the existing connection objects.

It is recommended that you transfer the Operations Master roles (a.k.a. FSMO
roles) manually, and not let the dcpromo process do it. Have a look at
these articles for more info. on this:
-- http://www.msresource.net/kb/moveFSMOroles.html


That article also provides links to MS KB articles.

There's also a fudge you can do, but I recommend you try and sort this
first. Then we'll talk about forcefully removing the DC and doing a
metadata clean up if you can't get this to work...

You'll also need to make the new DC a GC:
-- http://www.msresource.net/kb/ConfigureGC.html


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net