Can't demote DC with dcpromo


Rob Miles

I suspect that a lot of my Active Directory and network
problems stem from one of my DCs. Among other things,
when I have the strangest network problems, rebooting that
particular DC will often clear them up, at least for a
little while. To test this, I want to demote it from DC
to member server, and I may wind up taking it completely
down and rebuilding it from scratch.

However, when I run dcpromo it goes through its steps
then gives me: The operation failed because: The
Directory Service failed to replicate off changes made
locally. "The DSA operation is unable to proceed because
of a DNS lookup failure."

I'm also getting the errors referenced in KB Article
285923, "Error Messages Every 5 Minutes Report Events
1000, 1001, and 13508, Citing Replication Trouble". I've
followed the instructions listed in that article, but it
doesn't seem to be getting me anywhere.

Mostly, I'd just like to demote this DC and see if that
doesn't clear up the other problems I'm having. Should I
just disconnect that server from the network and run
dcpromo? Will that work, and what will happen when I
reconnect it (assuming it works)? One issue I have is that
this server is also my Symantec Anti-Virus server, so I
can't keep it off-line indefinitely.

Thanks,

Rob Miles
http://www.miles-pc.com
 
You should troubleshoot DNS first and make sure there are SRV records for
the DC in question. You always have 332199 as an option as well.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of
Active
http://support.microsoft.com/?id=332199

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
 
First, check your DNS configuration.
If you disconnect it from the network and re-install the OS you'll need to
do a lot of cleaning up in your DNS and AD servers.
Follow the instructions in the below KB articles to clean up your
environment before installing the server again.

Q216498 - How to remove data in the AD after an unsuccessful DC demotion:
http://support.microsoft.com/support/kb/articles/Q216/4/98.ASP

Deleting Objects from Active Directory Using Ldp.exe:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244344

Domain Controller Server Object Not Removed After Demotion:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216364

Error Deleting a Domain Controller Account in Active Directory Users and
Computers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q247393

Regards,
/Jimmy
 
You need to try to fix the demotion problem. Run dcdiag on that DC and another
DC and see if any errors show up. Make sure that replication is working to
begin with. You may need to troubleshoot that first before demotion. If
nothing seems to work you can dcpromo /forceremoval the DC and then do a
metabase cleanup of the AD on the other DCs. To do the forceremoval you
must have SP4 or you can get the hotfix that includes this function. Then
do a metabase cleanup with ntdsutil.exe. Here is a KB article on how to do
this.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of
Active
http://support.microsoft.com/?id=332199

HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

HTH

Paul McGuire
 
Hi Shawn, thanks for your reply.

There is a DNS issue: I cannot ping the problem DC from
the main DC by its FQDN. I can ping its netbios name
(backup_domain) but not backup_domain.<domain>.com. I've
checked the DNS records on the main DC and every entry for
the problem DC was "backup_domain.<domain>.", whereas the
other DCs were listed as "<otherDC>.<domain>.com." (note
the dot at the end was listed for all of them.) I went
through and manually corrected the bad DC entries and have
since rebooted both the main and problem DCs.

Of course, it didn't fix anything, but it made me feel
better. Does the above give you anything additional to
work with? Two DCs, including the problem one, are on SP3
and I'm in the process of upgrading the problem one now.
I'll have to wait until this weekend to upgrade the other
one, but it's been doing fine so I'm not sure that will
fix anything. It can't hurt either I suppose.

Rob
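
The check Shawn suggests (SRV records present for the DC) combined with the symptom Rob describes (entries missing part of the domain suffix), as an added example that is not from any poster in this thread. It assumes the DNS records are available as zone-file style text; `example.com`, `maindc` and `backupdc` are constructed placeholder names.

```python
# Constructed sample records in zone-file style; all names are placeholders.
SAMPLE_RECORDS = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 maindc.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 backupdc.example.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 maindc.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 backupdc.example.
"""


def parse_srv(text):
    """Return (owner, port, target) tuples for every SRV line in the text."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Field order: owner ttl class type priority weight port target
        if len(fields) == 8 and fields[3].upper() == "SRV":
            records.append((fields[0].lower(), int(fields[6]), fields[7].lower()))
    return records


def check_dc_records(text, domain, expected_dcs):
    """Report SRV targets outside the domain and DCs with no valid LDAP SRV record."""
    suffix = "." + domain.lower().rstrip(".") + "."
    ldap_owner = "_ldap._tcp.dc._msdcs" + suffix
    bad_targets, registered = [], set()
    for owner, port, target in parse_srv(text):
        if not target.endswith(suffix):
            # Target FQDN is truncated or points outside the AD domain.
            bad_targets.append((owner, target))
        elif owner == ldap_owner:
            registered.add(target[:-len(suffix)])
    missing = sorted(set(h.lower() for h in expected_dcs) - registered)
    return {"bad_targets": bad_targets, "missing_ldap_srv": missing}


if __name__ == "__main__":
    report = check_dc_records(SAMPLE_RECORDS, "example.com", ["maindc", "backupdc"])
    for owner, target in report["bad_targets"]:
        print("target not under domain:", owner, "->", target)
    for host in report["missing_ldap_srv"]:
        print("no usable _ldap SRV record for DC:", host)
```
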
 
Thanks for the reply, Paul.

I've been working on this issue off and on for about...
well, ever since I upgraded the problem machine from a
WinNT 4 BDC to Win2K and made it a DC. In fact, it was
causing problems on my mixed-mode W2K Domain as a BDC,
which is why I upgraded it.

Anyway, if I can't resolve the issue any other way, I'll
definitely follow the documents you listed. Thanks,

Rob
 