Demote Windows Server 2000 Domain Controller

CHallisy

I replaced a server with a new server. Consequently, I now have two servers
that are configured exactly the same. Now, they are both a domain controller,
with the same name, on the same domain.

By reading here: http://technet.microsoft.com/en-us/library/cc740017.aspx

I found out how to demote the old server from Domain Controller. However,
when I run through the dcpromo, I get this error message:

"The operation failed because:

A domain controller could not be contacted for the domain xxxxxxx.local that
contained an account for this computer.

Make the computer a member of a workgroup then rejoin the domain before
retrying the promotion.

"The specified domain does not exist or could not be contacted""



Unfortunately, I cannot rename the computer because it is a domain
controller. Also, I cannot demote it from a domain controller because the
new server is using the same name on the domain.

Is this just a ridiculous catch 22, or is there a way around this?
 
Looks like I may have solved it. While "dcpromo" has a problem with the name
resolution, using "dcpromo /forceremoval" bypassed that check and allowed me
to demote the domain controller.

http://support.microsoft.com/kb/332199
 
Hello CHallisy,

It is NOT possible to have two machines with the same name in one domain,
especially domain controllers. I assume that you built a NEW domain.

So please describe exactly how you built the new server and DO NOT DO ANYTHING
WITH THE OLD DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Hello CHallisy,

If I understood you correctly before:

Now you have kicked out the domain; even if the other DC has the same server name
and domain name, it is a NEW domain where all user accounts, security groups,
Group Policies etc. have to be re-created. Additionally, you have to re-join
the workstations to the domain, and all users are not able to log on anymore
with their accounts.

Best regards

Meinolf Weber
 
No, this is not a catch-22. It's the way AD and DCs work.

And by creating the same DNS and NetBIOS domain name on the same network,
you created a duplicate only in name, but not with AD. As Meinolf said, you
will need to disjoin your current machines, and rejoin them to the new
domain. This is because when a domain/forest is created, it creates a new
SID and GUID identifying it, regardless of the domain name. However,
because of the same name, NetBIOS services finding a duplicate NetBIOS
name will cause the server service to stop, causing other issues.
Therefore, creating the same name will cause additional headaches.

Curious, what was the reason you had to go through this? Was there a problem
with the DC?

Also, can you post an unedited ipconfig /all from both DCs, please?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(e-mail address removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
 
Originally, there were 2 servers, let's call them S1 and S2. S1 was the DC.
The two servers were moved onto a third physical server, using VMWare, both
are running on the same machine now.

So, S1 and S2 exist, in their original form, on a new machine. The original
S1 and S2 lay unplugged and dormant.

I brought the original S1 online. Consequently, I now had 2 servers (both
S1) on the network.


Did that make sense?
 
By the way, when I dcpromo /forceremoval the old S1 was not on the network,
but rather stand alone.
 
Hello CHallisy,

This doesn't make sense and is not supported!!!

This will result in USN rollback. NEVER have 2 same DCs, like VM and physical,
running together.

USN rollback:
http://support.microsoft.com/kb/875495

Remove the physical machine from the network immediately, because the VMs
are more up to date. Then check with the above article whether you have the USN
rollback.

Best regards

Meinolf Weber
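The check Meinolf's post refers to, as an added example that is not part of the thread: a PowerShell script that looks for the USN rollback indicators KB 875495 describes on the DC you suspect (the VM copy of S1 here). The domain DN "dc=xxxxxxx,dc=local" is a placeholder taken from the redacted name in the original post; the cmdlets used are modern Windows ones, so on an actual Windows 2000 DC you would read the same registry value with regedit and the same events in the Directory Service event log.

```powershell
# Added example, not from the thread. Run elevated on the DC in question.
# A DC that has been restored from a snapshot or clone (or whose twin was
# running at the same time) can detect a USN rollback and quarantine itself.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. "Dsa Not Writable" = 4 means NTDS detected a rollback: inbound and
#    outbound replication are disabled, Netlogon is paused, SYSVOL is not shared.
$flag = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($flag -eq 4) {
    Write-Warning "Dsa Not Writable = 4: this DC has detected a USN rollback."
} else {
    Write-Host "Dsa Not Writable is not set to 4 (current value: $flag)."
}

# 2. Directory Service log events that KB 875495 lists for rollback detection:
#    2095 (rollback detected), 2103 (DSA marked not writable),
#    1113 / 1115 (inbound / outbound replication disabled).
$rollbackEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 2095, 2103, 1113, 1115
} -ErrorAction SilentlyContinue
foreach ($e in $rollbackEvents) {
    "{0}  EventID {1}`n{2}" -f $e.TimeCreated, $e.Id, $e.Message
}

# 3. Compare this DC's own highest USN with what its replication partners
#    hold for it. If a partner reports a higher USN for this DC's invocation ID
#    than the DC itself does, the DC is behind its own past: the two-copies-of-S1
#    situation in this thread. repadmin ships with the AD DS tools (RSAT).
repadmin /showutdvec localhost "dc=xxxxxxx,dc=local"   # placeholder DN, adjust
repadmin /showrepl localhost

# 4. Netlogon is paused when the DC has quarantined itself.
Get-Service Netlogon | Select-Object Name, Status
```

If any of these fire, the DC should stay isolated from the network until it is either restored properly or forcibly demoted and rebuilt; it must not be allowed to replicate with the other copy.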
 
Hello CHallisy,

This is then no longer a DC, just a member server. So the above-mentioned
part with USN rollback hopefully doesn't occur. But as stated before, in
my opinion you have a new domain.

So please describe in detail what you have done.

Best regards

Meinolf Weber
 
No, not really. The explanation is kind of jumbled, technology-wise.

Let me see if my interpretations are correct:

So you had S1 and S2 configured both as a DC with the same domain name?

Then you fired up S2, which has the same name?

Then you did a forceremoval on S2? If they are the same name, but different
domains, there was no reason to run a forceremoval. Nothing to remove it
from other than itself. But you did create a dupe name issue on the network.
If this was the case, a simple demotion would have sufficed. However, you
should have done it off the main network, and not plugged into the network
with the other DC.

Am I right so far?

Ace
 
S1 was the only DC. It was cloned, basically, onto a new machine.

The original S1 was shutdown and taken off line.

So, there were two servers that were exactly the same. Both identical. But
only one was in use.

The original, I wanted to use, so I turned it back on, off the main network.

I eventually wanted to bring it into the domain, now being hosted by a new
DC, with the same name. In order to do that, I was trying to change the name.
But, I could not change the name because it was still a DC. Not wanting
conflict, as Meinolf pointed out, I wanted the old server to no longer
function as a DC on the network. However, I could not demote it because the
domain could not be contacted. Obviously, since it was outside of the LAN, it
could not contact the domain. In order to demote it, I had to forceremoval.

I hope that makes more sense.
 
Ok, no wonder I didn't understand it. You cloned it, then tried to bring it
back in as a server, not a DC, because you were done testing it off the
network. And it could not contact the domain because its DNS settings were
pointed to something else, the other DC, your ISP or something else, and not
to itself, which is what should have been done. Note: never use your ISP's
DNS as a DNS server for a DC or any other machine in your network, or expect
additional problems.

If you had pointed the DNS server to itself, it would have demoted properly.
Not knowing your ipconfig /all settings on the machine prior to the demotion
attempt, I won't be able to comment, but that's what seems to have happened.

Yes, the forceremoval should work fine. I would really have opted to rebuild
it from scratch, then join it to the domain. I would also promote it as an
additional replica DC into the domain.

Ace
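The checks Ace's reply implies a DC should pass before a normal dcpromo demotion, and the reason the OP's earlier "dcpromo /forceremoval" worked where plain dcpromo did not, as an added example that is not part of the thread. A DC's DNS client must point at a DNS server that hosts the domain zone (on a single-DC domain, itself); otherwise the wizard cannot locate a DC for the domain and fails with exactly the error quoted in the original post. "xxxxxxx.local" is the redacted domain name from the post and is a placeholder here; the cmdlets are modern Windows ones, the equivalent on Windows 2000 being ipconfig /all, nslookup and nltest.

```powershell
# Added example, not from the thread. Run on the DC you intend to demote,
# while it is connected to the network it is supposed to be demoted from.
$domain = 'xxxxxxx.local'   # placeholder, replace with your domain

# 1. Which DNS servers does this box use? (the "ipconfig /all" Ace asked for)
#    For a DC the answer should be itself or another DC, never the ISP.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Can the DC locator SRV record be resolved? dcpromo and Netlogon both use
#    it to find a DC holding this computer's account.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$domain; point DNS at a DC (or this DC itself) before demoting."
} else {
    $srv | Where-Object Type -eq 'SRV' | Format-Table NameTarget, Port, Priority -AutoSize
}

# 3. Ask Netlogon for a DC the same way the demotion wizard does.
nltest "/dsgetdc:$domain"

# 4. Only if the checks above succeed, run the normal demotion:
#       dcpromo
#    dcpromo /forceremoval (what the OP ran) skips these checks and leaves the
#    DC's server and NTDS Settings objects behind in the directory; KB 332199
#    says those must then be removed with "ntdsutil" metadata cleanup on a
#    surviving DC. Do NOT run that cleanup when the surviving DC is a clone of
#    the removed one, as in this thread: both copies share the same objects,
#    and the cleanup would delete the live DC's own metadata.
```

The script only reads; the demotion command is left as a comment so nothing destructive happens by accident when the checks fail.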
 