Trouble demoting domain controller

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Installed a new DC, joined it to the domain. Promoted it to DC and made it a GC and transferred the FSMO roles to it.

Trying to demote the old DC but I get a prompt that no other domain controllers can be contacted.

The new DC is in AD under the DC OU. Its DC Type is GC. The old DC and all PCs are currently using the new DC as their primary DNS server. I've forced replication through Sites and Services.

Thank goodness for snapshots ;)
 
Make sure the old DC can resolve the new DC's name. Check the old one's DNS settings.
 
Old DC can resolve new DC by name.

Any specific DNS settings I should check? The old DC is set to use the new DC as its primary DNS server, as are the rest of the PCs in the office. Nobody is reporting any DNS or login issues this morning.

Pinging the domain name still resolves to the old DC's IP address though.
 
Do an nslookup on the domain. Verify the new DC's IP address is one of the IPs the domain resolves to.

Code:
C:\>nslookup domain.local
Server:  dc1.domain.local
Address:  10.1.1.3

Name:    domain.local
Addresses:  10.1.1.3
          10.2.1.11
          10.3.1.4

Pinging the domain should resolve to either the old or the new DC's IP, since the old DC is still a DC.
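The check above relies on the A records for the bare domain name, but clients actually locate a DC through the SRV records under _msdcs. The following PowerShell is an added example, not something posted in the thread: it lists every DC in the domain and confirms that each one appears both in the domain's A records and in the _ldap._tcp.dc._msdcs SRV records. It assumes the ActiveDirectory RSAT module and the DnsClient module (Windows 8 / Server 2012 or later) are available; the domain name is read from AD rather than hard-coded.

```powershell
# Added example (not from the thread): verify that the domain name and the
# DC locator SRV records resolve to every domain controller.
# Assumes the ActiveDirectory module (RSAT) and Resolve-DnsName (DnsClient module).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * |
          Select-Object Name, HostName, IPv4Address, IsGlobalCatalog

# 1. A records for the bare domain name: there should be one per DC.
#    This is what 'ping domain.local' and the nslookup above are looking at.
$domainIps = (Resolve-DnsName -Name $domain -Type A -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' }).IPAddress
foreach ($dc in $dcs) {
    $status = if ($domainIps -contains $dc.IPv4Address) { 'OK' } else { 'MISSING' }
    "{0,-12} {1,-15} A record for {2}: {3}" -f $dc.Name, $dc.IPv4Address, $domain, $status
}

# 2. DC locator SRV records: workstations find a logon server through these,
#    so a DC missing here will never be chosen even if its A record is fine.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($dc in $dcs) {
    $found  = $srv | Where-Object { $_.NameTarget -ieq $dc.HostName }
    $status = if ($found) { 'OK' } else { 'MISSING' }
    "{0,-12} GC={1,-5} SRV _ldap._tcp.dc._msdcs: {2}" -f $dc.Name, $dc.IsGlobalCatalog, $status
}
```

Run it from either DC (or any domain member with RSAT) against the DNS server the clients use. A DC that shows MISSING in the SRV check has not registered with the DNS server in question; restarting the Netlogon service on that DC re-registers its records.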
 
You mention snapshots, do you mean VM snapshots? You are asking for trouble using that with a DC, and even MS says not to use that as backup for a DC.

Are the new DC and old DC on the same subnet? If not, are both subnets added to the site with the DCs?
 
I'd do a metadata cleanup of the old server out of the domain (aka force remove it). Just be sure you clean DNS manually and don't re-use that same name or IP address as a domain controller.
 
Code:
C:\>nslookup domain.local
Server:  dc.domain.local
Address:  192.168.0.3

Name:    domain.local
Addresses:  192.168.0.3
          192.168.0.2

192.168.0.3 is the new DC, 192.168.0.2 is the old one.
 
I'd like to shut it down for a few days for testing before I do that so that I can bring it back up if shit hits the fan, but alas this server runs Exchange too. Breaking out what runs on this server onto separate boxes was the main purpose of doing this.

It is running in a VM. Maybe this weekend I'll shut it down and remotely test some client PC's.
 
You mentioned something about a new Exchange install in another thread didn't you? Is this part of the same project? If so, wait until Exchange is migrated off, then uninstall Exchange (manual cleaning it out of AD is messy). After that, kill the box, and manually clean the DC from AD (Much easier and possible to automate).

If I'm thinking of another Forum member, my apologies. I'll use the "It's late and I'm tired" excuse :D
 
Yes I confess!! That was me. Migrating Exchange and AD off this box and onto their own separate boxes is really the main goal. I'm caught ;)

So migrate Exchange before AD. I might just do that. Thanks.
 
Absolutely. Don't mess with an existing AD when Exchange is on the box. There are a ton of migration guides out there. The migrations are relatively easy, just read the guides backwards and forwards to understand the concepts and mechanics. As you start them it gets clearer.
 
Installed Exchange today on its new server. It's ready to take over the email duties as soon as I swing the port forwards over to it.

Going to go through those guides in the other thread this weekend to remove it. Then I'll tackle AD. Thanks for the suggestion.
 
Exchange is gone. All working well. Time to move into Active Directory.

After I uninstalled Exchange (from the server that is also the current DC) I shut the server down to see what effects it would have. It is still processing logins. My test workstation could not log in while the server was down.
 
You have other domain controllers that are global catalogs, and listed in the workstation DNS?
 
I would double check the PDC emulator role is on this server, that is typically the cause of the login failures.
 
Yup, transfer all FSMO roles to the new DC, and update your DNS to the new DC and change DHCP to hand out the new DC as Primary DNS.
 
Yeah, did you transfer all 5 roles to the new one?

I did all these things. But I'm going to verify them again this evening. Thanks guys.
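The replies above boil down to three checks: all five FSMO roles (with the PDC emulator the one that matters most for logons) should sit on the new DC, the new DC should be a global catalog, and the workstation should actually be locating the new DC. This PowerShell is an added example, not code from the thread: it reports each role holder against the expected DC, lists GC status for every DC, and runs the same DC locator a workstation uses at logon. It assumes the ActiveDirectory RSAT module; `NEWDC` is a placeholder for the new DC's hostname.

```powershell
# Added example (not from the thread): confirm FSMO placement, GC status and
# which DC the local machine's DC locator actually picks.
# Assumes the ActiveDirectory module (RSAT). NEWDC is a placeholder hostname.
Import-Module ActiveDirectory

$newDc  = 'NEWDC'
$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles: three are domain-wide, two are forest-wide.
# Each property holds the FQDN of the current role holder.
$roles = [ordered]@{
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # short hostname from the FQDN
    $status = if ($holder -ieq $newDc) { 'OK' } else { "still on $($r.Value)" }
    "{0,-22} {1}" -f $r.Key, $status
}

# Global catalog status and OS of every DC. A workstation needs a reachable GC
# to evaluate universal group membership at logon.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# What the DC locator returns for this machine right now. nltest is built in;
# /dsgetdc performs the same lookup a client does at logon, /gc requires a GC.
# Run this on the test workstation while the old DC is shut down.
nltest /dsgetdc:$($domain.DNSRoot) /gc
```

If the locator still names the old DC while it is powered off, or fails outright, look at the SRV records and the DNS servers the workstation was handed by DHCP rather than at the role holders.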
 
http://imgur.com/a/ctvCC

Screenies of all the FSMO roles. I don't have a screenshot for the PDC and Infrastructure roles, but I assure you they are identical to RID.

However I found this interesting.

http://i.imgur.com/hF5QMdY.png

The DC version for the new DC is W2K whereas the old one is W2K8. The functional level of the domain is W2K8.

Thanks guys.

EDIT: Now randomly.... DC version on new server is W2K8 R2. Not sure how that happened. Still not processing logins though.
 
That article is from the NT BackOffice Server (predecessor to SBS) days, and probably not applicable today. What was the original DC, both OS and domain functional level? When you promoted the new DC, did you see any errors, during the initial replication or now? What do the Windows logs say?
 
Yeah, I noticed that article was old but it prompted searches for newer stuff. I'm given to understand that it's the same.

The original DC is on Server 2008 SBS; the functional level before addition of the other DC was 2008. When promoting the new DC there were no errors. There are no replication errors in the Windows logs. The only thing of concern in the logs are warnings for some SIDs for users in a GP that no longer exist.

As far as I can tell it's actually working as designed. I read that you can load balance DCs with an SBS domain but you cannot add a second DC for redundancy.
 