Trouble demoting domain controller

Discussion in 'Networking & Security' started by jadams, Mar 28, 2013.

  1. jadams
    Installed a new DC, joined it to the domain. Promoted it to DC and made it a GC and transferred the FSMO roles to it.

    Trying to demote the old DC but I get a prompt that no other domain controllers can be contacted.

    The new DC is in AD under the DC OU. Its DC Type is GC. The old DC and all PCs are currently using the new DC as their primary DNS server. I've forced replication through Sites and Services.

    Thank goodness for snapshots ;)
     
  2. Burnout01
    Make sure the old DC can resolve the new DC's name. Check the old one's DNS settings.
     
  3. jadams
    Old DC can resolve new DC by name.

    Any specific DNS settings I should check? The old DC is set to use the new DC as its primary DNS server, as are the rest of the PCs in the office. Nobody is reporting any DNS or login issues this morning.

    Pinging the domain name still resolves to the old DC's IP address though.
     
  4. gimp
    Do an nslookup on the domain. Verify the new DC's IP address is one of the IPs the domain resolves to.

    Code:
    C:\>nslookup domain.local
    Server:  dc1.domain.local
    Address:  10.1.1.3
    
    Name:    domain.local
    Addresses:  10.1.1.3
              10.2.1.11
              10.3.1.4
    Pinging the domain should resolve to either the old or the new DC's IP, since the old DC is still a DC.
     
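The check gimp describes, taken a step further, as an added example that is not code from the thread: besides the A records behind "ping domain.local", the DC locator picks a DC from the SRV records under _msdcs, and a client that finds a DC but no GC or KDC there still fails to log on. The domain name domain.local and the new DC name dc2.domain.local are placeholders; Resolve-DnsName needs Windows 8 / Server 2012 or later (on Server 2008 the same queries are `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local`).

```powershell
# Added example, not from the thread. Assumes the domain is domain.local and the
# new DC is dc2.domain.local; replace with your own names.
$domain = "domain.local"
$newDc  = "dc2.domain.local"

# 1. The bare domain name must resolve to every DC (this is what "ping domain.local" uses).
$aRecords = Resolve-DnsName -Name $domain -Type A | Select-Object -ExpandProperty IPAddress
"A records for ${domain}: $($aRecords -join ', ')"

# 2. The records the DC locator actually consults. Each one must list the new DC,
#    otherwise clients keep depending on the old one for that service.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # any DC
    "_gc._tcp.$domain",                  # global catalogs
    "_kerberos._tcp.dc._msdcs.$domain",  # KDCs
    "_ldap._tcp.pdc._msdcs.$domain"      # the PDC emulator (exactly one target expected)
)
$missing = @()
foreach ($name in $srvNames) {
    # Resolve-DnsName also returns the A records of the SRV targets; keep only the SRV rows.
    $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' } |
               Select-Object -ExpandProperty NameTarget
    "$name -> $($targets -join ', ')"
    if ($targets -notcontains $newDc) { $missing += $name }
}
if ($missing) {
    "New DC $newDc is MISSING from: $($missing -join ', ')"
    "Run 'nltest /dsregdns' on $newDc to re-register its records, then re-check."
}

# 3. Ask the locator directly which DC it would hand to this machine, and list all DCs it knows.
nltest /dsgetdc:$domain /force
nltest /dclist:$domain
```

Run it from a workstation as well as from the old DC: the workstation result is what matters on the day the old DC is shut down, and `/force` bypasses the locator cache so you see a fresh answer rather than the DC it found last week.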
  5. Biznatch
    You mention snapshots; do you mean VM snapshots? You are asking for trouble using those with a DC, and even MS says not to use them as a backup for a DC.

    Are the new DC and old DC on the same subnet? If not, are both subnets added to the site with the DCs?
     
  6. thrash408
    I'd do a metadata cleanup of the old server out of the domain (aka force remove it). Just be sure you clean DNS manually and don't re-use that same name or IP address for a domain controller.
     
  7. jadams
    Code:
    C:\>nslookup domain.local
    Server:  dc.domain.local
    Address:  192.168.0.3
    
    Name:    domain.local
    Addresses:  192.168.0.3
              192.168.0.2
    
    192.168.0.3 is the new DC, 192.168.0.2 is the old one.
     
  8. jadams
    I'd like to shut it down for a few days for testing before I do that, so that I can bring it back up if shit hits the fan, but alas this server runs Exchange too. Breaking out what runs on this server onto separate boxes was the main purpose of doing this.

    It is running in a VM. Maybe this weekend I'll shut it down and remotely test some client PC's.
     
  9. jadams
    Any other suggestions before the weekend??
     
  10. Nate7311
    You mentioned something about a new Exchange install in another thread, didn't you? Is this part of the same project? If so, wait until Exchange is migrated off, then uninstall Exchange (manually cleaning it out of AD is messy). After that, kill the box and manually clean the DC from AD (much easier, and possible to automate).

    If I'm thinking of another Forum member, my apologies. I'll use the "It's late and I'm tired" excuse :D
     
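The "force remove" thrash408 and Nate7311 both describe, written out as an added example (not code from the thread). Assumed placeholders: the removed DC is DC1 (192.168.0.2) in domain.local, site Default-First-Site-Name, and the script runs on the surviving DC as a Domain Admin. ntdsutil handles the AD side; the DNS cleanup uses the DnsServer module (Server 2012 / RSAT 2012 or later; on Server 2008 the equivalent is `dnscmd /recorddelete`).

```powershell
# Added example, not from the thread. Assumes the dead DC was DC1 in domain.local,
# in site Default-First-Site-Name, with IP 192.168.0.2; adjust to your environment.
Import-Module ActiveDirectory
$domain   = "domain.local"
$oldDc    = "DC1"
$oldFqdn  = "$oldDc.$domain"
$oldIp    = "192.168.0.2"
$site     = "Default-First-Site-Name"
$cfgDn    = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$oldDc,CN=Servers,CN=$site,CN=Sites,$cfgDn"

# 1. If the dead DC still held an FSMO role, seize it onto a live DC first. A seized
#    role means the old box must never be powered on again on this network.
#    (Uncomment only after checking Get-ADDomain / Get-ADForest for the current holders.)
# Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator -Force

# 2. Metadata cleanup. Server 2008+ ntdsutil takes the server DN directly and removes
#    the NTDS Settings object and the DC markers on the computer account.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 3. ntdsutil does not touch DNS. Remove every record that still points at the old DC,
#    in both the domain zone and its _msdcs zone (A, SRV, NS and the GUID CNAME).
foreach ($zone in @($domain, "_msdcs.$domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone | Where-Object {
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'A'     -and $_.RecordData.IPv4Address.IPAddressToString -eq $oldIp)
    } | ForEach-Object {
        "Removing $($_.RecordType) record '$($_.HostName)' from $zone"
        Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force
    }
}

# 4. The server object under Sites and Services can survive step 2; remove it if it did.
try {
    Get-ADObject -Identity $serverDn | Remove-ADObject -Recursive -Confirm:$false
} catch {
    "Server object already gone: $serverDn"
}

# 5. Prove nothing still references the old DC before reusing its name or address.
repadmin /showrepl
dcdiag /test:dns /v
nltest /dclist:$domain
```

The reason for the name/IP warning in the posts above is visible in step 3: any stale SRV or CNAME that survives will send clients to whatever machine next answers on that name or address, which is also why the verification in step 5 should come back clean before anything is recycled.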
  11. jadams
    Yes I confess!! That was me. Migrating Exchange and AD off this box and onto their own separate boxes is really the main goal. I'm caught ;)

    So migrate Exchange before AD. I might just do that. Thanks.
     
  12. Nate7311
    Absolutely. Don't mess with an existing AD when Exchange is on the box. There are a ton of migration guides out there. The migrations are relatively easy; just read the guides backwards and forwards to understand the concepts and mechanics. As you start them it gets clearer.
     
  13. jadams
    Installed Exchange today on its new server. It's ready to take over the email duties as soon as I swing the port forwards over to it.

    Going to go through those guides in the other thread this weekend to remove it. Then I'll tackle AD. thanks for the suggestion.
     
  14. jadams
    Exchange is gone. All working well. Time to move into Active Directory.

    After I uninstalled Exchange (which is also the current DC) I shut the server down to see what effects it would have. It is still processing logins. My test workstation could not log in while the server was down.
     
  15. dave99
    You have other domain controllers that are global catalogs, and listed in the workstation DNS?
     
  16. jadams

  17. timberdoodle
    I would double-check that the PDC emulator role is on this server; that is typically the cause of the login failures.
     
  18. dave99
    Yeah, did you transfer all 5 roles to the new one?
     
  19. Nate7311
    Yup, transfer all FSMO roles to the new DC, update your DNS to the new DC, and change DHCP to hand out the new DC as primary DNS.
     
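The checklist from dave99, timberdoodle and Nate7311 (all five roles, GC status, DNS and DHCP) as one added example, not code from the thread. Placeholders: new DC DC2 at 192.168.0.3, old DC DC1 at 192.168.0.2 (the addresses from jadams' nslookup), domain domain.local, DHCP scope 192.168.0.0 served from DC2. The AD cmdlets need the ActiveDirectory module (Server 2008 R2 or RSAT); the DNS and DHCP steps use WMI and netsh so they also work on 2008.

```powershell
# Added example, not from the thread. Assumes DC2 (192.168.0.3) is the new DC and
# DC1 (192.168.0.2) the old one in domain.local; adjust names and addresses.
Import-Module ActiveDirectory
$newDc = "DC2"
$newIp = "192.168.0.3"
$oldIp = "192.168.0.2"

# 1. Who holds the five roles right now: three are per-domain, two per-forest.
$d = Get-ADDomain
$f = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
} | Format-List

# 2. Transfer (not seize) all five while the old DC is still online and replicating.
#    -Force would seize, which is only for a source that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -Confirm:$false -OperationMasterRole `
    PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# 3. Independent confirmation: netdom reads the role owners straight from AD.
netdom query fsmo

# 4. Every DC that will remain should be a GC; logons fail when the last GC goes away.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperatingSystem, Site |
    Format-Table -AutoSize

# 5. Replication has to be clean before the old DC is demoted or removed.
repadmin /replsummary
repadmin /showrepl $newDc

# 6. The new DC's own NIC: point at itself first, the old DC second while both exist.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
       Where-Object { $_.IPAddress -contains $newIp }
$nic.SetDNSServerSearchOrder(@($newIp, $oldIp)) | Out-Null
ipconfig /registerdns

# 7. DHCP option 006 (DNS servers) for the scope, so clients stop learning the old DC
#    as their resolver at their next renewal. Put the old DC's address back as a second
#    entry only if you intend to keep it running as DNS for now.
netsh dhcp server \\$newDc scope 192.168.0.0 set optionvalue 006 IPADDRESS $newIp
```

Step 4 is the one that answers jadams' test from post 14: if the new DC shows `IsGlobalCatalog : False`, workstations cannot complete a logon without the old box no matter where the FSMO roles sit, and step 6 repeated on each client (or the DHCP change in step 7 followed by `ipconfig /renew`) is what stops them from asking the old DC for DNS.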
  20. jadams
    I did all these things. But I'm going to verify them again this evening. Thanks guys.
     
  21. jadams
    http://imgur.com/a/ctvCC

    Screenshots of all the FSMO roles. I don't have a screenshot for the PDC and Infrastructure roles, but I assure you they are identical to RID.

    However I found this interesting.

    http://i.imgur.com/hF5QMdY.png

    The DC version for the new DC is W2K whereas the old one is W2K8. The functional level of the domain is W2K8.

    Thanks guys.

    EDIT: Now, randomly, the DC version on the new server is W2K8 R2. Not sure how that happened. Still not processing logins though.
     
    Last edited: Apr 8, 2013
  22. jadams

  23. Nate7311
    That article is from the NT BackOffice Server (predecessor to SBS) days, and is probably not applicable today. What was the original DC, both OS and domain functional level? When you promoted the new DC, did you see any errors, during the initial replication or now? What do the Windows logs say?
     
  24. jadams
    Yeah, I noticed that article was old, but it prompted searches for newer stuff. I'm given to understand that it's the same.

    Original DC is on Server 2008 SBS; functional level before addition of the other DC was 2008. When promoting the new DC there were no errors. There are no replication errors in the Windows logs. The only thing of concern in the logs is warnings for some SIDs for users in a GP that no longer exist.

    As far as I can tell it's actually working as designed. I read that you can load balance DCs with an SBS domain but you cannot add a second DC for redundancy.