
Can't demote DC with dcpromo

 
 
Rob Miles
 
      22nd Aug 2003
I suspect that a lot of my Active Directory and network
problems stem from one of my DCs. Among other things,
when I have the strangest network problems, rebooting that
particular DC will often clear them up, at least for a
little while. To test this, I want to demote it from DC
to member server, and I may wind up taking it completely
down and rebuilding it from scratch.

However, when I run dcpromo it goes through its steps
then gives me: The operation failed because: The
Directory Service failed to replicate off changes made
locally. "The DSA operation is unable to proceed because
of a DNS lookup failure."

I'm also getting the errors referenced in KB Article
285923, "Error Messages Every 5 Minutes Report Events
1000, 1001, and 13508, Citing Replication Trouble". I've
followed the instructions listed in that article, but it
doesn't seem to be getting me anywhere.

Mostly, I'd just like to demote this DC and see if that
doesn't clear up the other problems I'm having. Should I
just disconnect that server from the network and run
dcpromo? Will that work, and what will happen when I
reconnect it (assuming it works)? One issue I have is that
this server is also my Symantec Anti-Virus server, so I
can't keep it off-line indefinitely.

Thanks,

Rob Miles
http://www.miles-pc.com
--
There are only 10 types of people in the world; those who
understand binary and those who don't.
 
Shawn Rabourn (MS)
 
      22nd Aug 2003
You should troubleshoot DNS first and make sure there are SRV records for
the DC in question. You always have 332199 as an option as well.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of
Active
http://support.microsoft.com/?id=332199

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.




Jimmy Andersson
 
      22nd Aug 2003
First, check your DNS configuration.
If you disconnect it from the network and re-install the OS you'll need to
do a lot of cleaning up in your DNS and AD servers.
Follow the instructions in the below KB articles to clean up your
environment before installing the server again.

Q216498 - How to remove data in the AD after an unsuccessful DC demotion:
http://support.microsoft.com/support.../Q216/4/98.ASP

Deleting Objects from Active Directory Using Ldp.exe:
http://support.microsoft.com/default...;en-us;Q244344

Domain Controller Server Object Not Removed After Demotion:
http://support.microsoft.com/default...;en-us;Q216364

Error Deleting a Domain Controller Account in Active Directory Users and
Computers:
http://support.microsoft.com/default...;en-us;Q247393

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
---------- www.qadvice.com ----------


Paul McGuire
 
      22nd Aug 2003
You need to try to fix the demotion problem. Run dcdiag on that DC and another
DC and see if any errors show up. Make sure that replication is working to
begin with. You may need to troubleshoot that first before demotion. If
nothing seems to work you can dcpromo /forceremoval the DC and then do a
metabase cleanup of the AD on the other DCs. To do the forceremoval you
must have SP4 or you can get the hotfix that includes this function. Then
do a metabase cleanup with ntdsutil.exe. Here is a KB article on how to do
this.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of
Active
http://support.microsoft.com/?id=332199

HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion
http://support.microsoft.com/default...b;EN-US;216498

HTH

Paul McGuire

Rob Miles
 
      22nd Aug 2003
Hi Shawn, thanks for your reply.

There is a DNS issue: I cannot ping the problem DC from
the main DC by its FQDN. I can ping its NetBIOS name
(backup_domain) but not backup_domain.<domain>.com. I've
checked the DNS records on the main DC and every entry for
the problem DC was "backup_domain.<domain>.", whereas the
other DCs were listed as "<otherDC>.<domain>.com." (note
the dot at the end was listed for all of them.) I went
through and manually corrected the bad DC entries and have
since rebooted both the main and problem DCs.

Of course, it didn't fix anything, but it made me feel
better. Does the above give you anything additional to
work with? Two DCs, including the problem one, are on SP3
and I'm in the process of upgrading the problem one now.
I'll have to wait until this weekend to upgrade the other
one, but it's been doing fine so I'm not sure that will
fix anything. It can't hurt either I suppose.

Rob
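
The SRV check suggested earlier in the thread, combined with the truncated-suffix records described in this reply, as an added PowerShell example (not code from any poster): it parses SRV records in zone-file layout and reports, for one DC, which locator names have no record pointing at its full name and which records point at a truncated name. The domain example.com, the host dc1 and the sample records are constructed; the four locator names are a subset of what Netlogon registers.

```powershell
# Added example, not from the thread. example.com, dc1 and the sample
# records are constructed placeholders.
function Get-SrvRecord {
    param([string[]]$RecordLine)
    # Layout: owner TTL IN SRV priority weight port target
    $rx = '^(?<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?<port>\d+)\s+(?<target>\S+)\s*$'
    foreach ($line in $RecordLine) {
        $m = [regex]::Match($line, $rx, 'IgnoreCase')
        if ($m.Success) {   # A records, comments and blank lines are skipped
            [pscustomobject]@{
                Owner  = $m.Groups['owner'].Value.ToLowerInvariant()
                Port   = [int]$m.Groups['port'].Value
                Target = $m.Groups['target'].Value.ToLowerInvariant()
            }
        }
    }
}

function Test-DcSrvRegistration {
    param([string[]]$RecordLine, [string]$DnsDomain, [string]$DcName)
    $domain  = $DnsDomain.Trim('.').ToLowerInvariant()
    $label   = $DcName.ToLowerInvariant()
    $fqdn    = "$label.$domain."
    $records = @(Get-SrvRecord $RecordLine)
    # Subset of the locator names Netlogon registers for every DC
    $expected = '_ldap._tcp', '_kerberos._tcp', '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs' |
        ForEach-Object { "$_.$domain." }
    $present = @($records | Where-Object { $_.Target -eq $fqdn } | ForEach-Object { $_.Owner })
    [pscustomobject]@{
        Dc            = $fqdn
        # Locator names with no record pointing at the DC's full name
        MissingOwners = @($expected | Where-Object { $_ -notin $present })
        # Records that name this host but not as host.domain. (truncated suffix)
        BadTargets    = @($records | Where-Object { $_.Target.StartsWith("$label.") -and $_.Target -ne $fqdn })
    }
}

$sample = @(   # constructed records in zone-file layout
    '_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.'
    '_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.'
    '_kerberos._tcp.example.com. 600 IN SRV 0 100 88 backup_domain.example.com.'
    '_ldap._tcp.example.com. 600 IN SRV 0 100 389 backup_domain.example.'
    '_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 backup_domain.example.'
    'example.com. 600 IN A 192.0.2.10'
)
$result = Test-DcSrvRegistration -RecordLine $sample -DnsDomain 'example.com' -DcName 'backup_domain'
$result.MissingOwners                       # locator names with no record for this DC
$result.BadTargets | Format-Table -AutoSize # records whose target is truncated
```

On a domain controller, Netlogon writes the records it tries to register to `%SystemRoot%\System32\Config\netlogon.dns` in this layout, so the output of `Get-Content` on that file can replace `$sample`.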

Rob Miles
 
      22nd Aug 2003
Thanks for the reply, Paul.

I've been working on this issue off and on for about...
well, ever since I upgraded the problem machine from a
WinNT 4 BDC to Win2K and made it a DC. In fact, it was
causing problems on my mixed-mode W2K Domain as a BDC,
which is why I upgraded it.

Anyway, if I can't resolve the issue any other way, I'll
definitely follow the documents you listed. Thanks,

Rob
