Problem Demoting Domain Controller (2003)

Guillaume Ross

Good morning everyone..

I have a problematic situation with a domain controller on my domain
(that I will call domain.local in this)

After an IP re-addressing weekend, replication didn't work in one of our
sites that has one DC, that I will call "problemdc.domain.local".

This site doesn't have many users, and it took a while before we noticed
any sync problems. When I fixed what was preventing the sync to occur,
the event log displayed an error saying it had been too long since the
last sync, and that the best thing to do would be to demote the
problemdc and re-promote it.

I demoted it, everything looked fine.
Then, maybe that was a bad mistake, I re-promoted it right after
rebooting. I should've waited longer I suppose...

The promote appeared to be fine, the server rebooted properly...I
thought everything was good.

Next morning, people started having weird logon problems on that
server.. so I look at the sites and services.. that server is not under
the site anymore, and I cannot add it !

So I look in Users and Computers, and the computer account for that
server is still under "Computers" instead of "Domain Controllers".. So I
moved it manually under Domain Controllers to see if I could then add it
under the site. Nope.

So I figured I would demote it, wait until everything has replicated
properly, then promote it half an hour later..
But when I try to demote it now I get this:

The operation failed because:

Active directory could not transfer the remaining data in directory
partition
CN=Schema,CN=Configuration,DC=Domain,DC=local to domain controller
anotherdc.domain.local.

"The DSA Object could not be found".

Now the questions:

1. Now, I found a great article on the KB explaining how to remove a
server after an unsuccessful demotion, through ntdsutil. I guess I would
have to do this on my "anotherdc" Domain controller, right?

2. After I do this on my "anotherdc" domain controller, how will the
"problemdc" know it is no longer a DC? Will I need to reinstall my OS to
be able to promote it again to DC status?

Thanks in advance for your time.
 
Guillaume Ross

Replying to myself there..
That procedure through ntdsutil doesn't work/isn't required as on my
other DCs, "problemdc" is not listed as a server.

So I guess problemdc just isn't a DC at all on my domain anymore, I
would just need to tell it "hi, you're not a DC" so I can re-promote it
after ?
 
autogyro

Did the problematic domain controller perform any FSMO roles? If
there is some sort of replication error and the roles have not been
properly seized/transferred, it might cause some weird behavior when
the DC is brought back online and attempts to assume these roles. I
would make sure all roles have been transferred/seized as necessary w/
the DC offline, do a metadata cleanup, reinstall the OS, and even
choose a different name for the DC if possible when you bring it back
online.
 
Guillaume Ross

It did not have any special roles. The metadata seems clean...

I guess I will reinstall the server with a new name.
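
The checks discussed in this thread (FSMO role holders, where the computer account sits, and whether a server object exists under Sites) can be collected in one read-only pass; this is an added example, not something posted by the thread's participants. It assumes the ActiveDirectory PowerShell module and a healthy DC reachable over Active Directory Web Services, which postdate a stock Server 2003 install; `problemdc` is the placeholder name used in the thread.

```powershell
# Added example: read-only checks, run from a healthy DC or an admin workstation.
# Assumption: ActiveDirectory module available, a DC with AD Web Services reachable.
Import-Module ActiveDirectory

$dcName = 'problemdc'                 # placeholder name from the thread
$domain = Get-ADDomain
$forest = Get-ADForest
$root   = Get-ADRootDSE

# 1. FSMO role holders: does any role still point at the problem DC?
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$rolesHeld = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$dcName.*" })

# 2. Computer account: which container is it in, and is it a DC-type account?
#    -Filter returns nothing (instead of throwing) when the account is missing.
$computer    = Get-ADComputer -Filter "Name -eq '$dcName'" -Properties userAccountControl
$isDcAccount = $false
if ($computer) {
    # 0x2000 = SERVER_TRUST_ACCOUNT, set on domain controller computer accounts
    $isDcAccount = [bool]($computer.userAccountControl -band 0x2000)
}

# 3. Server object and its NTDS Settings child under CN=Sites in the
#    configuration partition (what Sites and Services displays).
$sitesBase = "CN=Sites,$($root.configurationNamingContext)"
$serverObj = Get-ADObject -SearchBase $sitesBase `
                 -LDAPFilter "(&(objectClass=server)(cn=$dcName))" |
             Select-Object -First 1
$ntdsObj = $null
if ($serverObj) {
    $ntdsObj = Get-ADObject -SearchBase $serverObj.DistinguishedName `
                   -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
}

[pscustomobject]@{
    FsmoRolesHeld      = ($rolesHeld.Key -join ', ')
    ComputerAccountDN  = $computer.DistinguishedName
    IsDcTypeAccount    = $isDcAccount
    ServerObjectDN     = $serverObj.DistinguishedName
    NtdsSettingsExists = [bool]$ntdsObj
} | Format-List
```

An empty `FsmoRolesHeld`, no `ServerObjectDN` and `NtdsSettingsExists` of `False` match the state described in the thread, where the other DCs no longer list the server. Moving the computer account between containers by hand changes only its distinguished name, so `IsDcTypeAccount` still reflects how the directory classifies the machine.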
 
