- Problems with DC demotion
- Posted by Alerrandro on January 2nd, 2004
Hi All!!!
A few days ago, I lost the DC objects in the AD. I recovered them from a system
state backup and got access to AD again.
But later I noticed that all GPOs weren't being applied to computers and
users. I've made some tests and discovered that the //mydomain/sysvol share
wasn't accessible by any of the computers, but one of the DCs (let's call
it DC1). The share //DC1/sysvol is accessible.
I also noticed that the DC1 object is listed as "Server / Workstation"
instead of "Domain Controller". It was very strange, because DC1 had all FSMO
on it and GC. It authenticated users, and replicated all data to DC2 (I have 2
DCs). Any change that I make on AD (no matter on which DC) is replicated and
FRS doesn't log any warning or error.
I tried to demote DC1 and promote it again, and after fixing some errors, I
got this message:
The operation failed because:
The Directory Service failed to find a server to replicate off changes.
"The security context could not be established due to a failure in the
requested quality of service (e.g. mutual authentication or delegation). "
Even using /forceremove
I have checked DNS, RPC and lots of other possibilities. The only test that
fails is in Sysvol.
DC1 isn't a member of the Sysvol replica and DC2 is. If I use AD Sites and
Services, I can start replication from DC2 to DC1, but if I try DC1 to DC2 I
receive this message:
"The following error occurred during the attempt to synchronize the domain
controllers. The naming context is in the process of being removed or is not
replicated from the specified server."
The connection that works is one I created, and the connection that doesn't work was
"automatically generated".
If I check the topology, it is successful in any case.
Well, I want to know if there is a way to put DC1 as replica. Or if I can
unplug DC1 from the net and run dcpromo as "last dc in the domain", but I am
afraid of the consequences of this last one.
Does anybody have ideas?
Thanks!
--
Alerrandro Luís
Network Administrator / Support Analyst
MCSE / MCSA / Solaris and Linux Specialist
hardaway(at)brturbo.com
alerrandro.correa(at)inep.gov.br
ICQ: 2002617
- Posted by Brian Desmond [MVP] on January 2nd, 2004
Alejandro,
What you probably will have the most success doing is a dcpromo
/forceremoval with the DC unplugged from the network. Before you do this,
make sure DC2 has all the FSMOs on it:
234790
HOW TO: Find Servers That Hold Flexible Single Master Operations Roles
and if necessary:
255504
Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller
Finally, on DC2, you'll have to manually remove DC1:
216498
HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
Http://www.briandesmond.com
- Posted by Alerrandro on January 5th, 2004
Hi Brian,
I tried to use forceremoval with the DC unplugged from the network and it
complained that it couldn't contact another DC. If I say that it is the last DC
in the network, it says that it isn't.
When I try to use forceremoval with the DC plugged in, it complains that it can't
change the FSMO to another DC. I put another DC in the network. DC2 and DC3
show that DC2 has all FSMO, but DC1 shows that it has the FSMO :/ If I
connect to DC2 and transfer or seize some role, it runs nicely. But if I
do it connected to DC1, it gives this message:
Win32 error returned is 0x20f1(This directory server is shutting down, and
cannot take ownership of new floating single-master operation roles.)
I am trying to avoid formatting the DC... but I am seeing that it will be the
solution...
--
Alerrandro Luís
Network Administrator / Support Analyst
MCSE / MCSA / Solaris and Linux Specialist
hardaway(at)brturbo.com
alerrandro.correa(at)inep.gov.br
ICQ: 2002617
- Posted by Brian Desmond [MVP] on January 7th, 2004
Hrmm. I think you're SOL if it won't demote disconnected. Is the machine SP4
(that switch is SP4 only)?
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
Http://www.briandesmond.com