
Can't Demote Domain Controller.

Status
Not open for further replies.

sqladmin99

IS-IT--Management
Nov 14, 2002
47
US
Hi All,

I work with a small company and we have 20 networked computers under one domain (companyname.com). We also have two domain controllers in our network. We hired an IT consultant 5 months ago and he set up the entire network. I found from the event log that THE TWO DOMAIN CONTROLLERS HAVE NEVER BEEN SYNCHRONIZED WITH EACH OTHER. It has been giving all kinds of synchronization errors for the last 5 months.

Just to get rid of these errors (I thought one DC would be enough), I decided to demote the second Domain Controller, which was not configured right.

Now I am trying to run dcpromo on the second Domain Controller to demote it to a member server. Every time I run this utility it gives me an error saying "DSA operation is unable to proceed because of DNS lookup failure". When I click 'OK' on the error screen, the next screen says "The Directory Service failed to replicate off changes made locally. Active Directory can not be removed".

1) Does anyone know how I can demote the DC in this situation?

2) Is there any way we can manually change the Active Directory status from 'not replicated' to 'replicated' so that I can run 'dcpromo'?


I also tried to run synchronization from Active Directory Sites and Services, but that also gives an error saying "The naming context is in the process of being removed or is not replicated from specified server".

I really appreciate any kind of help regarding this matter.

Thank you,

Rajan
 
I would suggest fixing the synchronization problem instead of demoting the DC. He put the second DC up for fault tolerance. Once you fix the sync problem you can demote it if you like. Check these things. On both DCs go to DNS and make sure that they can replicate the zone by going into the zone transfer tab and allowing zone transfer to any computer. Then go to a command prompt on the second DC, run nslookup, then enter "ls -t srv domain.com" and press Enter; see if you get a lot of SRV records. If so, that's good. After that, fix DNS so that only specified DNS servers are allowed zone transfer, from the name servers tab. Then enter the correct name servers on the name servers tab (your two DCs). Check the SRV records again on both DCs, this time by using nslookup. That should give you a start anyway.

Good luck, let me know how it goes.
 
Thank you for replying, kameleon80.

I tried to synchronize the DC but I got the following error:

"DSA operation is unable to proceed because of DNS lookup failure"

I went to the Microsoft web site and they recommend checking a few settings in the DC. When I checked these settings on the second DC I found the FQDN of the second DC was wrong (instead of computername.domain.com it was just showing the computer name). I cannot change the name of this computer since it is a Domain Controller.

I again went to the Microsoft website to find out about changing the computer name of a DC, and they recommend demoting it to a member server in order to change its name. I cannot demote it since it is not synchronized, so I am kind of stuck here. I removed DNS from the second DC just to get rid of everything that is not synchronizing.

Do you recommend installing DNS back on the second DC and doing what you explained in your reply?

Please let me know.

 
Yes, reinstall DNS and follow the earlier recommendations. Also, you could have changed the host name in DNS to the name of the DC, but it's kinda late for that now :)

Good luck, let me know if you need any more help.
 
UGH, get DNS to work and try to get a sync. My company just spent 30 hours recovering a client's single-domain AD failure. This was not pretty. If you can't get DNS to work there is an MS article on how to manually remove AD, but it did not work in our case. If you cannot dcpromo you will have to reload the OS.

DNS primer:
 
Hi All,

Thank you very much for your response. I finally fixed this problem. In order to solve the problem:

1) I appended DNS suffixes in TCP/IP properties under the Advanced tab for the second DC.

2) I changed all SRV records, 'A' records, PTR records and any other record that was referring to the second Domain Controller. I changed them to servername.domainname.com


And finally, it started working and synchronized. I demoted the DC to a regular server. Now, just to be on the safer side, I am going to promote another member server to DC.

Once again thanks for your help.

Raj

 
Hi sqladmin99!
I have a similar problem with sync and these SRV records that you just explained.
Could you give me the way of fixing that: how did you change the records that were referring to the wrong DC, and which tools did you use?
 
Pav4o,

Following are the steps I took to change my records:

1) Opened DNS.
2) In the forward lookup zone, I made sure all 'A' records look consistent (computername.domainname.com). To create an 'A' record, right click on the domain name in the left panel and select 'New Host...'.
3) Then I opened the subfolders _msdcs, _sites, _tcp and _udp and again checked for consistency. Before I fixed this problem, all SRV records in the _tcp folder for my second DC consisted of only the computer name (not the FQDN); I double clicked on each SRV record and manually changed it to the FQDN.

After making these changes I renewed the DNS settings on the second DC and it started syncing.

Let me know if you have any further questions.


Raj
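The check kameleon80 describes (nslookup "ls -t srv domain.com" to see whether SRV records exist) and the consistency check Raj describes (every SRV record for a DC must point at the FQDN, not a bare computer name) can be done from one script. The following PowerShell is an added example written for this thread, not code posted by any of the participants. It assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName), that $Domain is the AD DNS domain name, and it only reads DNS; it does not modify any record.

```powershell
# Added example (not from the thread): audit the SRV records a domain
# controller registers and flag targets that are not fully qualified or
# that have no A record. Read-only; assumptions are noted inline.
param(
    # Assumption: the host is domain-joined, so its domain is the AD DNS domain.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
    # Optional: query a specific DNS server (e.g. each DC in turn) instead of the client's resolver.
    [string]$DnsServer = $null
)

# SRV names every DC registers; the thread's fix was making their targets FQDNs.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

$problems = @()
foreach ($name in $srvNames) {
    $resolveArgs = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolveArgs.Server = $DnsServer }
    try {
        # Resolve-DnsName also returns the additional A records, so keep only SRV rows.
        $records = Resolve-DnsName @resolveArgs | Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $problems += "$name : no SRV records ($($_.Exception.Message))"
        continue
    }
    if (-not $records) {
        $problems += "$name : query succeeded but returned no SRV records"
        continue
    }
    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.')
        # A DC target must be host.domain; a bare host name is the misconfiguration in this thread.
        if ($target -notlike "*.$Domain") {
            $problems += "$name -> '$target' is not an FQDN in $Domain"
            continue
        }
        # The target must also resolve, otherwise replication partners cannot reach it.
        $aArgs = @{ Name = $target; Type = 'A'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $aArgs.Server = $DnsServer }
        $a = Resolve-DnsName @aArgs | Where-Object { $_.Type -eq 'A' }
        if (-not $a) {
            $problems += "$name -> $target has no A record"
        } else {
            "{0,-40} -> {1} ({2})" -f $name, $target, ($a.IPAddress -join ', ')
        }
    }
}

if ($problems) {
    "`nProblems found:"
    $problems | ForEach-Object { "  $_" }
} else {
    "`nAll SRV targets are fully qualified and resolvable."
}
```

Run it once against each DC with -DnsServer so you see what every replication partner actually returns; a record that is correct on one DC and a bare host name on the other is exactly the inconsistency that produced the "DNS lookup failure" in this thread.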
 
OK, I will inform you if I need some help.
 