Remove a domain controller when dcpromo bombs

I'm trying to demote one server in a two-server setup.
I start dcpromo, it gets part way through and then bombs with an "Access is denied" error,
which is b~@:!hit. I've tried this 2 or 3 times with known good passwords (see dcpromoui.log below).
So how can I fix that, or delete the controller without using dcpromo?
cheers
dave
============================
dcpromoui E28.638 0466 13:58:28.218   Enter DS::DemoteDC
dcpromoui E28.638 0467 13:58:28.218     Enter State::IsLastDCInDomain false
dcpromoui E28.638 0468 13:58:28.218     Enter State::IsForcedDemotion false
dcpromoui E28.638 0469 13:58:28.218     Enter State::GetAdminPassword
dcpromoui E28.638 046A 13:58:28.218     Enter State::GetAppPartitionList
dcpromoui E28.638 046B 13:58:28.218     Enter AllocateAppPartitionList
dcpromoui E28.638 046C 13:58:28.218     Calling DsRoleDemoteDc
dcpromoui E28.638 046D 13:58:28.218     lpServer               : (null)
dcpromoui E28.638 046E 13:58:28.218     lpDnsDomainName        : (null)
dcpromoui E28.638 046F 13:58:28.218     ServerRole             : DsRoleServerMember
dcpromoui E28.638 0470 13:58:28.218     lpAccount              : (null)
dcpromoui E28.638 0471 13:58:28.218     Options                : 0x80
dcpromoui E28.638 0472 13:58:28.218     fLastDcInDomain        : false
dcpromoui E28.638 0473 13:58:28.218     cRemoteNCs             : 0
dcpromoui E28.638 0474 13:58:28.250     HRESULT = 0x00000000
dcpromoui E28.638 0475 13:58:28.250     Enter DeallocateAppPartitionList
dcpromoui E28.638 0476 13:58:28.250     Enter DoProgressLoop
dcpromoui E28.638 0477 13:58:28.250       Enter State::GetOperation DEMOTE
dcpromoui E28.638 0478 13:58:28.250       Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0479 13:58:29.765       Enter ProgressDialog::UpdateText Active Directory Domain Services successfully transferred the remaining data in directory partition DC=ForestDnsZones,DC=data-action,DC=co,DC=uk to Active Directory Domain Controller \\nasbox.data-action.co.uk.
dcpromoui E28.638 047A 13:58:43.297       Enter ProgressDialog::UpdateText Stopping service NETLOGON
dcpromoui E28.638 047B 13:58:44.797       Enter ProgressDialog::UpdateText Stopping service IsmServ
dcpromoui E28.638 047C 13:58:47.797       Enter ProgressDialog::UpdateText Stopping service kdc
dcpromoui E28.638 047D 13:58:49.297       Enter ProgressDialog::UpdateText Creating a new local security account manager (SAM) database...
dcpromoui E28.638 047E 13:58:50.875       Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
dcpromoui E28.638 047F 13:59:02.875       Enter ProgressDialog::UpdateText Configuring service NTDS
dcpromoui E28.638 0480 13:59:04.375       Enter ProgressDialog::UpdateText Configuring service NETLOGON
dcpromoui E28.638 0481 13:59:05.875       Enter ProgressDialog::UpdateText Configuring service DFSR
dcpromoui E28.638 0482 13:59:07.375       Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui E28.638 0483 13:59:07.375       Enter ProgressDialog::UpdateButton
dcpromoui E28.638 0484 13:59:07.375       Progress loop complete.
dcpromoui E28.638 0485 13:59:07.375       Calling DsRoleGetDcOperationResults
dcpromoui E28.638 0486 13:59:07.375       Error 0x0 (!0 => error)
dcpromoui E28.638 0487 13:59:07.375       Operation results:
dcpromoui E28.638 0488 13:59:07.375       OperationStatus      : 0x5 !0 => error
dcpromoui E28.638 0489 13:59:07.375       DisplayString        : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048A 13:59:07.375       ServerInstalledSite  : (null)
dcpromoui E28.638 048B 13:59:07.375       OperationResultsFlags: 0x0
dcpromoui E28.638 048C 13:59:07.375       Enter ProgressDialog::UpdateText The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048D 13:59:07.375       Enter State::SetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 048E 13:59:07.375       Enter State::SetOperationResultsFlags 0x0
dcpromoui E28.638 048F 13:59:07.375   Exception caught
dcpromoui E28.638 0490 13:59:07.375   catch completed
dcpromoui E28.638 0491 13:59:07.375   handling exception
dcpromoui E28.638 0492 13:59:07.375   Enter State::ClearHiddenWhileUnattended
dcpromoui E28.638 0493 13:59:07.375   Enter EnableConsoleLocking
dcpromoui E28.638 0494 13:59:07.375     Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
dcpromoui E28.638 0495 13:59:07.375     Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
dcpromoui E28.638 0496 13:59:07.375   Enter State::SetOperationResults result FAILURE
dcpromoui E28.638 0497 13:59:07.375   Enter ProgressDialog::UpdateText
dcpromoui E28.638 0498 13:59:07.375   Enter State::IsOperationRetryAllowed
dcpromoui E28.638 0499 13:59:07.375     true
dcpromoui E28.638 049A 13:59:07.375   credentials were invalid, hr=0x80070005
dcpromoui E28.638 049B 13:59:07.375   Enter GetErrorMessage 80070005
dcpromoui E28.638 049C 13:59:07.375   Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 049D 13:59:07.375   Enter State::GetOperation DEMOTE
dcpromoui E28.638 049E 13:59:07.375   Enter State::GetParentDomainDnsName
dcpromoui E28.638 049F 13:59:44.469   credential retry canceled
dcpromoui E28.638 04A0 13:59:44.469   Enter ComposeFailureMessage
dcpromoui E28.638 04A1 13:59:44.469     Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 04A2 13:59:44.469     Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A3 13:59:44.469     Enter State::GetOperationResultsFlags 0x0
dcpromoui E28.638 04A4 13:59:44.469     Enter State::SetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.638 04A5 13:59:44.469   posting message to progress window
dcpromoui E28.318 04A6 13:59:44.469               Enter ProgressDialog::UpdateText Operation Stopped
dcpromoui E28.318 04A7 13:59:44.485               Enter ProgressDialog::OnDestroy
dcpromoui E28.318 04A8 13:59:44.485             OPERATION FAILED
dcpromoui E28.318 04A9 13:59:44.485           Enter State::GetNeedsReboot false
dcpromoui E28.318 04AA 13:59:44.485           Enter State::IsOperationRetryAllowed
dcpromoui E28.318 04AB 13:59:44.485             true
dcpromoui E28.318 04AC 13:59:44.485           Enter Wizard::SetNextPageID id = 156
dcpromoui E28.318 04AD 13:59:44.485             push 142
dcpromoui E28.318 04AE 13:59:44.485         Enter FailurePage::OnInit
dcpromoui E28.318 04AF 13:59:44.485           Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04B0 13:59:44.485             Enter ControlSubclasser::Init
dcpromoui E28.318 04B1 13:59:44.485         Enter FailurePage::OnSetActive
dcpromoui E28.318 04B2 13:59:44.485           Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04B3 13:59:44.485           Enter State::GetNeedsReboot false
dcpromoui E28.318 04B4 13:59:44.485           Enter State::GetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
dcpromoui E28.318 04B5 13:59:47.876         Enter DCPromoWizardPage::OnWizNext
dcpromoui E28.318 04B6 13:59:47.876           Enter FailurePage::Validate
dcpromoui E28.318 04B7 13:59:47.876           Enter Wizard::SetNextPageID id = 154
dcpromoui E28.318 04B8 13:59:47.876             push 156
dcpromoui E28.318 04B9 13:59:47.876         Enter FinishPage::OnInit
dcpromoui E28.318 04BA 13:59:47.876           Enter MultiLineEditBoxThatForwardsEnterKey::Init
dcpromoui E28.318 04BB 13:59:47.876             Enter ControlSubclasser::Init
dcpromoui E28.318 04BC 13:59:47.876         Enter FinishPage::OnSetActive
dcpromoui E28.318 04BD 13:59:47.876           Enter State::GetNeedsReboot false
dcpromoui E28.318 04BE 13:59:47.876           Enter getCompletionMessage
dcpromoui E28.318 04BF 13:59:47.876             Enter State::GetOperation DEMOTE
dcpromoui E28.318 04C0 13:59:47.876             Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04C1 13:59:47.876             Enter NeedDsBinaryWarning
dcpromoui E28.318 04C2 13:59:47.876               Enter Computer::RemoveLeadingBackslashes
dcpromoui E28.318 04C3 13:59:47.876               Enter GetProductTypeFromRegistry
dcpromoui E28.318 04C4 13:59:47.876                 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui E28.318 04C5 13:59:47.876                 Enter RegistryKey::GetValue-String ProductType
dcpromoui E28.318 04C6 13:59:47.876                 LanmanNT
dcpromoui E28.318 04C7 13:59:47.876                 prodtype : 0x2
dcpromoui E28.318 04C8 13:59:47.876             Enter State::GetFinishMessages
dcpromoui E28.318 04C9 13:59:59.751         Enter FinishPage::OnWizFinish
dcpromoui E28.318 04CA 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CB 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CC 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04CD 13:59:59.766       Enter State::GetNeedsReboot false
dcpromoui E28.318 04CE 13:59:59.766       Enter State::GetUserCancelled false
dcpromoui E28.318 04CF 13:59:59.766       Enter State::GetOperationResultsCode FAILURE
dcpromoui E28.318 04D0 13:59:59.766       Enter State::GetHadNonCriticalFailures
dcpromoui E28.318 04D1 13:59:59.766         bHadNonCriticalFailures = false
dcpromoui E28.318 04D2 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D3 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D4 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D5 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D6 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D7 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D8 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04D9 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DA 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DB 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
dcpromoui E28.318 04DC 13:59:59.766     exitCode = 54
dcpromoui E28.318 04DD 13:59:59.766   Enter State::UnbindFromReplicationPartnetDC
dcpromoui E28.318 04DE 13:59:59.766 closing log

This is what I decided to do. Unfortunately the metadata cleanup did not complete.
Access is denied? - that sounds familiar.
The server is still listed in "AD Sites and Services" (and cannot be deleted by the management snap-in).
===================================================
select operation target:
select operation target:
select operation target:
select operation target: select server 1
Site - CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
Domain - DC=data-action,DC=co,DC=uk
Server - CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-ac
tion,DC=co,DC=uk
        DSA object - CN=NTDS Settings,CN=LPSERVER,CN=Servers,CN=Palatine,CN=Site
s,CN=Configuration,DC=data-action,DC=co,DC=uk
        DNS host name - lpServer.data-action.co.uk
No current Naming Context
select operation target:
select operation target: quit
metadata cleanup:
metadata cleanup:
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Unable to find server reference on "CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,
CN=Configuration,DC=data-action,DC=co,DC=uk".
LDAP error 0x5e(94 (No result present in message).
The attempt to remove the FRS settings on CN=LPSERVER,CN=Servers,CN=Palatine,CN=
Sites,CN=Configuration,DC=data-action,DC=co,DC=uk failed because "Element not fo
und.";
metadata cleanup is continuing.
DsRemoveDsServerW error 0x5(Access is denied.)
metadata cleanup:
metadata cleanup:
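
A triage sketch for the dcpromoui.log posted above, added here as an example and not part of the original thread: it parses the log's record layout, pulls out OperationStatus and the hr= value, and decodes the HRESULT so that status 0x5 and 0x80070005 can be seen to be the same Win32 error. The sample records are abridged from the post's log; the function and field names are assumptions of this example.

```python
import re

# Record layout seen in the post's dcpromoui.log:
#   dcpromoui <tag> <4-hex-digit sequence> <hh:mm:ss.mmm> <indented message>
LINE_RE = re.compile(
    r"^dcpromoui\s+(\S+)\s+([0-9A-Fa-f]{4})\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s(.*)$")

FACILITY_WIN32 = 7
# Small lookup of Win32 error codes; extend as needed.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
               1722: "RPC_S_SERVER_UNAVAILABLE"}

# Abridged from the log in the post (records dropped, text unchanged).
SAMPLE_LOG = """\
dcpromoui E28.638 0468 13:58:28.218     Enter State::IsForcedDemotion false
dcpromoui E28.638 0477 13:58:28.250       Enter State::GetOperation DEMOTE
dcpromoui E28.638 047E 13:58:50.875       Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
dcpromoui E28.638 0481 13:59:05.875       Enter ProgressDialog::UpdateText Configuring service DFSR
dcpromoui E28.638 0482 13:59:07.375       Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
dcpromoui E28.638 0488 13:59:07.375       OperationStatus      : 0x5 !0 => error
dcpromoui E28.638 0489 13:59:07.375       DisplayString        : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
dcpromoui E28.638 049A 13:59:07.375   credentials were invalid, hr=0x80070005
dcpromoui E28.638 04A4 13:59:44.469     Enter State::SetFailureMessage The operation failed because:
The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
"Access is denied."
"""


def parse_log(text):
    """Split the log into records; unprefixed lines continue the previous record."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"tag": m.group(1), "seq": int(m.group(2), 16),
                            "time": m.group(3), "msg": m.group(4).strip()})
        elif raw.strip() and entries:
            entries[-1]["msg"] += "\n" + raw.strip()
    return entries


def decode_hresult(value):
    """Break an HRESULT into severity bit, 11-bit facility and 16-bit code."""
    return {"failed": bool((value >> 31) & 1),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}


def triage(text):
    """Collect the fields that explain why the dcpromo operation failed."""
    r = {"operation": None, "forced": None, "status": None, "hresult": None,
         "win32": None, "matches_status": None, "display": None,
         "failure": None, "steps": []}
    for entry in parse_log(text):
        msg = entry["msg"]
        if m := re.search(r"State::GetOperation (\w+)", msg):
            r["operation"] = m.group(1)
        elif m := re.search(r"State::IsForcedDemotion (true|false)", msg):
            r["forced"] = m.group(1) == "true"
        elif m := re.match(r"OperationStatus\s*:\s*(0x[0-9A-Fa-f]+)", msg):
            r["status"] = int(m.group(1), 16)
        elif m := re.match(r"DisplayString\s*:\s*(.+)", msg):
            r["display"] = m.group(1)
        elif m := re.search(r"\bhr=(0x[0-9A-Fa-f]+)", msg):
            r["hresult"] = int(m.group(1), 16)
        elif m := re.match(r"Enter State::SetFailureMessage (.+)", msg, re.S):
            r["failure"] = m.group(1)
        elif r["status"] is None and (
                m := re.match(r"Enter ProgressDialog::UpdateText (.+)", msg)):
            # Progress text shown before the operation result was fetched.
            r["steps"].append(m.group(1))
    if r["hresult"] is not None:
        hr = decode_hresult(r["hresult"])
        if hr["failed"] and hr["facility"] == FACILITY_WIN32:
            r["win32"] = WIN32_NAMES.get(hr["code"], f"WIN32 error {hr['code']}")
            r["matches_status"] = hr["code"] == r["status"]
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"operation      : {report['operation']} (forced={report['forced']})")
    print(f"last progress  : {report['steps'][-1]}")
    print(f"OperationStatus: {report['status']:#x}")
    print(f"hr             : {report['hresult']:#010x} -> {report['win32']}")
    print(f"failing action : {report['display']}")
```

Note that the last progress text reads "completed" while OperationStatus is non-zero, so the status and DisplayString fields are the ones to read, not the progress messages.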

Similar Messages

  • Remove a domain controller

    I have SBS 2008 with a Windows Server 2008 SP2 server as a second domain controller.  I've added a new 2012 server and made it a domain controller.  I need to demote the 2008 box.  If I run dcpromo, it doesn't detect that it is a domain
    controller and just wants to create a new one.  I notice that the AD DS service is not running, it is disabled.  When I try to start it, it just stops.  dsquery server shows all three as domain controllers.  What is the best way to remove
    this DC?

    I have gone through the thread. Please check the following:
    1. Login to 2012 DC, and check "NTDS Settings" are not seen under 2008 DC in Active Directory Sites and Services snap-in
    2. Ensure that 2012 DC have all FSMO roles
    3. Do your clients point to 2008 DNS for resolution or 2012 DC for resolution? If they use 2008, plan to change them to 2012
    4. Ensure that 2008 DC doesn't run any other services like - WINS, DFS, DHCP, Certificate Services etc.
    5. Run repadmin /replsummary to see replication state for 2008 DC
    Once the above are answered, I would suggest that you clean-up the Active Directory metadata by using NTDSUTIL on 2012 DC.
    If there are any configuration issues with 2008 DC and it is not completely removed from the configuration then you could end up with having Lingering Objects in your environment and it might create more issues.
    I suggest to clean-up AD before Tombstone period kicks in for 2008DC.
    - Sarvesh Goel - Enterprise Messaging Administrator

  • Is it possible to bypass Domain Controller Promotion (dcpromo) Hard Drive Check? My Server has an embedded drive instead of a SATA port. (emmc)

    I have a small computer with just an embedded drive instead of a sata port. It seemed perfect for a small domain controller, since it has 32G's which is more than enough space, and with a gigabit Ethernet, and 1.6Ghz dual core cpu, seemed more than enough
    for what I needed.
    Windows 2012, or Windows Server Technical Preview, both install fine on it, but when I run dcpromo to create the domain It fails on selecting the location for files. The error is that the path is not a hard drive. The machine only has USB ports so I can't
    add a SATA drive just to store these logs/configs, even if I wanted to.  
    The actual computer I was trying to use: http://www.ecs.com.tw/LIVA/
    Thanks for any help.

    On the Windows Server Technical Preview,
    Install-ADDSForest -SkipPreChecks -DomainName DOMAIN.CONTOSO.COM -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "C:\Windows\NTDS" -SYSVOLPath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS\Logs"
    gives me the error "No NTFS 5 drives exit." (note exit, not exist)
    I'll reinstall Windows 2012 and see if I get a different message there.
    This was just a standard install, so the drive is definitely NTFS.

  • Exchange server-Removing a Domain Controller from the forest

    Hi Guys,
    I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
    1. The FSMO roles have been seized to a new domain controller already.
    2. The old one is non-functional and is down for ever.
    I know the steps would be doing a metadata cleanup and then removing some of the DNS entries related to the old server. But the real issue is:
    > I have Exchange 2013 running in one of the machines configured in the Forest, which was migrated from the old Domain controller. I then set Exchange listening to the new domain controller.
    So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the Exchange server? The Exchange machine acts as an additional domain controller as well. It's a production environment and any
    change that affects Exchange would cause a big loss. Looking forward to your valuable suggestions.
    Regards,
    Nash

    Hi Ed,
    I don't have issues with the AD on the Exchange server. Even though it is configured as an AD, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which
    I transferred the FSMO roles to the new domain controller. The old domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So I am just planning to do a 'metadata cleanup' to remove the non-working DC from the forest.
    So, in essence, I just want to know: if I do a metadata cleanup, would it affect the Exchange server in any way?
    Regards,
    Nash

  • Restoring a Domain Controller - When other DC's are available

    I'm trying to get some clarity and confidence on the proper way to restore domain controllers.  here are my questions:
    1. What is the proper way to restore a domain controller into an existing forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
    1a. In this scenario - will I need to enter DSRM mode prior to booting the server?
    2. What is the proper way to restore a virtualized domain controller into an existing forest where other domain controllers are present when you have a 3rd party image-based backup solution that has Hyper-V VSS writers?
    2a. In this scenario - will I need to enter DSRM mode prior to booting the server?

    1. What is the proper way to restore a domain controller into an existing forest where other domain
    controllers are present when you have a system state backup taken by Windows Server Backup?
    You can restore the DC using two possible methods:
    Method 1: Do a non-authoritative restore using a system state backup. Do not do an authoritative restore so that you do not lose recent changes here.
    Method 2: If the DC is an FSMO holder then seize the FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again as a DC. If it is not an FSMO holder then simply do a metadata cleanup and then re-install
    the server and promote it again as a DC.
    1a. In this scenario - will I need to enter DSRM mode prior to booting the server?
    Yes. You need to get inside DSRM mode to restore the DC from a system state backup.
    2. What is the proper way to restore a virtualized domain controller into an existing forest where
    other domain controllers are present when you have a 3rd party image-based backup solution that has Hyper-V VSS writers?
    You can read that: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
    Also, see that about DC cloning in Windows Server 2012 and higher: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
    2a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
    You can find the details in the links I shared.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • What note when remove an Domain controller from Existing Domain!!!

    Dear everybody,
    My company has 3 Domain controllers at the moment.
    all of them have some functions: DHCP, DNS.
    Now, we have a plan to remove a DC.
    So, what do we need to pay attention to when removing one of them?
    Thanks for your help!!!

    1. Migrate DHCP first, using the commands below:
    netsh dhcp server export C:\dhcp.txt all       (on the old server)
    netsh dhcp server import C:\dhcp.txt all       (on the new server)
    2. Enable the DNS debug log and see which clients are still pointing to the old DC.
    http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
    3. Change the DHCP Scope accordingly.
    HTH
    Biswajit
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011

  • Only contact Domain Controller when on a particular network

    As per subject, I have a laptop joined to a domain and logging on is slow when outside the network. Obviously it is trying to contact the domain controller but fails. Can we set it to immediately use the last saved password when not within the network?

    That might be the reason.
    But as you could log on, the cached info worked here. The slow logon might be caused by the mapped drives, and disabling the "always wait ..." policy should fit this, which is not recommended when mapped drives are in use.
    Run Xperf to check the slow logon process.
    http://blogs.technet.com/b/yongrhee/archive/2013/10/15/tool-windows-performance-toolkit-xperf-wprui-and-wpr-updated-version-as-of-aug-2013.aspx
    Rgds

  • Remove domain controller 2008 from active directory

    Hi,
    I have 2 DCs (2008 R2) and I have 2 TS; one of them doesn't get the GPO. I did everything, and I found that my 2 DCs don't replicate well; I can see the difference in the SYSVOL folder.
    Having explained myself, my question: what if I remove the DC (it's not the FSMO DC, it's the second one), and after removing it I add this DC?
    Do I need to run some checks before?
    After removing it, do I need to delete it from the DNS records?
    After adding the same DC to the domain, do I need to check something?
    Thanks
    Zahi

    Hi,   
    >i want to remove my dc and replace him with new dc.
    You can add a new DC to a domain, and then remove the DC that you want to remove.
    To add a DC to a domain, after adding the server to the domain, we can run dcpromo to install AD.
    After server 2012, Adprep.exe commands run automatically as needed as part of the AD DS installation process.
    For more detailed information about Adprep.exe, you can refer to the following link:
    Running Adprep.exe
    http://technet.microsoft.com/en-us/library/dd464018(v=WS.10).aspx
    For detailed steps about how to remove a domain controller from a domain, you can refer to the following link:
    Removing a Domain Controller from a Domain
    http://technet.microsoft.com/en-us/library/cc771844(v=WS.10).aspx
    Best Regards,
    Erin

  • Group Policy Management Console Fails to open when one Domain Controller is powered down

    Hi All,
    This was an accidental discovery, but here's my dilemma. I have a site with 2 domain controllers(Windows 2008 R2), and if I shut down my second domain controller, when I try to open the Group Policy Management  Console on the 1st domain controller,
    it fails to open and I get the following error, "The specified domain either does not exist or could not be contacted" with 3 options to "retry", "choose another domain controller", or remove.   If I go to chose another domain
    controller and select the 1st domain controller it still fails.  Unless the 2nd DC is turned on, I have no issues opening the GP management console. Not sure why this is happening; I've done it in the past without issue.
    Any help would be appreciated.
    Thanks

    Well, it seems that somehow the PDC emulator is set to be the 2nd DC instead of the 1st DC on the 1st DC, which explains the failure after the 2nd DC went down. Why, or should I say how, could the PDC get switched from the primary DC without human intervention?
    Does the PDC automatically switch for any reason?

  • Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

    Hi,
    I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
    in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
    When I run Farm configuration wizard to provision search service application, I get an error:
    ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
    The log file logged the details of this error as:
    ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
    that cannot be translated."
    After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
    be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
    I got some pointer from the below thread
    https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
    However, the above thread doesn't state that the solution worked.
    I have tried creating the share manually for the Analytics_<Guid> folder but it doesn't work, since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
    Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
    Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
    Thanks in advance.
    Himanshu

    Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
    Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Error finding a domain controller

    Hi,
    I have an error in finding a windows domain controller when a PC bootup and does a network access via a Cisco wireless PCMCIA card (AIR PCM-352) managed by Cisco ACU.
    This is the situation:
    - the operating system of the PC is Windows XP sp2
    - the wireless card is an AIR PCM352 with firmware V.5.60.21
    - the version of ACU is 6.6.00
    - the Access point is a Cisco 1120 (802.11b) with IOS version 12.3(8)JA
    - wireless communication is completely open (ssid in guest mode, authentication open ,no wep)
    - the ip address of the PC is obtained via DHCP (DHCP server is a Microsoft Server)
    I notice a difference between a Cisco PCMCIA card 352 managed by Cisco ACU and by Windows XP.
    In fact this error doesn't happen when the WLAN card is controlled by Windows wireless utility.
    Is it possible that the startup timing of the Cisco ACU is later than the Window's one?
    Has anyone resolved this error?
    Thanks in advance
    Antonio

    Hi Antonio,
    Obviously you get the error of the domain not found because your wireless card is not even associated (the wireless card utility hasn’t started)
    Can you clarify the line "Is it possible that the startup timing of the Cisco ACU is later than the Window's one? " . You mean start the Cisco ACU before the windows one right?
    The best way to get around issues like that is to use for example the Odyssey client from Funk and turn on GINA and it should work fine.
    Rgds,
    Pablo

  • Directory service console not able to open in a Domain Controller

    Hai,
    I have a 2008 domain controller. when i open the users and computer console i get the below error
    data from "domain name" is not available from domain controller because: the search filter cannot be recognized. try again later, or choose another DC by selecting connect to Domain controller on the domain context menu.
    What could be the issue? Please help.
    thanks in advance
    Thanks Chandru CT. MCITP

    When you open ADUC on windows 2008, it is trying to connect DC which is not available due to connectivity issue or DNS issue, try to connect different DC using ADUC console and see if it works.
    By default, DC should connect its own ADUC when type DSA.MSC in run, if it is connecting other DC, then there is issue with the existing DC.
    Verify DNS resolution is working; rebooting might also resolve your issue.
    Regards
    Awinish Vishwakarma
    MY BLOG:
     awinish.wordpress.com
    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Does Oracle 10G R2 support installation on Windows 2003 Domain Controller?

    Does Oracle 10g R2 support installation on Windows 2003 Domain Controller? I remember that 10g R1 had issues with the DC? Is it still the case. Does it work now?
    Any help is appreciated.
    Regards,
    Raghav

    We have Oracle 10g R2 running on a Windows 2003 domain controller. It was not a domain controller when Oracle was installed. The domain was created after installation. (I don't recommend that procedure. I spent a long day fixing the installation after they configured the domain.) If Oracle is unhappy with being on a domain controller, it has not shown it yet.

  • Rebuilding Domain controller & Transport Routes after system refresh

    I have refreshed Dev from Prdn, now my domain controller only shows single system
    I have documentation but, it is confusing to me how to have QAS and Prdn join the domain controller again and show the domain as a three tier system
    When I log into QAS and Prdn I still see the old 3 tier system including the domain and the other systems.
    Please advise
    maria
    Edited by: Maria Graziano on Mar 27, 2008 3:53 PM

    You don't perform a backup of the domain controller.
    You only designate one of the servers in STMS as the "Backup Domain Controller".
    When the primary controller fails, the "Backup Domain Controller" takes over its role and becomes the primary.
    So the procedure to refresh the domain controller is:
    1. Designate one of servers as backup domain controller
    2. Backup transport directory if it is on refreshed server (just in case)
    3. Switch backup controller to become primary
    4. Refresh primary system
    5. Join refreshed system to domain
    6. Switch back primary function to refreshed server
    Regards,
    Wojtek

  • Group MSA account fail when Domain Controller in Test Domain Fails to start KdsSvc. Event ID 7023

    Yesterday, in my test domain, I created the KDS root key using the command
    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
    on a DC that is not the PDC Emulator, because it was the server I was on at the time. Today, when I tried to create gMSA accounts on the PDC emulator, I get:
    Event ID 7023 The Microsoft Key Distribution Service terminated with the following error: An Exception occurred in the service when handling the control request
    I turned on logging for the KdsSvc and get 2 other errors:
    KdsSvc Event ID 4001: Group Key Distribution Service failed to start. Status 0x80070020
    KdsSvc Event ID 4007: Group Key Distribution Service cannot connect to the domain controller on local host.  Status 0x80070020.  Group Key Distribution Service cannot be started because of the error.  Please contact the administrator to resolve the issue.
    I took the opportunity to clean up AD, the Schema, and DNS, but the KDS errors continue. I am replicating successfully, DNS changes are reflected immediately, and when I run Get-KdsRootKey on the failing server, the key is returned. The Get-KdsConfiguration output matches the KDS config on the DC that was originally used to create the key.
    I have a pretty strict GPO pushed to my DCs, but I am still able to create gMSAs on the other server. I checked ADS&S and found the msKds-ProvRootKey, so I know it is at the domain level, but there is so little documentation on the KdsSvc that I am not sure if it is working as planned. I have tried unassigning several GPO configuration items, but I am throwing darts at this point. I have also uninstalled McAfee AV; IDS/IPS; Firewall.
    With that said, I have questions:
    Will gMSAs still work even though the domain PDC emulator cannot start the service?
    Is the KdsSvc supposed to start only on the server where Add-KdsRootKey was originally run?
    What happens if the server on which the KDS root key was created fails and has to be removed from the domain?
    Are there any books or configuration items I can review to learn the KdsSvc better?
    Env:
    Windows Standard Server 2012 R2 x64
    Active Directory 2012 R2 Schema Updated from Windows 2008 R2
    All FSMO roles are on the PDC Emulator which is a Windows 2012 R2 DC
    DCDiag returns no errors or test failures
    Repadmin returns clean results (/showreps & /replsum)
    Windows 2008 R2 Root CA hierarchy (not DCs)
    W32tm services are running with less than 6/10's of a ms difference among the domain.

    Hi,
    For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed Service Accounts.
    New-ADServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames <SPN1,SPN2,…>
    Did you use the command above?
    Here is a good blog:
    Windows Server 2012: Group Managed Service Accounts
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    Hope this helps.
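
    The checks and the gMSA creation discussed in this thread, as an added example that is not part of either post: it reports KdsSvc and KDS root key state on every DC, then creates a gMSA whose password only one host group can retrieve. The names gmsa-app01, GMSA-App01-Hosts, APP01 and contoso.test are placeholders, and the script assumes PowerShell remoting to the DCs and domain admin rights.

```powershell
# Added example. Placeholder names (constructed, not from the thread):
#   gmsa-app01, GMSA-App01-Hosts, APP01, contoso.test
Import-Module ActiveDirectory

# 1. Per-DC report: KdsSvc state, newest KDS root key, recent SCM 7023 events.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7023
            StartTime    = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*Key Distribution*' }
        [pscustomobject]@{
            KdsSvc        = (Get-Service -Name KdsSvc).Status.ToString()
            KeyId         = $key.KeyId
            EffectiveTime = $key.EffectiveTime
            # A key is only used once its EffectiveTime has passed.
            KeyEffective  = [bool]($key -and $key.EffectiveTime -le (Get-Date))
            KeyValid      = [bool]($key -and (Test-KdsRootKey -KeyId $key.KeyId))
            Events7023    = @($events).Count
        }
    }
}
$report | Format-Table PSComputerName, KdsSvc, KeyId, KeyEffective, KeyValid, Events7023

# 2. Create the gMSA so only one group of hosts may retrieve its password.
$group = New-ADGroup -Name 'GMSA-App01-Hosts' -GroupScope Global `
    -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity 'APP01')
New-ADServiceAccount -Name 'gmsa-app01' -DNSHostName 'gmsa-app01.contoso.test' `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# 3. Audit which principals can read the managed password.
Get-ADServiceAccount -Identity 'gmsa-app01' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 4. On APP01, once it has picked up the new group membership (e.g. a reboot):
#    Install-ADServiceAccount -Identity 'gmsa-app01'
#    Test-ADServiceAccount    -Identity 'gmsa-app01'   # True when usable
```

    Step 3 is worth repeating periodically: any principal listed there can obtain the account's current password, so the list should contain only the hosts that run the service.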
