Remove a domain controller

I have SBS 2008 with a Windows Server 2008 SP2 server as a second domain controller. I've added a new 2012 server and made it a domain controller. I need to demote the 2008 box. If I run dcpromo, it doesn't detect that it is a domain controller and just wants to create a new one. I notice that the AD DS service is not running; it is disabled. When I try to start it, it just stops. dsquery server shows all three as domain controllers. What is the best way to remove this DC?

I have gone through the thread. Please check the following:
1. Log in to the 2012 DC and check that "NTDS Settings" is not seen under the 2008 DC in the Active Directory Sites and Services snap-in
2. Ensure that the 2012 DC has all FSMO roles
3. Do your clients point to the 2008 DC or the 2012 DC for DNS resolution? If they use 2008, plan to change them to 2012
4. Ensure that the 2008 DC doesn't run any other services like WINS, DFS, DHCP, Certificate Services, etc.
5. Run repadmin /replsummary to see the replication state for the 2008 DC
Once the above are answered, I would suggest that you clean up the Active Directory metadata by using NTDSUTIL on the 2012 DC.
If there are any configuration issues with the 2008 DC and it is not completely removed from the configuration, then you could end up having lingering objects in your environment, and that might create more issues.
I suggest cleaning up AD before the tombstone period kicks in for the 2008 DC.
- Sarvesh Goel - Enterprise Messaging Administrator
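The checklist above as a script, added here as an example and not part of Sarvesh's answer. It is meant to run on the Windows Server 2012 DC with the ActiveDirectory module installed (RSAT-AD-PowerShell); the host name DC2008 is a placeholder for the 2008 server. It also counts global catalogs, which the list does not mention but which matters for the same reason as the FSMO roles: a DC that is the only GC cannot simply be removed.

```powershell
# Added example, not from the original thread. Run on the 2012 DC in an elevated
# Windows PowerShell session with the ActiveDirectory module (RSAT-AD-PowerShell).
# $OldDc is a placeholder; set it to the 2008 server's short name.
Import-Module ActiveDirectory

$OldDc    = 'DC2008'                    # hypothetical name of the DC being removed
$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$OldFqdn  = "$OldDc.$($Domain.DNSRoot)"

# 1. NTDS Settings: does the directory still carry a DSA object for the old DC?
$ntds = Get-ADObject -SearchBase "CN=Sites,$ConfigNC" -LDAPFilter '(objectClass=nTDSDSA)' |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$OldDc,CN=Servers,*" }
if ($ntds) { "NTDS Settings still present: $($ntds.DistinguishedName) -> metadata cleanup needed if demotion fails" }
else       { "No NTDS Settings object for $OldDc (already cleaned up)" }

# 2. FSMO roles: every role must sit on a DC that stays
$fsmo = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
foreach ($role in $fsmo.GetEnumerator()) {
    $flag = if ($role.Value -ieq $OldFqdn) { 'MOVE THIS ROLE' } else { 'ok' }
    '{0,-22} {1,-45} {2}' -f $role.Key, $role.Value, $flag
}

# 3. Global catalogs: at least one must remain once the old DC is gone
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object -ExpandProperty HostName
"Global catalogs: $($gcs -join ', ')"
if (-not ($gcs | Where-Object { $_ -ine $OldFqdn })) { "WARNING: $OldDc is the only global catalog" }

# 4. DNS: does this server still use the old DC's address? Check clients and DHCP scope option 006 the same way.
$oldIp = (Resolve-DnsName -Name $OldFqdn -Type A -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $oldIp -and ($_.ServerAddresses -contains $oldIp) } |
    ForEach-Object { "Interface '$($_.InterfaceAlias)' still lists $oldIp as a DNS server" }

# 5. Other roles on the old box that clients may still depend on
Get-Service -ComputerName $OldDc -Name DNS, DHCPServer, WINS, CertSvc -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# 6. Replication state (errors for the old DC are expected when its AD DS service will not start)
repadmin /replsummary
repadmin /showrepl $OldDc
```

Step 1 is the one that decides what comes next: if the NTDS Settings object is gone the DC is already out of the directory and only the server object, computer account and DNS records remain; if it is still there and the server's AD DS service will not start, a normal dcpromo demotion cannot succeed and metadata cleanup from the 2012 DC is the way out.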

Similar Messages

  • Exchange server-Removing a Domain Controller from the forest

    Hi Guys,
    I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
    1. The FSMO roles have been seized to a new domain controller already.
    2. The old one is non-functional and is down for ever.
    I know the steps would be doing a metadata cleanup and then removing some of the DNS entries related to the old server. But the real issue is:
    > I have Exchange 2013 running in one of the machines configured in the forest, which was migrated from the old domain controller. I then set Exchange listening to the new domain controller.
    So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the Exchange server? The Exchange machine acts as an additional domain controller as well. It's a production environment and any change that affects Exchange would cause a big loss. Looking forward to your valuable suggestions.
    Regards,
    Nash

    Hi Ed,
    I don't have issues with the AD on the Exchange server. Even though it is configured as a DC, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which I transferred the FSMO roles to the new domain controller. The old domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So I am just planning to do a 'metadata cleanup' for removing the non-working DC from the forest.
    So, in essence, I just want to know whether, if I do a metadata cleanup, it would affect the Exchange server in any way.
    Regards,
    Nash

  • Remove a domain controller when dcpromo bombs

    I'm trying to demote one server in a two-server setup.
    I start dcpromo, it gets part way through and then bombs with an "Access is denied" error,
    which is b~@:!hit. I've tried this 2 or 3 times with known good passwords (see dcpromoui.log below).
    So how can I fix that, or delete the controller without using dcpromo?
    Cheers,
    Dave
    ============================
    dcpromoui E28.638 0466 13:58:28.218   Enter DS::DemoteDC
    dcpromoui E28.638 0467 13:58:28.218     Enter State::IsLastDCInDomain false
    dcpromoui E28.638 0468 13:58:28.218     Enter State::IsForcedDemotion false
    dcpromoui E28.638 0469 13:58:28.218     Enter State::GetAdminPassword
    dcpromoui E28.638 046A 13:58:28.218     Enter State::GetAppPartitionList
    dcpromoui E28.638 046B 13:58:28.218     Enter AllocateAppPartitionList
    dcpromoui E28.638 046C 13:58:28.218     Calling DsRoleDemoteDc
    dcpromoui E28.638 046D 13:58:28.218     lpServer               : (null)
    dcpromoui E28.638 046E 13:58:28.218     lpDnsDomainName        : (null)
    dcpromoui E28.638 046F 13:58:28.218     ServerRole             : DsRoleServerMember
    dcpromoui E28.638 0470 13:58:28.218     lpAccount              : (null)
    dcpromoui E28.638 0471 13:58:28.218     Options                : 0x80
    dcpromoui E28.638 0472 13:58:28.218     fLastDcInDomain        : false
    dcpromoui E28.638 0473 13:58:28.218     cRemoteNCs             : 0
    dcpromoui E28.638 0474 13:58:28.250     HRESULT = 0x00000000
    dcpromoui E28.638 0475 13:58:28.250     Enter DeallocateAppPartitionList
    dcpromoui E28.638 0476 13:58:28.250     Enter DoProgressLoop
    dcpromoui E28.638 0477 13:58:28.250       Enter State::GetOperation DEMOTE
    dcpromoui E28.638 0478 13:58:28.250       Enter ProgressDialog::UpdateButton
    dcpromoui E28.638 0479 13:58:29.765       Enter ProgressDialog::UpdateText Active Directory Domain Services successfully transferred the remaining data in directory partition DC=ForestDnsZones,DC=data-action,DC=co,DC=uk to Active Directory Domain Controller \\nasbox.data-action.co.uk.
    dcpromoui E28.638 047A 13:58:43.297       Enter ProgressDialog::UpdateText Stopping service NETLOGON
    dcpromoui E28.638 047B 13:58:44.797       Enter ProgressDialog::UpdateText Stopping service IsmServ
    dcpromoui E28.638 047C 13:58:47.797       Enter ProgressDialog::UpdateText Stopping service kdc
    dcpromoui E28.638 047D 13:58:49.297       Enter ProgressDialog::UpdateText Creating a new local security account manager (SAM) database...
    dcpromoui E28.638 047E 13:58:50.875       Enter ProgressDialog::UpdateText Removing Active Directory Domain Services objects that refer to the local Active Directory Domain Controller from the remote Active Directory Domain Controller nasbox.data-action.co.uk...
    dcpromoui E28.638 047F 13:59:02.875       Enter ProgressDialog::UpdateText Configuring service NTDS
    dcpromoui E28.638 0480 13:59:04.375       Enter ProgressDialog::UpdateText Configuring service NETLOGON
    dcpromoui E28.638 0481 13:59:05.875       Enter ProgressDialog::UpdateText Configuring service DFSR
    dcpromoui E28.638 0482 13:59:07.375       Enter ProgressDialog::UpdateText The attempted domain controller operation has completed
    dcpromoui E28.638 0483 13:59:07.375       Enter ProgressDialog::UpdateButton
    dcpromoui E28.638 0484 13:59:07.375       Progress loop complete.
    dcpromoui E28.638 0485 13:59:07.375       Calling DsRoleGetDcOperationResults
    dcpromoui E28.638 0486 13:59:07.375       Error 0x0 (!0 => error)
    dcpromoui E28.638 0487 13:59:07.375       Operation results:
    dcpromoui E28.638 0488 13:59:07.375       OperationStatus      : 0x5 !0 => error
    dcpromoui E28.638 0489 13:59:07.375       DisplayString        : The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    dcpromoui E28.638 048A 13:59:07.375       ServerInstalledSite  : (null)
    dcpromoui E28.638 048B 13:59:07.375       OperationResultsFlags: 0x0
    dcpromoui E28.638 048C 13:59:07.375       Enter ProgressDialog::UpdateText The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    dcpromoui E28.638 048D 13:59:07.375       Enter State::SetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    dcpromoui E28.638 048E 13:59:07.375       Enter State::SetOperationResultsFlags 0x0
    dcpromoui E28.638 048F 13:59:07.375   Exception caught
    dcpromoui E28.638 0490 13:59:07.375   catch completed
    dcpromoui E28.638 0491 13:59:07.375   handling exception
    dcpromoui E28.638 0492 13:59:07.375   Enter State::ClearHiddenWhileUnattended
    dcpromoui E28.638 0493 13:59:07.375   Enter EnableConsoleLocking
    dcpromoui E28.638 0494 13:59:07.375     Enter RegistryKey::Create SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    dcpromoui E28.638 0495 13:59:07.375     Enter RegistryKey::SetValue-DWORD DisableLockWorkstation
    dcpromoui E28.638 0496 13:59:07.375   Enter State::SetOperationResults result FAILURE
    dcpromoui E28.638 0497 13:59:07.375   Enter ProgressDialog::UpdateText
    dcpromoui E28.638 0498 13:59:07.375   Enter State::IsOperationRetryAllowed
    dcpromoui E28.638 0499 13:59:07.375     true
    dcpromoui E28.638 049A 13:59:07.375   credentials were invalid, hr=0x80070005
    dcpromoui E28.638 049B 13:59:07.375   Enter GetErrorMessage 80070005
    dcpromoui E28.638 049C 13:59:07.375   Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    dcpromoui E28.638 049D 13:59:07.375   Enter State::GetOperation DEMOTE
    dcpromoui E28.638 049E 13:59:07.375   Enter State::GetParentDomainDnsName
    dcpromoui E28.638 049F 13:59:44.469   credential retry canceled
    dcpromoui E28.638 04A0 13:59:44.469   Enter ComposeFailureMessage
    dcpromoui E28.638 04A1 13:59:44.469     Enter State::GetOperationResultsMessage The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    dcpromoui E28.638 04A2 13:59:44.469     Enter State::GetOperationResultsFlags 0x0
    dcpromoui E28.638 04A3 13:59:44.469     Enter State::GetOperationResultsFlags 0x0
    dcpromoui E28.638 04A4 13:59:44.469     Enter State::SetFailureMessage The operation failed because:
    The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    "Access is denied."
    dcpromoui E28.638 04A5 13:59:44.469   posting message to progress window
    dcpromoui E28.318 04A6 13:59:44.469               Enter ProgressDialog::UpdateText Operation Stopped
    dcpromoui E28.318 04A7 13:59:44.485               Enter ProgressDialog::OnDestroy
    dcpromoui E28.318 04A8 13:59:44.485             OPERATION FAILED
    dcpromoui E28.318 04A9 13:59:44.485           Enter State::GetNeedsReboot false
    dcpromoui E28.318 04AA 13:59:44.485           Enter State::IsOperationRetryAllowed
    dcpromoui E28.318 04AB 13:59:44.485             true
    dcpromoui E28.318 04AC 13:59:44.485           Enter Wizard::SetNextPageID id = 156
    dcpromoui E28.318 04AD 13:59:44.485             push 142
    dcpromoui E28.318 04AE 13:59:44.485         Enter FailurePage::OnInit
    dcpromoui E28.318 04AF 13:59:44.485           Enter MultiLineEditBoxThatForwardsEnterKey::Init
    dcpromoui E28.318 04B0 13:59:44.485             Enter ControlSubclasser::Init
    dcpromoui E28.318 04B1 13:59:44.485         Enter FailurePage::OnSetActive
    dcpromoui E28.318 04B2 13:59:44.485           Enter State::GetOperationResultsCode FAILURE
    dcpromoui E28.318 04B3 13:59:44.485           Enter State::GetNeedsReboot false
    dcpromoui E28.318 04B4 13:59:44.485           Enter State::GetFailureMessage The operation failed because:
    The attempt at remote directory server nasbox.data-action.co.uk to remove directory server CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk was unsuccessful.
    "Access is denied."
    dcpromoui E28.318 04B5 13:59:47.876         Enter DCPromoWizardPage::OnWizNext
    dcpromoui E28.318 04B6 13:59:47.876           Enter FailurePage::Validate
    dcpromoui E28.318 04B7 13:59:47.876           Enter Wizard::SetNextPageID id = 154
    dcpromoui E28.318 04B8 13:59:47.876             push 156
    dcpromoui E28.318 04B9 13:59:47.876         Enter FinishPage::OnInit
    dcpromoui E28.318 04BA 13:59:47.876           Enter MultiLineEditBoxThatForwardsEnterKey::Init
    dcpromoui E28.318 04BB 13:59:47.876             Enter ControlSubclasser::Init
    dcpromoui E28.318 04BC 13:59:47.876         Enter FinishPage::OnSetActive
    dcpromoui E28.318 04BD 13:59:47.876           Enter State::GetNeedsReboot false
    dcpromoui E28.318 04BE 13:59:47.876           Enter getCompletionMessage
    dcpromoui E28.318 04BF 13:59:47.876             Enter State::GetOperation DEMOTE
    dcpromoui E28.318 04C0 13:59:47.876             Enter State::GetOperationResultsCode FAILURE
    dcpromoui E28.318 04C1 13:59:47.876             Enter NeedDsBinaryWarning
    dcpromoui E28.318 04C2 13:59:47.876               Enter Computer::RemoveLeadingBackslashes
    dcpromoui E28.318 04C3 13:59:47.876               Enter GetProductTypeFromRegistry
    dcpromoui E28.318 04C4 13:59:47.876                 Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
    dcpromoui E28.318 04C5 13:59:47.876                 Enter RegistryKey::GetValue-String ProductType
    dcpromoui E28.318 04C6 13:59:47.876                 LanmanNT
    dcpromoui E28.318 04C7 13:59:47.876                 prodtype : 0x2
    dcpromoui E28.318 04C8 13:59:47.876             Enter State::GetFinishMessages
    dcpromoui E28.318 04C9 13:59:59.751         Enter FinishPage::OnWizFinish
    dcpromoui E28.318 04CA 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04CB 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04CC 13:59:59.766         Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04CD 13:59:59.766       Enter State::GetNeedsReboot false
    dcpromoui E28.318 04CE 13:59:59.766       Enter State::GetUserCancelled false
    dcpromoui E28.318 04CF 13:59:59.766       Enter State::GetOperationResultsCode FAILURE
    dcpromoui E28.318 04D0 13:59:59.766       Enter State::GetHadNonCriticalFailures
    dcpromoui E28.318 04D1 13:59:59.766         bHadNonCriticalFailures = false
    dcpromoui E28.318 04D2 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D3 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D4 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D5 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D6 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D7 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D8 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04D9 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04DA 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04DB 13:59:59.766       Enter ControlSubclasser::UnhookWindowProc
    dcpromoui E28.318 04DC 13:59:59.766     exitCode = 54
    dcpromoui E28.318 04DD 13:59:59.766   Enter State::UnbindFromReplicationPartnetDC
    dcpromoui E28.318 04DE 13:59:59.766 closing log

    This is what I decided to do. Unfortunately the metadata cleanup did not complete.
    Access is denied? That sounds familiar.
    The server is still listed in "AD Sites and Services" (and cannot be deleted by the management snap-in).
    ===================================================
    select operation target: select server 1
    Site - CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
    Domain - DC=data-action,DC=co,DC=uk
    Server - CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
            DSA object - CN=NTDS Settings,CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk
            DNS host name - lpServer.data-action.co.uk
    No current Naming Context
    select operation target: quit
    metadata cleanup: remove selected server
    Transferring / Seizing FSMO roles off the selected server.
    Removing FRS metadata for the selected server.
    Unable to find server reference on "CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk".
    LDAP error 0x5e(94 (No result present in message).
    The attempt to remove the FRS settings on CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk failed because "Element not found.";
    metadata cleanup is continuing.
    DsRemoveDsServerW error 0x5(Access is denied.)
    metadata cleanup:
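Both failures in Dave's post are the same authorization failure: dcpromoui.log shows the remote DC nasbox.data-action.co.uk answering "Access is denied" (hr=0x80070005) when asked to remove the LPSERVER server object, and ntdsutil's DsRemoveDsServerW returns error 0x5 for the same delete. The script below is an added example, not part of the post: it checks what rights the session actually has on that object in the Configuration partition before retrying the cleanup from a surviving DC. The DNs are the ones ntdsutil printed; the cmdlets need the ActiveDirectory module, and the DNS check at the end needs the DnsServer module (Windows Server 2012 or later).

```powershell
# Added example, not from the original post. Run on a surviving DC (nasbox in this thread),
# elevated, as a member of Enterprise Admins. The DNs are the ones printed by ntdsutil above.
Import-Module ActiveDirectory

$ServerDN = 'CN=LPSERVER,CN=Servers,CN=Palatine,CN=Sites,CN=Configuration,DC=data-action,DC=co,DC=uk'
$NtdsDN   = "CN=NTDS Settings,$ServerDN"

function Test-ADObjectExists([string]$Dn) {
    # Get-ADObject -Identity throws on a missing object, so wrap it instead of relying on -ErrorAction
    try   { [bool](Get-ADObject -Identity $Dn -ErrorAction Stop) }
    catch { $false }
}

# 1. The token ntdsutil/dcpromo present to the remote DC: is Enterprise Admins actually in it?
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isEA = [bool]((whoami /groups) -match 'Enterprise Admins')
"Running as $($me.Name); Enterprise Admins in token: $isEA"

# 2. The ACL the remote DC evaluates for the delete: who is allowed to remove the server object?
(Get-Acl -Path "AD:\$ServerDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -match 'Delete|GenericAll') } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. What is left of the DC in the Configuration partition?
$hasServer = Test-ADObjectExists $ServerDN
$hasNtds   = Test-ADObjectExists $NtdsDN
"Server object present: $hasServer; NTDS Settings present: $hasNtds"

# 4. Metadata cleanup as one non-interactive ntdsutil command (Server 2008 and later syntax).
#    This is the same 'remove selected server' that returned DsRemoveDsServerW error 0x5 above;
#    re-run it only from a session that step 2 shows has delete rights.
if ($hasNtds) {
    ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit
}
elseif ($hasServer) {
    # NTDS Settings already gone (ntdsutil's "No current Naming Context"): only the server
    # container is left, and it can be deleted directly, as Sites and Services would do.
    Remove-ADObject -Identity $ServerDN -Recursive -Confirm:$false
}

# 5. Leftovers outside the Configuration partition: the computer account (userAccountControl
#    8192 = SERVER_TRUST_ACCOUNT means it is still flagged as a DC) and DNS records naming the host.
Get-ADComputer -Filter { Name -eq 'LPSERVER' } -Properties userAccountControl |
    Select-Object Name, DistinguishedName, userAccountControl
Get-DnsServerResourceRecord -ZoneName 'data-action.co.uk' -ErrorAction SilentlyContinue |
    Where-Object { $_.HostName -ieq 'lpserver' -or "$($_.RecordData.NameServer)" -like 'lpserver.*' } |
    Select-Object HostName, RecordType, @{n='Data';e={ $_.RecordData }}
```

The ntdsutil run in the post got as far as "Transferring / Seizing FSMO roles" and the FRS cleanup before the delete itself failed, so the remaining work is only step 4 onward; if step 2 shows no Allow entry for the groups in your token, the retry will fail in exactly the same way until it is run as one that has them.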

  • What to note when removing a Domain Controller from an existing domain

    Dear everybody,
    My company has 3 Domain Controllers at the moment.
    All of them have some functions: DHCP, DNS.
    Now, we have a plan to remove a DC.
    So, what do we need to pay attention to when removing one of them?
    Thanks for your help!!!

    1. Migrate DHCP first, using the commands below:
    netsh dhcp server export C:\dhcp.txt all       - old server
    netsh dhcp server import C:\dhcp.txt all       - new server
    2. Enable the DNS debug log and see which clients are still pointing at the old DC.
    http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
    3. Change the DHCP scope accordingly.
    HTH
    Biswajit
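Biswajit's step 2 in script form, added here as an example that is not part of his answer. It assumes the old DC's DNS debug log was switched on at the level shown in the comment and the line format of the Windows DNS Server debug log; the log path, the 10.1.10.x addresses and the sample lines are constructed for illustration.

```powershell
# Added example, not from the original thread: find which clients still query the old DC
# for DNS by parsing its debug log, before the DC is demoted.
#
# Turn on logging of received UDP queries on the old DC (dnscmd works on 2008 and later):
#   dnscmd OLDDC /Config /LogLevel 0x6101     (0x6101 = Query | Questions | Receive | UDP)
#   dnscmd OLDDC /Config /LogFilePath C:\Windows\System32\dns\dns.log
# Leave it running for at least one full DHCP lease period, then collect the file.

function Get-DnsQueryClient {
    param([string[]]$LogLine)
    # One debug-log line per packet:
    # <date> <time> <AM/PM> <tid> PACKET <ptr> <UDP|TCP> <Rcv|Snd> <client ip> <xid> <Q|R> [<flags>] <type> <name>
    $rx = '^(?<stamp>\S+ \S+ \S+)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<ip>\S+)\s+\S+\s+(?<qr>Q|R)\s+\[[^\]]*\]\s+(?<type>\S+)\s+(?<name>\S+)'
    foreach ($line in $LogLine) {
        # Only queries received from clients; responses ("Snd", "R") are skipped
        if ($line -match $rx -and $Matches.dir -eq 'Rcv' -and $Matches.qr -eq 'Q') {
            # "(6)server(6)domain(5)local(0)" -> "server.domain.local"
            $fqdn = ($Matches.name -replace '\(\d+\)', '.').Trim('.')
            [pscustomobject]@{
                Time   = $Matches.stamp
                Client = $Matches.ip
                Type   = $Matches.type
                Name   = $fqdn
            }
        }
    }
}

function Get-DnsClientSummary {
    param([string[]]$LogLine)
    # Clients ordered by how many queries they sent, with one example query each
    Get-DnsQueryClient -LogLine $LogLine |
        Group-Object Client |
        Sort-Object Count -Descending |
        Select-Object @{n='Client';e={ $_.Name }}, Count, @{n='SampleQuery';e={ $_.Group[0].Name }}
}

# Constructed sample lines in the debug-log format; in practice use
#   Get-Content C:\Windows\System32\dns\dns.log
$sample = @(
    '3/10/2015 9:19:02 AM 0A2C PACKET  000000F5B3A3C5A0 UDP Rcv 10.1.10.31      0002   Q [0001   D   NOERROR] A      (6)server(6)domain(5)local(0)',
    '3/10/2015 9:19:02 AM 0A2C PACKET  000000F5B3A3C5A0 UDP Snd 10.1.10.31      0002 R Q [8081   DR  NOERROR] A      (6)server(6)domain(5)local(0)',
    '3/10/2015 9:19:05 AM 0A2C PACKET  000000F5B3A3C6B0 UDP Rcv 10.1.10.77      0003   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(2)dc(6)_msdcs(6)domain(5)local(0)',
    '3/10/2015 9:19:09 AM 0A2C PACKET  000000F5B3A3C7C0 UDP Rcv 10.1.10.31      0004   Q [0001   D   NOERROR] AAAA   (3)www(7)example(3)com(0)'
)
Get-DnsClientSummary -LogLine $sample | Format-Table -AutoSize
```

Every client address in the summary is one that still needs its DNS settings changed (by DHCP scope option 006 for leased clients, or by hand for statically configured servers) before the old DC goes away; a client that only shows up with SRV queries for _msdcs is using the old DC for domain logon as well as for name resolution.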

  • Remove domain controller 2008 from active directory

    Hi,
    I have 2 DCs (2008 R2) and I have 2 TSs; one of them doesn't get the GPO. I did everything and found that my 2 DCs don't replicate well; I can see the difference in the SYSVOL folder.
    Let me explain myself. My question: if I remove the DC (it's not the FSMO DC, it's the second one), can I add this DC again after removing it?
    Do I need to do some checks before?
    After removing it, do I need to delete it from the DNS records?
    After adding the same DC to the domain, do I need to check something?
    Thanks
    Zahi

    Hi,
    > I want to remove my DC and replace it with a new DC.
    You can add a new DC to the domain, and then remove the DC that you want to remove.
    To add a DC to a domain, after adding the server to the domain, we can run dcpromo to install AD DS.
    Beginning with Windows Server 2012, the Adprep.exe commands run automatically as needed as part of the AD DS installation process.
    For more detailed information about Adprep.exe, you can refer to the following link:
    Running Adprep.exe
    http://technet.microsoft.com/en-us/library/dd464018(v=WS.10).aspx
    For detailed steps about how to remove a domain controller from a domain, you can refer to the following link:
    Removing a Domain Controller from a Domain
    http://technet.microsoft.com/en-us/library/cc771844(v=WS.10).aspx
    Best Regards,
    Erin
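Erin's add-then-remove sequence in PowerShell, as an added example that is not part of the original answer. It uses the ADDSDeployment cmdlets that replace dcpromo on Windows Server 2012 and later, so it applies to a 2012 replacement rather than to the 2008 R2 DCs in Zahi's question. The host names DC2 and DC3, the domain corp.example.com and the site name are placeholders. The last step addresses Zahi's DNS question: a clean demotion deregisters the DC's own locator (SRV and A) records, but Netlogon does not manage NS records, so those are checked separately.

```powershell
# Added example, not from the original answer. Uses the ADDSDeployment module that replaces
# dcpromo on Windows Server 2012 and later. Names below are placeholders.
$Domain = 'corp.example.com'                          # hypothetical domain
$NewDc  = 'DC3'                                       # replacement DC; step 1 runs on it
$OldDc  = 'DC2'                                       # DC being removed; step 3 runs on it
$Cred   = Get-Credential -Message 'Domain Admins account'
$Dsrm   = Read-Host 'DSRM (safe mode) password' -AsSecureString

# 1. On the new server: prerequisite check, then promotion. Adprep runs automatically as needed.
Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $Cred -InstallDns `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $Dsrm
Install-ADDSDomainController -DomainName $Domain -Credential $Cred -InstallDns `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $Dsrm -Force

# 2. From any DC, once replication to the new DC is healthy: transfer (not seize) every
#    FSMO role the old DC holds. -Force would seize, which is only for a DC that is gone for good.
repadmin /replsummary
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo

# 3. On the old DC: prerequisite check, then a normal demotion. On the way out the DC
#    deregisters its own SRV/A locator records and removes its NTDS Settings object.
$LocalPw = Read-Host 'Local Administrator password for the demoted server' -AsSecureString
Test-ADDSDomainControllerUninstallation -Credential $Cred -LocalAdministratorPassword $LocalPw
Uninstall-ADDSDomainController -Credential $Cred -LocalAdministratorPassword $LocalPw -Force
# Only if the old DC can no longer reach the others: add -ForceRemoval, then run metadata
# cleanup on a surviving DC (ntdsutil "metadata cleanup" "remove selected server <DN>" quit quit).

# 4. On a DNS server, after the demotion: NS records are not touched by Netlogon, so look for
#    any that still name the old DC in the domain zone and its _msdcs zone.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -like "$OldDc.*" } |
        ForEach-Object { "Stale NS record in ${zone}: $($_.RecordData.NameServer)" }
}
```

Re-adding the same server afterwards is just step 1 again on that machine; what matters is that step 3 completed cleanly (or metadata cleanup was done), otherwise the new promotion collides with the stale objects of the old one.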

  • Remove Domain Controller role from Exchange 2010 Server

    Hi team,
    There is a client with a Domain Controller (2008 R2) running together with Exchange Server 2010 SP3. However there were some huge problems with Exchange and the DC; therefore, since the best practice is to keep those roles separate, they need to do so.
    Can someone please suggest the best approach? The server they use right now has 16GB; therefore, whatever is done, Exchange should be on that machine and the DC on the other one with 6GB.
    Option 01.
    Both Exchange and DC are together
    Install a new Exchange on a temporary server, move everything, and make that Exchange server the only working primary
    Remove Exchange from the DC server
    Promote a new additional DC, move the FSMO roles to it and make it primary
    Demote the old DC from the 16GB server
    Install Exchange again on the 16GB server and move everything from the temporary server
    Or Option 02
    Add a new additional Domain Controller server and make it primary with GC and FSMO
    Run dcpromo to demote the old Domain Controller role from where the Exchange Server is also installed
    Once the DC role is removed from the Exchange server, set up DNS and perform a restart, so Exchange will identify the new GC and domain controller
    Live happily ever after
    Thank You,
    Cheers!!

    Adding/removing the DC role while Exchange is installed is not supported, so forget about your Option 2.
    Here's what I would do:
    1. Install a new GC/DC (move FSMO etc.)
    2. Install a new temporary server for Exchange and move everything over
    3. Decommission the old Exchange Server
    4. Demote the old Domain Controller
    5. Install Exchange on a freshly installed OS and move everything over from your temp server
    Martina Miskovic

  • Remove vmware snapshot on R2 domain controller

    I have a VMware VM which is running W2012 R2 (Domain Controller) and I made a snapshot in the past. Can I remove the snapshot without any issues if I power the machine off, or will this cause issues because it will merge the 2 disks?

    This question would be better answered in the VMware forum. https://communities.vmware.com/welcome
    In the current forum you would receive professional advice concerning Hyper-V.
    Generally, taking snapshots of a Domain Controller is NOT recommended; namely, older ones may retire.
    And more, snapshots as such are better for testing and some kind of fast recovery (for example when updates fail).
    Thanks for understanding
    Milos

  • Potential Downtime or Damage to Exchange if I remove a second domain controller??

    We have a single instance of Exchange 2010 with all roles (minus Lync, communications, etc.) on a Server 2008 Standard server.
    We also have a primary domain controller and a second domain controller that offers DNS and would be used in case of disaster to the primary controller.
    I've noticed in the past that if the secondary domain controller is down for maintenance the Exchange server starts having problems. A major example of this would be last year: the virtual instance of the second domain controller failed and when we rebooted the Exchange server, it lost its association with the domain even though the primary domain controller was readily accessible.
    We are in a spot now where we no longer need the secondary domain controller and want to decommission it. I obviously want that to go as smoothly as possible. Is there anything I should do to prevent any unwanted damage to the Exchange environment?
    Jonathan Strader

    It doesn't seem that anyone has responded to this. The short answer is that turning off the secondary server will NOT have an effect on the Exchange server. HOWEVER, that is the short answer.
    It WILL have an effect if:
    1) the secondary server is the ONLY DNS server and the Exchange server is using the secondary server for DNS queries.
    2) The FSMO roles are on the secondary server.
    3) The secondary server is the only global catalog.
    I know this is a lot to take in, but it really isn't that hard. FSMO roles and the global catalog are just pieces of Active Directory that keep track of users, rights, settings, that sort of thing. You need to make sure that you seize the FSMO roles on the first domain controller.
    One command you can run on the first server to check the FSMO roles is:
    netdom query fsmo
    On a side note, this is what you can do as well to see if the secondary server has any effect on Exchange. Ready? Turn off the secondary server and see if anything bad happens (people don't get their emails...). If something stops working after you turn off the second server, then turn it back on again. Everything should be back to normal.
    Jerry Suner

  • Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

    Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
    I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I'm trying to figure out what the cause is.
    The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren't using that until I get certificates set up.)
    For 6+ months everyone had access to the shared files and databases on each workstation without issue.
    In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
    Last week one of the computers intermittently cannot gain access to the shared folders; entering the correct credentials just results in the credentials being requested again and again. There's an error icon at the bottom saying that "there are currently no logon servers available to service the logon request". While access is rejected I'm still able to ping the DC both via its name and IPv4 address.
    (Pinging via its name results in an IPv6 address in the response.)
    Other network connectivity appears intact (able to browse the web, perform network discovery).
    Things that 'seem' to allow access on this computer until the next failure:
    Entering a different domain username and password into the Windows credentials request has allowed access a couple of times.
    Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once).
    After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
    Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
    Most Problematic Computer:
    Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown IPv6 and the server's IPv4 address in the DNS server list.)
    Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on 'Server.domain.local': "No such host is known."
    Event ID 5719: NETLOGON. This computer was not able to set up a secure session with a domain controller in the domain due ...: there are currently no logon servers available to service the logon request.
    And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
    On the server I've run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
    Ipconfig/all from the server:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
       Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Preferred)
       Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
                                           10.1.10.1
       DHCPv6 IAID . . . . . . . . . . . : 234638804
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
       DNS Servers . . . . . . . . . . . : ::1
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ipconfig/all from the problematic computer:
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : wp.comcast.net
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
       Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Preferred)
       Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Preferred)
       Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
       Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
       Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
                                           10.1.10.1
       DHCP Server . . . . . . . . . . . : 10.1.10.1
       DHCPv6 IAID . . . . . . . . . . . : 54535618
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
       DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                           2001:558:feed::2
                                           10.1.10.42
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
    Thanks,
     -JT

    Hi,
    According to the errors you have posted: a Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
    Most of the time this is caused by network issues or name resolution (DNS/WINS) issues; you could refer to:
    Netlogon 5719 and the Disappearing Domain [Controller]
    http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
    Did you refer to this KB article?
    Event ID 5719 is logged when you start a Domain Member
    http://support.microsoft.com/kb/938449
    Regards.
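An added example, not part of the thread: the checks I would run on the problem computer, given that every event JT lists (8016, 131, 5719, 1054) is a name-resolution failure and the client's ipconfig shows two non-domain IPv6 DNS servers (2001:558:feed::1 and ::2) listed ahead of the DC at 10.1.10.42. It asks each configured DNS server directly for the DC locator SRV record, so it shows which of them can actually find a DC. It needs Windows 8 / Server 2012 or later for the DnsClient cmdlets; the domain name is read from the joined machine.

```powershell
# Added example, not from the original thread. Run on the affected domain member
# (Windows 8 / Server 2012 or later for the DnsClient cmdlets).
$DomainDns = (Get-CimInstance Win32_ComputerSystem).Domain   # e.g. 'domain.local' on a joined client
$SrvName   = "_ldap._tcp.dc._msdcs.$DomainDns"

function Test-DcLocatorDns {
    # For every DNS server configured on every adapter, ask it directly for the DC SRV record.
    # A server that cannot answer (an ISP resolver, for instance) is useless for domain logon,
    # and if it is listed first the client will keep asking it before the DC.
    foreach ($cfg in Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses }) {
        $order = 0
        foreach ($server in $cfg.ServerAddresses) {
            $order++
            $answer = Resolve-DnsName -Name $SrvName -Type SRV -Server $server -DnsOnly -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Interface = $cfg.InterfaceAlias
                Family    = $cfg.AddressFamily
                Order     = $order
                DnsServer = $server
                FindsDC   = [bool]$answer
                DCs       = ($answer | ForEach-Object { $_.NameTarget }) -join ', '
            }
        }
    }
}

Test-DcLocatorDns | Format-Table -AutoSize

# What the Netlogon DC locator itself gets (the component behind event 5719);
# /force bypasses the cached result so the current DNS configuration is what is tested
nltest /dsgetdc:$DomainDns /force

# Event 8016 is the client failing to register its A/AAAA records; retry, then read the
# most recent DNS Client events from the System log to see whether it now succeeds
Register-DnsClient
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client' } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Any row with FindsDC false and Order 1 is a DNS server the client prefers over the DC and that cannot resolve the domain; on a DHCP-assigned client those entries come from the gateway's DHCP (and DHCPv6/RA) configuration, which is where the fix belongs rather than on the client.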

  • Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

    I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
    trying to do an in-place upgrade of a Domain Controller from Windows 2008 R2 to Windows 2012 R2.
    The problem was the separate System Reserved Partition. After I removed it using these instructions:
    http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
    the upgrade ran OK, and now I have my DC as Windows 2012 R2.
    Hope that helps!

  • The Best Way to Restore a DC if it is removed from Domain

    Good Day,
    I have 2 Windows Server 2008 R2 DCs in my network and I am trying to upgrade 1 of them to Server 2012 R2. The DC being replaced is also running Certificate Services. To do this I will need to remove AD from the DC as well as remove the CA and remove it from the domain. I plan on backing up and restoring Active Directory/Certificate Services to the new Server 2012 box, with the new server using the same name as the old DC.
    I am worried about this transition because if something goes wrong I will not only have to restore from backup, I will have to restore the computer object in AD as well.
    Would the best strategy be:
    Backup AD using ntdsutil
    Uninstall AD and CA from DC01
    Remove DC01 from domain
    ** failure occurs **
    Restore DC01 computer object in AD on DC02 using ntdsutil authoritative restore
    Restore full OS on DC01 from tape backup
    The problem I have with this is that all of the settings in Sites and Services will still be gone because of the removal of AD from DC01. I am also thinking about simply taking snapshots of the 2 DCs, as they are both virtual servers in Hyper-V.
    Another Strategy (Not approved of as snapshot is NOT a backup):
    Snapshot both DC01 and DC02
    Uninstall AD and CA from DC01
    Remove DC01 from domain
    ** failure occurs **
    Revert back to pre-removal snapshot of DC02
    Revert back to pre-removal snapshot of DC01
    Any help would be awesome!
    Antony

    Hi,
    First of all, we don't recommend installing a CA on a DC. This is because if the DC becomes corrupt and needs to be demoted, we need to uninstall the CA role first. If you want to install the CA on a DC, please follow the steps below:
    Clean install a new windows 2012 server and add it to domain as domain member.
    Promote this new windows 2012 R2 server to DC.
    Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
    http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
    Transfer or seize FSMO roles from old windows 2008 R2 DC to new windows 2012 R2 DC
    How to view and transfer FSMO roles in Windows Server 2003
    http://support.microsoft.com/kb/324801/en-us
    Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
    http://support.microsoft.com/kb/255504/en-au
    Back up CA from 2008 R2 server with steps below:
    Backing up a CA database and private key.
    Backing up CA registry settings.
    Backing up CAPolicy.inf only if we install our CA by using it.
    Removing the CA role service from this server.
    Restoring the CA database and configuration on new server.
    Verifying the migration:
    Verifying certificate enrollment
    Verifying CRL publishing
    For more information please refer below articles:
    AD CS Migration: Preparing to Migrate: 
    http://technet.microsoft.com/en-us/library/ee126102(WS.10).aspx
    Migrating the Certification Authority: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx
    Performing Post-Upgrade or Post-Migration Tasks: http://technet.microsoft.com/en-us/library/cc742471(v=ws.10).aspx
    5. After that, take the old 2008 DC offline for a while. If everything is working fine, you can then demote the Windows 2008 DC.
    Thanks.
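    The CA backup steps listed in the reply above (database and private key, registry settings, CAPolicy.inf), as an added PowerShell example that is not from the thread or from Microsoft's migration guide. It runs on the old CA server; the backup folder `C:\CABackup` is an assumed location, and it uses the `certutil -backup` and `reg export` commands that the AD CS migration guide is based on.

```powershell
# Added example (not from the thread): back up an AD CS CA on the old server
# following the steps in the reply above. Assumes the CA role is installed
# locally and that $BackupRoot (assumed path) is writable. Run elevated on the CA.
param(
    [string]$BackupRoot = 'C:\CABackup',          # assumed destination
    [Parameter(Mandatory)][SecureString]$Password # protects the exported private key
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target | Out-Null

# 1. CA database and private key. certutil writes <CAName>.p12 plus a DataBase
#    subfolder holding the EDB file and logs; -p protects the PFX.
$plain = [pscredential]::new('x', $Password).GetNetworkCredential().Password
& certutil.exe -p $plain -backup $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA registry settings: CRL/AIA publishing paths, validity periods, templates.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }

# 3. CAPolicy.inf, which only exists if the CA was installed with one.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $target }

# 4. Record the published certificate templates so the list can be compared
#    against the new CA after the restore.
& certutil.exe -catemplates | Out-File (Join-Path $target 'templates.txt')

# Sanity check: the backup must contain both the key material and the database.
$pfx = Get-ChildItem $target -Filter '*.p12'
$edb = Get-ChildItem (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $pfx -or -not $edb) { throw "backup in $target is incomplete" }
Write-Host "CA backup written to $target"
```

Keep the `.p12` file and its password off the old server once the new CA is restored; it is the CA's signing key, and anyone holding both can issue certificates trusted by the whole domain.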

  • Is it possible to upgrade from SCCM 2012 a domain controller in Windows Server 2008 R2 to 2012 R2?

    Hi all.
    I want to know if it is possible to upgrade a domain controller from Windows Server 2008 R2 to 2012 R2 installing from SCCM 2012.
    Thanks.
    Regards.

    Anything is possible if you can script it. You could create a task sequence to do the following (with scripts):
    1. Demote 2008R2 DC to member server
    2. Remove 2008R2 member server from domain
    3. Build new 2012R2 member server and join to domain
    4. Promote 2012R2 member server to DC
    You can do this. However, why would you? Just because you can doesn't mean you should. In my opinion it's more trouble and testing than it's worth. How many times would you need to do this?
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • The KDC encountered duplicate names while processing a Kerberos authentication request in a Domain controller server

    HI
    we have a sharepoint farm and in domain controller server, this error is in event viewer
    Log Name:      System
    Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
    Date:          9/15/2014 10:44:15 PM
    Event ID:      11
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXAPP01.xxxportal.com
    Description:
    The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
        <EventID Qualifiers="49152">11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
        <EventRecordID>131824</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>XXXAPP01.xxxportal.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
        <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
        <Binary>
        </Binary>
      </EventData>
    </Event>
    adil

    Hi adil,
    Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). I noticed that you have used setspn -X to identify the duplicate SPN. Please refer to the following articles and check if they help you to solve this issue.
    Event ID 11 — Service Principal Name Configuration
    Event ID 11 in the System log of domain controllers
    Please also refer to the following article and check if it can help you.
    The problem with duplicate SPNs
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
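    An added PowerShell example, not from the thread, that does what `setspn -X` does but also reports which account objects hold each colliding SPN, which is what you need before removing one of them. It assumes the ActiveDirectory RSAT module and read access to the domain; the function name `Find-DuplicateSpn` is this example's own.

```powershell
# Added example (not from the thread): list duplicate SPNs in the domain and
# the objects that hold them. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Every object with at least one SPN: computers, users, MSAs, gMSAs.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase $SearchBase -Properties servicePrincipalName

    # Flatten to (SPN, owner) pairs. The KDC matches SPNs case-insensitively,
    # so normalise case before grouping or HTTP/host and http/host look distinct.
    $pairs = foreach ($o in $objects) {
        foreach ($spn in $o.servicePrincipalName) {
            [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $o.DistinguishedName }
        }
    }

    # Any SPN registered on more than one object is exactly the Event ID 11 condition.
    $pairs | Group-Object Spn | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Spn    = $_.Name
            Count  = $_.Count
            Owners = ($_.Group.Owner -join '; ')
        }
    }
}

# In the event above the duplicate is HTTP/XXXWFE01.xxxportal.com; the typical
# cause is the same HTTP SPN on the computer object and on the service account.
Find-DuplicateSpn | Sort-Object Spn | Format-Table -AutoSize
```

This searches one domain. Because Kerberos uniqueness is forest-wide, run it against a global catalog (`Get-ADObject -Server 'dc.example.com:3268'`, an assumed server name) or use `setspn -X -F` to cover the whole forest.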

  • The processing of Group Policy failed because of lack of network connectivity to a domain controller

    We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with a secondary zone. The problem is that none of the machines in the domain are getting GPO.
    When I run a gpupdate /force from a machine, I get the following output:
    "Updating Policy...
    User Policy update has completed successfully.
    Computer policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
    While the system event log outputs the following:
    "The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
    All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other, so I don't understand how the error can be resolved.
    Here are a few things I have tried:
    1. I came across this KB which checked OK for me: http://support.microsoft.com/kb/241515
    2. Made a copy of the default GPO, applied it to an OU with one machine, and made sure to remove any GPO links from above
    3. Enabled the following two local Group Policies on a test member:
    GP slow link detection
    Startup policy processing wait time
    4. Modified the firewall to allow everything on both member and DC
    5. Verified DNS logs, SRV records, access to SYSVOL (added Authenticated Users to SYSVOL)
    I have yet to figure out the reason for this issue. Has anyone seen anything like this before?

    1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP.
    2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors.
    3. I made sure the member server is pointing only to the only DC/DNS server.
    4. Here is the output from the dcdiag. Everything passed except the NetLogons part. I'm not sure what it means or how to fix it yet:
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
    Complete output:
    > hostname
    Server:  hostname.domain.local
    Address:  X.X.X.95
    > ^C
    C:\Windows\system32>
    C:\Windows\system32>nslookup
    > set type=all
    >
    >
    >
    > _ldap._tcp.dc._msdcs.domainname
    _ldap._tcp.dc._msdcs.domain.local SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = hostname.domain.local
    hostname.domain.local      internet address = X.X.X.95
    > ^C
    C:\Windows\system32>cd ..
    C:\Windows>cd SYSVOL
    C:\Windows\SYSVOL>cd sysvol
    C:\Windows\SYSVOL\sysvol>dir
     Volume in drive C has no label.
     Volume Serial Number is F624-CDB2
     Directory of C:\Windows\SYSVOL\sysvol
    10/29/2014  08:25 PM    <DIR>          .
    10/29/2014  08:25 PM    <DIR>          ..
    10/29/2014  08:25 PM    <JUNCTION>     domain.local [C:\Windows\SYSVOL\domain]
                   0 File(s)              0 bytes
                   3 Dir(s)  63,971,037,184 bytes free
    C:\Windows\SYSVOL\sysvol>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = hostname
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Connectivity
             ......................... hostname passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Advertising
             ......................... hostname passed test Advertising
          Starting test: FrsEvent
             ......................... hostname passed test FrsEvent
          Starting test: DFSREvent
             ......................... hostname passed test DFSREvent
          Starting test: SysVolCheck
             ......................... hostname passed test SysVolCheck
          Starting test: KccEvent
             ......................... hostname passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... hostname passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... hostname passed test MachineAccount
          Starting test: NCSecDesc
             ......................... hostname passed test NCSecDesc
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... hostname passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... hostname passed test Replications
          Starting test: RidManager
             ......................... hostname passed test RidManager
          Starting test: Services
             ......................... hostname passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/04/2015   18:23:06
                Event String:
                Name resolution for the name ctldl.windowsupdate.com timed out after
     none of the configured DNS servers responded.
             ......................... hostname passed test SystemLog
          Starting test: VerifyReferences
             ......................... hostname passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : emcdsm
          Starting test: CheckSDRefDom
             ......................... emcdsm passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... emcdsm passed test CrossRefValidation
       Running enterprise tests on : domain.local
          Starting test: LocatorCheck
             ......................... domain.local passed test LocatorCheck
          Starting test: Intersite
             ......................... domain.local passed test Intersite
    C:\Windows\SYSVOL\sysvol>

  • Domain controller 2008 Server with SP2

    Here is a real issue, and I cannot track down what is causing it.
    It appears that on a Windows 2008 Server running DHCP, DNS and AD I am getting some weird errors on the clients.
    The client machines are all Windows 7 Professional x64.
    The issue is that the domain controller seems to disappear as the logon server from the client after a few days. On some it indicates that there was no logon server available, but still logs in, which should be impossible since I have Group Policy configured to block the ability to log on without a logon server.
    The issue with this is that over time the desktops seem to go rogue: they no longer populate the information as to password expiration, and at times don't allow the clients to access the network shares.
    The security log shows hit and miss as to whether it sees them log into the domain.
    The weird issue is that if you log out, switch user, and change the user's password, then log back into the desktop with domain\username and the new password, the issue goes away for about 10 days, then re-appears and causes all sorts of fun issues on the domain.
    I took another step and decided that I would give a shot to building a clone test network, using a cloned image of the domain controller, and it doesn't seem to happen on that side. The test network just has fewer PCs, but they are all the same hardware.
    Here is what I have troubleshot so far:
    DNS looks fine, no errors or issues.
    DHCP looks fine, no duplicates etc.
    AD has all the information correctly, and the security log looks fine, most of the time.
    Windows updates are all up to date.
    All desktops have logon scripts, but I have removed the cached data from the management console (Credential Manager).
    Modified Group Policy and forced it across the network. I can see the GPResult from the clients and they have the updated settings, but the clients don't seem to care.
    Group Policy is set to wait till the network comes up and require a domain controller to log into the client desktop. This sometimes works, sometimes does not; it was done to see if the problem was happening on other machines. There are about 15 total out of 47 currently having the issue.
    All the desktops are fresh installs, not ghosted images, not clones, or something you would need to sysprep.
    Thoughts?
    Rob

    Hello,
    please post an unedited ipconfig /all from the DC/DNS servers and a client with the problems.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
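    Three of the threads above (the Netlogon 5719 events, the "lack of network connectivity to a domain controller" Group Policy failure, and Rob's clients losing their logon server) come down to the same question: can this client find and authenticate to a DC right now? The following added PowerShell example, not from any of the posts, gathers the checks the replies keep asking for from a domain member in one pass. It assumes Windows 8 / Server 2012 or later (for `Resolve-DnsName` and `Get-DnsClientServerAddress`), an elevated session, and that `$Domain` defaults to the machine's own domain; `Test-DcConnectivity` is this example's own function name.

```powershell
# Added example (not from the threads): from a domain member, check DNS server
# assignment, the DC locator SRV record, the secure channel, SYSVOL access and
# recent Group Policy errors. Assumes Windows 8 / 2012+ and an elevated session.
param([string]$Domain = $env:USERDNSDOMAIN)   # assumed: the machine's own domain

function Test-DcConnectivity {
    param([string]$Domain)
    $result = [ordered]@{}

    # 1. Which DNS servers the client really uses. Clients pointing at a
    #    non-domain DNS server are the usual cause of 5719 and GP failures.
    $result.DnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses).ServerAddresses -join ', '

    # 2. DC locator record. Empty means no DC can be found at all.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $result.DcSrvRecords = ($srv | Where-Object Type -eq 'SRV' |
        ForEach-Object { $_.NameTarget }) -join ', '

    # 3. The DC Netlogon picked at logon, and what the locator returns now.
    $result.LogonServer = $env:LOGONSERVER
    $result.DsGetDc     = (& nltest.exe /dsgetdc:$Domain 2>&1) -join ' '

    # 4. Machine account secure channel (Rob's "no logon server available" symptom).
    $result.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # 5. SYSVOL must be readable or computer policy cannot be applied.
    $result.SysvolReachable = Test-Path "\\$Domain\SYSVOL\$Domain\Policies"

    # 6. Latest Group Policy errors from the client's operational log (Level 2 = Error).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentGpErrors = ($events | ForEach-Object { "$($_.TimeCreated) $($_.Id)" }) -join '; '

    [pscustomobject]$result
}

Test-DcConnectivity -Domain $Domain | Format-List
```

Read the fields in order: a DNS server list that does not contain a DC, or an empty `DcSrvRecords`, explains every later failure; a false `SecureChannelOk` with working DNS points at the machine account itself (`Reset-ComputerMachinePassword` repairs it); and a true `SysvolReachable` with GP errors still logged moves the problem from connectivity to the policy files.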
