9 Replies

  • Hello EliteHuskarl.

    1. Check if the DC server instance exists in Active Directory Sites and Services after demoting. Remove it if it exists.

    2. Make sure that no workstations are pointing to it, even as a second or third DNS server.

    3. Check whether the server has other roles you might still need, such as DHCP and migrate those roles to another DC.

    4. Check for replication errors before demoting the DC and after.

    All the best.

    Greetings from Nairobi.

  • EliteHuskarl wrote:

    Post Windows Server 2008, for a non-forced DC demotion, are there any additional steps I should take to clean up any metadata or stale DNS records?

    The DC I am planning to demote is NOT the PDC, and all FSMO roles have already been removed. It was the time source for the domain but that is no longer the case. The DNS role on this server is activated but it is not used by any workstations as the primary DNS server. It replicates pretty well with the PDC in our domain.

    What I am seeing from the tutorials I've read online is that, as long as there is communication between DCs, demoting one should be a fairly straightforward process. I am seeing that it is recommended to do this through Server Manager on the server being demoted. (Source, source, source.) But then I have found other articles indicating that more work needs to be done. DNS is not yet a topic I understand and I know that there are some things awry with the DNS settings in our domain, but tinkering with that is not something I'd feel comfortable doing just yet.

    You should check for stale DNS and also check if there are any remains of the old DC in Active Directory Sites and Services. Also run a dcdiag and check that you don't have any issues prior to and after demotion. If you have any issues, you would want to fix those issues ahead of the demotion.

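The pre- and post-demotion checks listed in the two replies above (a leftover server or NTDS Settings object under Sites and Services, DNS records that still name the old DC, DHCP still handing out its address as a DNS server, and replication health of what remains) as one read-only PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory, DnsServer and (optionally) DhcpServer modules, is run as a domain admin from a remaining DC, and the names DC2, DC1 and the address 192.0.2.10 are placeholders.

```powershell
# Added example (not from the thread): read-only checks for what a demoted DC may
# have left behind. Assumes the RSAT ActiveDirectory, DnsServer and (optionally)
# DhcpServer modules, run as a domain admin from a remaining DC. Names and
# addresses below are placeholders for this example; the script deletes nothing.
param(
    [string]$OldDc    = 'DC2',          # hostname of the DC that was demoted
    [string]$OldIp    = '192.0.2.10',   # its former address (constructed placeholder)
    [string]$DnsHost  = 'DC1',          # remaining DC that hosts DNS
    [string]$DhcpHost = 'DC1'           # DHCP server, if the role exists
)
Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Sites and Services: a surviving server or NTDS Settings object means
#    metadata cleanup was not completed by the demotion.
$configNc  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -ErrorAction SilentlyContinue
if ($serverObj) {
    Write-Warning "Server object still present: $($serverObj.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    if ($ntds) { Write-Warning "NTDS Settings object still present: metadata cleanup is needed." }
} else {
    Write-Host "OK: no server object for $OldDc under CN=Sites."
}

# 2. DNS: any record in a forward primary zone that still names the old DC or
#    its address (A glue, NS delegations, SRV locator records, CNAME in _msdcs).
$matchHost = "$OldDc.*"
$zones = Get-DnsServerZone -ComputerName $DnsHost |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone.ZoneName |
        Where-Object {
            $d = $_.RecordData
            ($d.IPv4Address   -and $d.IPv4Address.IPAddressToString -eq $OldIp) -or
            ($d.NameServer    -and $d.NameServer    -like $matchHost) -or
            ($d.DomainName    -and $d.DomainName    -like $matchHost) -or
            ($d.HostNameAlias -and $d.HostNameAlias -like $matchHost) -or
            ($_.RecordType -eq 'A' -and $_.HostName -like "$OldDc*")
        } |
        ForEach-Object {
            Write-Warning ("Stale DNS record in {0}: {1} {2}" -f $zone.ZoneName, $_.HostName, $_.RecordType)
        }
}

# 3. DHCP: clients take their DNS server list from option 006; the old DC must
#    not appear there at server or scope level, even as a secondary entry.
if (Get-Module -ListAvailable -Name DhcpServer) {
    Import-Module DhcpServer
    $optionSets = @(Get-DhcpServerv4OptionValue -ComputerName $DhcpHost -OptionId 6 -ErrorAction SilentlyContinue)
    foreach ($s in Get-DhcpServerv4Scope -ComputerName $DhcpHost) {
        $optionSets += Get-DhcpServerv4OptionValue -ComputerName $DhcpHost -ScopeId $s.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    }
    foreach ($o in $optionSets) {
        if ($o.Value -contains $OldIp) { Write-Warning "DHCP option 006 still lists $OldIp." }
    }
}

# 4. Replication health of the remaining DCs: failures, and partners whose last
#    success predates the demotion, deserve a look before calling the job done.
$domain = (Get-ADDomain).DNSRoot
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object LastReplicationSuccess
```

Run it once before the demotion (it should already be quiet for the surviving DCs) and again after it; every warning it prints is something the automatic demotion was supposed to remove, and anything that survives is a candidate for manual metadata cleanup or a DNS record fix rather than something to ignore. Statically configured clients are out of scope for this script; those still need a check of their adapter settings.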
  • Hi there,

    Have a look at this

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

  • IKECR262 wrote:

    Hi there,

    Have a look at this

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

    I don't have to do this if it's an un-forced removal though, right?

  • EliteHuskarl wrote:

    IKECR262 wrote:

    Hi there,

    Have a look at this

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

    I don't have to do this if it's an un-forced removal though, right?

    You shouldn't have to, but sometimes things are left behind, so you should check. You also need to run DCDIAG on all your DCs beforehand to make sure there are no errors, and don't proceed until those problems are addressed. You should run DCDIAG afterwards on your remaining DC, even if there is only one, to ensure there are no problems.

  • Here are the DCdiag outputs for the Domain Controllers. DC1 is the PDC and hosts the FSMO roles. DC2 is the one I am taking offline. DC3 is our mail server and yes I know that a mail server should not be a DC.

    DC1 dcdiag output

    Directory Server Diagnosis

    Performing initial setup:
      Trying to find home server...
      Home Server = DC1 (PDC)
      * Identified AD Forest.
      Done gathering initial info.

    Doing initial required tests

      Testing server: Default-First-Site-Name\DC1 (PDC)
          Starting test: Connectivity
            ......................... DC1 (PDC) passed test Connectivity

    Doing primary tests

      Testing server: Default-First-Site-Name\DC1 (PDC)
          Starting test: Advertising
            ......................... DC1 (PDC) passed test Advertising
          Starting test: FrsEvent
            ......................... DC1 (PDC) passed test FrsEvent
          Starting test: DFSREvent
            There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
            replication problems may cause Group Policy problems.
            ......................... DC1 (PDC) failed test DFSREvent
          Starting test: SysVolCheck
            ......................... DC1 (PDC) passed test SysVolCheck
          Starting test: KccEvent
            A warning event occurred. EventID: 0x80000785
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
            A warning event occurred. EventID: 0x80000785
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
            A warning event occurred. EventID: 0x80000785
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
            A warning event occurred. EventID: 0x80000785
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
            A warning event occurred. EventID: 0x80000785
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
            ......................... DC1 (PDC) passed test KccEvent
          Starting test: KnowsOfRoleHolders
            ......................... DC1 (PDC) passed test KnowsOfRoleHolders
          Starting test: MachineAccount
            ......................... DC1 (PDC) passed test MachineAccount
          Starting test: NCSecDesc
            ......................... DC1 (PDC) passed test NCSecDesc
          Starting test: NetLogons
            ......................... DC1 (PDC) passed test NetLogons
          Starting test: ObjectsReplicated
            ......................... DC1 (PDC) passed test ObjectsReplicated
          Starting test: Replications
            REPLICATION-RECEIVED LATENCY WARNING
            DC1 (PDC): Current time is 2022-05-18 13:41:39.
                DC=DomainDnsZones,DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 09:55:55
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
                DC=ForestDnsZones,DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 09:52:12
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
                CN=Schema,CN=Configuration,DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 09:52:12
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
                CN=Configuration,DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 09:52:12
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
                DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 10:05:58
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
            ......................... DC1 (PDC) passed test Replications
          Starting test: RidManager
            ......................... DC1 (PDC) passed test RidManager
          Starting test: Services
            ......................... DC1 (PDC) passed test Services
          Starting test: SystemLog
            An error event occurred. EventID: 0x40000004
                Time Generated: 05/18/2022 12:46:37
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was mybusiness\DC3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mybusiness.LOCAL) is different from the client domain (mybusiness.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
            An error event occurred. EventID: 0x40000004
                Time Generated: 05/18/2022 13:40:46
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was HTTP/DC3.mybusiness.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mybusiness.LOCAL) is different from the client domain (mybusiness.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
            An error event occurred. EventID: 0x40000004
                Time Generated: 05/18/2022 13:41:22
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/a4eaddd1-3f5a-444d-92b6-88ea1eacdbd1/mybusiness.local@mybusiness.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mybusiness.LOCAL) is different from the client domain (mybusiness.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
            ......................... DC1 (PDC) failed test SystemLog
          Starting test: VerifyReferences
            ......................... DC1 (PDC) passed test VerifyReferences


      Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
            ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... DomainDnsZones passed test CrossRefValidation

      Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
            ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... ForestDnsZones passed test CrossRefValidation

      Running partition tests on : Schema
          Starting test: CheckSDRefDom
            ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Schema passed test CrossRefValidation

      Running partition tests on : Configuration
          Starting test: CheckSDRefDom
            ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Configuration passed test CrossRefValidation

      Running partition tests on : mybusiness
          Starting test: CheckSDRefDom
            ......................... mybusiness passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... mybusiness passed test CrossRefValidation

      Running enterprise tests on : mybusiness.local
          Starting test: LocatorCheck
            ......................... mybusiness.local passed test LocatorCheck
          Starting test: Intersite
            ......................... mybusiness.local passed test Intersite

    DC2 Dcdiag output

    Microsoft Windows [Version 10.0.17763.379]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Users\Administrator>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
      Trying to find home server...
      Home Server = dc2
      * Identified AD Forest.
      Done gathering initial info.

    Doing initial required tests

      Testing server: Default-First-Site-Name\dc2
          Starting test: Connectivity
            ......................... dc2 passed test Connectivity

    Doing primary tests

      Testing server: Default-First-Site-Name\dc2
          Starting test: Advertising
            ......................... dc2 passed test Advertising
          Starting test: FrsEvent
            ......................... dc2 passed test FrsEvent
          Starting test: DFSREvent
            There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
            replication problems may cause Group Policy problems.
            ......................... dc2 failed test DFSREvent
          Starting test: SysVolCheck
            ......................... dc2 passed test SysVolCheck
          Starting test: KccEvent
            ......................... dc2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
            ......................... dc2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
            ......................... dc2 passed test MachineAccount
          Starting test: NCSecDesc
            ......................... dc2 passed test NCSecDesc
          Starting test: NetLogons
            ......................... dc2 passed test NetLogons
          Starting test: ObjectsReplicated
            ......................... dc2 passed test ObjectsReplicated
          Starting test: Replications
            [Replications Check,dc2] A recent replication attempt failed:
                From dc3 to dc2
                Naming Context: DC=ForestDnsZones,DC=mybusiness,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2022-05-18 12:49:35.
                The last success occurred at 2021-04-24 09:52:12.
                9285 failures have occurred since the last success.
            [dc3] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
            [Replications Check,dc2] A recent replication attempt failed:
                From dc3 to dc2
                Naming Context: DC=DomainDnsZones,DC=mybusiness,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2022-05-18 12:49:35.
                The last success occurred at 2021-04-24 09:55:55.
                9286 failures have occurred since the last success.
            [Replications Check,dc2] A recent replication attempt failed:
                From dc3 to dc2
                Naming Context: CN=Schema,CN=Configuration,DC=mybusiness,DC=local
                The replication generated an error (-2146893022):
                The target principal name is incorrect.
                The failure occurred at 2022-05-18 12:49:35.
                The last success occurred at 2021-04-24 09:52:12.
                9285 failures have occurred since the last success.
            [Replications Check,dc2] A recent replication attempt failed:
                From dc3 to dc2
                Naming Context: CN=Configuration,DC=mybusiness,DC=local
                The replication generated an error (-2146893022):
                The target principal name is incorrect.
                The failure occurred at 2022-05-18 12:49:35.
                The last success occurred at 2021-04-24 09:52:12.
                9285 failures have occurred since the last success.
            [Replications Check,dc2] A recent replication attempt failed:
                From dc3 to dc2
                Naming Context: DC=mybusiness,DC=local
                The replication generated an error (-2146893022):
                The target principal name is incorrect.
                The failure occurred at 2022-05-18 12:49:35.
                The last success occurred at 2021-04-24 10:05:58.
                9286 failures have occurred since the last success.
            ......................... dc2 failed test Replications
          Starting test: RidManager
            ......................... dc2 passed test RidManager
          Starting test: Services
            ......................... dc2 passed test Services
          Starting test: SystemLog
            An error event occurred. EventID: 0x40000004
                Time Generated: 05/18/2022 12:49:35
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc3$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/a4eaddd1-3f5a-444d-92b6-88ea1eacdbd1/mybusiness.local@mybusiness.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mybusiness.LOCAL) is different from the client domain (mybusiness.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
            An error event occurred. EventID: 0x40000004
                Time Generated: 05/18/2022 13:09:17
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc3$. The target name used was mybusiness\dc3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mybusiness.LOCAL) is different from the client domain (mybusiness.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
            ......................... dc2 failed test SystemLog
          Starting test: VerifyReferences
            ......................... dc2 passed test VerifyReferences


      Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
            ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... ForestDnsZones passed test CrossRefValidation

      Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
            ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... DomainDnsZones passed test CrossRefValidation

      Running partition tests on : Schema
          Starting test: CheckSDRefDom
            ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Schema passed test CrossRefValidation

      Running partition tests on : Configuration
          Starting test: CheckSDRefDom
            ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Configuration passed test CrossRefValidation

      Running partition tests on : mybusiness
          Starting test: CheckSDRefDom
            ......................... mybusiness passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... mybusiness passed test CrossRefValidation

      Running enterprise tests on : mybusiness.local
          Starting test: LocatorCheck
            ......................... mybusiness.local passed test LocatorCheck
          Starting test: Intersite
            ......................... mybusiness.local passed test Intersite

    C:\Users\Administrator>

    DC3 Dcdiag output

    Microsoft Windows [Version 10.0.17763.379]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\Users\Administrator.mybusiness>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
      Trying to find home server...
      Home Server = dc3
      * Identified AD Forest.
      Done gathering initial info.

    Doing initial required tests

      Testing server: Default-First-Site-Name\dc3
          Starting test: Connectivity
            The host a4eaddd1-3f5a-444d-92b6-88ea1eacdbd1._msdcs.mybusiness.local could not be resolved to an IP address. Check
            the DNS server, DHCP, server name, etc.
            Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
            ......................... dc3 failed test Connectivity

    Doing primary tests

      Testing server: Default-First-Site-Name\dc3
          Skipping all tests, because server dc3 is not responding to directory service requests.


      Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
            ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... ForestDnsZones passed test CrossRefValidation

      Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
            ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... DomainDnsZones passed test CrossRefValidation

      Running partition tests on : Schema
          Starting test: CheckSDRefDom
            ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Schema passed test CrossRefValidation

      Running partition tests on : Configuration
          Starting test: CheckSDRefDom
            ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... Configuration passed test CrossRefValidation

      Running partition tests on : mybusiness
          Starting test: CheckSDRefDom
            ......................... mybusiness passed test CheckSDRefDom
          Starting test: CrossRefValidation
            ......................... mybusiness passed test CrossRefValidation

      Running enterprise tests on : mybusiness.local
          Starting test: LocatorCheck
            Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
            ......................... mybusiness.local passed test LocatorCheck
          Starting test: Intersite
            ......................... mybusiness.local passed test Intersite

    C:\Users\Administrator.mybusiness>

    Obviously DC3 has a lot of issues but as far as I can tell there are no issues between DC1 and DC2!

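The advice earlier in the thread to run DCDIAG on every DC before and again after the demotion, applied to output shaped like the three runs above: a PowerShell function that reduces a dcdiag run to the facts that should block a demotion (failed tests, partners past the tombstone lifetime, replication error codes, and Kerberos KRB_AP_ERR_MODIFIED sources). This is an added example, not code from the thread or from Microsoft; it assumes dcdiag.exe and the RSAT ActiveDirectory module, and the excerpt it parses offline is constructed to match the line shapes seen in the posted output.

```powershell
# Added example (not from the thread): summarise dcdiag results for each DC so a
# demotion can be gated on a clean run before, and confirmed with a second run
# after. Assumes dcdiag.exe and the RSAT ActiveDirectory module (for live use).
function Get-DcdiagSummary {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string[]]$Lines            # pass captured output, or omit to run dcdiag live
    )
    if (-not $Lines) { $Lines = & dcdiag.exe /s:$Server 2>&1 | ForEach-Object { "$_" } }

    $failed = @(); $tombstoned = @(); $replCodes = @(); $kerbTargets = @()
    $partner = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.{3,}\s+.+? failed test (\S+)') {
            $failed += $Matches[1]
        } elseif ($line -match 'Skipping all tests, because server (\S+) is not responding') {
            $failed += 'AllTests(' + $Matches[1] + ')'
        } elseif ($line -match 'Last replication received from (\S+) at') {
            $partner = $Matches[1]            # remembered until the warning that follows it
        } elseif ($line -match 'over the Tombstone Lifetime' -and $partner) {
            $tombstoned += $partner; $partner = $null
        } elseif ($line -match 'generated an error \((-?\d+)\)') {
            $replCodes += [int]$Matches[1]
        } elseif ($line -match 'KRB_AP_ERR_MODIFIED error from the server (\S+)') {
            $kerbTargets += $Matches[1].TrimEnd('.')
        }
    }
    [pscustomobject]@{
        Server                = $Server
        FailedTests           = @($failed      | Sort-Object -Unique)
        TombstonedPartners    = @($tombstoned  | Sort-Object -Unique)
        ReplicationErrorCodes = @($replCodes   | Sort-Object -Unique)
        KerberosMismatchFrom  = @($kerbTargets | Sort-Object -Unique)
        # A demotion should wait until every list above is empty on every DC.
        CleanRun              = ($failed.Count + $tombstoned.Count + $replCodes.Count + $kerbTargets.Count) -eq 0
    }
}

# Constructed excerpt in the shape of the DC1/DC2 output in this thread (sample
# data, not a live run), so the function can be exercised offline.
$sample = @'
          Starting test: DFSREvent
            ......................... DC1 (PDC) failed test DFSREvent
          Starting test: Replications
                DC=mybusiness,DC=local
                  Last replication received from DC3 at
              2021-04-24 10:05:58
                  WARNING: This latency is over the Tombstone Lifetime of 180 days!
            ......................... DC1 (PDC) passed test Replications
            [Replications Check,dc2] A recent replication attempt failed:
                The replication generated an error (1256):
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC3$. The target name used was mybusiness\DC3$.
'@ -split "`r?`n"

Get-DcdiagSummary -Server 'DC1' -Lines $sample | Format-List

# Live use, from any DC as a domain admin; rerun after the demotion:
# Get-ADDomainController -Filter * | ForEach-Object { Get-DcdiagSummary -Server $_.HostName } | Format-List
```

On the constructed excerpt the summary lists DFSREvent as a failed test, DC3 as a partner past the tombstone lifetime, error code 1256 and DC3$ as the Kerberos source, so CleanRun is false. Applied to the real runs above it would give the same verdict for DC1 and DC2, which is the point: the tombstone and Kerberos findings concern DC3, and they have to be resolved (or DC3 removed from the directory) before any DC in that domain is in a state where a routine demotion is the only change happening.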
  • EliteHuskarl wrote:

    Obviously DC3 has a lot of issues but as far as I can tell there are no issues between DC1 and DC2!

    Do not overcomplicate. Looking at your DCDiag output, I would recommend you simply demote both DC2 and DC3 entirely, manually clean up the metadata if any are left following the guide provided above, and spin a freshly built DC2 reusing the DNS name and IP address to have two domain controllers in total. Preferably virtual ones. Preferably Windows Server Core edition https://www.hyper-v.io/creating-domain-windows-server for a smaller footprint and better security.

    Based on your other DCs' OSes (except 2008, which I suppose uses FRS), you would first need to migrate FRS to DFSR on Server 2008 and on the others if you haven't done so (as you are going with a non-forced demotion), so you should do that attentively.

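A way to confirm which engine is replicating SYSVOL before the demotion, as the reply above suggests checking. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and dfsrmig.exe, run as a domain admin on a DC, and the mapping of msDFSR-Flags values to migration states follows the dfsrmig documentation (0 Start, 16 Prepared, 32 Redirected, 48 Eliminated).

```powershell
# Added example (not from the thread): report whether SYSVOL is still on FRS or
# has completed migration to DFSR. Assumes the RSAT ActiveDirectory module and
# dfsrmig.exe, run as a domain admin on a DC.
function Get-SysvolReplicationState {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName

    # dfsrmig records the global migration state on this object; the value
    # mapping is the documented one (0 Start, 16 Prepared, 32 Redirected, 48 Eliminated).
    $stateNames = @{ 0 = 'Start (FRS)'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated (DFSR only)' }
    $settings = Get-ADObject -Identity "CN=DFSR-GlobalSettings,CN=System,$domainDn" `
        -Properties 'msDFSR-Flags' -ErrorAction SilentlyContinue
    $flags = $null
    if ($settings -and $null -ne $settings.'msDFSR-Flags') { $flags = [int]$settings.'msDFSR-Flags' }

    # Second opinion from the tool itself, plus which services are actually running.
    $dfsrmig  = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String).Trim()
    $services = Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    [pscustomobject]@{
        GlobalFlags   = $flags
        GlobalState   = if ($null -ne $flags -and $stateNames.ContainsKey($flags)) { $stateNames[$flags] }
                        else { 'Not initialised: SYSVOL is still on FRS' }
        DfsrmigOutput = $dfsrmig
        Services      = $services
        # Only the Eliminated state means FRS is gone; anything else needs the
        # migration finished (or its current step completed) before demoting.
        MigrationComplete = ($flags -eq 48)
    }
}

Get-SysvolReplicationState | Format-List
```

If the object is missing or the state is anything other than Eliminated, NtFrs will still be listed as running and the migration needs to be taken through its remaining states on every DC first; demoting a DC while SYSVOL replication is mid-migration is the scenario the reply is warning about.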
  • Likewise, there is no PDC/BDC since Windows NT 4.0, as all DCs are the same now.

