Re: Unable to decommission a Windows 2008 DC via dcpromo




Hello Haji,

Can you open and compare the sysvol and netlogon shares on both DCs?

Please ping between both DCs with IP address, computer name and FQDN.

Any firewall running between them?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


dcdiag from server2, which is the new one:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine server2, is a Directory Server.
Home Server = server2
* Connecting to directory service on server server2.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,L
DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domai
n,DC=dns
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,L
DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\server2

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... server2 passed test Connectivity
Doing primary tests

Testing server: Default-First-Site-Name\server2

Starting test: Advertising

Warning: DsGetDcName returned information for

\\server1.domain.dns, when we were trying to reach server2.

SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

......................... server2 failed test Advertising

Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the
SYSVOL has been shared. Failing SYSVOL replication problems
may cause

Group Policy problems.
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 07/04/2009 19:53:44

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for
c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
will keep retrying.

Following are some of the reasons you would see this
warning.

[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory
Domain Services for this replica has not yet replicated to all the
Domain Controllers.

This event log message will appear once per connection,
After the problem is fixed you will see another event log message
indicating that the connection has been established.

An Warning Event occurred. EventID: 0x800034FE

Time Generated: 07/05/2009 17:59:10

Event String:

File Replication Service is scanning the data in the
system volume. Computer server2 cannot become a domain controller
until this process is complete. The system volume will then be shared
as SYSVOL.

To check for the SYSVOL share, at the command prompt,
type:

net share

When File Replication Service completes the scanning
process, the SYSVOL share will appear.

The initialization of the system volume can take some
time. The time is dependent on the amount of data in the system
volume.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:02:00

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for
c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
will keep retrying.

Following are some of the reasons you would see this
warning.

[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory
Domain Services for this replica has not yet replicated to all the
Domain Controllers.

This event log message will appear once per connection,
After the problem is fixed you will see another event log message
indicating that the connection has been established.

An Warning Event occurred. EventID: 0x800034FE

Time Generated: 07/05/2009 18:08:29

Event String:

File Replication Service is scanning the data in the
system volume. Computer server2 cannot become a domain controller
until this process is complete. The system volume will then be shared
as SYSVOL.

To check for the SYSVOL share, at the command prompt,
type:

net share

When File Replication Service completes the scanning
process, the SYSVOL share will appear.

The initialization of the system volume can take some
time. The time is dependent on the amount of data in the system
volume.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:10:22

Event String:

The File Replication Service is having trouble enabling
replication from server1.domain.dns to server2 for
c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS
will keep retrying.

Following are some of the reasons you would see this
warning.

[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory
Domain Services for this replica has not yet replicated to all the
Domain Controllers.

This event log message will appear once per connection,
After the problem is fixed you will see another event log message
indicating that the connection has been established.

An Warning Event occurred. EventID: 0x800034C4

Time Generated: 07/05/2009 18:18:22

Event String:

The File Replication Service is having trouble enabling
replication from server1 to server2 for c:\windows\sysvol\domain using
the DNS name server1.domain.dns. FRS will keep retrying.

Following are some of the reasons you would see this
warning.

[1] FRS can not correctly resolve the DNS name
server1.domain.dns from this computer.

[2] FRS is not running on server1.domain.dns.

[3] The topology information in the Active Directory
Domain Services for this replica has not yet replicated to all the
Domain Controllers.

This event log message will appear once per connection,
After the problem is fixed you will see another event log message
indicating that the connection has been established.

......................... server2 passed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.
There are warning or error events within the last 24 hours
after the
SYSVOL has been shared. Failing SYSVOL replication problems
may cause

Group Policy problems.
An Error Event occurred. EventID: 0xC00004B2
Time Generated: 07/05/2009 17:59:35

Event String:

The DFS Replication service failed to contact domain
controller to access configuration information. Replication is
stopped. The service will try again during the next configuration
polling cycle, which will occur in 60 minutes. This event can be
caused by TCP/IP connectivity, firewall, Active Directory Domain
Services, or DNS issues.

Additional Information:

Error: 160 (One or more arguments are not correct.)

......................... server2 failed test DFSREvent

Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the
SYSVOL. The
error returned was 0x0 "The operation completed
successfully.".

Check the FRS event log to see if the SYSVOL has successfully
been

shared.
......................... server2 passed test SysVolCheck
Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15
minutes.
......................... server2 passed test KccEvent
Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
Role Domain Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
Role PDC Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
Role Rid Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
......................... server2 passed test
KnowsOfRoleHolders
Starting test: MachineAccount

Checking machine account for DC server2 on DC server2.
* SPN found :LDAP/server2.domain.dns/domain.dns
* SPN found :LDAP/server2.domain.dns
* SPN found :LDAP/server2
* SPN found :LDAP/server2.domain.dns/domain
* SPN found
:LDAP/d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/d963b078-1f27-4154-8436-870d1993
5efe/domain.dns
* SPN found :HOST/server2.domain.dns/domain.dns
* SPN found :HOST/server2.domain.dns
* SPN found :HOST/server2
* SPN found :HOST/server2.domain.dns/domain
* SPN found :GC/server2.domain.dns/domain.dns
......................... server2 passed test MachineAccount
Starting test: NCSecDesc

* Security Permissions check for all NC's on DC server2.
The forest is not ready for RODC. Will skip checking ERODC
ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=dns
* Security Permissions Check for
DC=DomainDnsZones,DC=domain,DC=dns
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=dns
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domain,DC=dns
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=domain,DC=dns
(Configuration,Version 3)
* Security Permissions Check for
DC=domain,DC=dns
(Domain,Version 3)
......................... server2 failed test NCSecDesc
Starting test: NetLogons

* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\server2\netlogon)
[server2] An net use or LsaPolicy operation failed with error
67,

The network name cannot be found..

......................... server2 failed test NetLogons

Starting test: ObjectsReplicated

server2 is in domain DC=domain,DC=dns
Checking for CN=server2,OU=Domain
Controllers,DC=domain,DC=dns in
domain DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns
in domain CN=Configuration,DC=domain,DC=dns on 1 servers
Object is up-to-date on all servers.
......................... server2 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were
ignored.
8 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=domain,DC=dns
Latency information for 8 entries in the vector were
ignored.
8 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were
ignored.
9 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domain,DC=dns
Latency information for 9 entries in the vector were
ignored.
9 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
DC=domain,DC=dns
Latency information for 9 entries in the vector were
ignored.
9 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
......................... server2 passed test Replications
Starting test: RidManager

* Available RID Pool for the Domain is 16606 to 1073741823
* server2.domain.dns is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 16106 to 16605
* rIDPreviousAllocationPool is 16106 to 16605
* rIDNextRID: 16106
......................... server2 passed test RidManager
Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... server2 passed test Services
Starting test: SystemLog

* The System Event log test
An Warning Event occurred. EventID: 0x8000001D
Time Generated: 07/05/2009 17:58:50

Event String:

The Key Distribution Center (KDC) cannot find a suitable
certificate to use for smart card logons, or the KDC certificate could
not be verified. Smart card logon may not function correctly if this
problem is not resolved. To correct this problem, either verify the
existing KDC certificate using certutil.exe or enroll for a new KDC
certificate.

An Error Event occurred. EventID: 0xC0001B72

Time Generated: 07/05/2009 18:08:40

Event String:

The following boot-start or system-start driver(s) failed
to load:

storflt

superbmc

An Warning Event occurred. EventID: 0x00002724

Time Generated: 07/05/2009 18:19:30

Event String:

This computer has at least one dynamically assigned IPv6
address.For reliable DHCPv6 server operation, you should use only
static IPv6 addresses.

......................... server2 failed test SystemLog

Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=server2,OU=Domain Controllers,DC=domain,DC=dns and
backlink on

CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
tion,DC=domain,DC=dns

are correct.
The system object reference (serverReferenceBL)
CN=server2,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domain,DC=dns

and backlink on

CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domain,DC=dns

are correct.
......................... server2 passed test
VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test
CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation

Running partition tests on : domain

Starting test: CheckSDRefDom

......................... domain passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... domain passed test
CrossRefValidation

Running enterprise tests on : domain.dns

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\server1.domain.dns

Locator Flags: 0xe00011fc
PDC Name: \\server2.domain.dns
Locator Flags: 0xe00013fd
Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
KDC Name: \\server1.domain.dns
Locator Flags: 0xe00011fc
......................... domain.dns passed test LocatorCheck
Starting test: Intersite

Skipping site Default-First-Site-Name, this site is outside
the scope

provided by the command line arguments provided.
......................... domain.dns passed test Intersite

repadmin /showrepl from server2:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\server2

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: d963b078-1f27-4154-8436-870d19935efe

DSA invocationID: 08e803de-61a0-4db8-bd91-8fdbfa816035

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:11:12 was successful.

CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:23 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:23 was successful.

DC=DomainDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:08:24 was successful.

DC=ForestDnsZones,DC=domain,DC=dns

Default-First-Site-Name\server1 via RPC

DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326

Last attempt @ 2009-07-05 18:28:46 was successful.

"Meinolf Weber [MVP-DS]" wrote:

Hello Haji,

Run diagnostics dcdiag /v and repadmin /showrepl to check for errors
and make sure both DCs have replicated. Are both listed in the DNS
zones with their A record and name server record and also under all
subfolders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

I've got a Windows 2008 box that was my only DC in my test network
that is on some rather aged hardware. I've built a new box to
replace the old DC with, installed Server 2008 on it, added it to
the domain, ran dcpromo, kicked it up to a GC, and transferred the
FSMO roles over to it. However, when I run dcpromo on the old box
that I'm wanting to retire, I get the following message:

"You did not indicate that this Active Directory domain controller
is the last domain controller for the domain test.dns. However, no
other Active Directory domain controllers for that domain can be
contacted."

I've also noticed that when the old box is powered down, none of my
test workstations can map a drive to the new server, due to an
authentication failure. The ID that the server is logged into is an
enterprise admin ID, and this is a single domain setup (no child
domains in the forest). Both the forest and the domain are at
2008 functional level. Each server has DNS installed and is AD
Integrated. Each server points to the other for DNS primary, and
itself for secondary.

I'm sure there is more information that is needed that I haven't
provided, just let me know what you need and I'll post it, but if
anyone can help me out, I'd really like to learn what this issue is
and how to fix it.
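
A triage helper for `dcdiag /v` output like the one posted in this thread, added here as an example and not part of any poster's message: it lists the failed tests, counts repeated event IDs per test, and flags tests that pass while still logging events (as FrsEvent does above). The function names are hypothetical and the sample is constructed from lines of the thread's output, including a result line wrapped before the test name.

```python
import re
from collections import Counter

# Constructed sample: lines in the shape of the dcdiag /v output in this
# thread, trimmed. The KnowsOfRoleHolders result is wrapped as in the post.
SAMPLE = """\
Starting test: Connectivity
......................... server2 passed test Connectivity
Starting test: Advertising
......................... server2 failed test Advertising
Starting test: FrsEvent
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 07/04/2009 19:53:44
An Warning Event occurred. EventID: 0x800034FE
An Warning Event occurred. EventID: 0x800034C4
......................... server2 passed test FrsEvent
Starting test: DFSREvent
An Error Event occurred. EventID: 0xC00004B2
......................... server2 failed test DFSREvent
Starting test: KnowsOfRoleHolders
......................... server2 passed test
KnowsOfRoleHolders
Starting test: NetLogons
......................... server2 failed test NetLogons
"""

START = re.compile(r"Starting test:\s*(\S+)")
EVENT = re.compile(r"An (Warning|Error) Event occurred\.\s*EventID:\s*(0x[0-9A-Fa-f]+)")
RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?\s*$")


def summarize(text):
    """Return one record per test result, with event IDs counted per test."""
    summary, current, events = [], None, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if m := START.search(line):
            current, events = m.group(1), Counter()
        elif m := EVENT.search(line):
            events[(m.group(1), m.group(2))] += 1
        elif m := RESULT.search(line):
            target, status, name = m.groups()
            # A wrapped result line has no name; fall back to "Starting test:".
            summary.append({
                "target": target,
                "test": name or current or "<unknown>",
                "status": status,
                "events": dict(events),
            })
            current, events = None, Counter()
    return summary


def failed_tests(summary):
    return [r["test"] for r in summary if r["status"] == "failed"]


def passed_with_events(summary):
    # Tests reported as passed that still logged warning or error events.
    return [r["test"] for r in summary if r["status"] == "passed" and r["events"]]


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("failed:", failed_tests(s))
    print("passed but logged events:", passed_with_events(s))
    for r in s:
        for (level, event_id), count in r["events"].items():
            print(f"  {r['test']}: {level} {event_id} x{count}")
```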


