Demote a Domain Controller but now no logon servers available to process the request

OK, I have an odd problem. I have just created two fresh Server 2012 installs... no updates, nothing, just straight out of the box. They are called dc1 and dc2.

dc1 has the Active Directory role installed and is promoted to a DC; the wizard installs DNS etc... all the defaults. The domain name is test.local. It reboots and I can log in fine.

dc2 is then joined to the domain, has the Active Directory role installed, reboots, and is then promoted to a second domain controller. DC1 holds the FSMO roles. I want to demote DC1 to ensure DC2 takes over, so I transfer the FSMO roles to DC2 and demote DC1. It gives me a warning about the domain and forest DNS zones partitions (I select remove to proceed with the wizard). I run the fixfsmo.vbs script on DC2 to check if the domain and forest DNS zones partitions are now being held by DC2, and the script reports back that they are... all looks smooth.

BUT... when I go to log into DC1, it now gives me the message "there are currently no logon servers available to service the logon request", yet the IP address of the DC1 network adapter is pointing to DC2 (and itself, but that's second in the list). If DC2 is now the role holder for everything and has DNS installed (all by the wizard), why can't I log in?

Thanks

Steve

July 1st, 2013 11:11pm

What exactly was the warning you received about the partitions?

Did you select the checkbox, "This is the last DC in the domain?"

Let's see the following to better understand what's going on:

  • Unedited ipconfig /all from DC2 (assuming DC1 is no longer a DC)
  • Event log errors - please check all Event log errors (Application, System, and under Application and Services Logs on a DC: the AD Web Services, DFS Replication, Directory Services, DNS Server and File Replication Service logs). Copy and paste any error entries, please.
  • Results from a netdom query fsmo
  • Is DC2 a GC?

-

Let's also take a look at ADSI Edit to see if the ForestDnsZones and DomainDnsZones partitions still exist. Use the guide in my blog post below to see how to connect and view the partitions. Let us know if they are there.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

-

July 2nd, 2013 12:17am
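The checks asked for above (do the DnsZones partitions still exist and who hosts them, who holds the FSMO roles including the per-partition infrastructure master that fixfsmo.vbs inspects, is DC2 a GC, and can a client still locate a logon server in DNS) can be gathered from the remaining DC in one pass. The following PowerShell is an added example written for this thread, not code from the original posts or from Microsoft; it assumes the RSAT ActiveDirectory and DnsServer modules are available on DC2, and it takes the domain name test.local and the address 192.168.1.3 from the poster's description.

```powershell
# Added example (not from the thread): run on DC2 after DC1 has been demoted.
# Assumptions: domain is test.local, DC2 is 192.168.1.3, RSAT AD and DNS modules are installed.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain     = 'test.local'   # from the thread
$dnsServer  = '192.168.1.3'  # DC2's static address from the thread
$expectedDc = 'DC2'

$configNc = (Get-ADRootDSE).configurationNamingContext

# 1. Application partitions. Every naming context has a crossRef under CN=Partitions;
#    msDS-NC-Replica-Locations lists the NTDS Settings objects of the DCs hosting a replica.
#    (Client-side filter on nCName because DN-syntax attributes do not support LDAP wildcards.)
$dnsPartitions = Get-ADObject -SearchBase "CN=Partitions,$configNc" -LDAPFilter '(objectClass=crossRef)' `
                     -Properties nCName, 'msDS-NC-Replica-Locations' |
                 Where-Object { $_.nCName -like 'DC=*DnsZones,*' }

if (-not $dnsPartitions) {
    Write-Warning 'No DnsZones application partitions exist; AD-integrated zones stored in them are gone.'
}
foreach ($p in $dnsPartitions) {
    # "CN=NTDS Settings,CN=DC2,CN=Servers,..." -> "DC2"
    $replicaHosts = @($p.'msDS-NC-Replica-Locations') | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }
    '{0}: replicas on {1}' -f $p.nCName, ($replicaHosts -join ', ')
    if ($replicaHosts -notcontains $expectedDc) {
        Write-Warning "$($p.nCName) has no replica on $expectedDc"
    }

    # Per-partition infrastructure master. An fSMORoleOwner DN containing 0ADEL refers to a
    # deleted DC, which is the condition fixfsmo.vbs reports and corrects.
    $infra = Get-ADObject -Identity "CN=Infrastructure,$($p.nCName)" -Properties fSMORoleOwner
    'Infrastructure master for {0}: {1}' -f $p.nCName, $infra.fSMORoleOwner
    if ($infra.fSMORoleOwner -match '0ADEL') {
        Write-Warning "$($p.nCName) infrastructure master points at a deleted DC; run fixfsmo.vbs against it"
    }
}

# 2. Domain and forest FSMO holders (the same information as "netdom query fsmo").
$d = Get-ADDomain -Identity $domain
$f = Get-ADForest
$fsmo = [ordered]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22}{1}' -f $_.Key, $_.Value }

# 3. Which DCs the directory still knows about, and whether the survivor is a global catalog.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog,
                  @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

# 4. DC locator SRV records: these are what a client queries to find a logon server.
$locatorRecords = "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain", "_gc._tcp.$domain"
foreach ($name in $locatorRecords) {
    try {
        Resolve-DnsName -Name $name -Type SRV -Server $dnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { '{0} -> {1}:{2}' -f $name, $_.NameTarget, $_.Port }
    } catch {
        Write-Warning "$name did not resolve on ${dnsServer}: $($_.Exception.Message)"
    }
}

# 5. Zones actually loaded on DC2 and which partition each one lives in.
Get-DnsServerZone -ComputerName $expectedDc |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize
```

If step 1 reports no partitions, or step 4 cannot resolve the `_msdcs` records against DC2, that matches the symptom in the thread: with the zones gone, DC1 has no way to discover DC2 as a logon server regardless of which DNS address its adapter points to.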

OK, my test environment is at home so I'd have to post details later, but you should be able to replicate this exact behaviour if you do the following (exactly what I did):

Install DC1 Server 2012, set static IPv4 address 192.168.1.2 (DNS 192.168.1.2), enable Active Directory roles, create new forest test.local, complete the wizard.

Install DC2 Server 2012, set static IPv4 address 192.168.1.3 (DNS 192.168.1.2 and 192.168.1.3), join to domain, reboot, enable AD roles, DCPromo to be a second DC in the domain. Reboot.

Transfer the FSMO roles to DC2 (all 5 of them).

Demote DC1. It gives a warning about the ForestDnsZones and DomainDnsZones partitions; check the box to remove them (you can't continue unless you check the box). Demotion completes, server reboots.

Log in to DC2, run the fixfsmo script and it shows that DC2 now has the ForestDnsZones and DomainDnsZones. (It didn't show that it transferred these partitions; there are usually two lines from the script to indicate this if it wasn't a clean demotion. It was a clean demotion and there was no transfer required. DC2 now appears to be in the state DC1 was in... functioning as the primary DC holding all roles and partitions.)

Try to log in using the domain admin account on DC1 and it fails with no logon servers available, so I log in as the local DC1 admin and edit the DNS IP address to 192.168.1.3 pointing to DC2.... reboot, still can't log in to the domain.

If you follow those steps you should get exactly the same issue as I had.

July 2nd, 2013 3:02am

Oh, and both DC1 and DC2 were global catalogs; I selected this option during the dcpromo process.
July 2nd, 2013 3:04am

Hello,

How long did you wait before starting to demote DC1? You should give AD at least 24 hours for full replication after fresh installing a DC. Basic replication is done fast, but sometimes it may happen that just waiting fixes problems.

Also, if you promote a server (DC2) to a DC and it is NOT a DNS server at that time, do NOT use its own IP address on the NIC. WAIT until the DNS server role is installed and the initial replication is complete.

July 2nd, 2013 3:09am

The reason I'm doing this is to replicate a real-world environment which has had a long time to replicate things. Although I didn't wait 24 hours, I am running this environment on a high-performance memory- and disk-based system, and the entire process seemed to go smoothly.

In the real-world environment, what we wanted to do was demote DC1 because we wanted to phase it out. We transferred the FSMO roles to DC2 and allowed plenty of time to replicate (a weekend), demoted DC1 yesterday morning, then found there were issues with logons, so we had to promote it again to solve the problem. In an environment which has been stable for a long time, this threw up the question of why this issue occurred in the live environment, hence the test environment I created last night and then this post. The behaviour I expected was that DC2 would take care of the logons; it is also a DNS server.... so I'm puzzled by this, and even more so when I see this in a freshly installed test environment! Have I missed any critical step in my process of transferring responsibility to DC2? As far as I can tell I think it's correct....

cheers

July 2nd, 2013 3:53am

Hello,

To understand your domain setup and existing problems, please upload the following files:

ipconfig /all >c:\ipconfig.log [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!) https://skydrive.live.com and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.

July 2nd, 2013 4:22am

Steve,

I don't remember anything about removing the DNS partitions during a demotion unless you selected that it's the last DC in the domain. And just to make sure, I went through a whole promotion AND demotion. And just for fun, I recorded it.

Windows 2012 DC Promotion and Demotion, including DNS records
http://www.youtube.com/watch?v=CQnwiRHoveY

-

So my evaluation of what you did still stands. There shouldn't have been any sort of error message to remove the DNS partitions. If you did, you may have whacked the zones.

When you look in DNS, do the zones still exist and all the records?

How about ADSI Edit? Did you check to see if the partitions and the zones still exist, and all the records?

July 2nd, 2013 11:40am

I'm going to start from scratch again on this, because I must have pressed a wrong option somewhere during the demotion. I know on previous DCs (like 2008 and 2008 R2) I didn't get the option to remove the partitions; this was a new thing I saw in 2012... but I must have pressed a wrong button somewhere. I'll post back in the next couple of days.

Cheers for your time.

Steve

July 2nd, 2013 12:53pm

Sounds good. :-)

July 2nd, 2013 1:15pm
