Demoting a DC using dcpromo

I am trying to demote a DC that runs 2008r2 but am getting the following:

The operation failed because:

Managing the network session with XXXXXXXXX.XXXX failed

"Logon Failure: The target account name is incorrect"

What is the target account name it's having trouble with? I entered both my admin credentials and also entered the AD DS password when prompted.

May 20th, 2015 1:50pm

Hello,

Have a look: https://support.microsoft.com/en-us/kb/2183411/en-us

How many DCs do you have? Is the problematic server the owner of FSMO roles? Check with "netdom query fsmo" in CMD. If so, seize the FSMO roles to another DC.

Try running dcpromo /forceremoval to forcibly demote the DC and do a metadata cleanup.

May 20th, 2015 2:56pm

1. Follow this advice

https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx

2. Before doing any changes in AD, it must be healthy. Use dcdiag to test it.

3. More exact information is needed, namely from Event logs and error messages

4. If the removal was unsuccessful, follow the support article

https://support.microsoft.com/en-us/kb/216498

Regards

Milos

May 20th, 2015 3:12pm

I have 3 DCs. It is not a holder of any FSMO roles. What has prompted us to demote is the tombstone lifetime: it was powered off for 64 days and the TSL is set for 60 days, thus showing AD replication 8614 errors with repadmin.
May 20th, 2015 3:30pm

Hi,

In that case, try doing DCPROMO /Forceremoval, and make sure that if any roles are there, you transfer them to a good DC.

If DCPROMO /Forceremoval fails, you can do a metadata clean-up of the DC: run the script below from the PDC server and then delete the entries of the bad DC manually using the manual steps below. Once everything is done, you can format the bad DC.

Script: https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Manual Steps

Dnsmgmt.msc [DNS Management]
A. Expand the forward lookup zones\_msdcs folder
i. Make sure only the actual domain controllers are listed; delete wrong Alias records, remove wrong name server records
ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] and delete the incorrect _ldap and _kerberos records that are listed
iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
iv. Expand [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
v. Select [forward lookup zones\_msdcs.domain.com\gc] and delete incorrect Host(A) records
vi. Expand [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] and delete incorrect _ldap entries
vii. Select [forward lookup zones\_msdcs.domain.com\gc\_tcp] and delete incorrect _ldap entries
viii. Select [forward lookup zones\_msdcs.domain.com\pdc\_tcp] and delete incorrect _ldap entries

B. Expand the forward lookup zones\domain.com folder
i. Delete Host(A) records of DCs which are non-existent.
ii. Correct the NameServer (NS) records
iii. Follow steps similar to A ii >> A viii

Dssite.msc [Sites and Services]
A. Expand [Sites\Sitename\Servers] and delete incorrect servers
B. Delete incorrect subnet configurations [Sites\Subnets]
C. Delete incorrect site links [Sites\IP]

Make sure the domain controllers are pointing to the correct DNS servers in TCP/IP settings.
Force replication: repadmin /syncall

May 20th, 2015 11:38pm
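
A read-only way to find the DC locator records that the DNS steps above ask you to inspect, as an added example that is not part of the original post or the linked script. It assumes an admin host with the DnsClient module (Windows 8 / Server 2012 or later); the function name, `dc1`/`dc2.domain.com` and `sitename` are hypothetical placeholders, and the list of good DCs is supplied by hand because AD may still list the removed DC until metadata cleanup is finished.

```powershell
# Added example: audits SRV records only and deletes nothing.
# Assumption: Resolve-DnsName (DnsClient module) is available on this host.
function Find-StaleDcRecord {
    param(
        [Parameter(Mandatory)] [string]   $Domain,   # e.g. 'domain.com' (placeholder)
        [Parameter(Mandatory)] [string[]] $GoodDcs,  # FQDNs of DCs that should remain
        [string[]] $Sites = @()                      # AD site names to check as well
    )

    # Normalise names so 'DC1.domain.com.' and 'dc1.domain.com' compare equal.
    $good = $GoodDcs | ForEach-Object { $_.TrimEnd('.').ToLower() }

    # DC locator SRV records that live in the containers named in the manual steps.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain"
        "_kerberos._tcp.dc._msdcs.$Domain"
        "_ldap._tcp.gc._msdcs.$Domain"
        "_ldap._tcp.pdc._msdcs.$Domain"
        "_ldap._tcp.$Domain"
        "_kerberos._tcp.$Domain"
    )
    foreach ($s in $Sites) {
        $names += "_ldap._tcp.${s}._sites.dc._msdcs.$Domain"
        $names += "_kerberos._tcp.${s}._sites.dc._msdcs.$Domain"
        $names += "_ldap._tcp.${s}._sites.gc._msdcs.$Domain"
    }

    foreach ($n in $names) {
        # A missing record set is not an error for this audit, so suppress it.
        Resolve-DnsName -Name $n -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'SRV' } |   # skip glue A/AAAA records
            ForEach-Object {
                $target = $_.NameTarget.TrimEnd('.').ToLower()
                [pscustomobject]@{
                    Record = $n
                    Target = $target
                    Stale  = ($good -notcontains $target)  # points at a host not on the list
                }
            }
    }
}

# Constructed sample call; replace the placeholder names with your own.
Find-StaleDcRecord -Domain 'domain.com' -GoodDcs 'dc1.domain.com','dc2.domain.com' -Sites 'sitename' |
    Where-Object { $_.Stale } |
    Format-Table -AutoSize
```

Rows that remain after the `Stale` filter are the entries to review by hand in Dnsmgmt.msc; an empty result after `repadmin /syncall` means no locator record still points at the removed DC.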


Hello Francisco,

Hope your query is answered.

May 25th, 2015 10:02am

Hello, any updates on the above?
May 27th, 2015 9:43am

Making progress. Did a dcpromo /forceremoval, restarted and now going thru a manual metadata cleanup in DNS.
May 27th, 2015 10:41am

Hello Francisco,

Thanks for updating. Once it is completed, please do update us.

May 27th, 2015 10:53am

Hi,

Do a dcpromo /forceremoval and do a metadata cleanup. From 2008 R2 you can do the metadata cleanup by just deleting the computer object from Active Directory Users and Computers in the Domain Controllers OU. That's all with demotion.

May 27th, 2015 12:14pm

Hello Francisco,

Hope your query is resolved and you have successfully demoted the domain controller. 

May 28th, 2015 1:54am

Hi Team,

I have a lingering issue. repadmin gives me an 8524: the DSA operation is unable to proceed because of a DNS lookup failure. In AS SS I still see an NTDS Settings entry for the DC, but when I try to delete it I get the AD message:

Windows cannot delete object

XXXXXXXXX

XXXXXXXXX

XXXXXXXX

Access is denied.

June 1st, 2015 3:46pm

Hi dvua,

For error 8524: "The DSA operation is unable to proceed because of a DNS lookup failure", you could use the following link to solve your problem.

https://support.microsoft.com/en-us/kb/2021446

For the failure to delete the NTDS Settings, maybe you could follow this article for reference.

https://support.microsoft.com/en-us/kb/318698

Best Regards,

Mary Dong

June 1st, 2015 10:17pm

This topic is archived. No further replies will be accepted.
