Problems while trying to promote new Server 2008R2 to Primary Domain Controller

Here are the parameters:

We have two Windows 2008R2 Standard  servers (both set up on 2003 functional level) - one as Primary DC the other one as Backup DC. After a water break in an upper office, the PDC went out for good. Good thing was that the Backup DC was still 100% in shape. I installed 2008R2 on a new server and then I tried to set the new server up as PDC again. I installed it on a 2008 functional level this time, as we have no older servers anymore.

The DHCP, DNS and AD objects seemed to have transferred properly to the new server.

1. The first problem I ran into was that the old PDC still existed in AD. I tried to force-remove it and clean the metadata using the AD tools, but I was stopped by a pop-up at the end saying I don't have the rights to complete the operation. I was logged in as Enterprise Administrator.

2. The second problem occurred when I tried to seize the PDC roles (Schema Master, Domain Naming Master, etc.) using ntdsutil: I ran into the same problem. At the end of the procedure I was told that I don't have the rights to complete the operation.

I am grateful for all suggestions that can help to resolve the issue.

 

July 20th, 2015 1:49pm

To seize the roles you need to be owner of the roles, so Schema Admin to move Schema FSMO, Enterprise Admin for Domain Naming FSMO. 
July 20th, 2015 2:11pm
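An added example (not code from this thread) that turns the advice above, and the "netdom query fsmo" step suggested later in the thread, into a check: it lists the FSMO holders, tests whether each holder still answers on the LDAP port, and shows whether the current logon token carries the group each seizure needs. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) on an elevated prompt; the function names are mine, not Microsoft's.

```powershell
# Added example, not from the thread: list the FSMO holders, test whether each holder
# still answers on the LDAP port, and check that the account's *logon token* carries
# the group each seizure requires (Schema Admins, Enterprise Admins, Domain Admins).
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) on an elevated prompt.
Import-Module ActiveDirectory

function Test-TcpPort {
    # Connect to a TCP port with a timeout; a dead DC fails here the same way
    # dcdiag's KnowsOfRoleHolders test does (RPC/LDAP bind unavailable).
    param([string]$Server, [int]$Port = 389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Role, current holder (FQDN) and the group whose membership the seizure needs.
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster;         Group = 'Schema Admins' }
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster;   Group = 'Enterprise Admins' }
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator;          Group = 'Domain Admins' }
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster;            Group = 'Domain Admins' }
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster; Group = 'Domain Admins' }
    )
    # Groups in the current token. A membership added after logon is not in the token
    # until you log off and on again, which shows up as "no rights" during seizure.
    $tokenGroups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    foreach ($r in $roles) {
        [pscustomobject]@{
            Role          = $r.Role
            Holder        = $r.Holder
            LdapReachable = Test-TcpPort -Server $r.Holder
            RequiredGroup = $r.Group
            GroupInToken  = [bool]@($tokenGroups | Where-Object { $_ -like "*\$($r.Group)" })
        }
    }
}

function Invoke-FsmoSeizure {
    # Seize only the roles whose holder no longer answers; -Force turns the transfer into
    # a seizure. Remove -WhatIf once Get-FsmoStatus shows what you expect.
    param([Parameter(Mandatory=$true)][string]$NewHolder)   # e.g. the new DC's name
    foreach ($s in (Get-FsmoStatus | Where-Object { -not $_.LdapReachable })) {
        if (-not $s.GroupInToken) {
            Write-Warning "$($s.Role): token lacks $($s.RequiredGroup); add it and log on again"
            continue
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
            -OperationMasterRole $s.Role -Force -WhatIf
    }
}

Get-FsmoStatus | Format-Table -AutoSize
```

Run Get-FsmoStatus first; a role whose holder shows LdapReachable = False and GroupInToken = False explains the "no rights" pop-up from the original post even when the account is in the right group, because the new membership only reaches the token after a fresh logon.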

Does the new domain controller have the same name as the old one?  Hopefully you just gave it a different name then you can clean the metadata out for the water logged server.

Not sure of your domain structure, but add yourself to Domain Admins for the domain the decommissioned server was a member of, even though documentation states Enterprise Admins works.

July 20th, 2015 2:13pm

Did you run the ADPrep /forestprep /domainprep /rodcprep commands on the 2008 R2 servers?

Running the following command, what is your schema version?

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

The PowerShell version below does not require any customization:

Get-ADObject (get-adrootdse).schemaNamingContext -Property objectVersion

Operating system                objectVersion
Windows 2000 Server             13
Windows 2003 RTM, SP1, SP2      30
Windows 2003 R2                 31
Windows 2008                    44
Windows 2008 R2                 47
Windows Server 2012 Beta        52
Windows Server 2012             56
Windows Server 2012 R2          69

July 20th, 2015 2:18pm

Other things to check:

Run

DCDIAG /C /V > C:\dcdiag.txt

Net Share

GPUpdate /force

Repadmin /syncall

NSLookup (resolve DNS queries)

What are the results?

July 20th, 2015 2:20pm
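An added example (not code from this thread) for the dcdiag step in the list above: a small parser that reduces a verbose "dcdiag /c /v" log to the failed tests and the replication failures, so the output from two DCs can be compared at a glance. The sample text is constructed in the shape of the output posted later in this thread; the function name and the Hint texts are mine.

```powershell
# Added example, not from the thread: reduce a verbose "dcdiag /c /v" log to the failed
# tests and the replication failures, so the same run can be compared across DCs.
# The sample below is constructed in the shape of the output posted in this thread;
# on a real DC replace it with: dcdiag /c /v > C:\dcdiag.txt; Get-Content C:\dcdiag.txt
$Sample = @'
      Starting test: KnowsOfRoleHolders
         [TKS-SERVER2] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... TKS-SERVER2N failed test KnowsOfRoleHolders
      Starting test: Replications
         [Replications Check,TKS-SERVER3] A recent replication attempt failed:
            From TKS-SERVER2 to TKS-SERVER3
            Naming Context: CN=Schema,CN=Configuration,DC=elp,DC=tks
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            43 failures have occurred since the last success.
         ......................... TKS-SERVER3 failed test Replications
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test

         CrossRefValidation
'@ -split "`r?`n"

# Meanings of the codes seen in this thread, for the summary's Hint column.
$ErrorHints = @{
    1722 = 'RPC server unavailable (holder is down or unreachable)'
    1256 = 'remote system not available'
    8524 = 'DNS lookup failure (stale or missing _msdcs GUID record)'
}

function Get-DcDiagSummary {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $tests = @(); $repl = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # "..... TARGET passed|failed test NAME"; NAME may wrap to the next non-blank line.
        if ($line -match '^\s*\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed) test(?:\s+(?<test>\S+))?\s*$') {
            $t = $matches['target']; $res = $matches['result']; $name = $matches['test']
            if (-not $name) {
                while (++$i -lt $Lines.Count -and $Lines[$i].Trim() -eq '') { }
                if ($i -lt $Lines.Count) { $name = $Lines[$i].Trim() }
            }
            $tests += [pscustomobject]@{ Target = $t; Test = $name; Result = $res }
        }
        # One replication failure block: From/To, naming context, error code, failure count.
        elseif ($line -match '^\s*From (?<src>\S+) to (?<dst>\S+)\s*$') {
            $e = [pscustomobject]@{ Source = $matches['src']; Destination = $matches['dst']
                                    NamingContext = ''; Error = 0; Failures = 0; Hint = '' }
            while (++$i -lt $Lines.Count) {
                $l = $Lines[$i]
                if ($l -match 'Naming Context:\s*(?<nc>.+?)\s*$') { $e.NamingContext = $matches['nc'] }
                elseif ($l -match 'generated an error \((?<code>\d+)\)') {
                    $e.Error = [int]$matches['code']; $e.Hint = $ErrorHints[$e.Error]
                }
                elseif ($l -match '(?<n>\d+) failures have occurred') { $e.Failures = [int]$matches['n']; break }
            }
            $repl += $e
        }
    }
    [pscustomobject]@{
        FailedTests       = @($tests | Where-Object { $_.Result -eq 'failed' })
        ReplicationErrors = $repl
    }
}

$summary = Get-DcDiagSummary -Lines $Sample
$summary.FailedTests       | Format-Table -AutoSize
$summary.ReplicationErrors | Format-Table -AutoSize
```

On the sample, FailedTests lists KnowsOfRoleHolders and Replications, and ReplicationErrors shows one 8524 entry from TKS-SERVER2 to TKS-SERVER3 with 43 failures; the wrapped CrossRefValidation line is still picked up as a passed test, which is the one formatting quirk that trips naive line-by-line greps of this output.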

The article below guides you through FSMO role transfers

https://support.microsoft.com/en-us/kb/324801

July 20th, 2015 2:21pm

I named the new server differently. I always thought that Enterprise Admin is the highest level, Domain Admin one below. But anyway, I signed in to the domain as a member of both groups.
July 20th, 2015 2:51pm

I will try that. Thanks.
July 20th, 2015 2:52pm

Silly question, but did you run ntdsutil in an elevated command prompt?
July 20th, 2015 5:48pm

Below is the result of the dcdiag run on the new server. Backup server on 2nd part.

It seems to me that the old server is causing problems, but I cannot force-delete it or remove the connected metadata as I apparently no longer have the proper log-on credentials.

Directory Server Diagnosis (Backup server)
Performing initial setup:

   Trying to find home server...

   Home Server = tks-server2n

   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests   
   Testing server: Default-First-Site-Name\TKS-SERVER2N

      Starting test: Connectivity

         ......................... TKS-SERVER2N passed test Connectivity

 Doing primary tests

      Testing server: Default-First-Site-Name\TKS-SERVER2N

      Starting test: Advertising

         ......................... TKS-SERVER2N passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... TKS-SERVER2N passed test FrsEvent

      Starting test: DFSREvent

         ......................... TKS-SERVER2N passed test DFSREvent

      Starting test: SysVolCheck

         ......................... TKS-SERVER2N passed test SysVolCheck

      Starting test: KccEvent

         ......................... TKS-SERVER2N passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [TKS-SERVER2] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: TKS-SERVER2 is the Schema Owner, but is not responding to DS

         RPC Bind.

         Ldap search capabality attribute search failed on server TKS-SERVER2,

         return value = 81
         Warning: TKS-SERVER2 is the Schema Owner, but is not responding to

         LDAP Bind.

         ......................... TKS-SERVER2N failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... TKS-SERVER2N passed test MachineAccount

      Starting test: NCSecDesc

         ......................... TKS-SERVER2N passed test NCSecDesc

      Starting test: NetLogons

         [TKS-SERVER2N] User credentials does not have permission to perform

         this operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... TKS-SERVER2N failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... TKS-SERVER2N passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,TKS-SERVER2N] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... TKS-SERVER2N failed test Replications

      Starting test: RidManager

         ......................... TKS-SERVER2N passed test RidManager

      Starting test: Services

            Could not open NTDS Service on TKS-SERVER2N, error 0x5

            "Access is denied."

         ......................... TKS-SERVER2N failed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x80000068

            Time Generated: 07/20/2015   18:05:18

            EvtOpenPublisherMetaData failed, publisher = G200e, error 2 The system cannot find the file specified..
            (Event String (event log = System) could not be retrieved, error

            0x2)

         A warning event occurred.  EventID: 0x80000068

            Time Generated: 07/20/2015   18:09:12

            EvtOpenPublisherMetaData failed, publisher = G200e, error 2 The system cannot find the file specified..
            (Event String (event log = System) could not be retrieved, error

            0x2)

         ......................... TKS-SERVER2N passed test SystemLog

      Starting test: VerifyReferences

         ......................... TKS-SERVER2N passed test VerifyReferences

      
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

      Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

      Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

      Running partition tests on : elp

      Starting test: CheckSDRefDom

         ......................... elp passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... elp passed test CrossRefValidation

  
   Running enterprise tests on : elp.tks

      Starting test: LocatorCheck

         ......................... elp.tks passed test LocatorCheck

      Starting test: Intersite

         ......................... elp.tks passed test Intersite

Backup Server:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = TKS-SERVER3

   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

      Testing server: Default-First-Site-Name\TKS-SERVER3

      Starting test: Connectivity

         ......................... TKS-SERVER3 passed test Connectivity

 Doing primary tests

  
   Testing server: Default-First-Site-Name\TKS-SERVER3

      Starting test: Advertising

         ......................... TKS-SERVER3 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... TKS-SERVER3 passed test FrsEvent

      Starting test: DFSREvent

         ......................... TKS-SERVER3 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... TKS-SERVER3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... TKS-SERVER3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [TKS-SERVER2] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: TKS-SERVER2 is the Schema Owner, but is not responding to DS

         RPC Bind.

         Ldap search capabality attribute search failed on server TKS-SERVER2,

         return value = 81
         Warning: TKS-SERVER2 is the Schema Owner, but is not responding to

         LDAP Bind.

         ......................... TKS-SERVER3 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... TKS-SERVER3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... TKS-SERVER3 passed test NCSecDesc

      Starting test: NetLogons

         [TKS-SERVER3] User credentials does not have permission to perform

         this operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... TKS-SERVER3 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... TKS-SERVER3 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,TKS-SERVER3] A recent replication attempt failed:

            From TKS-SERVER2 to TKS-SERVER3

            Naming Context: DC=ForestDnsZones,DC=elp,DC=tks

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2015-07-20 18:56:08.

            The last success occurred at 2015-07-19 00:58:29.

            44 failures have occurred since the last success.

         [Replications Check,TKS-SERVER3] A recent replication attempt failed:

            From TKS-SERVER2 to TKS-SERVER3

            Naming Context: DC=DomainDnsZones,DC=elp,DC=tks

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2015-07-20 18:56:08.

            The last success occurred at 2015-07-19 00:58:29.

            44 failures have occurred since the last success.

         [Replications Check,TKS-SERVER3] A recent replication attempt failed:

            From TKS-SERVER2 to TKS-SERVER3

            Naming Context: CN=Schema,CN=Configuration,DC=elp,DC=tks

            The replication generated an error (8524):

            The DSA operation is unable to proceed because of a DNS lookup failure.

           

            The failure occurred at 2015-07-20 18:56:20.

            The last success occurred at 2015-07-19 00:58:29.

            43 failures have occurred since the last success.

            The guid-based DNS name

            4ee7c0a8-91a7-477b-a224-c678ebac32ee._msdcs.elp.tks

            is not registered on one or more DNS servers.

         [Replications Check,TKS-SERVER3] A recent replication attempt failed:

            From TKS-SERVER2 to TKS-SERVER3

            Naming Context: CN=Configuration,DC=elp,DC=tks

            The replication generated an error (8524):

            The DSA operation is unable to proceed because of a DNS lookup failure.

           

            The failure occurred at 2015-07-20 18:56:14.

            The last success occurred at 2015-07-19 00:58:29.

            43 failures have occurred since the last success.

            The guid-based DNS name

            4ee7c0a8-91a7-477b-a224-c678ebac32ee._msdcs.elp.tks

            is not registered on one or more DNS servers.

         [Replications Check,TKS-SERVER3] A recent replication attempt failed:

            From TKS-SERVER2 to TKS-SERVER3

            Naming Context: DC=elp,DC=tks

            The replication generated an error (8524):

            The DSA operation is unable to proceed because of a DNS lookup failure.

           

            The failure occurred at 2015-07-20 18:56:08.

            The last success occurred at 2015-07-19 01:18:35.

            43 failures have occurred since the last success.

            The guid-based DNS name

            4ee7c0a8-91a7-477b-a224-c678ebac32ee._msdcs.elp.tks

            is not registered on one or more DNS servers.

         ......................... TKS-SERVER3 failed test Replications

      Starting test: RidManager

         ......................... TKS-SERVER3 passed test RidManager

      Starting test: Services

            Could not open NTDS Service on TKS-SERVER3, error 0x5

            "Access is denied."

         ......................... TKS-SERVER3 failed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC00A0032

            Time Generated: 07/20/2015   18:05:37

            Event String:

            The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

         A warning event occurred.  EventID: 0x80000068

            Time Generated: 07/20/2015   18:53:30

            EvtFormatMessage failed, error 1813 The specified resource type cannot be found in the image file..
            (Event String (event log = System) could not be retrieved, error

            0x715)

         ......................... TKS-SERVER3 failed test SystemLog

      Starting test: VerifyReferences

         ......................... TKS-SERVER3 passed test VerifyReferences

  
  
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

  
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

  
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  
   Running partition tests on : elp

      Starting test: CheckSDRefDom

         ......................... elp passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... elp passed test CrossRefValidation

  
   Running enterprise tests on : elp.tks

      Starting test: LocatorCheck

         ......................... elp.tks passed test LocatorCheck

      Starting test: Intersite

         ......................... elp.tks passed test Intersite

 

July 20th, 2015 8:10pm

The link below tells of two ways to do a metadata cleanup; have you tried both ways?

https://technet.microsoft.com/en-us/library/Cc816907%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

July 20th, 2015 10:57pm

Hi,

Yes, you can remove the crashed/decommissioned DC from AD. First run the following command to see whether any FSMO roles reside on that DC. If yes, kindly transfer or seize the role.

netdom query fsmo


Once you have done the above steps then download the script from below link for metadata clean-up.

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Copy the code into Notepad and save it as metadatacleanup.vbs, then open a command prompt (run as administrator) on one of the working DCs, go to the path where you saved the script and run the command: cscript metadatacleanup.vbs

It will ask for the name of the domain controller you want to remove; type the crashed/decommissioned DC name and the script will remove it automatically. Once this is done you have to remove the crashed/decommissioned DC from DNS manually as given below.

Manual Steps

Dnsmgmt.msc [Dns Management]
 A.Expand the forward lookup zones\_msdcs folder
 i. Make sure only the actual domain controllers are listed; delete wrong Alias records and remove wrong name server records
 ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] > delete incorrect _ldap and _kerberos records are listed.
 iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
 iv. Expand the [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
 v. Select [forward lookup zones\_msdcs.domain.com\gc] delete incorrect HostA records
 vi. Expand the [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] delete incorrect _ldap entries
 vii.Select the [forward lookup zones\_msdcs.domain.com\gc\_tcp] delete incorrect _ldap entries
 viii. Select the [forward lookup zones\_msdcs.domain.com\pdc\_tcp] delete incorrect _ldap entries
 
 B.Expand the forward lookup zones\domain.com folder
 i. Delete Host (A) records of DCs which are non-existent.
 ii.Correct the NameServer (NS) records
 iii. Follow steps similar to A ii >> A viii
 
Dssite.msc [Sites and Services]
 A.Expand the [Sites\Sitename\Servers] delete incorrect servers
 B.Delete incorrect subnet configurations [Sites\Subnets]
 C.Delete incorrect site links [Sites\IP]
 
  Make sure the domain controllers are pointing to the correct dns servers in tcp\ip settings.
  Force replication repadmin /syncall


July 21st, 2015 1:16am
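An added example (not code from this thread or from the linked script) for the manual DNS steps above: it audits the _msdcs zone and the domain zone for SRV, NS, CNAME and A records that still point at a decommissioned DC, lists them, and removes them only through a separate function that runs under -WhatIf. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the 2008 R2 DCs in this thread would have to use dnscmd or the DNS console steps as posted. The function names are mine, and the server and zone names are the ones from this thread.

```powershell
# Added example, not from the thread: audit the _msdcs and domain zones for records that
# still point at a decommissioned DC (the DNS part of the manual steps above), and remove
# them only on request, under -WhatIf. Assumes the DnsServer module (Windows Server 2012
# or later, or RSAT); the 2008 R2 DCs in this thread would use dnscmd or the DNS console.
# Names are the thread's; the optional IP is a placeholder you supply for your own DC.
Import-Module DnsServer

function Test-DnsTarget {
    # Compare a DNS name ignoring case and the trailing dot the server may return.
    param([string]$Value, [string]$Expected)
    return ([string]$Value).TrimEnd('.') -ieq $Expected.TrimEnd('.')
}

function Get-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory=$true)][string]$DeadDc,       # short name, e.g. TKS-SERVER2
        [Parameter(Mandatory=$true)][string]$DomainZone,   # e.g. elp.tks
        [string]$DeadDcIp,                                 # catches gc/A records that carry only the IP
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $fqdn = "$DeadDc.$DomainZone"
    foreach ($zone in @("_msdcs.$DomainZone", $DomainZone)) {
        foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone) {
            $stale = switch ($rec.RecordType) {
                'SRV'   { Test-DnsTarget $rec.RecordData.DomainName $fqdn }        # _ldap/_kerberos entries
                'NS'    { Test-DnsTarget $rec.RecordData.NameServer $fqdn }        # name server records
                'CNAME' { Test-DnsTarget $rec.RecordData.HostNameAlias $fqdn }     # GUID alias in _msdcs
                'A'     { ($rec.HostName -ieq $DeadDc) -or
                          ($DeadDcIp -and $rec.RecordData.IPv4Address.ToString() -eq $DeadDcIp) }
                default { $false }
            }
            if ($stale) {
                [pscustomobject]@{ Zone = $zone; Name = $rec.HostName; Type = $rec.RecordType; Record = $rec }
            }
        }
    }
}

function Remove-StaleDcDnsRecords {
    # Same parameters as Get-StaleDcDnsRecords; drop -WhatIf below once the listing is right.
    param(
        [Parameter(Mandatory=$true)][string]$DeadDc,
        [Parameter(Mandatory=$true)][string]$DomainZone,
        [string]$DeadDcIp,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    foreach ($s in (Get-StaleDcDnsRecords @PSBoundParameters)) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone `
            -InputObject $s.Record -Force -WhatIf
    }
}

# Review first, then remove; finish with the thread's own "repadmin /syncall".
Get-StaleDcDnsRecords -DeadDc 'TKS-SERVER2' -DomainZone 'elp.tks' | Format-Table -AutoSize
```

Run the Get- function on each DNS server that hosts the zones (AD-integrated zones replicate, but a stale secondary or a DC pointing at the wrong resolver will not show the same view), and pass -DeadDcIp so the gc host records under _msdcs, which carry only an address, are caught as well.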

Hi Juergen M21,

>>We have two Windows 2008R2 Standard  servers (both set up on 2003 functional level).

>>the PDC went out for good. Good thing was that the Backup DC was still 100% in shape.

>>I installed 2008R2 on a new server and then I tried to set the new server up as PDC again.

Based on my understanding, there are two active DCs in your scenario now: one is the new DC in the forest and the other is the backup DC. The old PDC is down. Right?

And according to your log, there is a replication error between the new DC and the backup DC. That may be the cause of the log-on credential problem. You could try to fix the problem.

https://technet.microsoft.com/en-us/library/replication-error-8524-the-dsa-operation-is-unable-to-proceed-because-of-a-dns-lookup-failure(v=ws.10).aspx

In addition, is there any other error in the event log? If you have any other information related to the issue, please feel free to contact us.

Best Regards,

Mary Dong

July 21st, 2015 1:59am
