Wednesday, February 12, 2014

Cannot Demote DC from Domain

I was trying to demote a domain controller but I was getting the following error:

"The operation failed because:
A domain controller could not be contacted for the domain <domain name> that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion.
The specified domain either does not exist or could not be contacted."

The server is not the last DC and I can ping the other DC.


Resolution:

1- Verify that the Default Domain Controllers Policy exists in Active Directory and that it grants the "Enable computer and user accounts to be trusted for delegation" user right to the Administrators security group. If that right is missing on the DC being demoted, the demotion fails with this error even though the other DC is reachable.
http://support.microsoft.com/kb/2002413

2- Make sure DNS is working: the DNS servers in the TCP/IP properties of the server being demoted should point to the IP of a DC that is staying a DC (not to itself), and you should check that replication is working, both by reviewing the Directory Service log in Event Viewer and by forcing a replication in AD Sites and Services.

3- If you cannot get things to play well and you want to force the demotion anyway, you can use the /forceremoval switch on DCPROMO and proceed with the forced demotion. Note that a forced removal does not notify the other DCs, so you will then have to run NTDSUTIL / METADATA CLEANUP on your remaining DC(s) to remove the metadata of the old server from Active Directory; leaving stale DC metadata behind causes replication errors and keeps the old server's records in DNS.

To clean up server metadata: http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
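As an added example (not part of the original post), the following PowerShell script runs the checks from steps 1 and 2 on the DC you are about to demote, so you can see which precondition is failing before resorting to /forceremoval. It assumes it runs elevated on that DC with the ActiveDirectory module available; DC01.corp.example.com is a placeholder for a DC that stays in the domain.

```powershell
# Added pre-demotion check script (not the original post's code). Assumes it runs
# elevated on the DC being demoted; $RemainingDc is a placeholder for a DC that stays.
param([string]$RemainingDc = 'DC01.corp.example.com')

$domain = (Get-ADDomain).DNSRoot

# Step 1 (KB 2002413): export the effective user-rights policy and confirm that
# SeEnableDelegationPrivilege ("trusted for delegation") includes Administrators,
# whose well-known SID is S-1-5-32-544.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeEnableDelegationPrivilege' | Select-Object -First 1
if ($line -and $line.Line -match 'S-1-5-32-544') {
    "OK   delegation right is granted to Administrators"
} else {
    "FAIL SeEnableDelegationPrivilege does not include Administrators: $($line.Line)"
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Step 2a: the DNS client on this server must point at a DC that is staying.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses
$remainingIps = @((Resolve-DnsName -Name $RemainingDc -Type A -ErrorAction Stop).IPAddress)
if ($remainingIps | Where-Object { $dnsServers -contains $_ }) {
    "OK   DNS client points at $RemainingDc ($($remainingIps -join ', '))"
} else {
    "FAIL DNS client servers are $($dnsServers -join ', '), not $RemainingDc"
}

# Step 2b: the domain's DC locator SRV record must resolve from this box.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { "OK   SRV records for $domain resolve" } else { "FAIL no SRV records for $domain" }

# Step 2c: locate a DC via the normal DC locator path, then show replication
# status for this server so any failed partner links are visible.
nltest /dsgetdc:$domain /force
repadmin /showrepl $env:COMPUTERNAME
```

Any FAIL line points at the precondition to fix first; a clean run that still fails to demote is the case where step 3's forced removal and metadata cleanup apply.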