Win2000 AD removal Error

  • Win2000 AD removal Error


    Well, I have successfully upgraded most of the servers in the business. I have left the Windows 2000 OLD DC off-line and thought I would remove them from AD at a later point. That is now and of course I can't.
    What the heck am I doing wrong? I run dcpromo and it says it can't log in. Even when I try to look at the new server from the old it says the account is invalid. Time is sync'd up, all FSMOs transferred, etc. Had no problems when I did the last server but I am thinking it has been too long or something and now it won't let me remove it???
    Any suggestions would be great! This may be a really simple question, sorry if it is.


    Edit, the exact error message says: "Logon Failure: The account name is incorrect"
    Last edited by swixtt; 9th May 2008, 18:07.

  • #2
    Re: Win2000 AD removal Error

    How long was it offline?

    Please read this before you post:

    Quis custodiet ipsos custodes?


    • #3
      Re: Win2000 AD removal Error

      Originally posted by AndyJG247
      How long was it offline?
      Thanks for the reply, it was offline for about 2 months or so!!!

      Any suggestions?


      • #4
        Re: Win2000 AD removal Error

        That is not good. The DC was offline over its tombstone lifetime, meaning you might have lingering objects in the directory. The default tombstone lifetime in a Windows 2000 domain (which you are at now since you still got a Win2000 DC) is 60 days.
        I would say don't bring the DC back online (preventing the DC from trying to replicate lingering objects).
        Don't even try demoting this DC, just manually remove it using NTDSUTIL -> Metadata Cleanup.
        The "Logon Failure: The account name is incorrect" is most likely because you had the DC offline for longer than 30 days; by then the DC/computer's account password had expired, therefore it is not able to log back on to the domain. You might want to try resetting the DC's computer object password by right-clicking on the computer object in "Users and Computers" and choosing "Reset Password".
        Check in "Sites and Services" if the DC still has replication partners. It might be that you already demoted it somehow, since you get a "The account name is incorrect" message.

        After you remove the DC I would highly recommend you run a lingering objects checkup/cleanup
        in your directory. You can find how to do so in the following link:
        Last edited by Akila; 11th May 2008, 14:06.


        • #5
          Re: Win2000 AD removal Error

          Thanks Akila,

          Yes, I've read about the tombstone and I guess that is probably what happened. Strangely, after having that old 2000 DC back online a couple of workstations couldn't log into the domain. I powered off the 2000 DC and everything started working fine. So... I will manually remove that DC as per the instructions on the Petri site. Thanks for the links as well!
          Very much appreciated!


          • #6
            Re: Win2000 AD removal Error

            As Akila explained, those workstations were probably now trying to log on to the domain with new credentials, and your old DC did not have them.

            Make sure you do the metadata cleanup properly; stale DCs will come back and bite at the moment you least expect it if there's anything left!

            (I can't count how many times I could not perform a certain task right away at a client because "some-dc-that-was-set-up-before-I-was-born" is not running Windows 2003... duh!)
            VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah


            • #7
              Re: Win2000 AD removal Error

              You could use these two MS TIDs for this task if needed.

              1) Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller (KB255504)
              2) How to remove data in Active Directory after an unsuccessful domain controller demotion (KB216498)

              P.S. Use Windows Server 2003 Service Pack 1 (SP1) or later service packs – Enhanced version of Ntdsutil.exe.
              The version of Ntdsutil.exe that is included with Service Pack 1 or later service packs for Windows Server 2003 has been enhanced to make the metadata cleanup process complete. The Ntdsutil.exe version that is included with SP1 or later service packs does the following when metadata cleanup is run:
              • Removes the NTDSA or NTDS Settings object.
              • Removes inbound AD connection objects that existing destination DCs use to replicate from the source DC being deleted.
              • Removes the computer account.
              • Removes FRS member object.
              • Removes FRS subscriber objects.
              • Tries to seize flexible single operations master roles (also known as flexible single master operations or FSMO) held by the DC that is being removed.
              Last edited by Akila; 13th May 2008, 19:42.
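
The manual removal recommended in #4 and described in #7, shown as an added example that is not part of any post in this thread: the ntdsutil metadata cleanup menu sequence, typed on a working Windows Server 2003 SP1 or later DC while the stale Windows 2000 DC stays powered off. `DC-NEW` and the index numbers are placeholders; pick the numbers from what each `list` command prints.

```batch
rem Run from a command prompt on a healthy DC, logged on with rights to
rem modify the configuration partition. DC-NEW is a placeholder name.
rem Text before each colon is the ntdsutil prompt; type only what follows it.

C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC-NEW
server connections: quit
metadata cleanup: select operation target

rem Walk down domain -> site -> server. The indexes below are placeholders:
rem read them from the output of each list command, and make sure the
rem server you select is the stale Windows 2000 DC, not a live one.
select operation target: list domains
select operation target: select domain 0
select operation target: list sites
select operation target: select site 0
select operation target: list servers in site
select operation target: select server 1
select operation target: quit

rem Deletes the selected DC's metadata from the directory.
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```

ntdsutil asks for confirmation before it deletes anything, which is the last point to check that the selected server is the offline DC.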