No announcement yet.

Demote a DC after its been switched off for longer than the tombstone lifetime

  • Filter
  • Time
  • Show
Clear All
new posts

  • Demote a DC after its been switched off for longer than the tombstone lifetime

    Hi guys,

    we have a child domain which has been switched off for well over 6 months pending a migration to it. Its now been decided that its not going to be used to we want rid of it.

    When i try and demote, I first got a tombstone lifetime error saying that it haddnt replicated since the tombston expired which i fixed by forcing replication between the 2 DC's for the child domain.

    Now when I try and demote them i get an error saying :

    Active Directory could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=gb,DC=*****,DC=net to domain controller \\ "Logon Failure: The target account name is incorrect."

    Errors in the event log are as follows:

    Event ID: 1645
    Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

    Destination domain controller:****.net
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/8556b6de-aff3-4ba7-85d0-15c1[email protected]****.net

    User Action
    Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controllerís computer account data to replicate to the KDC before this computer can be authenticated.

    Event ID: 2023
    The local domain controller was unable to replicate changes to the following remote domain controller for the following directory partition.

    Remote domain controller:
    Directory partition:

    The local domain controller cannot complete demotion.

    User Action
    Investigate why replication between these two domain controllers cannot be performed. Then, try to demote this domain controller again.

    Additonal Data
    Error value:
    1396 Logon Failure: The target account name is incorrect.

    Is there any way I can cleanly demote these servers (and thus the child domain) without having to do a forced removal?

    Any help apreciated!


  • #2
    Re: Demote a DC after its been switched off for longer than the tombstone lifetime

    I don't think so - I think you're going to have to do a metatdata clean-up and all the DNS and DFS and WINS stuff that goes with it. I would have left it powered on, until a decision was made... (helps for future reference and for others who read the thread).

    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you