Server Demotion

  • Server Demotion

    A server was installed on one of our forests (functional level 2003) which has a single domain. Another 2003 server was joined to the domain, so we now have two DCs on the one domain. This was all fine, except that an old database program has now been installed on the newest server and before the program can be upgraded to the newest version the DC must be demoted to a member server. I am unable to transfer the roles because the other server is unable to connect. I just keep getting an "rpc server is unavailable" error.
    I know I could seize the roles, but if I do will I then have to reformat the demoted DC? That will mean losing the database program, which cost a lot of man hours to install in the first place, along with paying for tech support, etc.
    Is there any way to seize roles, demote to a member server and keep the server on the domain, without having to reformat?
    Caught between two HDD/s..

  • #2
    Re: Server Demotion

    AFAIK there is no way as the forced removal is on other DCs so your one thinks it is still one - hence the "never bring back up" rule.

    Have you checked network connectivity between the 2 DCs -- use DCDIAG and REPLMON, as well as normal network tools like DNS.

    You may want to get Microsoft Product Support Services on the case (there is $$$ involved, but maybe cheaper than the database support) as they have knowledge and tools mere mortals do not. Certainly worth getting a quote from them.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: Server Demotion

      Originally posted by dbeu
      A server was installed on one of our forests (functional level 2003) which has a single domain. Another 2003 server was joined to the domain, so we now have two DCs on the one domain. This was all fine, except that an old database program has now been installed on the newest server and before the program can be upgraded to the newest version the DC must be demoted to a member server. I am unable to transfer the roles because the other server is unable to connect. I just keep getting an "rpc server is unavailable" error.
      I know I could seize the roles, but if I do will I then have to reformat the demoted DC? That will mean losing the database program, which cost a lot of man hours to install in the first place, along with paying for tech support, etc.
      Is there any way to seize roles, demote to a member server and keep the server on the domain, without having to reformat?
      Caught between two HDD/s..

      Are the Windows firewalls turned on by any chance??

      • #4
        Re: Server Demotion

        Originally posted by wullieb1
        Are the Windows firewalls turned on by any chance??

        No, both have Symantec running though. It seems that, no matter what I do, I still keep getting the "DsBindW error 0X6ba (the RPC server is unavailable.)"...

        • #5
          Re: Server Demotion

          I have determined that, using ntdsutil, I can connect from srv2 (the one I wish to demote) to srv1 using the "connect to server" command (this is while on srv2). But, while on srv1, I cannot do the reverse, namely "connect to server srv1": at this point I get an error that states, "DsBindW error 0x80090322 (target principal name is incorrect)".
          Last edited by dbeu; 30th July 2013, 17:07.

          • #6
            Re: Server Demotion

            Check out this KB: http://support.microsoft.com/kb/288167
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            • #7
              Re: Server Demotion

              Thanks Jeremy, but I am unable to run netdom because the support tools were never installed and I am now unable to install them on the second server, which means I am unable to run any of the netdom commands. I have decided it best to not use any more man hours on avoiding what must be done.
              I instructed our DBA to relocate the program back to its original location on the old server and will then seize all five FSMO roles, reformat the server before bringing it back online as a member server only, and then let the DBA proceed with his transfer and upgrade as planned.
              Thank you all for your help. Though I did not find my "easy button", I learned from all of you!

              • #8
                Re: Server Demotion

                HEY! Don't give up yet, I just got here....


                What happens if you run NETDIAG /fix?
                Rules of life:
                1. Never do anything that requires thinking after 2:30 PM
                2. Simplicity is godliness
                3. Scale with extreme prejudice


                I occasionally post using a savantphone, so please don't laugh too hard at the typos...

                • #9
                  Re: Server Demotion

                  As per Joe's link it would appear to be a Secure channel issue.

                  What happens when you run the netdom command?

                  From memory netdom is installed by default. (Sorry I don't have a DC available and can't be bothered building one at this time of night.)

                  • #10
                    Re: Server Demotion

                    Both Netdom and netdiag are "unrecognized commands" on both of my DCs.
                    When highlighting the "Active Directory Users and Computers" tab in the ADUC console and choosing "Action>connect to a domain controller", both servers are listed, but when an attempt to connect to server2 is made a popup states, "The following domain controller could not be contacted: *** Access is denied". None of the known passwords work. I am able to use RDP to remote to it and I am able to connect to server1 from server two using the same method as I tried to use on server1 to connect to server2; but this does not help, since I must be on server1 and connected to server2 to transfer FSMO roles.
                    The time spent on this is becoming ridiculous. I am just going to shut down server2, then run a clean up on server1, reformat server2 as a member server only (it has no data or anything on it anyhow), and reintroduce it to the domain as a member server, and then transfer the DB program to it. From there the DBA can take over and do what he needs to do to update the DB.

                    • #11
                      Re: Server Demotion

                      By the sounds of it, you are just removing it now. With regards to Netdiag and Netdom, you would ensure you install the Support Tools for Windows 2003 and then ensure you run the command from the folder in the command prompt that has the tools, which is %Program Files%\Support Tools.

                      • #12
                        Re: Server Demotion

                        Got the support tools installed on server1 and have run the netdom commands. Have confirmed that all five FSMO roles are on server2. Ran net view on server1: access is denied to server2. Ran netdiag /fix on server1. Part of what the readout says is:

                        Trust relationship test. . . . . . : Passed
                        Secure channel for domain '*********' is to '\\*****srv2.**********.local'.

                        Yet when I run the "connect to server" command in ntdsutil.exe, I get two strange responses:
                        1. If I say connect to ......******srv2.**********.local, I get "(The target principal name is incorrect.)"
                        2. If I say connect to ...... *****srv2.**********, I get "DsBindW error 0x6ba(The RPC server is unavailable.)"

                        • #13
                          Re: Server Demotion

                          Both server1 and server2 are still up for now. I must either solve the problem within the next hour or so, or shut down server2 so they can ship it (today) to my office for me to reformat.

                          • #14
                            Re: Server Demotion

                            Post the results of netdiag and dcdiag from both systems.
                            Please re-verify if there isn't any firewall (symantec/windows firewall etc) blocking the ports.
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"

                            • #15
                              Re: Server Demotion

                              Originally posted by Dumber
                              Post the results of netdiag and dcdiag from both systems.
                              Please re-verify if there isn't any firewall (symantec/windows firewall etc) blocking the ports.

                              Server2 has been shut down and physically removed from the network: shipped to me at my office for reformatting.
                              Server1 (the original DC) is still online and I am now in the process of using ntdsutil.exe to seize all five FSMO roles.
                              I think my next step at this point will be to perform a Metadata Cleanup on server1?
                              Sorry, I could not take any more time to try other avenues. I am under pressure to get this resolved ASAP.
                              My goal now is to make sure that all this does not affect the original DC (now the only DC again) in any negative manner.

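Added example, not part of any post in this thread: the role seizure and metadata cleanup that the last post describes, written as a Windows Server 2003 batch file run on the surviving DC. The host name srv1, the script's three numeric arguments and the two-pass layout are assumptions made for illustration; the failed DC is assumed to be powered off and never to return to the network as a DC.

```bat
@echo off
REM Added example, not from the thread. Windows Server 2003 ntdsutil syntax.
REM Assumption: srv1 is the DC that stays online; the failed DC is powered off
REM and will be reformatted before it ever rejoins the network.
set SURVIVOR=srv1

REM Second pass (three numbers supplied): go straight to the removal step.
if not "%~3"=="" goto cleanup

REM 1. Seize each role. ntdsutil attempts a normal transfer first and seizes
REM    only when the current holder cannot be reached; each one asks to confirm.
ntdsutil roles connections "connect to server %SURVIVOR%" quit ^
  "seize schema master" ^
  "seize domain naming master" ^
  "seize RID master" ^
  "seize PDC" ^
  "seize infrastructure master" ^
  quit quit

REM 2. Confirm all five roles now name the surviving DC (needs Support Tools).
netdom query fsmo

REM 3. Print the numbered domains, sites and servers. Domain 0 and site 0 are
REM    assumed here only so the server list can be shown; nothing is changed.
ntdsutil "metadata cleanup" connections "connect to server %SURVIVOR%" quit ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" quit quit quit

echo Re-run as: %~nx0 DOMAIN_NUM SITE_NUM SERVER_NUM
echo using the numbers printed above for the DC that was removed.
goto :eof

:cleanup
REM 4. Remove the dead DC's metadata. %1 %2 %3 are the domain, site and server
REM    numbers from step 3. Check the server number twice: this step deletes
REM    whichever DC it selects. ntdsutil asks for confirmation before removing.
ntdsutil "metadata cleanup" connections "connect to server %SURVIVOR%" quit ^
  "select operation target" "list domains" "select domain %~1" ^
  "list sites" "select site %~2" "list servers in site" "select server %~3" ^
  quit "remove selected server" quit quit

REM 5. The removed DC should no longer be listed anywhere in the output.
netdom query fsmo
```

After the removal, stale DNS records for the old DC and its server object under Active Directory Sites and Services may still need to be deleted by hand.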