Rebuilding 2003 DC

My main 2003 DC has some problems.

Most noticibly it seems to now longer believe it is a 2003 server for when I
run 2003 admin tools it tries to install them and then tells me it needs to
be Windows XP or a Windows 2003 server. It has been working fine for several
years.

Unless there is a easy solution to find out what is wrong I was thinking of
just rebuilding this DC but it was my PDC.

I transferred all services ( RID, PDC and Infrastructure master) to another
DC.

Question: is there anything else I need to do before running a DCPROMO on
this server to demote it and then reinstalling the OS and rerunning DCPROMO
to bring it back?

Thanks.

"Stryder" <Stryder@discussions.microsoft.com> wrote in message
news:7705521A-A210-4C9A-993D-F625B3FA078D@microsoft.com...
>
> My main 2003 DC has some problems.
>
> Most noticibly it seems to now longer believe it is a 2003 server for when
> I
> run 2003 admin tools it tries to install them and then tells me it needs
> to
> be Windows XP or a Windows 2003 server. It has been working fine for
> several
> years.

A 2003 DC IS a Windows 2003 Server.

> Unless there is a easy solution to find out what is wrong I was thinking
> of
> just rebuilding this DC but it was my PDC.

You need the other DC(s) to be a GC, DNS server, and to TRANSFER the
5 FSMO roles, not just the PDC Emulator.

> I transferred all services ( RID, PDC and Infrastructure master) to
> another
> DC.

Transfer the PDC emulator too then.

> Question: is there anything else I need to do before running a DCPROMO on
> this server to demote it and then reinstalling the OS and rerunning
> DCPROMO
> to bring it back?

GC (AD sites and services), DNS server, also WINS if you have more than one
subnet.

> Thanks.

Hi
Hi
Is that a Windows 2003? Or 2000?
What are you trying to install, adminpak?
--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Stryder" <Stryder@discussions.microsoft.com> wrote in message
news:7705521A-A210-4C9A-993D-F625B3FA078D@microsoft.com...
>
> My main 2003 DC has some problems.
>
> Most noticibly it seems to now longer believe it is a 2003 server for when
> I
> run 2003 admin tools it tries to install them and then tells me it needs
> to
> be Windows XP or a Windows 2003 server. It has been working fine for
> several
> years.
>
> Unless there is a easy solution to find out what is wrong I was thinking
> of
> just rebuilding this DC but it was my PDC.
>
> I transferred all services ( RID, PDC and Infrastructure master) to
> another
> DC.
>
> Question: is there anything else I need to do before running a DCPROMO on
> this server to demote it and then reinstalling the OS and rerunning
> DCPROMO
> to bring it back?
>
> Thanks.

It is Windows 2003 DC. I am not trying to install anything. When I try and
run ADUC or any admin tool it lauches an install window then tells me it can
only install on a Windows 2003 or XP machine.

I have now found out that another domain admin tried to install CA on this
DC and then removed it as the DC was getting an error about Automatic
certificate enrollment for local system failed to enroll for one Domain
Controller certificate (0x800706ba). The RPC server is unavailable.

I also read to move the Schema master and Operations Master. I have already
moved the RID, PDC and Infrastrcture master. That shoukd be my 5 FSMO roles
correct?

My other DC's also run DNS.

Is there anything else I have to do before running DCPROMO?

Thanks.


"Jorge Silva" wrote:

> Hi
> Hi
> Is that a Windows 2003? Or 2000?
> What are you trying to install, adminpak?
> --
>
> I hope that the information above helps you.
> Have a Nice day.
> Jorge Silva
> MCSE
>
> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
> news:7705521A-A210-4C9A-993D-F625B3FA078D@microsoft.com...
> >
> > My main 2003 DC has some problems.
> >
> > Most noticibly it seems to now longer believe it is a 2003 server for when
> > I
> > run 2003 admin tools it tries to install them and then tells me it needs
> > to
> > be Windows XP or a Windows 2003 server. It has been working fine for
> > several
> > years.
> >
> > Unless there is a easy solution to find out what is wrong I was thinking
> > of
> > just rebuilding this DC but it was my PDC.
> >
> > I transferred all services ( RID, PDC and Infrastructure master) to
> > another
> > DC.
> >
> > Question: is there anything else I need to do before running a DCPROMO on
> > this server to demote it and then reinstalling the OS and rerunning
> > DCPROMO
> > to bring it back?
> >
> > Thanks.
>

ok
To manually remove CA from AD
follow
http://support.microsoft.com/kb/555151

To Force remove:
Assuming that this Dc is an Aditional Dc for an existent domain:
- Disconnect (unplug the network cable) the Dc from network and run dcpromo
/forceremoval.
Restart the server.
Delete the NTDS folder.
Follow
Domain controllers do not demote gracefully when you use the Active
Directory Installation Wizard to force demotion in Windows Server 2003 and
in Windows 2000 Server
http://support.microsoft.com/kb/332199/en-us
- Then remove all references to that Dc on AD database (Metadata cleanup).
- Remove any Dns references to the Dc. - nltest /dsderegdns:<dns host name>
- If necessary seize any left Op Master roles that were hosted by that Dc.
*Note: The domain controller that seizes the role must be fully up-to-date
with the updates performed on the previous role owner. Because of
replication latency, it is possible that the domain controller might not be
up-to-date. To check the status of updates for a domain controller, use the
Repadmin.exe /Showutdvec switch.
*C:\> repadmin/showutdvec server2. mydomain.com dc= mydomain,dc=com
*C:\> repadmin/showutdvec server3. mydomain.com dc= mydomain,dc=com
- If some discrepancies Use the Repadmin /Syncall switch to make the
replication happen immediately.
- If the domain controller that you are demoting is a DNS server or global
catalog server, you must create a new GC or DNS server to satisfy load
balancing, fault tolerance, and configuration settings in the forest, don't
forget that you need at least one GC per Forest..
-Dont forget to export the *EFS* certificate. If one of these two dcs is
the first dc that was installed in your domain then the EFS certificate
resides locally on that dc. When you remove the dc before you export the
efs certificate you will loose it. Without this certificate you are not
able to recover efs encrypted files.
http://support.microsoft.com/?scid=k...41201&x=5&y=13
- Manually remove it from Sites and Services snap-in.
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/
How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?kbid=216498
Clean up server metadata
http://technet2.microsoft.com/Window....mspx?mfr=true


--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Stryder" <Stryder@discussions.microsoft.com> wrote in message
news:A513928D-1924-4582-B8D6-9429DE48D2D1@microsoft.com...
> It is Windows 2003 DC. I am not trying to install anything. When I try
> and
> run ADUC or any admin tool it lauches an install window then tells me it
> can
> only install on a Windows 2003 or XP machine.
>
> I have now found out that another domain admin tried to install CA on this
> DC and then removed it as the DC was getting an error about Automatic
> certificate enrollment for local system failed to enroll for one Domain
> Controller certificate (0x800706ba). The RPC server is unavailable.
>
> I also read to move the Schema master and Operations Master. I have
> already
> moved the RID, PDC and Infrastrcture master. That shoukd be my 5 FSMO
> roles
> correct?
>
> My other DC's also run DNS.
>
> Is there anything else I have to do before running DCPROMO?
>
> Thanks.
>
>
> "Jorge Silva" wrote:
>
>> Hi
>> Hi
>> Is that a Windows 2003? Or 2000?
>> What are you trying to install, adminpak?
>> --
>>
>> I hope that the information above helps you.
>> Have a Nice day.
>> Jorge Silva
>> MCSE
>>
>> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
>> news:7705521A-A210-4C9A-993D-F625B3FA078D@microsoft.com...
>> >
>> > My main 2003 DC has some problems.
>> >
>> > Most noticibly it seems to now longer believe it is a 2003 server for
>> > when
>> > I
>> > run 2003 admin tools it tries to install them and then tells me it
>> > needs
>> > to
>> > be Windows XP or a Windows 2003 server. It has been working fine for
>> > several
>> > years.
>> >
>> > Unless there is a easy solution to find out what is wrong I was
>> > thinking
>> > of
>> > just rebuilding this DC but it was my PDC.
>> >
>> > I transferred all services ( RID, PDC and Infrastructure master) to
>> > another
>> > DC.
>> >
>> > Question: is there anything else I need to do before running a DCPROMO
>> > on
>> > this server to demote it and then reinstalling the OS and rerunning
>> > DCPROMO
>> > to bring it back?
>> >
>> > Thanks.
>>

Thanks for all the great info.

This DC is still running. Can I not try and gracefully run DCPROMO so that
the domain sees the removal of this DC and then reinstall and DCPROMO it
again to return it to being a DC?

Thanks.

"Jorge Silva" wrote:

> ok
> To manually remove CA from AD
> follow
> http://support.microsoft.com/kb/555151
>
> To Force remove:
> Assuming that this Dc is an Aditional Dc for an existent domain:
> - Disconnect (unplug the network cable) the Dc from network and run dcpromo
> /forceremoval.
> Restart the server.
> Delete the NTDS folder.
> Follow
> Domain controllers do not demote gracefully when you use the Active
> Directory Installation Wizard to force demotion in Windows Server 2003 and
> in Windows 2000 Server
> http://support.microsoft.com/kb/332199/en-us
> - Then remove all references to that Dc on AD database (Metadata cleanup).
> - Remove any Dns references to the Dc. - nltest /dsderegdns:<dns host name>
> - If necessary seize any left Op Master roles that were hosted by that Dc.
> *Note: The domain controller that seizes the role must be fully up-to-date
> with the updates performed on the previous role owner. Because of
> replication latency, it is possible that the domain controller might not be
> up-to-date. To check the status of updates for a domain controller, use the
> Repadmin.exe /Showutdvec switch.
> *C:\> repadmin/showutdvec server2. mydomain.com dc= mydomain,dc=com
> *C:\> repadmin/showutdvec server3. mydomain.com dc= mydomain,dc=com
> - If some discrepancies Use the Repadmin /Syncall switch to make the
> replication happen immediately.
> - If the domain controller that you are demoting is a DNS server or global
> catalog server, you must create a new GC or DNS server to satisfy load
> balancing, fault tolerance, and configuration settings in the forest, don't
> forget that you need at least one GC per Forest..
> -Dont forget to export the *EFS* certificate. If one of these two dcs is
> the first dc that was installed in your domain then the EFS certificate
> resides locally on that dc. When you remove the dc before you export the
> efs certificate you will loose it. Without this certificate you are not
> able to recover efs encrypted files.
> http://support.microsoft.com/?scid=k...41201&x=5&y=13
> - Manually remove it from Sites and Services snap-in.
> Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
> http://support.microsoft.com/kb/255504/
> How to remove data in Active Directory after an unsuccessful domain
> controller demotion
> http://support.microsoft.com/?kbid=216498
> Clean up server metadata
> http://technet2.microsoft.com/Window....mspx?mfr=true
>
>
> --
>
> I hope that the information above helps you.
> Have a Nice day.
> Jorge Silva
> MCSE
>
> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
> news:A513928D-1924-4582-B8D6-9429DE48D2D1@microsoft.com...
> > It is Windows 2003 DC. I am not trying to install anything. When I try
> > and
> > run ADUC or any admin tool it lauches an install window then tells me it
> > can
> > only install on a Windows 2003 or XP machine.
> >
> > I have now found out that another domain admin tried to install CA on this
> > DC and then removed it as the DC was getting an error about Automatic
> > certificate enrollment for local system failed to enroll for one Domain
> > Controller certificate (0x800706ba). The RPC server is unavailable.
> >
> > I also read to move the Schema master and Operations Master. I have
> > already
> > moved the RID, PDC and Infrastrcture master. That shoukd be my 5 FSMO
> > roles
> > correct?
> >
> > My other DC's also run DNS.
> >
> > Is there anything else I have to do before running DCPROMO?
> >
> > Thanks.
> >
> >
> > "Jorge Silva" wrote:
> >
> >> Hi
> >> Hi
> >> Is that a Windows 2003? Or 2000?
> >> What are you trying to install, adminpak?
> >> --
> >>
> >> I hope that the information above helps you.
> >> Have a Nice day.
> >> Jorge Silva
> >> MCSE
> >>
> >> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
> >> news:7705521A-A210-4C9A-993D-F625B3FA078D@microsoft.com...
> >> >
> >> > My main 2003 DC has some problems.
> >> >
> >> > Most noticibly it seems to now longer believe it is a 2003 server for
> >> > when
> >> > I
> >> > run 2003 admin tools it tries to install them and then tells me it
> >> > needs
> >> > to
> >> > be Windows XP or a Windows 2003 server. It has been working fine for
> >> > several
> >> > years.
> >> >
> >> > Unless there is a easy solution to find out what is wrong I was
> >> > thinking
> >> > of
> >> > just rebuilding this DC but it was my PDC.
> >> >
> >> > I transferred all services ( RID, PDC and Infrastructure master) to
> >> > another
> >> > DC.
> >> >
> >> > Question: is there anything else I need to do before running a DCPROMO
> >> > on
> >> > this server to demote it and then reinstalling the OS and rerunning
> >> > DCPROMO
> >> > to bring it back?
> >> >
> >> > Thanks.
> >>
>

"Stryder" <Stryder@discussions.microsoft.com> wrote in message
news:0B386AE3-077B-4E43-B589-AD72FCEDAB0B@microsoft.com...
> Thanks for all the great info.
>
> This DC is still running. Can I not try and gracefully run DCPROMO so
> that
> the domain sees the removal of this DC and then reinstall and DCPROMO it
> again to return it to being a DC?

Yes, as long as you have at least one other fully functioning DC online.

It is best to transfer the PDC Emulator role first -- the DCPromo will
attempt this, but you can't be sure and you don't get to pick the "target"
DC to accept the role.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

Thanks.

I ran both dcdiag and netdiag on this DC and this is what I mean by it think
it is a Windows 2000 DC server instead of a Windows 2003 DC server.

This is from NetDiag:
Computer Name: WEL-DC01
DNS Host Name: wel-dc01.company.com
DNS Domain Name: company.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel

This is from DCDIAG:

DC: wel-dc01.company.com
Domain: company.com

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition
(Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server

I would rather figure this out then reinstall but I think a reinstall may be
quicker.

"Herb Martin" wrote:

>
> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
> news:0B386AE3-077B-4E43-B589-AD72FCEDAB0B@microsoft.com...
> > Thanks for all the great info.
> >
> > This DC is still running. Can I not try and gracefully run DCPROMO so
> > that
> > the domain sees the removal of this DC and then reinstall and DCPROMO it
> > again to return it to being a DC?
>
> Yes, as long as you have at least one other fully functioning DC online.
>
> It is best to transfer the PDC Emulator role first -- the DCPromo will
> attempt this, but you can't be sure and you don't get to pick the "target"
> DC to accept the role.
>
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
>
>
>

"Stryder" <Stryder@discussions.microsoft.com> wrote in message
news:0C8F850F-D0A5-42C7-8A5B-87681041DB1F@microsoft.com...
> Thanks.
>
> I ran both dcdiag and netdiag on this DC and this is what I mean by it
> think
> it is a Windows 2000 DC server instead of a Windows 2003 DC server.
>
> This is from NetDiag:
> System info : Windows 2000 Server (Build 3790)
> I would rather figure this out then reinstall but I think a reinstall may
> be
> quicker.

Is this a dual boot system?

Did you run NetDiag LOCALLY on that DC?


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

No, it is not a dual boot system and yes it was run locally.

Thanks.

"Herb Martin" wrote:

>
> "Stryder" <Stryder@discussions.microsoft.com> wrote in message
> news:0C8F850F-D0A5-42C7-8A5B-87681041DB1F@microsoft.com...
> > Thanks.
> >
> > I ran both dcdiag and netdiag on this DC and this is what I mean by it
> > think
> > it is a Windows 2000 DC server instead of a Windows 2003 DC server.
> >
> > This is from NetDiag:
> > System info : Windows 2000 Server (Build 3790)
> > I would rather figure this out then reinstall but I think a reinstall may
> > be
> > quicker.
>
> Is this a dual boot system?
>
> Did you run NetDiag LOCALLY on that DC?
>
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
>
>
>