Demote Windows Server 2000 Domain Controller

I replaced a server with a new server. Consequently, I now have two servers
that are configured exactly the same. Now, they are both a domain controller,
with the same name, on the same domain.

By reading here: http://technet.microsoft.com/en-us/l.../cc740017.aspx

I found out how to demote the old server from Domain Controller. However,
when I run through the dcpromo, I get this error message:

"The operation failed because:

A domain controller could not be contacted for the domain xxxxxxx.local that
contained an account for this computer.

Make the computer a member of a workgroup then rejoin the domain before
retrying the promotion.

"The specified domain does not exist or could not be contacted""



Unfortunately, I can not rename the computer because it is a domain
controller. Also, I can not demote it from a domain controller because the
new sever is using the same name on the domain.

Is this just a ridiculous catch 22, or is there a way around this?

"CHallisy" wrote:

> I replaced a server with a new server. Consequently, I now have two servers
> that are configured exactly the same. Now, they are both a domain controller,
> with the same name, on the same domain.
>
> By reading here: http://technet.microsoft.com/en-us/l.../cc740017.aspx
>
> I found out how to demote the old server from Domain Controller. However,
> when I run through the dcpromo, I get this error message:
>
> "The operation failed because:
>
> A domain controller could not be contacted for the domain xxxxxxx.local that
> contained an account for this computer.
>
> Make the computer a member of a workgroup then rejoin the domain before
> retrying the promotion.
>
> "The specified domain does not exist or could not be contacted""
>
>
>
> Unfortunately, I can not rename the computer because it is a domain
> controller. Also, I can not demote it from a domain controller because the
> new sever is using the same name on the domain.
>
> Is this just a ridiculous catch 22, or is there a way around this?







Looks like I may have solved it. While "dcpromo" has a problem with the name
resolution, using "dcpromo /forceremoval" bypassed that check and allowed me
to demote the domain controller.

http://support.microsoft.com/kb/332199

Hello CHallisy,

It is NOT possible to have to machines with the same name in one domain,
especially domain controllers. I assume that you built a NEW domain.

So please describe exactly how you built the new server and DO NOT DO ANYTHING
WITH THE OLD DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I replaced a server with a new server. Consequently, I now have two
> servers that are configured exactly the same. Now, they are both a
> domain controller, with the same name, on the same domain.
>
> By reading here:
> http://technet.microsoft.com/en-us/l.../cc740017.aspx
>
> I found out how to demote the old server from Domain Controller.
> However, when I run through the dcpromo, I get this error message:
>
> "The operation failed because:
>
> A domain controller could not be contacted for the domain
> xxxxxxx.local that contained an account for this computer.
>
> Make the computer a member of a workgroup then rejoin the domain
> before retrying the promotion.
>
> "The specified domain does not exist or could not be contacted""
>
> Unfortunately, I can not rename the computer because it is a domain
> controller. Also, I can not demote it from a domain controller because
> the new sever is using the same name on the domain.
>
> Is this just a ridiculous catch 22, or is there a way around this?
>

Hello CHallisy,

If understand you correct before:

Now you have kicked out the domain, even if the other DC has the same servername
and domainname it is a NEW domain where all user accounts, security groups,
pGroup policies etc. has to be re-created. Additional you have to re-join
the workstations to the domain and all users are not able to logon anymore
with there account.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "CHallisy" wrote:
>
>> I replaced a server with a new server. Consequently, I now have two
>> servers that are configured exactly the same. Now, they are both a
>> domain controller, with the same name, on the same domain.
>>
>> By reading here:
>> http://technet.microsoft.com/en-us/l.../cc740017.aspx
>>
>> I found out how to demote the old server from Domain Controller.
>> However, when I run through the dcpromo, I get this error message:
>>
>> "The operation failed because:
>>
>> A domain controller could not be contacted for the domain
>> xxxxxxx.local that contained an account for this computer.
>>
>> Make the computer a member of a workgroup then rejoin the domain
>> before retrying the promotion.
>>
>> "The specified domain does not exist or could not be contacted""
>>
>> Unfortunately, I can not rename the computer because it is a domain
>> controller. Also, I can not demote it from a domain controller
>> because the new sever is using the same name on the domain.
>>
>> Is this just a ridiculous catch 22, or is there a way around this?
>>
> Looks like I may have solved it. While "dcpromo" has a problem with
> the name resolution, using "dcpromo /forceremoval" bypassed that check
> and allowed me to demote the domain controller.
>
> http://support.microsoft.com/kb/332199
>

"CHallisy" <CHallisy@discussions.microsoft.com> wrote in message
news:6945AA7A-7320-4D73-99A8-9979C3037BED@microsoft.com...
>I replaced a server with a new server. Consequently, I now have two servers
> that are configured exactly the same. Now, they are both a domain
> controller,
> with the same name, on the same domain.
>
> By reading here: http://technet.microsoft.com/en-us/l.../cc740017.aspx
>
> I found out how to demote the old server from Domain Controller. However,
> when I run through the dcpromo, I get this error message:
>
> "The operation failed because:
>
> A domain controller could not be contacted for the domain xxxxxxx.local
> that
> contained an account for this computer.
>
> Make the computer a member of a workgroup then rejoin the domain before
> retrying the promotion.
>
> "The specified domain does not exist or could not be contacted""
>
>
>
> Unfortunately, I can not rename the computer because it is a domain
> controller. Also, I can not demote it from a domain controller because the
> new sever is using the same name on the domain.
>
> Is this just a ridiculous catch 22, or is there a way around this?


No, this is not a catch-22. It's the way AD and DCs work.

And creating a same name DNS and NetBIOS domain name on the same network,
you created a duplicate only in name, but not with AD. As Meinolf said, you
will need to disjoin your current machines, and rejoin them to the new
domain. This is because when a domain/forest is created, it creates a new
SID and GUID identifiying it, regardless of the domain name. Hhowever,
because of the same name, now NetBIOS services finding a duplicate NetBIOS
name, will cause the server service to stop, causing other issues.
Therefore, creating the same name will cause additional headaches.

Curious, what was the reason you had to go through this? Was there a problem
with the DC?

Also, can you post an unedited ipconfig /all from both DCs, please?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "CHallisy" <CHallisy@discussions.microsoft.com> wrote in message
> news:6945AA7A-7320-4D73-99A8-9979C3037BED@microsoft.com...
> >I replaced a server with a new server. Consequently, I now have two servers
> > that are configured exactly the same. Now, they are both a domain
> > controller,
> > with the same name, on the same domain.
> >
> > By reading here: http://technet.microsoft.com/en-us/l.../cc740017.aspx
> >
> > I found out how to demote the old server from Domain Controller. However,
> > when I run through the dcpromo, I get this error message:
> >
> > "The operation failed because:
> >
> > A domain controller could not be contacted for the domain xxxxxxx.local
> > that
> > contained an account for this computer.
> >
> > Make the computer a member of a workgroup then rejoin the domain before
> > retrying the promotion.
> >
> > "The specified domain does not exist or could not be contacted""
> >
> >
> >
> > Unfortunately, I can not rename the computer because it is a domain
> > controller. Also, I can not demote it from a domain controller because the
> > new sever is using the same name on the domain.
> >
> > Is this just a ridiculous catch 22, or is there a way around this?
>
>
> No, this is not a catch-22. It's the way AD and DCs work.
>
> And creating a same name DNS and NetBIOS domain name on the same network,
> you created a duplicate only in name, but not with AD. As Meinolf said, you
> will need to disjoin your current machines, and rejoin them to the new
> domain. This is because when a domain/forest is created, it creates a new
> SID and GUID identifiying it, regardless of the domain name. Hhowever,
> because of the same name, now NetBIOS services finding a duplicate NetBIOS
> name, will cause the server service to stop, causing other issues.
> Therefore, creating the same name will cause additional headaches.
>
> Curious, what was the reason you had to go through this? Was there a problem
> with the DC?
>
> Also, can you post an unedited ipconfig /all from both DCs, please?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>
>
>
>

Originally, there were 2 servers, let's call them S1 and S2. S1 was the DC.
The two servers were moved onto a third physical server, using VMWare, both
are running on the same machine now.

So, S1 and S2 exist, in their original form, on a new machine. The original
S1 and S2 laid unplugged and dormant.

I brought the original S1 online. Consequently, I now had 2 servers (both
S1) on the network.


Did that make sense?

> Originally, there were 2 servers, let's call them S1 and S2. S1 was the DC.
> The two servers were moved onto a third physical server, using VMWare, both
> are running on the same machine now.
>
> So, S1 and S2 exist, in their original form, on a new machine. The original
> S1 and S2 laid unplugged and dormant.
>
> I brought the original S1 online. Consequently, I now had 2 servers (both
> S1) on the network.
>
>
> Did that make sense?


By the way, when I dcpromo /forceremoval the old S1 was not on the network,
but rather stand alone.

Hello CHallisy,

This doesn't make sense and is not supported!!!

This will result in USN rollback. NEVER have 2 same DCs, like VM and physical,
running together.

USN rollback:
http://support.microsoft.com/kb/875495

Remove immediately the physical machine from the network, because the VMs
are more uptodate. Then check with the above article if you have the USN
rollback.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Ace Fekay [Microsoft Certified Trainer]" wrote:
>
>> "CHallisy" <CHallisy@discussions.microsoft.com> wrote in message
>> news:6945AA7A-7320-4D73-99A8-9979C3037BED@microsoft.com...
>>
>>> I replaced a server with a new server. Consequently, I now have two
>>> servers
>>> that are configured exactly the same. Now, they are both a domain
>>> controller,
>>> with the same name, on the same domain.
>>> By reading here:
>>> http://technet.microsoft.com/en-us/l.../cc740017.aspx
>>>
>>> I found out how to demote the old server from Domain Controller.
>>> However, when I run through the dcpromo, I get this error message:
>>>
>>> "The operation failed because:
>>>
>>> A domain controller could not be contacted for the domain
>>> xxxxxxx.local
>>> that
>>> contained an account for this computer.
>>> Make the computer a member of a workgroup then rejoin the domain
>>> before retrying the promotion.
>>>
>>> "The specified domain does not exist or could not be contacted""
>>>
>>> Unfortunately, I can not rename the computer because it is a domain
>>> controller. Also, I can not demote it from a domain controller
>>> because the new sever is using the same name on the domain.
>>>
>>> Is this just a ridiculous catch 22, or is there a way around this?
>>>
>> No, this is not a catch-22. It's the way AD and DCs work.
>>
>> And creating a same name DNS and NetBIOS domain name on the same
>> network, you created a duplicate only in name, but not with AD. As
>> Meinolf said, you will need to disjoin your current machines, and
>> rejoin them to the new domain. This is because when a domain/forest
>> is created, it creates a new SID and GUID identifiying it, regardless
>> of the domain name. Hhowever, because of the same name, now NetBIOS
>> services finding a duplicate NetBIOS name, will cause the server
>> service to stop, causing other issues. Therefore, creating the same
>> name will cause additional headaches.
>>
>> Curious, what was the reason you had to go through this? Was there a
>> problem with the DC?
>>
>> Also, can you post an unedited ipconfig /all from both DCs, please?
>>
>> -- Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
>> Microsoft Certified Trainer
>> aceman@mvps.RemoveThisPart.org
>> For urgent issues, you may want to contact Microsoft PSS directly.
>> Please check http://support.microsoft.com for regional support phone
>> numbers.
>>
>> "Efficiency is doing things right; effectiveness is doing the right
>> things." - Peter F. Drucker
>> http://twitter.com/acefekay
> Originally, there were 2 servers, let's call them S1 and S2. S1 was
> the DC. The two servers were moved onto a third physical server, using
> VMWare, both are running on the same machine now.
>
> So, S1 and S2 exist, in their original form, on a new machine. The
> original S1 and S2 laid unplugged and dormant.
>
> I brought the original S1 online. Consequently, I now had 2 servers
> (both S1) on the network.
>
> Did that make sense?
>

Hello CHallisy,

This is then not longer a DC, just a member server. So the above mentioned
part with USN rollback hopefully doesn't occur. But as stated before, in
my opinion you have a new domain.

So please describe in detail what you have done.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


>> Originally, there were 2 servers, let's call them S1 and S2. S1 was
>> the DC. The two servers were moved onto a third physical server,
>> using VMWare, both are running on the same machine now.
>>
>> So, S1 and S2 exist, in their original form, on a new machine. The
>> original S1 and S2 laid unplugged and dormant.
>>
>> I brought the original S1 online. Consequently, I now had 2 servers
>> (both S1) on the network.
>>
>> Did that make sense?
>>
> By the way, when I dcpromo /forceremoval the old S1 was not on the
> network, but rather stand alone.
>

"CHallisy" <CHallisy@discussions.microsoft.com> wrote in message
news:EF3ACD6F-1B42-4BA2-838E-EB5264229391@microsoft.com...
>
>> Originally, there were 2 servers, let's call them S1 and S2. S1 was the
>> DC.
>> The two servers were moved onto a third physical server, using VMWare,
>> both
>> are running on the same machine now.
>>
>> So, S1 and S2 exist, in their original form, on a new machine. The
>> original
>> S1 and S2 laid unplugged and dormant.
>>
>> I brought the original S1 online. Consequently, I now had 2 servers (both
>> S1) on the network.
>>
>>
>> Did that make sense?
>
>
> By the way, when I dcpromo /forceremoval the old S1 was not on the
> network,
> but rather stand alone.


No, not really. The explanation is kind of jumbled, technology-wise.

Let me see if my interpretations are correct:

So you had S1 and S2 configured both as a DC with the same domain name?

Then you fired up S2, which has the same name?

Then you did a forceremoval on S2? If they are the same name, but different
domains, there was no reason to run a forceremoval. Nothing to remove it
from other than itself. But you did create a dupe name issue on the network.
If this was the case, a simple demotion would have sufficed. However, you
should have did it off the main network, and not plugged into the network
with the other DC.

Am I right so far?

Ace

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> No, not really. The explanation is kind of jumbled, technology-wise.
>
> Let me see if my interpretations are correct:
>
> So you had S1 and S2 configured both as a DC with the same domain name?
>
> Then you fired up S2, which has the same name?
>
> Then you did a forceremoval on S2? If they are the same name, but different
> domains, there was no reason to run a forceremoval. Nothing to remove it
> from other than itself. But you did create a dupe name issue on the network.
> If this was the case, a simple demotion would have sufficed. However, you
> should have did it off the main network, and not plugged into the network
> with the other DC.
>
> Am I right so far?
>
> Ace
>
>
>

S1 was the only DC. It was cloned, basically, onto a new machine.

The original S1 was shutdown and taken off line.

So, there were two servers that were exactly the same. Both identical. But
only one was in use.

The original, I wanted to use, so I turned it back on, off the main network.

I eventually wanted to bring it into the domain, now being hosted by a new
DC, with the same name. In order to do that, I was trying to change the name.
But, I could not change the name because it was still a DC. Not wanting
conflict, as Meinolf pointed out, I wanted the old server to no longer
function as a DC on the network. However, I could not demote it because the
domain could not be contacted. Obviously, since it was outside of the LAN, it
could not contact the domain. In order to demote it, I had to forceremoval.

I hope that makes more sense.

"CHallisy" <CHallisy@discussions.microsoft.com> wrote in message
news:7F350176-9B09-4838-9492-755DA96DF23C@microsoft.com...
>
> S1 was the only DC. It was cloned, basically, onto a new machine.
>
> The original S1 was shutdown and taken off line.
>
> So, there were two servers that were exactly the same. Both identical. But
> only one was in use.
>
> The original, I wanted to use, so I turned it back on, off the main
> network.
>
> I eventually wanted to bring it into the domain, now being hosted by a new
> DC, with the same name. In order to do that, I was trying to change the
> name.
> But, I could not change the name because it was still a DC. Not wanting
> conflict, as Meinolf pointed out, I wanted the old server to no longer
> function as a DC on the network. However, I could not demote it because
> the
> domain could not be contacted. Obviously, since it was outside of the LAN,
> it
> could not contact the domain. In order to demote it, I had to
> forceremoval.
>
> I hope that makes more sense.

Ok, no wonder I didn't understand it. You cloned it, then tried to bring ig
back in as a server, not a DC because you were done testing it off the
network. And it could not contact the domain because it's DNS settings were
pointed to something else, the other DC, your ISP or something else and not
to itself, which is what should have been done. Note: never use your ISP's
DNS as a DNS server for a DC or any other machine in your network, or expect
additonal problems.

If you had pointed the DNS server to itself, it would have demoted properly.
Not knowing your ipconfig /all settings on the machine prior to the demotion
attempt, I won't be able to comment, but that's what seems to have happened.

Yes, the forceremoval should work fine. I would really have opted to rebuild
it from scratch, then join it to the domain. I would also promote it as an
additonal replica DC into the domain.

Ace