Demotoed a DC, unable to remove it from DNS on new PDC

georgecook3 · 2018-05-22T18:12:34.000Z

Ok guys, I’ll try to make the background on this one brief:

Over the weekend, while remotely performing Windows updates on our servers, our PDC went down. It became caught in a boot loop. After hours restoring from a backup, it was running again but having issues speaking to the backup domain controller. I decided to demote it completely as my current faith in that server is pretty low. It also serves as our only file server, with about 4TB of data on it, which is used by all users.

I demoted the machine, as previously explained, and removed it from Active Directory on the new PDC. I then removed it from the domain and rejoined it back to the domain and everything seemed to be running smoothly. We are now seeing issues stemming from DNS though. The issues are with communicating with other devices on the network. When trying to access file shares, users are being prompted for their credentials as it states that a DC was not available to handle their request. This seems to clear up if I point their machine’s DNS directly to the IP of the new PDC. Additionally, when trying to add machines to the domain now, I’m receiving a message stating “Cannot complete this function” despite the computer being able to resolve the domain.

When looking at DNS on the new PDC, I see many entries for the old DC. When I try to remove those entries, I receive a message “Failed to write NS record. Refused”. This is happening across the DNS completely. Additionally the old DC still shows under AD Sites and Services, with only a “DNS Settings” showing. If I try to delete the DC completely I receive a message stating “A device attached to the system is not functioning”. If I try to delete it’s msDNS-ServerSettings, I receive a message stating “While access the hard disk, a disk operation failed even after retries”

I know that best practice is never to put a previous DC back onto a domain, but sadly that machine is our sole file server. We had no other option, as of right now, but to put it back onto the network as business was at a standstill. Does anyone have any suggestions on what can be done to clear this from the new PDC so that we can get back to normal? Any help is beyond appreciated at this point.

erichassler · 2018-05-22T22:38:32.000Z

Does your backup solution specially support restoring a DC? Restoring a DC from backup has historically been bad juju due to how replication works. Sometimes DNS issues like you are referencing can occur along with other issues. You need a backup solution that can match the tombstone versions upon restoration. I would check the replication status if you are back on two DCs.

Redmondmag

How To Use Repadmin for Active Directory Troubleshooting -- Redmondmag.com

The Windows Server tool Repadmin can be your best friend when trying to pinpoint and fix Active Directory issues.

bsod · 2018-05-23T02:48:06.000Z

Can you transfer the FSMO roles to the other DC, then demote the problematic one and run a metadata cleanup using Ntdsutil?

After that maybe scour back over DNS for erroneous entries for the problematic old PDC at this stage if you are happy promote it again?

Chinny Chukwudozie, Cloud Solutions. – 27 Jan 14

Using NTDSUTIL Metada Cleanup to Remove a Failed/Offline Domain Controller...

In this post, I would like to talk about using the ntdsutil utility for metadata cleanup. A domain controller failure ‘DC00’ recently occurred in my lab. Running the repadmin /replsum c…

georgecook3 · 2018-05-23T12:47:35.000Z

We restored from an Acronis backup, which is when we started having a lot of replication issues. That’s why I ended up demoting the DC originally. Now we just have one DC up and running with the restored server only running as a file server.

georgecook3 · 2018-05-23T12:58:23.000Z

BSOD’D - I was able to transfer the FSMO roles for RID, PDC and Infrastructure to the new DC. All of that is good to go. I’ll try cleaning the metadata via NTDSUTIL.

georgecook3 · 2018-05-24T12:20:39.000Z

This has been resolved. I noticed continuous DNS-Service errors in the event viewer that were related to Active Directory. I knew that AD was functional on the new PDC so I went back to the old DC to see what may be causing it. I found AD and DNS remnants still on the server. Once everything was removed, and both the old DC and the new PDC were restarted, the domain was once again available.

Thanks for the help everyone. I’ve learned an incredible amount about domains in the last 4 days.

bagaudin-acronis · 2018-05-26T01:36:56.000Z

Hi George,

I’ve been off for severall days

Did you report the issue to our support team by any chance? I would love to have our developers to look into this.

georgecook3 · 2018-05-29T14:50:15.000Z

Bagaudin (Acronis):

Hi George,

I’ve been off for severall days

Did you report the issue to our support team by any chance? I would love to have our developers to look into this.

Hi Bagaudin,

I have not reached out to the support team about the issue. I feel like the replication issues most likely existed, without my knowledge, before the restoration.

bagaudin-acronis · 2018-05-30T00:16:23.000Z

Thanks for clarification, let me know if you’ll need our assistance.