Having problem upgrading, after demoting all but one DC

    Question

  • This has been a nightmare, as I have a small home network that I used to use for supporting clients, but over the years now only has two 2003 servers, a DC that I demoted to a stand-alone Web server, and the former eMail server that is now only a DC. I was actually trying to upgrade to 2008, and eventually 2012/16, but being the 2008 would not work without AdPrep of the AD, I encountered a whole host of DNS issues, and I eventually fixed everything except a VerifyEnterpriseReferences.

    I tried to follow several online ADSIedit/LDP instructions, but am having difficulty with the repair of the records. I had first transferred FSMO & GC (all 5 categories) to the remaining DC (Mail01), then tried regular demotion of the DC (Web01), and finally did a FORCED demotion. I then went in and cleaned up DC entries within "Users & Computers", not realizing that FRS was also going to have issues too.

    The only errors I am having after running a clean NetDiag -v, and a DCDiag -v /Fix is:

    Starting test: VerifyEnterpriseReferences
             The following problems were found while verifying various important DN
             references.  Note, that  these problems can be reported because of latency in
             replication.  So follow up to resolve the following problems, only if the same
             problem is reported on all DCs for a given domain or if  the problem persists
             after replication has had reasonable time to replicate changes.
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=WEB01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=com
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: frsComputerReference
                 Value Object Description: "DC Account Object"
                 Recommended Action: Check if this server is deleted, and if so clean up this
                DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article:  Q312862

                [2] Problem: Missing Expected Value
                 Base Object:
                CN=WEB01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=com
                 Base Object Description: "SYSVOL FRS Member Object"
                 Value Object Attribute Name: serverReference
                 Value Object Description: "DSA Object"
                 Recommended Action: Check if this server is deleted, and if so clean up this
                DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article  Q312862

             ......................... MAIL01 failed test VerifyEnterpriseReferences

    Then I ran the NTFRSUTL DS command with these results:

    NTFRS CONFIGURATION IN THE DS
    SUBSTITUTE DCINFO FOR DC
       FRS  DomainControllerName: (null)
       Computer Name            : MAIL01
       Computer DNS Name        : mail01.mydomain.com

    BINDING TO THE DS:
       ldap_connect     : mail01.mydomain.com
       DsBind     : mail01.mydomain.com

    NAMING CONTEXTS:
       SitesDn    : CN=Sites,cn=configuration,dc=mydomain,dc=com
       ServicesDn : CN=Services,cn=configuration,dc=mydomain,dc=com
       DefaultNcDn: DC=mydomain,DC=com
       ComputersDn: CN=Computers,DC=mydomain,DC=com
       DomainCtlDn: OU=Domain Controllers,DC=mydomain,DC=com
       Fqdn       : CN=MAIL01,OU=Domain Controllers,DC=mydomain,DC=com
       Searching  : Fqdn

    COMPUTER: MAIL01
       DN   : cn=mail01,ou=domain controllers,dc=mydomain,dc=com
       Guid : 04942f68-4854-4959-b3646eb91c9ced79
       UAC  : 0x00082000
       Server BL : CN=MAIL01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
       Settings  : cn=ntds settings,cn=mail01,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=mydomain,dc=com
       DNS Name  : mail01.mydomain.com
       WhenCreated  : 9/10/2007 16:36:54 Central Standard Time Central Daylight Time [360]
       WhenChanged  : 1/6/2017 5:14:48 Central Standard Time Central Daylight Time [360]

       SUBSCRIPTION: NTFRS SUBSCRIPTIONS
          DN   : cn=ntfrs subscriptions,cn=mail01,ou=domain controllers,dc=mydomain,dc=com
          Guid : 184aed6a-a860-41e2-8d82042d2de3da73
          Working       : c:\windows\ntfrs
          Actual Working: c:\windows\ntfrs
          WhenCreated  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
          WhenChanged  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]

          SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
             DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=mail01,ou=domain controllers,dc=mydomain,dc=com
             Guid : b06a53cb-6f6b-4c90-81d2ef2c73035bb3
             Member Ref: (null)
             Root      : c:\windows\sysvol\domain
             Stage     : c:\windows\sysvol\staging\domain
             WhenCreated  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
             WhenChanged  : 9/10/2007 16:50:57 Central Standard Time Central Daylight Time [360]
       MAIL01 IS NOT A MEMBER OF ANY SET!

    Any ideas on how I could fix this?

    I was also setting up a VMware Workstation, and installed a 2008 Server on that, but was also unable to DCPROMO that station to a DC as it is not detecting a completed ADPREP on Mail01 either!

    Sincerely,

    John in Chgo....

      

    Sunday, January 8, 2017 10:31 PM
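
    The dcdiag text above advises acting only on problems that every DC reports. As an added example (not part of the original post or of any Microsoft tool), the Python below parses VerifyEnterpriseReferences sections and keeps only the problems common to all supplied reports. The sample reports are constructed from the output in the post, and DC02 is a hypothetical second DC.

```python
import re
from collections import defaultdict

# Constructed sample built from the dcdiag output quoted in the post.
WEB01 = ("CN=WEB01,CN=Domain System Volume (SYSVOL share),"
         "CN=File Replication Service,CN=System,DC=mydomain,DC=com")
MAIL01_REPORT = f"""
   Starting test: VerifyEnterpriseReferences
      [1] Problem: Missing Expected Value
       Base Object:
      {WEB01}
       Base Object Description: "SYSVOL FRS Member Object"
       Value Object Attribute Name: frsComputerReference
      [2] Problem: Missing Expected Value
       Base Object:
      {WEB01}
       Base Object Description: "SYSVOL FRS Member Object"
       Value Object Attribute Name: serverReference
   ......................... MAIL01 failed test VerifyEnterpriseReferences
"""
# Hypothetical second DC whose copy of the directory shows no problem.
DC02_REPORT = """
   Starting test: VerifyEnterpriseReferences
   ......................... DC02 passed test VerifyEnterpriseReferences
"""

def parse_problems(text):
    """Return {(base_object_dn, missing_attribute)} from one dcdiag report."""
    problems, dn, expect_dn = set(), None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                      # pasted output often gains blank lines
        if expect_dn:                     # the DN is on the line after "Base Object:"
            dn, expect_dn = line, False
        elif line == "Base Object:":
            expect_dn = True
        elif re.match(r"\[\d+\] Problem:", line):
            dn = None                     # a new problem block starts
        elif line.startswith("Value Object Attribute Name:") and dn:
            problems.add((dn, line.split(":", 1)[1].strip()))
    return problems

def persistent_problems(reports):
    """reports: {dc_name: dcdiag text}. Keep only problems every DC reports."""
    per_dc = [parse_problems(text) for text in reports.values()]
    by_dn = defaultdict(list)
    for dn, attr in sorted(set.intersection(*per_dc) if per_dc else set()):
        by_dn[dn].append(attr)
    return dict(by_dn)

if __name__ == "__main__":
    print(persistent_problems({"MAIL01": MAIL01_REPORT}))
```

    With a single remaining DC, as in this post, the intersection is simply that DC's own report, so both missing references on the WEB01 member object count as persistent.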

All replies

  • Hi,
    After the demotion of that DC, have you cleaned up its metadata? Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). Please see: https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    And regarding the error “failed test VerifyEnterpriseReferences”, please follow the KB as below to see if it helps: https://support.microsoft.com/en-sg/kb/2512643
    And generally, before we demote an old DC, it is always best to first add the new server as a domain controller, and please make sure that you have at least 2 DCs running in the environment.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 9, 2017 7:05 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, January 13, 2017 9:09 AM
    Moderator