Demoting a server 2012 domain controller

    General discussion

  • I have DC5 and DC6 in a forest. Both were installed with an eval copy of Server 2012, which we later found out cannot be upgraded to retail. Found a procedure to convert to a retail copy. Did DC6 first (DC5 was the FSMO master of all things). Successfully converted DC6 licensing, reinstalled AD DS and promoted it to domain controller. Checked DNS replication - good to go. Checked sites and domains - both domain controllers have a green icon by them. All looks well.

    So I then transferred all FSMO roles to DC6 so that I can take DC5 out of AD DS and demote it. "netdom query fsmo" shows DC6 now as master, which is the way I think we want it so we can demote DC5.

    I go to demote DC5, and I choose Remove Roles and Features, choose AD DS, get the normal error and click "Demote domain controller". The credentials screen pops up as expected, but this time says "No other domain controller could be contacted, but other domain controller objects are in the directory. If you are certain this is the last domain controller for the domain and want to proceed, confirm that this is the last domain controller in the domain", with two possible check boxes to check, or not: "force the removal" and "last domain controller".

    But it is not the last domain controller, and I didn't get this when removing DC6. Can I NOT check the boxes to force removal or that it's the last one in the domain, and will I be fine? Or what are the ramifications or effects of removing this domain controller with this message present? I have users, DNS, on this domain and one file server.

    PS. Regarding directions for converting to a retail copy: rather than deleting the domain controller, it was just as easy to just remove it from DS and delete the object from DNS to get it licensed and then put it all back. But maybe this is a problem?

    Thanks in advance for any solutions or ideas.

    Thursday, June 20, 2013 5:52 PM
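Editor's note: the wizard text quoted in the post above means the directory still holds objects for other DCs but none of them answered. Before anyone ticks "force the removal" or "last domain controller", it is worth establishing which of those two facts is wrong. The following PowerShell is an added example, not code from the thread or from Microsoft; it runs on the DC to be demoted (DC5 in the thread), assumes Server 2012 with the ActiveDirectory RSAT module and an elevated domain admin session, and changes nothing: the demotion itself is left commented out at the end.

```powershell
# Added example, not from the thread: pre-flight checks to run on the DC you
# intend to demote (DC5 in the thread) before clicking through the wizard, so
# that "No other domain controller could be contacted, but other domain
# controller objects are in the directory" is explained rather than forced past.
# Read-only apart from the commented-out demotion at the end.
# Assumptions: Server 2012 with the ActiveDirectory RSAT module, run in an
# elevated PowerShell session as a domain admin, on the DC being demoted.
Import-Module ActiveDirectory

$Self = $env:COMPUTERNAME

# 1. What the directory believes: every DC object, and who holds the FSMO roles.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles
$dcs | Format-Table -AutoSize

$rolesHere = ($dcs | Where-Object { $_.HostName -like "$Self.*" }).OperationMasterRoles
if ($rolesHere.Count -gt 0) {
    Write-Warning "$Self still holds: $($rolesHere -join ', '). Transfer them first (netdom query fsmo to confirm)."
}

$partners = $dcs | Where-Object { $_.HostName -notlike "$Self.*" }
if (-not $partners) {
    Write-Warning "The directory lists no other DC. Only then is 'last domain controller' the truthful choice."
}

# 2. Can each partner actually be reached on the ports the demotion needs?
#    A DC object that exists but never answers is exactly what produces the
#    "could not be contacted" prompt.
function Test-Port([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)          # throws if the port refused
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

$ports = [ordered]@{ Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445 }
foreach ($p in $partners) {
    foreach ($svc in $ports.Keys) {
        $state = if (Test-Port $p.HostName $ports[$svc]) { 'open' } else { 'BLOCKED' }
        '{0,-32} {1,-9} {2,5} {3}' -f $p.HostName, $svc, $ports[$svc], $state
    }
    # 3. A partner that has not published SYSVOL and NETLOGON is not yet a
    #    usable DC, whatever colour its icon shows in Sites and Services.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $p.HostName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    foreach ($s in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $s) { Write-Warning "$($p.HostName) does not publish $s" }
    }
}

# 4. Replication as the directory records it, per partner and partition.
#    Any ConsecutiveReplicationFailures > 0 or an old LastReplicationSuccess
#    must be fixed before demotion, or the partners keep a stale view of this DC.
Get-ADReplicationPartnerMetadata -Target $Self -PartnerType Both |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
Get-ADReplicationFailure -Target $Self | Format-Table -AutoSize

# 5. Only once every check above is clean, demote WITHOUT the two check boxes.
#    -ForceRemoval skips informing the partners, which then keep this DC's
#    objects until you run metadata cleanup; -LastDomainControllerForDomain
#    must never be set while other DC objects exist in the directory.
# Uninstall-ADDSDomainController -Credential (Get-Credential) `
#     -LocalAdministratorPassword (Read-Host -AsSecureString 'New local Administrator password') `
#     -Confirm
```

If step 2 shows every partner as BLOCKED while step 1 lists it, the problem is name resolution or a firewall between the DCs, not the directory, and the two check boxes are the wrong answer: forcing removal leaves the partners believing DC5 still exists, and "last domain controller" would strip the domain's metadata out from under the surviving DC.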

All replies

  • Did you check if both DCs are replicating all data? It may be that they are not up to date, and then you are getting such a message. Other than that, try this procedure:


    “The very concept of sin comes from the Bible. Christianity offers to solve a problem of its own making! Would you be thankful to a person who cut you with a knife in order to sell you a bandage?” ― Dan Barker, Losing Faith in Faith: From Preacher to Atheist

    Thursday, July 04, 2013 1:58 PM
  • Hello,

    assure with the support tools that the DCs are both fine after the change BEFORE going on; if needed, please upload the files for review:

    ipconfig /all >c:\ipconfig.log [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress"
    ADREPLSTATUS: can also be exported to file.

    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!) and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.

    Have you assured that the DCs use ONLY the domain-internal DNS servers on the NIC and no external ones like the ISP's?

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, July 05, 2013 6:39 AM
  • Looks like these 2 DCs are not replicating. You need to resolve this issue first. Also, what procedure did you use to convert Eval to Full version?

    Santhosh Sivarajan | Houston, TX

    Windows 2012 Book - Migrating from 2008 to Windows Server 2012
    This post is provided ASIS with no warran

    Friday, July 05, 2013 12:50 PM
  • Thanks for the responses, all. I attached the files asked for. Also, doing a "net share" does not show SYSVOL or NETLOGON on DC8, so users cannot authenticate against DC8.

    Please note, since my original question on June 20th I have done the following: took DC6 out of AD and uninstalled it and its metadata; added the server back into AD with a new name, DC8 (same IP), hoping that it would help.

    Also, in our other forest (also a new forest and running eval copies), we have the exact same issues. NETLOGON and SYSVOL are not present during "net share", can't authenticate against them, etc.

    Please let me know if I can provide anything else. Link to SkyDrive share:


    Tuesday, July 09, 2013 5:14 PM
  • Thanks Santhosh

    I took AD DS off of them, demoted the server, removed metadata, licensed the server, and re-added them to Active Directory. I also tried to add a new domain controller to the mix, but same thing.

    Tuesday, July 09, 2013 5:15 PM
  • Also - I downloaded and ran ADREPLSTATUS. I didn't include the log file, but all the sync messages for both domain controllers say "the operation completed successfully". There are 5 different partitions it was run on, it looks like. Thanks
    Tuesday, July 09, 2013 5:54 PM
  • Forgot to make it public - here is the new link. Thanks!!

    Tuesday, July 09, 2013 6:19 PM
  • Hello,

    have you used, during promotion of DC8, ONLY DC5 as preferred DNS server on the NIC and none else? I have often seen that missing shares come from the DC using itself as DNS server on the NIC, even when the DNS server role wasn't installed and was just chosen during promotion.

    In your case, demote the server again and run the metadata cleanup steps again, and then see about adding the new OS DC.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, July 09, 2013 6:28 PM
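Editor's note: "run the metadata cleanup steps again" is only verifiable if you can list what a half-cleaned DC leaves behind. The following PowerShell is an added example, not code from the thread or from Microsoft. It is a read-only inventory of the objects and DNS records that metadata cleanup must remove for a given DC name, so that the machine can be promoted again (DC6 reappearing as DC8 in the thread) without inheriting stale objects. It assumes the ActiveDirectory and DnsServer RSAT modules, a domain admin session, and DNS hosted on the PDC emulator; `$OldDc` and `$OldIp` are placeholders.

```powershell
# Added example, not from the thread: a read-only inventory of everything
# metadata cleanup has to remove for a DC that was demoted or force-removed,
# so that "cleaned up" can be verified before the machine is promoted again
# under the same or a new name (DC6 -> DC8 in the thread). Nothing is deleted.
# Assumptions: ActiveDirectory and DnsServer RSAT modules, domain admin
# session, DNS hosted on the PDC emulator; $OldDc and $OldIp are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc   = 'DC6'            # name the removed DC had
$OldIp   = '192.0.2.6'      # address it used (example value)
$domain  = Get-ADDomain
$domDn   = $domain.DistinguishedName
$config  = (Get-ADRootDSE).configurationNamingContext
$dnsHost = $domain.PDCEmulator
$residue = New-Object System.Collections.Generic.List[object]

function Add-Residue($Kind, $Where) {
    $residue.Add([pscustomobject]@{ Kind = $Kind; Where = $Where })
}

# 1. Server object (and its NTDS Settings child) under Sites and Services
Get-ADObject -SearchBase $config -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
    ForEach-Object { Add-Residue 'Sites and Services server object' $_.DistinguishedName }

# 2. Computer account: a leftover one still has primaryGroupID 516 (Domain
#    Controllers) and a machine password that nobody rotates any more.
Get-ADComputer -LDAPFilter "(cn=$OldDc)" -Properties primaryGroupID |
    ForEach-Object { Add-Residue "Computer account (primaryGroupID=$($_.primaryGroupID))" $_.DistinguishedName }

# 3. SYSVOL replication membership (DFSR, and FRS for older domains)
Get-ADObject -SearchBase "CN=System,$domDn" -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$OldDc))" |
    ForEach-Object { Add-Residue 'DFSR member' $_.DistinguishedName }
Get-ADObject -SearchBase "CN=System,$domDn" -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$OldDc))" |
    ForEach-Object { Add-Residue 'FRS member' $_.DistinguishedName }

# 4. Inbound connection objects on surviving DCs that still name the old DC
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$OldDc,*" } |
    ForEach-Object { Add-Residue 'Replication connection' $_.DistinguishedName }

# 5. DNS: A, NS, SRV and the GUID CNAME in _msdcs that still point at the old DC.
#    Stale SRV/A records keep directing clients to an address no trusted host answers.
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $dnsHost -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = $_                                   # keep the record; $_ is rebound inside switch
            $hit = switch ($r.RecordType) {
                'A'     { $r.HostName -eq $OldDc -or "$($r.RecordData.IPv4Address)" -eq $OldIp }
                'NS'    { $r.RecordData.NameServer    -like "$OldDc.*" }
                'SRV'   { $r.RecordData.DomainName    -like "$OldDc.*" }
                'CNAME' { $r.RecordData.HostNameAlias -like "$OldDc.*" }
                default { $false }
            }
            if ($hit) { Add-Residue "DNS $($r.RecordType)" "$($r.HostName).$zone" }
        }
}

if ($residue.Count -eq 0) {
    "No metadata for $OldDc found; a DC named $OldDc can be promoted again."
} else {
    $residue | Format-Table -AutoSize
    # On Server 2008 and later, deleting the server object in Sites and Services
    # (or the computer object in ADUC) runs metadata cleanup for you; the classic
    # form is:  ntdsutil "metadata cleanup" "remove selected server <server DN>" q q
}
```

Run it on a surviving DC after each cleanup attempt; an empty result is the only state in which promoting a new DC under the old name is safe. The leftover computer account in step 2 deserves attention even when everything else is clean: it still carries the Domain Controllers primary group, so whoever holds its old machine password holds DC-level rights.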
  • I tried various combinations of DNS server addresses (as I have stepped through the demotion/promotion process a few times trying to get it right). One forum said to use the server's own IP, another said to use the other domain controller's IP first and its own as 2nd, etc. I will do as you suggest by demoting, cleaning metadata, and following the website for re-adding it.


    Tuesday, July 09, 2013 6:35 PM
  • Followed closely the steps for demoting the DC and carefully cleaned up metadata, then followed your doc for re-adding it. After demoting, I went back and cleaned up metadata by doing the following: removed the AD DS and DNS roles. I changed the DNS to point to the other domain controller. I deleted DNS entries from the _msdcs subfolders (none were found). I removed the server object from Sites and Services under NTDS. I went into two different places in ADSI Edit. I then forced replication by typing "repadmin /syncall /APeD". I then promoted it (with its only DNS as the other domain controller) and everything promoted fine. But... no luck. "dcdiag /test:netlogons" says "unable to connect to the netlogon share <\\dc8\netlogon>, A net use or LsaPolicy operation failed with error 67, the network name cannot be found."

    On the other forest, I have tried a completely new domain controller - new IP and hostname. Same errors basically - no NETLOGON share. I just wonder what I am doing wrong here. Unfortunately my licensing expires July 26th. This is a new Microsoft network. Our licensing wasn't ordered in time for us to start the project, so we thought we could convert the servers to retail later. Then we found out we could not, and the network is in production.
    Wednesday, July 10, 2013 1:11 PM
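Editor's note: a DC that promotes "fine" but never publishes NETLOGON is not an AD replication problem; "repadmin /syncall" moves directory partitions, while the shares depend on SYSVOL replication, which is a separate engine (DFSR or FRS) and gates Netlogon through the SysvolReady value. The following PowerShell is an added example, not code from the thread or from Microsoft, to run on the affected DC (DC8 in the thread). It is read-only and assumes Server 2012 with SYSVOL on DFSR (the default for domains created at 2008 functional level or later), with the FRS checks kept for older domains. The event IDs are the documented DFSR/FRS SYSVOL events; the interpretation of the WMI State values is standard DFSR documentation.

```powershell
# Added example, not from the thread: run on the freshly promoted DC that has
# no SYSVOL or NETLOGON share (DC8 in the thread) to show why Netlogon has not
# published them yet. Read-only. Assumptions: Server 2012; SYSVOL replicated
# by DFSR (the default for domains created at 2008 functional level or later),
# with the FRS checks kept for older domains; run elevated on the affected DC.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$self   = $env:COMPUTERNAME

# 1. Netlogon creates SYSVOL and NETLOGON only after SysvolReady becomes 1,
#    which the replication engine sets once the initial SYSVOL sync finishes.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
"SysvolReady = $($nl.SysvolReady)   SysVol path = $($nl.SysVol)"
"Shares now  = $((Get-WmiObject Win32_Share | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }).Name -join ', ')"

# 2. Which engine owns SYSVOL here, and in what state is the replicated folder?
#    DfsrReplicatedFolderInfo.State: 0 Uninitialized, 1 Initialized,
#    2 Initial Sync, 3 Auto Recovery, 4 Normal, 5 In Error.
foreach ($svc in 'DFSR', 'NtFrs') {
    $s = Get-Service $svc -ErrorAction SilentlyContinue
    if ($s) { "$svc service: $($s.Status)" }
}
Get-WmiObject -Namespace 'root\MicrosoftDfs' -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
    Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' } |
    ForEach-Object { "DFSR SYSVOL state = $($_.State) (group '$($_.ReplicationGroupName)')" }

# 3. The events that say what SYSVOL replication is waiting for.
#    DFSR: 4612/4614 waiting for initial sync from a partner, 4602/4604 SYSVOL
#    initialized, 2213 replication stopped after an unexpected shutdown.
#    FRS:  13516 SYSVOL ready, 13508 cannot replicate from a partner.
$firstLine = @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213, 4602, 4604, 4612, 4614 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13516 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine | Format-Table -AutoSize

# 4. Name resolution: the NIC must point at a DNS server that hosts the zone,
#    and both this DC and its partner must be registered under _msdcs.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# 5. Netlogon's own complaints, then the checks the thread already used.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 1, 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine | Format-Table -AutoSize
nltest /dsgetdc:$domain /force
dcdiag /test:sysvolcheck /test:netlogons /s:$self
```

Read the output as a chain: SysvolReady 0, DFSR state 2 and a recent 4612/4614 mean the new DC is still waiting to pull SYSVOL from its partner, and NETLOGON will not appear until that completes, however healthy the AD partitions look in repadmin. Setting SysvolReady to 1 by hand short-circuits that wait and publishes whatever is in the SYSVOL folder, possibly nothing, to every client that picks this DC; if initial sync never completes, follow the documented authoritative or non-authoritative SYSVOL restore procedure instead.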
  • Meinolf

    I was using the same password for the local admin account as the domain admin's password. When promoting a server to domain controller, is this an issue? Can the passwords be the same? We are trying it again with a different local password.

    Wednesday, July 10, 2013 2:15 PM
  • Hello,

    passwords are not an issue here. If a server is promoted to a DC, the local SAM database is removed and only a registry-based administrator account/password is created for DSRM logon ONLY.

    I would ask you to upload the above-mentioned files again for verifying. Normally there is no problem adding a new-OS DC to the existing domain; I never had problems with missing SYSVOL/NETLOGON shares, no matter which OS version.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 10, 2013 7:38 PM
  • Meinolf - I reran the tools and put them in this location. Logs with a 2 in the name are from the 1st domain controller we installed, and those without the 2 in the name are from the 2nd domain controller that we have licensed but cannot re-add correctly. It's all Server 2012. In our other forest we are having the same problem. Thanks kindly for taking the time to look at these files.

    Wednesday, July 17, 2013 5:06 PM
  • Hi,

    I am having the exact same issue as you do. Have you solved this problem? Also, my first 180-day eval expired; now I have rearmed the license for another 180 days, but time is running out and I can't figure out a way to fix this.

    Please let me know if you have resolved your issue and how.

    Thanks, Shuja Najmee

    Monday, January 20, 2014 5:48 AM