Can't remove Domain Controller role from SBS 2008 after migrating domain to WS 2012 R2 Essentials

    Question

  • Hello

    I'm in the process of migrating from a Windows Small Business Server 2008 DC to a Windows Server 2012 Essentials DC. I've been following a TechNet Blog post detailing how to do this (http://blogs.technet.com/b/sbs/archive/2014/02/21/deploying-windows-server-2012-r2-essentials-in-an-existing-active-directory-environment.aspx) until the last item which said to run the command "Uninstall-ADDSDomainController" from an elevated PowerShell. 

    When I ran the command, I got the following output: 

    PS C:\Windows\system32> Uninstall-ADDSDomainController
    The term 'Uninstall-ADDSDomainController' is not recognized as the name of a cmdlet, function, script file, or operable
     program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:31
    + Uninstall-ADDSDomainController <<<<
        + CategoryInfo          : ObjectNotFound: (Uninstall-ADDSDomainController:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    After consulting the Internet I found out that the DC role must be removed from the SBS 2008 using the DCPROMO wizard. I ran the wizard and it complained that the Certification Authority must be removed before it's possible to proceed with the wizard. 

    I removed the Certification Authority and ran the wizard again. This time I got about halfway through and got the following error:

    "The operation failed because:

    A domain controller could not be contacted for the domain <domain.name> that contained an account for this computer. Make computer a member of a workgroup then rejoin the domain before retrying the promotion.

    "The specified domain either does not exist or could not be contacted""

    At this point I wasn't sure what to do because I'm logged on to the domain. I checked in Active Directory Sites and Services to make sure that both DCs are visible and they both appear under Default-First-Site-Name > Servers. 

    Since the new DC is set as a Replica Domain Controller, I continued on and finally got another error to do with DNS. I didn't save the exact contents, but it wouldn't let me remove Active Directory Domain Services unless DNS was first removed. 

    I removed the DNS Server role and attempted to correct the issue by manually transferring roles to the new DC using a series of commands:

    ntdsutil
    roles
    conn
    connect to server <NewDC>
    q
    Transfer infrastructure master
    Transfer naming master
    Transfer PDC
    Transfer RID master
    Transfer schema master
    q
    q

    The command "netdom query fsmo" confirmed that the new domain controller has all the roles. Despite all this I still can't remove the Active Directory Domain Services role using DCPROMO. 

    Please let me know if there's something I can do. How can I get the old DC to see the new DC? Should I just make the old DC part of a workgroup and manually remove it from Active Directory on the new DC?

    Many thanks in advance

    Adrian

    Wednesday, January 13, 2016 4:00 PM

All replies

  • I hope you have imported the AD Modules to the powershell before running that command from the source server.

    Import-Module ActiveDirectory

    Moreover, now you have moved all the FSMO roles to the new server and the old server cannot contact the domain, are you able to access the old server from new?

    Do you still see both the servers in the output of netdom query dc?

    If you do not want to waste time in troubleshooting this mess, remove the network cable from the old server and shut it down then do a metadata cleanup from the new server.

    Make sure you remove the entry of the old server and not the new, and before doing this step you might wanna verify AD replication, file replication on the new server.

    • Proposed as answer by jjdlc Wednesday, July 19, 2017 6:18 PM
    Wednesday, January 13, 2016 9:12 PM
  • Hi,

    Below are the general steps when demoting/removing the source server from the WS 2012 R2 Essentials network:
    1. Remove Active Directory Certificate Services
    2. Disconnect printers that are directly connected to the Source Server
    3. Demote the Source Server
    4. Remove and repurpose the Source Server

    Check whether the steps provided in the link below apply to your problem:
    https://technet.microsoft.com/en-us/library/dn408635.aspx

    You may refer to the link below for more information about "Migrate from Previous Versions to Windows Server 2012 R2 Essentials or Windows Server Essentials Experience":
    https://technet.microsoft.com/en-us/library/dn408633.aspx

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, January 15, 2016 6:45 AM
    Moderator
  • Hi Mahesh

    The Import-Module ActiveDirectory command has the following output: 

    PS C:\Windows\system32> Import-Module ActiveDirectory
    WARNING: Error initializing default drive: 'Unable to find a default server with Active Directory Web Services
    running.'.

    The Uninstall-ADDSDomainController command didn't work at all, so no problem there. I also tried running DCPROMO prior to moving FSMO roles and it couldn't see any other domain controllers then either. 

    If I run netdom query dc it shows both domain controllers. 

    I just tried turning off the network on the old DC though and it seems to break everything - can't service login requests, can't open Active Directory Domain Services on the new DC and can't browse the directory from domain computers. Also, computers which join the network after I disable the network on the old DC see the network location as Public so clearly they just ignore the new DC. 

    What a mess... 

    So with both DCs appearing, why can't DCPROMO hand the domain over to the other DC? Would removing the old DC from AD fix this? How do I clean up metadata - is there a command or do I need to do it manually?

    Cheers

    Adrian

    Monday, January 18, 2016 12:24 PM
  • Hi Eve

    Thanks for your reply. I've removed Active Directory Certificate Services already and there are no printers connected to the source server.

    I can't demote the server because DCPROMO can't see any other domain controllers in my domain. 

    Cheers

    Adrian

    Monday, January 18, 2016 12:56 PM
  • I did some more digging yesterday and found a few more issues which are contributing to this overall problem.

    Among those problems is the fact that group policy appears to be read-only. I can't make any changes because I get errors when I try. 

    I believe the cause of the read-only GPOs is that the SYSVOL share on the new DC didn't exist. The directory was there but nothing was shared or replicated from the old DC. I tried going into ADSIEDIT and manipulating the settings to do with DFS but I couldn't find "CN=SYSVOL Subscription", or "CN=DFSR-LocalSettings", or even "CN=DFSR-GlobalSettings". I could only find "CN=Dfs-Configuration".

    Also, while reading the TechNet blogs for possible solutions I found some mention of a "Dfsrmig" utility. I was hoping this would be the answer to all my problems but when I first used it, it threw an error that the domain functional level was 2003 and that the utility only worked with 2008 and upwards. I changed the domain functional level but even though the utility works now I don't really know what to do with it and I don't want to just run commands at random until I break something. 

    I believe at this point if I remove the old DC I won't have an active directory at all. Please help.

    Tuesday, January 19, 2016 10:06 AM
  • Hi all,

    Was there a resolution to this, as I have the exact same problem and am currently stuck as to how to proceed?

    Any assistance will be great, thanks.

    Saturday, March 25, 2017 12:31 AM
  • Hi

    If memory serves me, I never got anywhere with properly migrating the domain from the SBS2008. I believe that this is mostly due to the number of iterations between the versions (2008 => 2008R2 => 2012 => 2012R2). In the end I had to abandon the old domain and ended up having to create a new one and manually disjoin and add all the member PCs. 

    Also, my company opted not to use 2012 R2 Essentials and instead stick with a domain on 2012 R2 Standard. 

    Sorry to disappoint. 

    Adrian

    Sunday, March 26, 2017 4:38 PM
  • This is a DNS issue and you should not have uninstalled DNS from the old SBS. AD depends on DNS and without that it does not work properly. It may still work if DNS on the new server has all records for your domain in place. If that is the case, point the preferred DNS server IP address setting on the SBS to the new server's IP address and try to demote the SBS again. Hopefully this works.

    Really, in almost all cases trouble like this is caused by problems with DNS. You should always check the health of your AD and DNS before you start introducing new DCs.


    Mariëtte Knap
    www.server-essentials.com | Linkedin | Twitter | Facebook | Migrations done the easy way

    Saturday, April 08, 2017 4:13 PM
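
A read-only pre-demotion check covering the points raised in the replies above (preferred DNS pointing at the new server, AD replication and SYSVOL verified before the old DC is removed), as an added example that is not part of the original thread. The domain name, server name and IP address are placeholders, and the script sticks to PowerShell 2.0 syntax so it can run on the SBS 2008 server.

```powershell
# Added example: read-only checks to run on the old DC before demotion.
# Written for PowerShell 2.0 (SBS 2008). All three values are placeholders.
$Domain  = 'example.local'   # AD DNS domain name
$NewDC   = 'NEWDC'           # host name of the replacement DC
$NewDcIp = '192.0.2.10'      # IP address of the replacement DC

$results = @()
function Add-Check($Name, $Passed, $Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

# 1. With the local DNS Server role removed, the preferred DNS server on
#    this machine has to be the new DC.
$dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
         ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
Add-Check 'Preferred DNS is new DC' ($dns.Count -gt 0 -and $dns[0] -eq $NewDcIp) ($dns -join ', ')

# 2. The domain's DC SRV record must resolve and list the new DC.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
Add-Check 'SRV record lists new DC' ($srv -match "svr hostname\s*=\s*$NewDC\.") "_ldap._tcp.dc._msdcs.$Domain"

# 3. Ask the DC locator for a domain controller; the DCPROMO error quoted
#    in the question reports that none could be contacted.
$loc = nltest "/dsgetdc:$Domain" /force 2>&1 | Out-String
Add-Check 'DC locator finds a DC' ($loc -match 'completed successfully') "nltest /dsgetdc:$Domain"

# 4. The new DC must share SYSVOL and NETLOGON; the thread found the
#    SYSVOL share missing on it.
$shares = (Test-Path "\\$NewDC\SYSVOL") -and (Test-Path "\\$NewDC\NETLOGON")
Add-Check 'New DC shares SYSVOL/NETLOGON' $shares "\\$NewDC"

# 5. All five FSMO roles should be held by the new DC.
$fsmo = @(netdom query fsmo 2>&1 | Where-Object { $_ -match "\s$NewDC\." })
Add-Check 'New DC holds 5 FSMO roles' ($fsmo.Count -eq 5) "$($fsmo.Count) of 5"

# 6. Replication links must exist and none may report failures.
$rows = @(repadmin /showrepl /csv | ConvertFrom-Csv |
          Where-Object { $_.'Destination DSA' })
$bad  = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
Add-Check 'Replication has no failures' ($rows.Count -gt 0 -and $bad.Count -eq 0) "$($bad.Count) of $($rows.Count) link(s) failing"

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```

Run it from an elevated prompt on the old DC; any row with Passed = False should be resolved before retrying DCPROMO or disconnecting the server.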
  • Thanks, Mariëtte.

    I was following the instructions on one of the Microsoft sites and the instructions said to decommission the SBS along with its DNS role, but not to disable DNS until it was up and running on the new server. Please excuse the lack of specifics, but I was doing this almost a year and a half ago so I don't have any of my notes to hand.

    The errors I was getting at the time suggested that while the new DC could see the SBS, the SBS could not see the new DC's Active Directory roles or the fact that it even existed despite using it as a DNS server. I think you're right when you say that it was a DNS issue, but I also believe that there was some incompatibility which prevented the SBS from transferring roles to the new DC. 

    I think that the only way to execute this would have been to transfer the DC roles to incrementally higher versions of Windows Server. What I mean is that I should have installed a 180 day trial of a Server 2008R2, transferred roles from the SBS, installed a trial of Server 2012, transferred the roles again, installed the Server 2012 R2 Essentials I actually had a license for and finally transferred the roles to that. 

    That could have potentially worked, despite taking several days to execute. Creating a new domain and transferring 25 remote users to it wasn't exactly a quick process but I was fed up with SBS 2008 at the time and I thought that I had messed up the domain beyond repair in the process of trying to transfer it directly.

    Thanks for your input though - if I ever have to do this again I'll take it into consideration.

    Adrian

    Sunday, April 09, 2017 4:59 PM
  • There is really no need for an extra hop with an extra OS in between. If you ever run into such a situation again please contact me. 

    Mariëtte Knap

    Sunday, April 09, 2017 5:33 PM
  • I will, thanks. 
    Sunday, April 09, 2017 5:36 PM