Domain Controller / Promotion and Demotion


  • Hello,

    I have a Windows 2003 Server Standard that I am replacing with Windows Server 2016 Standard.  I have gone through all the demotion and promotion steps outlined in the technical support articles.  I verified that the Active Directory copied over, and everything on the new server appears to be correct. When I power off the old server, the workstations cannot see the new server.  I have checked DNS as well; the old server was handling DNS, and I did set up the new DNS on the new server with the correct forwarders.  Can anyone point me in the right direction and help, pretty please? I also changed DNS on the workstations to point to the new server, with no luck.   I will post some system event information below:


    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
     and APPID 
     to the user HCDETENTION\Administrator SID (S-1-5-21-746137067-1532298954-725345543-500) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


    Dynamic registration or deregistration of one or more DNS records failed with the following error: 
    No DNS servers configured for local system.


    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcdetentiondc$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae5c1c84-f694-4a85-9281-bf741af0a343/HCDETENTION.local@HCDETENTION.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HCDETENTION.LOCAL) is different from the client domain (HCDETENTION.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


    The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.


    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

    Wednesday, June 20, 2018 18:51
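The last event above ("Windows could not obtain the name of a domain controller") is the DC locator failing on the client side, which is exactly what the workstations are reporting. The following PowerShell is an added example, not part of the original post, for checking from a workstation whether it can actually locate a DC for the domain named in the events. It assumes the domain name HCDETENTION.local from the thread; the new DC's IP address is a placeholder that has to be replaced.

```powershell
# Added example (not from the thread): run on a workstation to check whether it
# can locate a domain controller for the domain named in the event log.
# Assumptions: domain HCDETENTION.local (from the thread); $NewDcIp is a
# placeholder and must be replaced with the 2016 DC's real address.
$Domain  = 'HCDETENTION.local'
$NewDcIp = '192.0.2.10'   # placeholder, replace with the 2016 DC's address

# 1. Which DNS servers is this workstation actually using? Group Policy and the
#    DC locator both depend on these pointing at a DNS server that hosts the
#    _msdcs records for the domain.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Can the workstation resolve the DC locator SRV records through the new DC?
#    If this fails, the "could not obtain the name of a domain controller"
#    event is expected, and the new DC's DNS zone (or its dynamic registration)
#    is the place to look.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    Resolve-DnsName -Name $srv -Type SRV -Server $NewDcIp -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority
} catch {
    Write-Warning "SRV lookup for $srv against $NewDcIp failed: $($_.Exception.Message)"
}

# 3. Ask the DC locator directly, forcing a fresh discovery instead of the
#    cached DC (which may still be the powered-off 2003 server).
nltest /dsgetdc:$Domain /force

# 4. Confirm the workstation's secure channel to the domain is healthy.
Test-ComputerSecureChannel -Verbose
```

If step 2 returns no SRV record naming the 2016 DC, the workstations will keep failing no matter which DNS server they are pointed at, because the new DC has not registered itself in the zone it is now supposed to serve.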

All replies

  • So your 2003 machine has been demoted and you only have the 2016 machine?
    Wednesday, June 20, 2018 19:14
  • Hi,

    As asked above, for now, is your server 2016 the only domain controller? Is the server 2016 DC also a global catalog server?

    And when you add server 2016 to the domain as the domain controller, have you seized all the FSMO roles to server 2016?

    If server 2003 hasn't been demoted, please turn it on and seize the roles.

    The server 2016 is also a DNS server, right? Have you pointed the DNS address to itself?

    Please follow the guide to check the DNS settings.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Thursday, June 21, 2018 07:52
  • We were scared to completely demote the 2003 in case of failure; we just turned it off completely, and we did change and point the DNS, with no success.  We went through the entire wizard on the 2016 server as well, and on that server we have green lights on everything like it is ready to go.   
    Thursday, June 21, 2018 12:44
  • We turned off the 2003 for testing, but it is currently back on since the new server did not take. 
    Thursday, June 21, 2018 12:44
  • Hi Justin !

    As I can see, you have to perform a few steps before you can shut down and decommission the old 2003 DC.

    First, you have to make sure that the new 2016 DC is a Global Catalog and has the DNS roles installed.

    After that, please test replication and make sure that the DCs replicate the changes without any issues using Active Directory Sites and Services.

    Next, please make sure that the new domain controller is included as a Name Server in all the DNS zones that you have on your DNS server.

    The new DC has to have itself as a first DNS server and the old one as an alternate DNS server in the network configuration.

    Finally, you have to change the DHCP settings so they set the new DNS server IP as a DNS server on all DHCP scopes. After you change the DHCP scope options, you can run ipconfig /release and ipconfig /renew in order to verify the new configuration.

    Once you verify that, you have to move all the FSMO roles from the old to the new domain controller.

    If everything is okay you should be able to reach the new DC and shut down the old one.

    Please let me know if you need any further help!

    Thursday, June 21, 2018 13:12
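The checklist in the reply above can be verified from the new DC before anything is powered off. The following PowerShell is an added example, not from the original thread, and the DC name is a placeholder taken from nothing but this thread's naming; it assumes the ActiveDirectory, DnsServer and DhcpServer modules are present on the 2016 server (the DHCP module is only there if the DHCP role or its RSAT tools are installed).

```powershell
# Added example (not from the thread): pre-decommission checks run on the new
# 2016 DC, following the steps in the reply above. $NewDc is a placeholder.
Import-Module ActiveDirectory, DnsServer, DhcpServer

$NewDc  = 'NEW2016DC'              # placeholder for the 2016 DC's hostname
$Domain = (Get-ADDomain).DNSRoot   # e.g. HCDETENTION.local in this thread

# Step 1: is the new DC a Global Catalog, and is the DNS role installed?
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles
$dnsInstalled = (Get-WindowsFeature -Name DNS).Installed
"DNS role installed on $env:COMPUTERNAME : $dnsInstalled"

# Step 2: replication health between the DCs. The summary should show no
# failures before the old DC is taken away.
repadmin /replsummary
repadmin /showrepl $NewDc

# Step 3: every zone hosted here should list the new DC as a name server.
foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    $ns = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType NS -Node |
          ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }
    $hasNew = $ns -contains "$NewDc.$Domain"
    "{0,-40} NS includes new DC: {1}" -f $zone.ZoneName, $hasNew
}

# Step 4: the new DC's own DNS client settings. The reply above says: itself
# first, the old DC as the alternate.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# Step 5: DHCP option 6 (DNS servers) on every scope must hand out the new DC,
# otherwise workstations will keep receiving the 2003 server's address.
$newDcIp = (Get-ADDomainController -Identity $NewDc).IPv4Address
foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    "{0,-18} DNS option: {1}  includes new DC: {2}" -f $scope.ScopeId,
        ($opt.Value -join ','), ($opt.Value -contains $newDcIp)
}

# Step 6: transfer (not seize) all five FSMO roles while the old DC is still
# online, so the old server knows it no longer holds them. Uncomment once
# steps 1-5 check out.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Final check before shutting the old DC down: DNS tests and whether the new DC
# is advertising itself as a DC, GC and KDC.
dcdiag /s:$NewDc /test:dns /test:advertising
```

A transfer with Move-ADDirectoryServerOperationMasterRole is the normal path while both DCs are reachable; seizing the roles (the -Force switch) is only for a source DC that is gone for good, because the old server would otherwise come back believing it still holds them.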
  • Hi,
    Have you also checked the information mentioned above?

    Could that be helpful?

    Best Regards,


    Monday, June 25, 2018 07:19