This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 22%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I have recently performed promoted a Windows 2019 Server to a Windows 2008 domain with the 2019 DC as the primary with the FSMO roles and Windows 2008 as secondary.
Prior to Adding the Windows 2019 server, I did what I did to be proper steps:
1. DCDiag health Checks
2. Updated Domain and forest level to Windows 2008 R2 (recently Windows 2000)
3. Updated from FRS to DFRS replication
4. Added Windows 2008 to domain, added as ADC and moved FSMO roles
5. Verified FSMO roles
6. Verified Replication (Users accounts and GPO)
7. Verified Replication through Sites and Services (Replicate Now)
8. Verified DNS Forward and Reverse Lookup
9. Let it sit for a few days to make sure no issues
My problem is that I am getting an error when I run the DCPromo due to what I believe is a ghost server that is no longer on the network. I am looking for some definitive steps since when I search for this this problem, it generates multiple hits with 'suggested' methods of metadata clean up with NTDSUTIL.exe but doesn't necessarily indicate how to remove this 'ghost' server that is no longer there.
The error message in the event viewer references a 'Server1' however I now see that within Sites and Services there is a ServerA entry along with a ServerA name server decleared within the msdcs forward lookup zone. So, what I am seeking are definitive actions to move Roles off of the ghost 'Server1' as well as remove this 'ServerA' entry and then hopefully proceed with a successful DCPromo of w2k8-clesen
Here are specific error messages I am receiving. Any definitive action items on how to correctly proceed with the final DCPromo of server w2k8-clesen is my end game.
Any assistance appreciated.
(W19-Clesen-DC1 has the FSMO roles....w2k8-clesen is an additional DC.)
You can remove remnants of failed ones from active directory here.
Clean up Active Directory Domain Controller server metadata
Step-By-Step: Manually Removing A Domain Controller Server
--please don't forget to upvote and Accept as answer if the reply is helpful--
The GUI examples in this link don't seem to apply since the server I am wishing to remove doesn't show as an active DC.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
Unless, I need to manually add it in Sites and Services?
For the 2091 error it seems you may need to seize roles to another healthy one.
--please don't forget to upvote and Accept as answer if the reply is helpful--
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
The second link seems more applicable to this client's scenario. I don't have an open window from them to work on their site until the weekend (or holidays). I'll implement this strategy over the weekend and comment if it was successful.
I am just hoping that I can execute these PS commands when the server itself is not physically in the network anymore.
I am just hoping that I can execute these PS commands when the server itself is not physically in the network anymore.
Yes, it should not be a problem. No down time or interruption is required either.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Little confused about what role to 'seize'. When I run netdom command, everything looks correct as far as the roles are concerned. This windows 2019 server is in fact the correct DC, so I am not sure what role the server that is no longer on the network is retaining. My only thought is to run through the Ntdsutil and seize all the roles even though they show that my main Windows 2019 DC already has them (see pic)
This is the command I would need to run. I am 'assuming' that based on the netdom query fsmo output, it would not hurt anything since the server already has that role.
Move-ADDirectoryServerOPerationMasterRole -Identity W19-Clesen-Dc1 -OperationsMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -force
No...still a problem. Ran the above PS command...which executed in half a second. Tried the DCPromo and received the same error.
Wondering if the FSMO role issue is just a red herring.
Here is the source of the problem. The old server w2k8-clesen thinks it is retaining a role but it is clearly shown that all roles are on the correct server.
Reading more carefully, it may be the infrastructure role giving me the problem...which seems to be a assigned to 'Server1'. However, netdom query shows it is something else.
Operations which require contacting a FSMO operation master will fail until this condition is
corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=SE1,DC=CLESENBROTHERS,DC=COM
FSMO Server DN: CN=NTDS Settings\0ADEL:77180853-81d8-4c3a-9631-8e5892ab2469,CN=SERVER1\0ADEL:47ed3332-bb40-464c-a9e7-a2b8b1540f79,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SE1,DC=CLESENBROTHERS,DC=COM
Investigating to see if the problem is more DNS related.
https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/dcpromo-demotion-fails
Per the original you're adding a new 2008 domain controller? or 2019 or both? Not sure where you're seeing these problems.
I am trying to DCPromo (remove a Windows 2008 Server).
From above:
"So, what I am seeking are definitive actions to move Roles off of the ghost 'Server1' as well as remove this 'ServerA' entry and then hopefully proceed with a successful DCPromo of w2k8-clesen"
So from above I believe you said netdom query fsmo says the roles have been successfully moved? If so you could turn off the old 2008 for some time to prove things are good and if so then you can do cleanup to remove the 2008 from active directory.
Clean up Active Directory Domain Controller server metadata
Step-By-Step: Manually Removing A Domain Controller Server
--please don't forget to upvote and Accept as answer if the reply is helpful--
I'll try that but the error log suggests it is trying to move a FSMO role that is no longer there. This is the error above. there is no Server 1 on the network. This error occurs when trying to DCPromo the 'existing' server w2k8-clesen.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Are you promoting a 2008 or trying to demote one?
I am demoting the server w2k8-clesen. The server fails to demote due to what appears to be "Ownership of the following FSMO role set to a server which is deleted or or does not exist". The following line in the error 'suggests' (from screen shot) it is a server called Server1. So goal is to cleanly demote w2k8-clesen (windows 2008 server) from the domain. Where the problem is is unclear FSMO roles appear to have been moved over correctly.
Ok, well the 2008 is dazed and confused and no longer connected so I would not worry about it. You could turn off the old 2008 for some time to prove things are good and if so then you can do cleanup to remove the 2008 from active directory. (links above)
--please don't forget to upvote and Accept as answer if the reply is helpful--
You are not understanding. W2k8-clesen is the server that is connected. It fails to DCPromo due to a server that is not connected...at least from the error log.