• Forcefully Demoting a 2K8R2 Domain Controller Results in Error - DFS Replication: Access is Denied
    4 replies, posted
So the last week or so we've been having difficulty pushing group policy to our servers. Long story short, I discovered our primary domain controller (DC1) is in a USN rollback state, so I have to demote it and repromote it. I seized roles over to the secondary (DC2) and ran dcpromo /forceremoval. I move through the wizard and I get an error while it's attempting to demote: DFS Replication: Access is Denied. I am running dcpromo as a user in the Enterprise Administrator group, there should be no reason to not have sufficient privileges. Has anyone else encountered this before, or know of a solution short of wiping the damn thing and rebuilding from scratch? I spent the last few hours just reading forum posts that were tangentially related, but I hadn't seen anyone with this problem, and I can't find actual documentation about the error.
Why was the DC rolled back? What changes are missing from the directory? Depending on why it ended up in this state, you're going to be better off rebuilding it. Make sure to clean up the metadata: [url]https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx[/url]
[QUOTE=birkett;50147972]Why was the DC rolled back? What changes are missing from the directory? Depending on why it ended up in this state, you're going to be better off rebuilding it. Make sure to clean up the metadata: [url]https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx[/url][/QUOTE] Honestly, I'm not even sure who rolled it back or why. I just know that last week it stopped replicating and I encountered the USN rollback event code. My guess is that someone reloaded a snapshot or something without realizing that's bad juju on a DC. And the primary is missing about 50 objects that the secondary had. My plan was to dcpromo /forceremoval, clean up metadata, and make it the new secondary after repromoting it. But because of this error, I can't even forcefully demote it.
Not too difficult, just demote the server with your foot.
[QUOTE='[EG] Pepper;50186703']Not too difficult, just demote the server with your foot.[/QUOTE] I mean, that's basically what I ended up doing. We quarantined the PDC vm, made the secondary into the new PDC, and built a new secondary from scratch. [editline]23rd April 2016[/editline] I just found it strange that it wouldn't even let me /forceremoval. Like, what is the point of having that function if it's gonna fight me on it?
Sorry, you need to Log In to post a reply to this thread.