Cannot transfer controller operations master role or demote a domain controller


Server 2012 R2, Server 2012, Domain Controller role

After experiencing some permissions problems on my domain, I noticed that my 2nd domain controller appears to be corrupted in some way. (I'm sorry the naming is confusing. When I say the 2nd DC, it is actually named vswbcdc1.) I have included some screenshots below to explain why I think the DC is corrupted. I had previously made this DC the operations master and transferred all the FSMO roles to it. The original DC on svrwbc is installed on Server 2012; the 2nd DC on vswbcdc1 is on Server 2012 R2, in case that is an issue.

I thought maybe a viable solution was to remove the 2nd DC role from its server, and the problem might go away when I add the role back in, but I can't transfer things back to the original 1st DC before removing the 2nd DC's role. When I tried to transfer the operations master back, I received these screens:

On the 1st DC, which is where I want to transfer the ops master back to, I get "ERROR" for the current operations master. I figured that can't be good:

On the 2nd DC, which is where I want to transfer the ops master from, it initially looks OK, but upon clicking Change, the error panel shown below explains there are problems with contacting the current FSMO role holder:


But the FSMO roles appear to still be with the 2nd DC:

After I demoted the 2nd DC and tried to remove the DC role, the role removal terminated with this error.


All this leads me to believe the 2nd DC is corrupted, so what is the best course of action? My system is quite small and setting up AD DS again won't be a terrible pain, but I'd like to take the shortest path through this.

My questions:

1) Is there a tool to 'repair' DCs?

2) If not, is the info above enough to point to what I could go in and fix manually?

3) If necessary, can I just kill both DC servers and start over?

3a) Does all of the domain info reside totally on the 2 DC servers, so that if I kill those VMs and rebuild new DCs, I won't have any lingering DC data hanging around?

Thanks.

Best Answer

Microsoft has a scenario of transferring FSMO roles from a "dead" server. It means you don't need approval from the old FSMO holder or negotiation. The new server simply states that now he holds the FSMO roles. According to this scenario, you can simply turn off vswbcdc1 and seize roles by svrwbc.

To seize an operations master role

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. At the ntdsutil: prompt, type roles, and then press ENTER.
4. At the fsmo maintenance: prompt, type connections, and then press ENTER.
5. At the server connections: prompt, type connect to server <servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER.
6. After you receive confirmation of the connection, type quit, and then press ENTER.
7. Depending on the role that you want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.

https://technet.microsoft.com/en-us/library/cc816779%28v=ws.10%29.aspx
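
The same seizure can be scripted with the ActiveDirectory PowerShell module instead of the interactive ntdsutil prompts. This is an added example, not part of the original answer or of Microsoft's procedure; it assumes it is run elevated on svrwbc with Domain, Enterprise and Schema Admin rights, and that vswbcdc1 (both names taken from the question) is powered off for good.

```powershell
# Added example: seize only the FSMO roles still recorded against the failed DC.
# Assumption: vswbcdc1 is off and will not be returned to the network.
Import-Module ActiveDirectory

$Target = 'svrwbc'     # DC that will assume the roles
$DeadDC = 'vswbcdc1'   # failed role holder

# Read the five role holders as the surviving DC currently sees them.
function Get-FsmoHolders {
    param([string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator           # ntdsutil: seize PDC
        RIDMaster            = $d.RIDMaster             # ntdsutil: seize RID master
        InfrastructureMaster = $d.InfrastructureMaster  # ntdsutil: seize infrastructure master
        SchemaMaster         = $f.SchemaMaster          # ntdsutil: seize schema master
        DomainNamingMaster   = $f.DomainNamingMaster    # ntdsutil: seize naming master
    }
}

$before  = Get-FsmoHolders -Server $Target
$toSeize = @($before.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -eq $DeadDC } |
    ForEach-Object { $_.Key })

if (-not $toSeize) {
    Write-Host "No roles are recorded against $DeadDC; nothing to seize."
    return
}

# A seizure is only appropriate when the old holder is really gone.
# If it still answers, a normal transfer is the right operation.
if (Test-Connection -ComputerName $DeadDC -Count 2 -Quiet) {
    throw "$DeadDC still responds. Power it off before seizing, or transfer instead."
}

# -Force turns the transfer into a seizure (no contact with the old holder).
Move-ADDirectoryServerOperationMasterRole -Identity $Target `
    -OperationMasterRole $toSeize -Force -Confirm:$false

# Confirm that every role now points at the surviving DC.
$after = Get-FsmoHolders -Server $Target
$after.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

After a seizure, the old holder's metadata still has to be cleaned out of the directory, and the old DC should not be reconnected while it believes it holds the roles.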