DCPromo to remove AD DS fails with "Logon Failure: The target account name is incorrect."

Good thing this is just my test network! I have a VM clone of my ancient WS 2008 R2 ("OldDC") running AD DS in a test network along with two spiffy new instances of WS 2022 (NewDC1 and NewDC2), both also running AD DS, all on Domain Functional Level 2008 R2.

I want to remove AD DS from OldDC, in preparation for some upgrades, so I ran dcpromo on it, and when I got to the final step it failed with error:

The operation failed because:

Managing the network session with NewDC2.MyDomain.pvt failed

Logon Failure: The target account name is incorrect.

Based on these instructions I stopped the KDC service on NewDC1, set Startup to Manual, rebooted NewDC1, and then ran the following on NewDC1:

netdom resetpwd /s:NewDC2 /ud:MyDomain\Administrator /pd:*

and typed in the same password we've been using for the past few months, and which successfully logged into all 3 machines today. netdom reported success.

I rebooted OldDC, logged in with the same password, ran dcpromo, and I got the same error.

I tried browsing from OldDC to shares on NewDC1 and NewDC2, and those fail with a similar error:

\\NewDC2 is not accessible. You might not have permission to use this network resource.
Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

If I try from OldDC:

net use \\NewDC1\share

that results in:

System error 1396 has occurred.

Logon Failure: The target account name is incorrect.

Curiously, if I type the IPs of NewDC1 and NewDC2 into Windows Explorer on OldDC, e.g. \\192.168.0.10 or \\192.168.0.6, respectively, I can see the shares and open their contents, including SYSVOL.

This also succeeds:

net use \\192.168.0.10\share


OldDC's TCP/IP is set to use NewDC1's IP as its primary DNS server, and nslookup NewDC1 and nslookup NewDC2 from OldDC both return the correct addresses.

Browsing from NewDC1 and NewDC2 to \\OldDC works, and I can see OldDC's shares.

I've rebooted all 3 machines many, many times, just in case that might magically fix it, but it didn't.

What other options are there for me to fix this? Or do I need to fix it at all? Can I remove AD DS from OldDC some other way? I still want to keep it around as a member of the domain. If I were to upgrade this in place to Server 2012-->Server 2022, would that magically fix the problem?

Last week I was on a Zoom call with a consultant who was trying to help me with GPOs for cybersecurity, and based on the intermittent network problems I was having at that time, but which are now fixed, he directed me to seize the roles from OldDC to either NewDC1 or NewDC2 (can't remember which) using fsmo maintenance. Could that be the root of the problem?
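As an added example, not from the original post or any of the replies: a PowerShell diagnostic run on OldDC that repeats the by-name versus by-IP comparison from the post and then checks the usual causes of error 1396 (a DC machine-account key that has not replicated to every DC after netdom resetpwd, and duplicate SPNs). Server names, IPs and the domain are the ones quoted in the post; the Domain Controllers OU path and the use of SYSVOL as the test share are assumptions.

```powershell
# Added diagnostic, not code from the thread. Run in an elevated PowerShell on
# OldDC. As a DC, OldDC normally gets its Kerberos tickets from its own KDC,
# i.e. from its own replica of AD. Error 1396 on an SMB connection means the
# server could not validate the Kerberos service ticket it was handed; access
# by IP works because it falls back to NTLM, hence the comparison in step 1.
$Domain   = 'MyDomain.pvt'
$DomainDN = 'DC=MyDomain,DC=pvt'                     # assumed from MyDomain.pvt
$Targets  = @{ 'NewDC1' = '192.168.0.10'; 'NewDC2' = '192.168.0.6' }
$Share    = 'SYSVOL'                                 # present on every DC

# 1. By name vs by IP. Name fails + IP works = Kerberos problem, not a share
#    permission or network problem.
foreach ($name in $Targets.Keys) {
    $byName = Test-Path "\\$name\$Share" -ErrorAction SilentlyContinue
    $byIp   = Test-Path "\\$($Targets[$name])\$Share" -ErrorAction SilentlyContinue
    $dns    = [System.Net.Dns]::GetHostAddresses("$name.$Domain") |
              ForEach-Object { $_.IPAddressToString }
    '{0,-7} by name: {1,-5} by IP: {2,-5} DNS: {3}' -f $name, $byName, $byIp, ($dns -join ',')
}

# 2. Did the netdom resetpwd of NewDC2's account reach every DC? OldDC's KDC
#    encrypts tickets for NewDC2 with the key in ITS copy of AD. If the
#    unicodePwd version/timestamp below differs between DCs, OldDC is issuing
#    tickets that NewDC2 cannot decrypt, which produces exactly this error.
repadmin /replsummary
foreach ($dc in @('OldDC') + $Targets.Keys) {
    "--- $dc"
    repadmin /showobjmeta $dc "CN=NewDC2,OU=Domain Controllers,$DomainDN" |
        Select-String -Pattern 'unicodePwd|dNSHostName|servicePrincipalName'
}

# 3. Duplicate SPNs. A second account holding HOST/NewDC2 or cifs/NewDC2 makes
#    the KDC encrypt the ticket with the wrong key and also yields error 1396.
setspn -X -F
foreach ($name in $Targets.Keys) { setspn -L $name }

# 4. Retry without a cached ticket, so a fix is not masked by an old TGS entry.
klist purge
klist get "cifs/NewDC2.$Domain"
```

If step 2 shows older unicodePwd metadata on OldDC than on the other two DCs, inbound replication to OldDC is the thing to repair before running dcpromo again.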

5 Replies

The simplest solution is to seize roles (if necessary) to another healthy one. Then turn off the failed one and do cleanup to remove the remnants from Active Directory.

Clean up Active Directory Domain Controller server metadata
Step-By-Step: Manually Removing A Domain Controller Server

Thanks! The roles have been seized already (see last paragraph).

My problem is that I still want to use OldDC on the domain as a non-DC member server. Is there a way to convince this box not to be a DC any more?

Yes, just do the mentioned cleanup. I don't think it will remove it from the domain, but worst case you could join it again as a member server.

@TheWaterbug just checking if there's any progress or updates? Please don't forget to mark helpful replies.

best response confirmed by TheWaterbug (Copper Contributor)
Solution
Thanks for the reminder. After trying a bunch of different things, I ended up trying an in-place upgrade to Server 2012 R2. After the upgrade finished, not only were the credentials fixed for OldDC, they also were fixed for OldDC2.

I did not try running dcpromo, because I am thinking that I may no longer want to demote them if I can upgrade them (testing applications as we speak!), but I was able to browse from both OldDC and OldDC2 to shares on NewDC1 and to NewDC2, whereas previously I could not, and previously browsing to those shares generated the same error that popped up when attempting to finish dcpromo, so I am guessing they had the same root cause.