Question : Windows 2003 Best Practices to Demote and promote a new DC

Gents

Yes, I know GOOGLE exists for these types of questions. I am looking for experts' insight and real-life examples; I have read a lot of forums and I would like to get a better feeling for this scenario, which I came across 2 days ago. Long time not doing this kind of job, but I thought, what the hell, it is like riding a bike...

1. Simple DC promotion on a PE2950, then the client wanted the smaller server, a PE1950, to be a DC. I decided to do this the easier way.. or so I had hoped at the time.
2. Brought the second W2003 server online on the domain, promoted it to a DC, successful.
3. Transferred the Operations Master roles to the second DC, then tried to demote the first DC using DCPROMO. An error came up saying something like "floating roles"... I knocked my head and used the NTDS utility to transfer the FSMO roles... Reboot.
4. Still could not demote the first DC, did not check any sync conditions at the time.. did not know where to look... or too lazy to remember...
5. Checked for the Global Catalog option and enabled it on the second DC so it would start replicating all 250 objects I had just created... Successful.
6. Rebooted the server to make sure the AD would sync, or so I hoped...
7. Tried one more time to demote the DC... error again... something was missing, I did not know what... all of a sudden it said it lost connectivity to the first DC... I could ping the damn thing and I did an NSLOOKUP and all was working... Shit, got fed up and did a DCPROMO /FORCEREMOVAL on the first DC... hahahaha now shit hits the fan...
8. Rebooted both DCs hoping for the second one to have had all the needed GC info and ALL roles. It did have all the info and ALL the roles, but now I had hundreds of DNS errors in the event log... I had no clue what was going on and did research on Google... can't remember what the error was... it just said look in the DNS log... I thought it was a normal thing... once again, too long since I used to do this kind of work... I am into LINUX now...
9. Well, long story short, I removed AD on the second DC using the FORCEREMOVAL command and re-installed... I read somewhere I should have formatted the machine but I did not have the time... Something about when the machine is a PDC, even if you format the bloody thing it will never be the same... not sure if this is true or not.

Feel free to pass by and leave your PROFESSIONAL experience on these situations, or NOT.

The question is: What did I do right? 'Cause obviously I messed up big time...

BTW I had to recreate the 250 objects again, but it was fast due to scripts and Excel tables with user names.

Your thoughts will be awarded based on the value of the input... thanks for taking your time to make me learn better ways to complete this simple mission of DC promotion.

PLEASE, I GOOGLED my fingers off already. DO NOT POINT me to any Microsoft links; I probably know them all by now about demoting and Windows best practices.

This is purely an insight question to the masters out there, if they feel like it.

Once again, thanks.

Answer : Windows 2003 Best Practices to Demote and promote a new DC

I have been where you are many times.... I have promoted and demoted hundreds of DCs, and I have to tell you, there IS magic involved and some luck... or at least it always seems that way.  
Here has been my experience and my 10 rules surrounding DCPROMO

1.  NEVER replace a dead DC server with a server with the same name!  You can NTDSUtil until your fingers fall off, but there will always be some record on some late-replicating DC somewhere that is going to screw things up for you!
2.  NEVER DCPROMO a box that doesn't have DNS already installed.
3.  NEVER create a zone on a DNS server before you promote it... you will NEVER get it to sync correctly.
4.  NEVER try to DCPROMO a box that doesn't have its NIC pointing to your PDC emulator or RIDS server.
5.  NEVER configure a newly promoted DC's NIC to point to itself for DNS, for several hours or until the NTFRS logs show complete replication.
6.  NEVER, EVER, EVER, do a force removal.  If the box can replicate ANYWHERE, it will throw ghost GUIDs out to another DC and when it replicates back its other partner will see changes that were already committed and refuse replication.  You were right on the money when you used the NTDS utility.  I think the official Microsoft word for it is "lingering objects" (see below).
7.  NEVER, EVER, NEVER, EVER, EEEVVVEEERRRR, bring up a DC on its own and make changes to it before it has a chance to do its sanity checks and clear FRS, NTDS, and DNS.  If it is the only server it can talk to, it could take an HOUR, yes, AN HOUR before you can make any changes that will not royally screw up your domain.  This has to be to guard against the potential DNS island problems that can occur when you have a circuit failure or something akin to that...

My thinking is you never had a good sync with the second server to begin with... yes, I know, you say I am nuts, but too many times I have seen the DCPromo process complete FULLY and had a totally worthless DC that never fully replicates, or whose DNS server duplicates or drops DNS host and server records.  If you happen to have event viewer logs from the servers, I would be happy to take a look at them for you and tell you exactly why it happened.

Are you sure you weren't on the second box trying to transfer the roles?  If you wanted the roles to be on the second server, you would have had to have been on it, otherwise it would not have shown the server you wanted in the box below the CHANGE button.  They make you pull the role you want over from the existing role holder to the new one.

Most likely the servers were looking at each other as corrupt partners or at least one was- which would explain why you were able to transfer everything to the new box during DCPromo and never get any love back.  

I have also run into situations where I am absolutely sure all DCs are cool, yet I still get a replication error due to "lingering objects".  If you are 100% sure you don't have a DC that has experienced a USN rollback of some kind, you can clear that error by changing the registry on the DC that is throwing that error:

Stop the Netlogon service

Cruise to:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Add a REG_DWORD called:
"Allow Replication With Divergent and Corrupt Partner"
and set the decimal value to 1

Start Netlogon

I have to warn you though, if you do have a situation where some goof-ball has restored some objects and that is the cause of your problem, you will have made the problem considerably worse.  Not in a 2 DC situation, but in one with 100 DCs in 20 states, you will be chasing down 40 or 50 servers with the lingering objects message by the end of the next day...

Rest assured and take great comfort in knowing this is one of the very hardest experiences in all of IT.  Second only perhaps to SMS and SCCM troubleshooting.  The good news is that in both cases the answers are right there in front of you.  However, it seemed to me for YEARS to be AES encrypted.  After paying a worthless "expert" 6 grand to come in and fix our AD problems, I was forced to learn way more than I ever wanted to...

Hope this helps,

Captain Clam

P.S.  ADSI Edit and the System tree of ADUC are extremely helpful in determining problems like this too.  ADSI allows you to see the USN, GUID and object information as well as resource registrations... the other tool that you HAVE to get to know if you get stuck doing this again is LDP.  Finally, if you end up with a bunch of DCs and the crap is hitting the fan again, download an eval of "Spotlight on Active Directory".  You can't possibly believe how much easier your life will become... it makes it almost embarrassingly simple to find problems and it has all kinds of cool graphics and dynamic images that show the replication traffic moving and stuff... the boss will think you are running NORAD.
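The registry procedure in the answer above (stop Netlogon, add the DWORD, start Netlogon), written out as an added PowerShell example that is not the answerer's code. It records the value found before the change so the relaxation can be undone once the lingering-object error has cleared, and assumes the key path and value name exactly as given in the answer, run elevated on the DC that logs the error.

```powershell
# Added example, not from the original post. Applies the change described in the answer
# and keeps the prior value so the check can be re-enabled afterwards: leaving the value
# at 1 means this DC keeps accepting replication from divergent or corrupt partners.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Get-DivergentPartnerSetting {
    # Returns the current DWORD, or $null when the value has never been created
    $props = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Set-DivergentPartnerSetting {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)

    $previous = Get-DivergentPartnerSetting
    if ($null -eq $previous) { Write-Host 'Previous value: <not set>' }
    else                     { Write-Host "Previous value: $previous" }

    # The answer's sequence: Netlogon down, registry change, Netlogon back up
    Stop-Service -Name Netlogon -Force
    try {
        if ($null -eq $previous) {
            New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
        } else {
            Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value $Value
        }
    } finally {
        # Netlogon comes back even if the registry write failed
        Start-Service -Name Netlogon
    }
    return $previous
}

# Step 1: relax the check, only after ruling out a USN rollback as the answer stresses.
$before = Set-DivergentPartnerSetting -Value 1

# Step 2: once replication is confirmed (repadmin /showrepl reports success and the
# lingering-object error has stopped), put the check back. If $before was $null the
# value did not exist before, so removing it restores the original state instead.
# if ($null -eq $before) { Remove-ItemProperty -Path $NtdsParams -Name $ValueName }
# else                   { Set-DivergentPartnerSetting -Value $before }
```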
