Asked by RickEpnet

Windows 2003 DC I added a 2008 R2 domain controller Issue

How do I fix this?

We have a Windows 2003 DC. I added a 2008 R2 domain controller to the domain but forgot to raise the functionality to 2003 until after. There is no SYSVOL or NETLOGON share on the new DC. I did transfer all the roles over to the new DC without error but have since moved them back to the old DC (2003). I do not want to demote this DC and then promote it back because they are now using it.

Here is a section from the logs.

11/06/2011 11:00:43 [INFO] EVENTLOG (Warning): NTDS General / Replication : 2115
The forest functional level is not high enough to complete addition of application directory
partitions during installation of the directory. Therefore specified application directory partitions will not be added to this Active Directory Domain Controller during installation.

If you would like to make this server a replica of an application directory partition, you could re-add these application partition after the installation is complete.

ASKER CERTIFIED SOLUTION by Darius Ghassem (this solution is only available to Experts Exchange members)

RickEpnet (ASKER):

First off, this server has a lot of shares on it. Will demoting it affect the shares and roaming profiles that are stored on this machine?

Plan of action: spin up another 2008 R2 server and promote it to be a domain controller. Then we can demote this current 2008 R2 DC that is not functioning properly. What do you think?

1. First check whether the sysvol content is intact, i.e. policy and script. If you don't have it on any of the DCs, then run the command DCGPOfix /ignoreschema
2. If the sysvol content is present, then take a backup of the sysvol folder.
3. If the policy and script folders are missing on any of the DCs, then perform a D4-D2 non-authoritative and authoritative restore.
4. Now please let me know what the FFL (forest functional level) and DFL (domain functional level) are.
5. I assume DFL is 2003; now transfer the role to the new 2008 and demote the 2003.

Demoting can remove some permissions sometimes, I have experienced.

One of the domain controllers is running fine. The 2003 is still functioning 100%.

Would it be better to spin up a 2008 R2 and promote it and leave the non-functioning DC as a dysfunctional DC?

Run adprep and promote the 2008 DC. Now don't raise any functional level; let it be 2003 native.

I already ran adprep before I did anything. I had planned on leaving it at the 2003 level.

Will it hurt anything to leave the non-functioning DC as a dysfunctional DC?

What do you mean by "leave the non-functioning DC as a dysfunctional DC"?
Please give the meaning in detail.

If you promote the 2008 DC with DFL 2003, it will not affect anything. Go ahead and continue with the promotion.

What I mean is, right now we have two servers (this is a virtual environment). If we add a third one (we have the license) and make it a DC, now that the functional level is up to 2003, that new one should promote fine. Then leave the one that is not functioning as a complete DC (the one missing the SYSVOL or NETLOGON shares) as is. I am afraid to demote it because all the roaming profiles are on it and I do not want the permissions to get messed up.

1. Missing sysvol is not a great problem; that can be fixed using D4-D2. Right now you don't have to demote any DC. Simply promote the DC and wait for the DC replication.
2. DC replication may not work, so we have to fix the replication issue.
3. Missing sysvol is not a great problem.

Second scenario:
FFL or DFL is nothing to be concerned about; forget about this issue for now.
1. We will try to fix the missing sysvol problem.
2. Take a backup of policy and script on a working DC, on the D drive, in a folder named "sysvol back up".
3. Share this folder with all permissions ("share and NTFS").
4. Go to the non-working DC and copy the policy and script files to sysvol.
5. Type net stop ntfrs on both DCs.
6. Go to the working DC, open regedit and make it D4 (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica)
7. Go to the non-working DC and make it D2 (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica)
8. Type net start ntfrs on both DCs.
For more information, follow the Microsoft KB article (http://support.microsoft.com/kb/290762).

Let me know after doing this.
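
A read-only check that can be run before the D4/D2 steps above, to record which DC has the SYSVOL and NETLOGON shares, whether NtFrs is running, and the current BurFlags value of each replica set. This is an added example, not part of the original thread; the DC names are placeholders, and it assumes PowerShell 2.0 or later, WMI access and the Remote Registry service on both DCs.

```powershell
# Added example: read-only pre-check to run before the D4/D2 steps. Changes nothing.
# ASSUMPTION: DC01-2003 and DC02-2008R2 are placeholder names; substitute your own DCs.
$dcs = @('DC01-2003', 'DC02-2008R2')

# Parent key of the per-replica-set BurFlags values (full key name as given in KB 290762).
$frsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets'

function Get-SysvolState {
    param([string]$Computer)

    # A DC only shares SYSVOL and NETLOGON once FRS has finished initializing SYSVOL.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer |
        Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name } |
        ForEach-Object { $_.Name }

    $frs = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='NtFrs'"

    # Read BurFlags for each replica set through .NET (needs the Remote Registry service).
    $flags = @()
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key = $hklm.OpenSubKey($frsKey)
    if ($key) {
        foreach ($name in $key.GetSubKeyNames()) {
            $value = $key.OpenSubKey($name).GetValue('BurFlags')
            if ($value -ne $null) { $flags += ('0x{0:X}' -f $value) }
        }
        $key.Close()
    }
    $hklm.Close()

    # One summary object per DC; PSObject is used so the script also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Computer    = $Computer
        HasSysvol   = ($shares -contains 'SYSVOL')
        HasNetlogon = ($shares -contains 'NETLOGON')
        NtFrsState  = $frs.State
        BurFlags    = ($flags -join ',')
    }
}

$dcs | ForEach-Object { Get-SysvolState -Computer $_ } |
    Format-Table Computer, HasSysvol, HasNetlogon, NtFrsState, BurFlags -AutoSize
```

Keeping the output from before and after the restore shows whether the shares appeared on the second DC.
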

If you have a non-functioning DC, the new DC could have issues during promotion. I would demote the failed DC. Once you have this DC demoted, you can promote the second server.

We have to wait before I try these things until a few things have been taken care of. Please stand by.

Thanks!!