New win2k server fails to take over DC from old win2k server

daniel_cw
Hi All,

I'm having some major problems with my Windows 2000 server and I'm hoping for some comments and insight into what my problem might be. I've spent almost 60 hours trying to figure this out using all the resources I could find on the web, having done the main reinstall several times. It seems like a simple thing, changing server from one to another, but apparently not so.

Problem:
New win 2k server won't take over as DC for domain.

Setup:
Old server had a minor hardware failure. So, investing in some new hardware, I then built two "Frankensteinish" servers, the old server still running as usual and the new server with a fresh install of Win 2k Server (with Service Pack 4 installed straight afterwards). The old server was the only DC on a win2k network with about 15 clients. It was running AD, DNS and DHCP as the main services. I then dcpromo'd the new server to AD and DNS and added it as an additional server to the existing domain. Then I waited for replication, which worked immediately. I transferred the FSMO's to the new server, which also seemed to work. Finally I changed the Global Catalog to be resident on the new server.

What happens:
The new server doesn't seem to accept its role as DC and GC controller. I've tried to downgrade the old server with dcpromo, but it refuses, saying that there is no DC around. If I just disconnect the old DC and restart the new server and then try to log in on a client, it says that the domain is not available. If I try to manage the GPO on Users & Groups it says that the domain controller is unavailable. Ergo: I can't downgrade the old server, and the new server won't run on its own. Running them both at once works just fine though.

What I've already checked:
The DNS seems to be in order, and I've cleared cache and rebooted many times. The FSMO's on both servers point to the new one as the controller. The same goes for the GC. I've tried installing DCDiag on both servers, but it keeps on returning an error on startup saying it can't find a link library (SP4 problem perhaps?). I've installed the admin tools from the Win 2k Server CD, but they don't seem to give me much info. Ergo: I can't pinpoint where along the chain something is breaking.

The alternatives as far as I can see:
1) I try to transfer all control back to the old server, format and reinstall the new server and try all the above again (uuurgghhh).
2) I reinstall the new server and recreate the AD & DNS & GPO's by hand (backup and restore of system state is not an option, already tried that and failed). It would take time and I'd probably lose lots in the process as well.
3) Fix the obviously overlooked 'something' and get it all working in 15 minutes flat. What's the something??

Grateful for any help!
Top Expert 2005
Commented:
Remove the role of GC from the new server, making sure at least one of the others is a GC.  Make sure all five roles are being held by the new server.

Now, run DCPROMO and demote each of the old servers - one by one.

Unless installing from scratch, the Infrastructure Master cannot co-locate with a GC.

Once all the other servers have been gracefully removed you can make the new server a GC - it will warn you about the action and as long as you will only have the one DC it's okay.

Advise.
Is it your goal to remove the old DC completely? If not, you should spread the FSMO roles and let both have a copy of the GC.
Back to your problem: it is probably DNS related. That's the first thing to check anyway. Could you please post the output of the ipconfig /all command on both servers (you may edit out the domain/server names for security reasons) and could you explain how you set up DNS replication? Also: did you set up DNS on the new server, and change the network configuration on the servers to reflect this, before you ran DCPromo?
LOL Netman66: you typed faster than me! I see in your profile you're MCT. Is training what you do for a living? Your answer is a good one. Your point about the GC not wanting to reside with the infrastructure certainly overrules my comment about that. My answer comes from what I run into most in the field. "AD problems? Check and double check the DNS!" is my motto.

Pete Long, Technical Consultant

Commented:
New Domain Controller

First DON’T consider using a cloning tool like Norton/Symantec Ghost to make an image of the server, this is fraught with pitfalls!
Consider keeping the old Domain Controller running, having two domain controllers build redundancy/Fault tolerance into your network.

1.      Build the new server in the live environment, put on all the relevant service packs (remember MS service packs are inclusive, SP2 includes SP1 etc) and join the server to the domain (You Must have the rights to do this)
2.      Promote the New server to a domain controller by running DCPromo (The server MUST be able to see DNS or it will fail) to run DC Promo Click Start >Run >type “dcpromo” {enter}
3.      When the server has finished and rebooted, you need to make the decision on whether to keep the old Domain Controller (I would say yes). If you do, then your job is finished.
4.      You will now need to “seize” the FSMO roles. There are 5 FSMO roles, which are:

·      Schema master - Forest-wide and one per forest.
·      Domain naming master - Forest-wide and one per forest.
·      RID master - Domain-specific and one for each domain.
·      PDC - PDC Emulator is domain-specific and one for each domain.
·      Infrastructure master - Domain-specific and one for each domain.
5.      To do this you need to use the “ntdsutil” tool

To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1.      On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2.      Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3.      Type connections, and then press ENTER.
4.      Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5.      At the server connections: prompt, type q, and then press ENTER again.
6.      Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7.      After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalog.

To check if a domain controller is also a global catalog server:
1.      Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.      Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3.      Open the Servers folder, and then click the domain controller.
4.      In the domain controller's folder, double-click NTDS Settings.
5.      On the Action menu, click Properties.
6.      On the General tab, locate the Global Catalog check box to see if it is selected.
*****References*****

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?kbid=255504

Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132

Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787

Author

Commented:
Ok, some clarification is needed.

I will only be keeping the new server. The old server has to go (unfortunately). So I will end up with only ONE server upon which all the services must reside.

Netman66: There are only two servers, so I'm slightly confused by your reference "run DCPROMO and demote each of the old servers - one by one". I only have one server, the old one, that I wish to demote. I understand what you are saying about GC and infrastructure master not residing together on a multiserver network, I will try this in the morning. However, when I run dcpromo there are only two options available to me: "Is this the last DC for this domain?". If I check it, it threatens me that it will completely annihilate the whole AD, recursively (and demote the server to a stand-alone server as opposed to a domain member server). Which alternative is applicable to me? When I try to run dcpromo without this option (ie to become a member server), it stops saying it can't find another DC for the domain. The second alternative, I'm afraid, might delete the AD on my new server, so I'm hesitant to try it.

Redwulf__53: Yes, I see what you mean by your motto. I am in absolute control over my network; it is an internal LAN with a router gateway outwards. When I check the ipconfig from both servers they both point to the NEW server as the DNS. The new server is also the designated DHCP server (DNS and DHCP work fine from clients, as does both internal and external name resolution), although both servers have assigned IP's. This leads me to believe that the DNS is correct, although I'm still in certain doubt whether or not the cache has been cleared locally on the old server (I've tried).

PeteLong: Thanks for the comment, although I've already read these articles and several guides outlining the same thing you've commented. I've already been through this process repeatedly, but still stuck.

/Daniel

Commented:
Daniel, one long-shot guess..... in the IP properties of the new machine, is it pointed to itself for DNS resolution?  It should be.

Conversely, is the old machine still running DNS and if so, is it still pointing to itself.  If that is the case, disable DNS on the old machine and point it to the new machine for DNS.  I'm sure you have already thought of this, but sometimes it pays to revisit the obvious.........
Top Expert 2005

Commented:
Red..

No I don't train for a living (I'd starve!) - I do train our own internal guys (about 1500 or so nationally).  I help manage our infrastructure.
In a single domain\single server site there is no other option than to co-locate the GC - it's automatic with the first DC installed.  It disables the Infrastructure Master role (which isn't necessary in a single server role).  It is very crucial with multi-server\multi-domain forests.

Daniel..

Sorry, must have misread your original post - I thought you had two old servers and one new one.  Now, when you joined the new server to the domain did you select, "additional Domain Controller in an existing Domain"?  I hope so..since it must be a peer to the old server in order to move FSMO roles to it.  When demoting the old server (DCPROMO) make sure that you do NOT select the option of it being the last DC in the domain - choose the other option.  Your statement about stand-alone and member server seems a bit confusing - a stand-alone server is, in fact, a member server.  You want to make sure you are removing the role of DC from that server - so, yes, you are demoting it to a member server.  You can check if it was successful in AD Users and Computers from the new DC.  If the computername has been moved out of the Domain Controllers OU and into the Computers OU then it was successful.  It is then safe to delete the computer account and recycle the hardware if you do not intend to use it in that role.

Once the old DC has been removed and is not on the wire, you can add the role of GC to the new server - keep in mind it disables the Infrastructure Master role - and that's fine if you do not plan on adding any further DCs to the domain.

Hope that clarifies things.

Commented:
How are the two DNS servers configured?  Are they "Active Directory Integrated", "Primary/Secondary" or "Primary/Primary" (not a good thing)? I would suggest "Active Directory Integrated".  Make sure that both servers are listed in the DC and GC folders in the domain's zone in both DNS servers.  Your error is "can't find domain controller", which implies a DNS issue.

If DNS servers are "Active Directory Integrated" or "Primary/Secondary" with both servers listed in the DC and GC folders on both DNS servers, make sure that both servers have themselves as Primary DNS server and the other DNS server as secondary.  Workstations should have the new server as Primary DNS server and the about-to-be-retired DNS server as secondary.

Author

Commented:
vern2727: Having taken a closer look at the DNS settings, I've set up both servers to point to themselves first, the other second. Looking into the records I found that the OLD server didn't carry a record of the NEW server as a DNS server, so I simply added it under "Properties (of the domain) > Name Servers > Add...". Then I took a look into the DC container in AD Users & Groups, which shows them both as DC's. The IP's and names seem to resolve. IPConfig reflects this and name resolution is fine using, for example, Ping. In the DNS records on BOTH servers only the OLD server shows up as GC, which is what I am led to believe is correct.

Netman66: As you said, I moved the GC control back to the OLD server. Now (after the above DNS changes) I tried to DCPromo the OLD server to become a member server without the option of "last DC". As a note, yes, I did add the NEW server as an additional DC.

Still no change when trying to DCPromo the OLD server. The error message is the same, basically stating that it cannot find another DC which contains a record of the OLD server. The NEW server has a record of the OLD server as one of the two DC's, so it's obviously there, it's just not connecting. Also, there seems to be a tendency on both servers to default to the OLD server when opening the AD administrative tools, but I'm unsure of what this means (if anything at all).

/Daniel
Oh no! You should set up Zone Transfers between the DNS servers! Creating records manually is not going to work, as there are many complex records created by AD. I assume the old server now holds the Primary zone for your domain. Set up the new server as secondary DNS zone for the domain and configure zone transfers. That is the only way to make sure that changes on the network are carried through. Then you can change the new server to be Primary for your domain zone and remove the old DNS server.

Commented:
If you are going to do Primary/Secondary zone transfers, then both servers must use the Primary for DNS resolution/dynamic registration.  A Secondary is a read-only DNS server.  Active Directory Integrated zones can act as multiple masters because the zone info is in AD and replicated with AD replication.

DNS is definitely the issue here.  Both servers must be found with DC server records in the domain's zone.
Top Expert 2005

Commented:
Remove DNS from the old server.  Make sure the network properties point to the DNS on the new server.  Restart the old server.

Stop and restart the Netlogon service on the new server.

Check DNS to make sure everything is registered correctly.  

Try again to demote the old server.

Author

Commented:
Both DNS servers are already set up with zone transfers. I disabled the DNS server on the old server, then pointed it to the new server. Rebooted, restarted NetLogon on the new server. When checking the DNS on the new server I found that under "Forward Lookup Zones > [domain] > _msdcs > pdc > _tcp" there is only one record, which points to the old server. The same goes for the "... > gc" catalog. Presumably this means that the registered PDC and GC is the old server. Obviously the GC still resides on the old server, but why is the PDC registered to the old server now as well? Is this normal? Should I change this by hand?

Demoting the old server still didn't work.

/Daniel
Commented:
Make sure that the new server's zone is a "Primary Zone", has "Dynamic Updates Enabled", and that all servers are pointed to this DNS zone's server for primary DNS.

Both servers should have an "A" record in the Forward Zone regardless of their DC status if this is working.

If they both have a "Dynamically Registered" "A" record, then run "IPCONFIG /FLUSHDNS" followed by "IPCONFIG /REGISTERDNS", restart the Netlogon Service and check server records again.

Then check DNS again.  The DNS server records should not be modified by hand.

You cannot remove AD from the old server unless the old server sees itself and the new server's server records in DNS.
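As an added illustration of the two checks this thread keeps coming back to (Netman66's rule that the Infrastructure Master should not sit on a GC while other non-GC DCs exist, and vern2727's point that every DC must have its server records under _msdcs in the domain zone, with the pdc and gc entries matching the real role holders), here is a small consistency checker. It is example code written for this page, not something posted in the thread or shipped by Microsoft. The SRV record names are the ones Netlogon really registers under the domain zone; the host names OLD/NEW, the role assignments and the record contents are constructed to resemble the situation Daniel describes (roles transferred to NEW, GC back on OLD, stale pdc entry still naming OLD). Feeding it what you actually see in the DNS console and in NTDS Settings tells you which record or role is out of step before you try dcpromo again.

```python
# Added example (not code from the thread): consistency check for _msdcs SRV
# records and the FSMO/GC layout. Record names are real; hosts/data are constructed.
from dataclasses import dataclass, field

FSMO_ROLES = frozenset({"schema master", "domain naming master", "rid master",
                        "pdc emulator", "infrastructure master"})

# SRV names relative to the domain zone (e.g. _ldap._tcp.dc._msdcs.example.local)
DC_RECORDS = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")  # every DC
PDC_RECORD = "_ldap._tcp.pdc._msdcs"   # PDC emulator holder only
GC_RECORD = "_ldap._tcp.gc._msdcs"     # global catalog servers


@dataclass
class DomainController:
    name: str                                # short host name (constructed)
    is_gc: bool = False                      # "Global Catalog" box in NTDS Settings
    roles: set = field(default_factory=set)  # FSMO roles this DC holds


def check_domain(dcs, srv):
    """Return a list of problem strings; an empty list means the layout is consistent.

    `srv` maps an SRV record name to the set of host names it currently points
    to, as seen in the DNS console on the server being checked.
    """
    problems = []

    # 1. Every DC must be locatable through the generic dc._msdcs records;
    #    dcpromo's "cannot find another DC" is what a gap here looks like.
    for rec in DC_RECORDS:
        for dc in dcs:
            if dc.name not in srv.get(rec, set()):
                problems.append(f"{dc.name} is missing its {rec} record")

    # 2. Each of the five FSMO roles must be held by exactly one DC.
    holders = {}
    for dc in dcs:
        for role in dc.roles:
            holders.setdefault(role, []).append(dc.name)
    for role in sorted(FSMO_ROLES):
        names = holders.get(role, [])
        if len(names) != 1:
            problems.append(f"{role} held by {names or 'nobody'}")

    # 3. The pdc._msdcs record must name only the current PDC emulator holder;
    #    a stale entry for the previous holder is common right after a transfer.
    pdc = holders.get("pdc emulator", [])
    if len(pdc) == 1 and srv.get(PDC_RECORD, set()) != {pdc[0]}:
        problems.append(f"{PDC_RECORD} -> {sorted(srv.get(PDC_RECORD, set()))}, "
                        f"expected only {pdc[0]}")

    # 4. The gc._msdcs record must list exactly the GC servers, and there must be one.
    gcs = {dc.name for dc in dcs if dc.is_gc}
    if not gcs:
        problems.append("no global catalog server in the domain")
    if srv.get(GC_RECORD, set()) != gcs:
        problems.append(f"{GC_RECORD} -> {sorted(srv.get(GC_RECORD, set()))}, "
                        f"expected {sorted(gcs)}")

    # 5. Infrastructure Master on a GC is fine only if it is the sole DC or every
    #    DC is a GC (the co-location rule from the thread).
    for name in holders.get("infrastructure master", []):
        holder = next(dc for dc in dcs if dc.name == name)
        if holder.is_gc and not all(dc.is_gc for dc in dcs):
            problems.append(f"infrastructure master {name} is a GC while other DCs are not")
    return problems


# Constructed snapshot resembling the thread: roles moved to NEW, GC back on OLD,
# DNS still carrying a stale pdc entry and a missing Kerberos entry for NEW.
THREAD_DCS = [
    DomainController("OLD", is_gc=True),
    DomainController("NEW", roles=set(FSMO_ROLES)),
]
THREAD_SRV = {
    "_ldap._tcp.dc._msdcs": {"OLD", "NEW"},
    "_kerberos._tcp.dc._msdcs": {"OLD"},   # NEW never re-registered
    "_ldap._tcp.pdc._msdcs": {"OLD"},      # stale: PDC emulator is now NEW
    "_ldap._tcp.gc._msdcs": {"OLD"},
}

# Constructed target state once OLD is demoted and off the wire: one DC, GC on it.
FINAL_DCS = [DomainController("NEW", is_gc=True, roles=set(FSMO_ROLES))]
FINAL_SRV = {rec: {"NEW"} for rec in DC_RECORDS + (PDC_RECORD, GC_RECORD)}

if __name__ == "__main__":
    for label, dcs, srv in (("thread", THREAD_DCS, THREAD_SRV),
                            ("final", FINAL_DCS, FINAL_SRV)):
        found = check_domain(dcs, srv)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run as-is it reports two problems for the thread snapshot (NEW lacks its Kerberos DC record, and the pdc record still points at OLD) and none for the single-DC end state, where the GC/Infrastructure Master co-location is acceptable because there is no other DC.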

Author

Commented:
Hi all,

Thanks for your help. Most likely this was a DNS problem combined with some FSMO and GC ownership confusion, although we'll never know for sure. I've simply run out of time and have had to choose a rather more direct approach, namely re-installing the new server and rebuilding the AD by hand. It's a gruesome task, but at least it'll work in the end.

Still, I have learned a great deal during this ordeal and your comments have been of great help, pointing me in the right direction. Also, I think this question could be of some help to others who may come along in the future. I believe it would be most fair if I increased the points to 300 and split them into three to netman, redwulf and vern. If this is fine by all involved I'll do so tomorrow. If not, please leave a comment.

Thanks,
Daniel

Commented:
Seems fair to me.......good luck
