Solved

adding 2008 dc

Posted on 2008-09-29
23
839 Views
Last Modified: 2010-04-21
Hi, I'm just testing rolling out a new Dell server into our 2003 AD. I have moved a duplicate 2003 server and the new server onto their own private network and am trying to first add the 2008 server as a DC, then promote and demote to make the 2008 machine the DC and retire the 2003 machine.

What is happening, though, is that when I try to dcpromo the 2008 machine, it tells me that I need to adprep /domainprep, but I have done this both to the forest and domain, and tried it again on the 2003 machine, and it confirmed that it had already been done.

DNS etc. seems to be all working correctly, as I can join and disjoin the domain and name resolution appears fine, so I'm sort of stuck for a reason as to why it keeps asking to be adprepped.
0
Comment
Question by:dadd0012
  • 13
  • 10
23 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602161
You have to run ADprep from the Windows 2008 install media, and against your other domain controllers.  Are there other DCs that may appear in your AD, but are not on the private network that you have set up?
0
 

Author Comment

by:dadd0012
ID: 22602167
Nope, just the one DC, and yes, I have run it from the 2k8 DVD on the 2k3 server, and as I said, it reported that that has been done with no errors.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602290
One thing (may not apply here): with 2003, there are TWO different adpreps, and they are different versions.  The one on CD2 was the right one, and the other one is an older version.  With 2008, it is in the sources\adprep folder, and you have run it with elevated privileges.  Also, your login has to be a member of the Enterprise, Schema and Domain Admins groups.
0
 

Author Comment

by:dadd0012
ID: 22602301
Yeah, the privileges issue got me at first, but it warned me, so I logged back in with ent\schema\d adm privileges and ran the version off the 2k8 DVD from the sources\adprep folder.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602363
Are you using the 32-bit ADprep or the 64-bit ADprep?
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602370
Does the adprep.log give you any useful information?  (Found in the C:\windows\debug directory)
0
 

Author Comment

by:dadd0012
ID: 22602411
That's an interesting question. I'm using the one off the first one I grabbed in the office here, which was a 32-bit version. I have 64-bit 2k8 on the 2k8 server and 32-bit 2003 on the other. I'll check the debug folder, but the adprep side of things completed correctly, and when I try to rerun it, it tells me that the changes have already been done and skips.
0
 

Author Comment

by:dadd0012
ID: 22602431
Just had a look through the logs and found some errors...


Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=bio,DC=flinders,DC=edu,DC=au.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080929101507 directory for more information.

Adprep encountered an LDAP error.

Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
      'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=bio,DC=flinders,DC=edu,DC=au'
.

Got a duplicate entry for the CN=DomainControllerAuthentication and KerberosAuthentication objects as well.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602493
Rerun the 64-bit ADprep on the 64-bit 2008 server.  I am not sure about the error messages.  The duplicate entries could be normal.  
0
 

Author Comment

by:dadd0012
ID: 22602506
Shouldn't I be running the adprep on the 2003 DC, as the 2008 machine isn't a DC at the moment?
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22602551
Mmmm.  Yes.  You are right.  And you ran the 32-bit ADprep on the Win 2003 server I bet.
0

 

Author Comment

by:dadd0012
ID: 22602592
Correct.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22611310
Have you gotten anywhere with this?
0
 

Author Comment

by:dadd0012
ID: 22611376
No, unfortunately.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22614298
Let's try again.  Make a copy of the logfile, and empty the original.  Then run the ADprep again and let's look at the logfile in detail to see what is going on.  If the schema is not getting updated correctly, there must be some kind of registry or AD permissions issue.  As we talked about before, make sure that the user has full rights (including being Domain Admin, Schema Admin, Enterprise Admin).  Also, document any error message you get at the command line.  We will figure this out.
0
 

Author Comment

by:dadd0012
ID: 22618592
OK, I'm off today and won't be back in the office tomorrow, but will do that first thing :D
0
 

Author Comment

by:dadd0012
ID: 22629473
OK, after relocating the logfiles and re-running adprep, there are no recorded errors, as it detects that the changes have been done and doesn't continue. I still receive the error, though, on the 2008 server when I run dcpromo, that I need to adprep /domainprep the DC.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22632742
That's frustrating.  You rebooted the server?  Hmmm.  You ran the Windows 2009 32-bit ADprep on the older 32-bit DC.  You ran Adprep /forestprep and Adprep /domainprep both?  You say there is nothing in the log file?  Your 2003 DC has SP2 on it?  That existing DC is your only DC?  So it has the Schema master on it?  Are there any other DCs?  Do we have good communication between the new server and the old server?  Both have good IP addresses -- on the same subnet -- no IP conflicts -- can ping one another?  What does a dcdiag and a netdiag look like on the DC?
If all of those check out, try copying the contents of the \sources\adprep folder on the Server 2008 DVD to a folder on your DC (the DC with the Schema Master FSMO role -- if you have more than one).  Run the DCpromo with the administrator account, and make sure that it has the Schema Admins, Domain Admins and Enterprise Admins group memberships.  (Check -- "Administrator" does by default, but it could have been changed).  Then run your Adprep /forestprep from that folder.  Then run the Adprep /domainprep /gpprep on the DC that has the Infrastructure Master role (the same DC usually -- check).  If you have more than one DC, you have to wait for the schema to replicate before running the DCpromo.  That is usually 15 minutes, sometimes longer.
0
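An added example, not part of the original thread: rather than trusting adprep's "already done" message, read the markers adprep writes into the directory and compare them with the Windows Server 2008 levels. The expected values (schema objectVersion 44, forest update revision 2, domain update revision 3) are the documented Windows Server 2008 (non-R2) levels, not values from this thread, and the function name is hypothetical.

```powershell
# Added example (not from the thread). Expected values are the documented
# Windows Server 2008 (non-R2) levels; adjust them for other releases.
function Get-AdprepState {
    # RootDSE gives the naming contexts of the domain the machine is joined to.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    $checks = @(
        @{ Step = 'forestprep: schema version'; Attr = 'objectVersion'; Expected = 44
           Path = "LDAP://$schemaNC" },
        @{ Step = 'forestprep: forest updates'; Attr = 'revision'; Expected = 2
           Path = "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" },
        @{ Step = 'domainprep: domain updates'; Attr = 'revision'; Expected = 3
           Path = "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC" }
    )

    foreach ($c in $checks) {
        $actual = $null
        try {
            $entry  = [ADSI]$c.Path
            $actual = $entry.psbase.Properties[$c.Attr].Value
        } catch {
            # Object or attribute not found: that adprep step never completed
            # on the DC that answered the query. $actual stays $null.
        }
        New-Object PSObject -Property @{
            Step     = $c.Step
            Expected = $c.Expected
            Actual   = $actual
            Ok       = ($null -ne $actual -and [int]$actual -ge $c.Expected)
        }
    }
}

Get-AdprepState | Format-Table Step, Expected, Actual, Ok -AutoSize
```

Run it on the existing DC and again from the new server; a row with `Ok` false shows which adprep step the directory does not reflect, whatever the adprep binary reported.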
 

Author Comment

by:dadd0012
ID: 22632905
That's frustrating.  You rebooted the server? YES
Hmmm.  You ran the Windows 2009 32-bit ADprep on the older 32-bit DC. "YES"
You ran Adprep /forestprep and Adprep /domainprep both? "YES"
You say there is nothing in the log file? NO, other than what I stated
Your 2003 DC has SP2 on it? "YES"
That existing DC is your only DC? "YES"
So it has the Schema master on it? "YES"
Are there any other DC's? "NO"
Do we have good communication between the new server and the old server? "YES"
Both have good IP addresses -- on the same subnet -- no IP conflicts -- can ping one another? "YES"

We're now on a 3-day long weekend, so I prolly won't be able to do anything more till Tues, although I might need to go in tomoz morning; if so, I'll check the rest.
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22634074
We will whip it.  If nothing else, by exhausting all possibilities.
0
 

Author Comment

by:dadd0012
ID: 22655939
Hmm, done all the above, no problems or errors recorded. The only thing I saw, which I don't believe is related, was a warning about the messenger service WINS name is missing, but that test passed fine.

I did have some probs with the default gateway, as it had been moved onto a private subnet off the main network. I fixed that up, but it still made no change. I'm not sure why the 2008 server cannot detect that the adprep changes have been completed.
0
 

Author Comment

by:dadd0012
ID: 22706701
OK, I went back to the beginning and found the problem: the file date on the adprep I was using didn't look right. I was positive it came from a 32-bit 2008 CD, but I have a few, so maybe the mix-up was there. Anyway, I grabbed the adprep off the 64-bit DVD that the new server was installed from, and it updated something else that the earlier one missed, and it's all fine now.

Existing server migrated to 2008 successfully. Will give it a day or so to bed in, so to speak, before decommissioning the old server.

Thanks for the help, sstone.
0
 

Author Closing Comment

by:dadd0012
ID: 31501423
Thx for the help. After going through everything, it really only left it with something that I'd done wrong, hence the backtrack and verify of every step from the beginning again, lol. Sry for wasting your time, but thanks.
0
