Moving Roles from Server 2003 to Server 2008

fbclubbock
fbclubbock used Ask the Experts™
on
We currently have two domain controllers....

Box 1: Server 2003 Primary Domain Controller (Backup DNS, Global Catalog)
Box 2: Server 2008 Backup Domain Controller (Primary DNS, Global Catalog)

I have setup the roles for DHCP, DNS, and Global Catalog (when I promoted the server) on the new Server 2008 server.  Is there such a thing as a primary and a backup domain controller?  I would like Box 2 to be the primary domain controller.  is there anything else that I should do before demoting Box 1, the Server 2003 machine?  The machine needs to be reformatted and reinstalled, there is a lot of junk on it.

Any help would be appreciated!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
There is no such thing as primary and backup domain controllers.

We now call them PDCe (which stands for Primary domain controller emulator, and  means the FSMO role holder), and other Domain controllers. It is recommended that you have global catalogs on all servers now. And there is nothing wrong with having DHCP and DNS on both servers, except with DHCP you can not provide IP addresses out of the same scope as one another.

So, with that said, why not keep your second domain controller?

another thing I wanted to ask is if you ran sysprep/domain prep to prepare your 2003 server for mixed mode by adding a 2008 server. If not, do not transfer the FSMO roles until you demote the 2008 server and promote it correctly.
Commented:
Yes  You need to move-

RIS Master, PDC Emulator, Schema Master, Domain Naming master, and Infrastructure master roles.

http://support.microsoft.com/kb/324801

Author

Commented:
All FSMO roles were transferred successfully.  Anything else before demoting the old server?
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

Author

Commented:
ChiefIT,

As of now, we have a total of 4 domain controllers acting as domain controllers and global catalog servers.  One of the domains is the Server 2003 box that I mentioned that I would like to demote.

I just transferred all the FSMO roles, wondering what else needs to happen?

Commented:
Load support tools on the new server.
Run netdom query fsmo to make sure all roles are ok.

Run dcdiag an look for errors.

Make sure DNS is set up on the new server and everything is pointed to it (not the old server).

That should be it...

Author

Commented:
Adam1115,

Thanks for the tip. After querying fsmo, they are all pointing correctly.  However, here is what the diagnostics said.  Is there anything that I should be concerned about?

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER08
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER08
      Starting test: Connectivity
         ......................... SERVER08 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER08
      Starting test: Advertising
         ......................... SERVER08 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER08 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER08 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER08 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER08 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER08 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER08 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=fbclubbock,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=fbclubbock,DC=org
         ......................... SERVER08 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER08 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER08 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER08 passed test Replications
      Starting test: RidManager
         ......................... SERVER08 passed test RidManager
      Starting test: Services
         ......................... SERVER08 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x825A000C
            Time Generated: 10/25/2009   09:46:25
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
 reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 10/25/2009   09:55:46
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... SERVER08 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER08 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : fbclubbock
      Starting test: CheckSDRefDom
         ......................... fbclubbock passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... fbclubbock passed test CrossRefValidation

   Running enterprise tests on : fbclubbock.org
      Starting test: LocatorCheck
         ......................... fbclubbock.org passed test LocatorCheck
      Starting test: Intersite
         ......................... fbclubbock.org passed test Intersite

Commented:
Time can also cause your KCC events. Effectively, you have to configure an outside time source for your 2008 PDCe, (meaning the holder of the PDCe role).

Tell me a bit about your remaining servers. If they are all 2008 servers, you can go from Mixed mode to Native Mode after the demotion of your 2003 DC. You transfered the FIVE FSMO roles, count them off. Don't forget about the schema master where you have to register that DLL in order to see the Schema master role to change it.

I can understand your desire to make this a member server or remove it from the domain. 2003 servers are EXCELLENT WSUS servers for updates or security servers to help you with updates as well as scanining the domain for vulnerabilities, (like with Harris Stat Scanner).. I believe if it is not a DC, it can't hold Exchange. Even using it as a print or storage server allows you to utilize what you OWN to your benifit.

At this point, all you have to do is demote the 2003 server to a member server, using DCpromo. It's like pressing the start button to turn off the machine I guess. (OK, enough of the dry humor.)



Commented:
I think you are good.

I would browse to the server \\server\netlogon and \\server\sysvol and make sure that replicated.

Otherwise you're good to go...

Author

Commented:
Thanks for all the help!  Can't wait to demote this last 2003 server.
Top Expert 2012

Commented:
Seems that you SYSVOL isn't replicating. Please post ipconfig /all.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial