Moving Roles from Server 2003 to Server 2008
We currently have two domain controllers....
Box 1: Server 2003 Primary Domain Controller (Backup DNS, Global Catalog)
Box 2: Server 2008 Backup Domain Controller (Primary DNS, Global Catalog)
I have setup the roles for DHCP, DNS, and Global Catalog (when I promoted the server) on the new Server 2008 server. Is there such a thing as a primary and a backup domain controller? I would like Box 2 to be the primary domain controller. is there anything else that I should do before demoting Box 1, the Server 2003 machine? The machine needs to be reformatted and reinstalled, there is a lot of junk on it.
Any help would be appreciated!
Box 1: Server 2003 Primary Domain Controller (Backup DNS, Global Catalog)
Box 2: Server 2008 Backup Domain Controller (Primary DNS, Global Catalog)
I have setup the roles for DHCP, DNS, and Global Catalog (when I promoted the server) on the new Server 2008 server. Is there such a thing as a primary and a backup domain controller? I would like Box 2 to be the primary domain controller. is there anything else that I should do before demoting Box 1, the Server 2003 machine? The machine needs to be reformatted and reinstalled, there is a lot of junk on it.
Any help would be appreciated!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ChiefIT,
As of now, we have a total of 4 domain controllers acting as domain controllers and global catalog servers. One of the domains is the Server 2003 box that I mentioned that I would like to demote.
I just transferred all the FSMO roles, wondering what else needs to happen?
As of now, we have a total of 4 domain controllers acting as domain controllers and global catalog servers. One of the domains is the Server 2003 box that I mentioned that I would like to demote.
I just transferred all the FSMO roles, wondering what else needs to happen?
Load support tools on the new server.
Run netdom query fsmo to make sure all roles are ok.
Run dcdiag an look for errors.
Make sure DNS is set up on the new server and everything is pointed to it (not the old server).
That should be it...
Run netdom query fsmo to make sure all roles are ok.
Run dcdiag an look for errors.
Make sure DNS is set up on the new server and everything is pointed to it (not the old server).
That should be it...
ASKER
Adam1115,
Thanks for the tip. After querying fsmo, they are all pointing correctly. However, here is what the diagnostics said. Is there anything that I should be concerned about?
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER08
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SE
Starting test: Connectivity
......................... SERVER08 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SE
Starting test: Advertising
......................... SERVER08 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER08 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER08 failed test DFSREvent
Starting test: SysVolCheck
......................... SERVER08 passed test SysVolCheck
Starting test: KccEvent
......................... SERVER08 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVER08 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVER08 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=fbclu
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=fbclu
......................... SERVER08 failed test NCSecDesc
Starting test: NetLogons
......................... SERVER08 passed test NetLogons
Starting test: ObjectsReplicated
......................... SERVER08 passed test ObjectsReplicated
Starting test: Replications
......................... SERVER08 passed test Replications
Starting test: RidManager
......................... SERVER08 passed test RidManager
Starting test: Services
......................... SERVER08 passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x825A000C
Time Generated: 10/25/2009 09:46:25
Event String:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
An Warning Event occurred. EventID: 0x8000001D
Time Generated: 10/25/2009 09:55:46
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
......................... SERVER08 passed test SystemLog
Starting test: VerifyReferences
......................... SERVER08 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : fbclubbock
Starting test: CheckSDRefDom
......................... fbclubbock passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... fbclubbock passed test CrossRefValidation
Running enterprise tests on : fbclubbock.org
Starting test: LocatorCheck
......................... fbclubbock.org passed test LocatorCheck
Starting test: Intersite
......................... fbclubbock.org passed test Intersite
Thanks for the tip. After querying fsmo, they are all pointing correctly. However, here is what the diagnostics said. Is there anything that I should be concerned about?
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER08
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SE
Starting test: Connectivity
......................... SERVER08 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SE
Starting test: Advertising
......................... SERVER08 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER08 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER08 failed test DFSREvent
Starting test: SysVolCheck
......................... SERVER08 passed test SysVolCheck
Starting test: KccEvent
......................... SERVER08 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVER08 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVER08 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=fbclu
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=fbclu
......................... SERVER08 failed test NCSecDesc
Starting test: NetLogons
......................... SERVER08 passed test NetLogons
Starting test: ObjectsReplicated
......................... SERVER08 passed test ObjectsReplicated
Starting test: Replications
......................... SERVER08 passed test Replications
Starting test: RidManager
......................... SERVER08 passed test RidManager
Starting test: Services
......................... SERVER08 passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x825A000C
Time Generated: 10/25/2009 09:46:25
Event String:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
An Warning Event occurred. EventID: 0x8000001D
Time Generated: 10/25/2009 09:55:46
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
......................... SERVER08 passed test SystemLog
Starting test: VerifyReferences
......................... SERVER08 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : fbclubbock
Starting test: CheckSDRefDom
......................... fbclubbock passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... fbclubbock passed test CrossRefValidation
Running enterprise tests on : fbclubbock.org
Starting test: LocatorCheck
......................... fbclubbock.org passed test LocatorCheck
Starting test: Intersite
......................... fbclubbock.org passed test Intersite
Time can also cause your KCC events. Effectively, you have to configure an outside time source for your 2008 PDCe, (meaning the holder of the PDCe role).
Tell me a bit about your remaining servers. If they are all 2008 servers, you can go from Mixed mode to Native Mode after the demotion of your 2003 DC. You transfered the FIVE FSMO roles, count them off. Don't forget about the schema master where you have to register that DLL in order to see the Schema master role to change it.
I can understand your desire to make this a member server or remove it from the domain. 2003 servers are EXCELLENT WSUS servers for updates or security servers to help you with updates as well as scanining the domain for vulnerabilities, (like with Harris Stat Scanner).. I believe if it is not a DC, it can't hold Exchange. Even using it as a print or storage server allows you to utilize what you OWN to your benifit.
At this point, all you have to do is demote the 2003 server to a member server, using DCpromo. It's like pressing the start button to turn off the machine I guess. (OK, enough of the dry humor.)
Tell me a bit about your remaining servers. If they are all 2008 servers, you can go from Mixed mode to Native Mode after the demotion of your 2003 DC. You transfered the FIVE FSMO roles, count them off. Don't forget about the schema master where you have to register that DLL in order to see the Schema master role to change it.
I can understand your desire to make this a member server or remove it from the domain. 2003 servers are EXCELLENT WSUS servers for updates or security servers to help you with updates as well as scanining the domain for vulnerabilities, (like with Harris Stat Scanner).. I believe if it is not a DC, it can't hold Exchange. Even using it as a print or storage server allows you to utilize what you OWN to your benifit.
At this point, all you have to do is demote the 2003 server to a member server, using DCpromo. It's like pressing the start button to turn off the machine I guess. (OK, enough of the dry humor.)
I think you are good.
I would browse to the server \\server\netlogon and \\server\sysvol and make sure that replicated.
Otherwise you're good to go...
I would browse to the server \\server\netlogon and \\server\sysvol and make sure that replicated.
Otherwise you're good to go...
ASKER
Thanks for all the help! Can't wait to demote this last 2003 server.
Seems that you SYSVOL isn't replicating. Please post ipconfig /all.
ASKER