Solved

Server 2003 Domain Controller upgrade to Server 2008 Domain Controller

Posted on 2010-04-05
726 Views
Last Modified: 2012-05-09
In the process of upgrading domain controllers from 2003 to 2008.  I have added the 2008 and I am up to the point of transferring roles.  Can I transfer roles at anytime, or do I have to have users out of the system?
When I am done with the upgrade can I shut everything down and change IP address and Server name?
Thanks,
Jeremy
Question by:jbarton221
37 Comments
 
LVL 5

Expert Comment

by:fbcbloodcenter
ID: 29803602
As for transferring roles, it can be done anytime. You don't need users out of the system. Not sure I understand the second question.
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29803755
If you change your server name, your FQDN and name records in DNS will be affected and you will have to restart everything from scratch.

It's preferable you don't change them.
0
 

Expert Comment

by:Tjones76031
ID: 29805620
Are you trying to replace a domain controller with one that is 2008 and keep the same name and IP address?
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29806102
Yes.  I am trying to replace the 2003 domain controller with 2008 domain controller and keep the same name and IP
0
 

Expert Comment

by:Tjones76031
ID: 29806497
Is this a single domain controller environment, or are there multiple DCs? Also, what is the reason for keeping that name\IP?
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29806546
Well, you can change the IP address for sure and run commands for registering it to your own DNS, like nslookup, to set the IP against your domain name.

I am not really sure about changing the server name, as it will affect the entire AD forest and services and probably lead you to a BSOD at restart.

0
 
LVL 1

Author Comment

by:jbarton221
ID: 29807041
OK let me see if a little more detail helps.  Current Domain Controller is named DC and we run DNS, DHCP, and have some shared files.  I will no longer use DC for any of the above after the upgrade is complete.  The last thing I plan to do is transfer all shared files using robocopy.  My concern is different shortcuts and hyperlinks that have been created to DC will no longer work.  I don't want to change the domain name, just the name of the server.  Any ideas if that will work?  Would I be better just to use DNS and forward all DC requests to the Domain Controller?
0
 

Accepted Solution

by:
Tjones76031 earned 668 total points
ID: 29807520
Here is the best thing to do. Install the new 2008 Server, promote it as a DC and verify that DNS is installed and functioning. Change your DHCP settings to point to the new DC as primary. Wait the DHCP lease time; the default is 8 days, but you may have shortened it up. After that time is up, shut down the old DC. Don't demote or change anything, just turn it off. Wait another couple of days and see if there are any issues. Some things may be specifically pointing to that old DC for DNS or other LDAP-integrated applications. If you can go for a couple of days with it off, or even better a full week, then power it back up and demote it properly.

I don't know what services you have running on what servers, so there may be a few more issues if you are a single server shop.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29807804
So are you saying don't change the name and use DNS to forward requests?
0
 

Expert Comment

by:Tjones76031
ID: 29808529
If you can get all of the clients to look to the new server for DNS, and DNS is functioning properly, they will automagically move to the new DC for authentication. DNS is the backbone for all things Active Directory. When a user logs into a workstation, the computer looks to its settings for DNS, it then queries that DNS server and says, "hey, Joe.Blow@thisdomain.com wants to log in. What DC do I use?" The DNS server will say, "These are the DCs I show for that domain name, try one of them". Then the PC goes to that DC for authentication.
0
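The cutover the two comments above describe (make the new DC the clients' first DNS server, confirm the DC locator hands it out, keep the old DC reachable until leases have rolled over) can be checked from a prompt rather than by waiting for complaints. The following is an added example and is not from the original thread or any of its participants. It assumes it is run elevated on the new DC, which also hosts the DHCP scope; the domain name, the new DC name and 192.168.0.3 are taken from the ipconfig output posted later in the thread, while 192.168.0.4 as the old DC's address and 192.168.0.0 as the scope ID are assumptions.

```powershell
# Added example, not part of the original thread. Assumed values are marked below.
$Domain  = 'nyefremont.nyeseniorservices.com'   # from the thread's ipconfig output
$NewDc   = 'NYEDC'                               # new 2008 DC, from the thread
$NewDcIp = '192.168.0.3'                         # from the thread's ipconfig output
$OldDcIp = '192.168.0.4'                         # ASSUMED: address of the old 2003 DC
$ScopeId = '192.168.0.0'                         # ASSUMED: DHCP scope for the LAN

# 1. The SRV record every domain member queries at logon. The new DC must be listed;
#    if it is not, it has not registered itself and clients will keep finding the old DC.
$want = [regex]::Escape("$NewDc.$Domain")
$srv  = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
if ($srv -notmatch "svr hostname\s*=\s*$want") {
    Write-Warning "$NewDc has no _ldap._tcp.dc._msdcs SRV record; run 'nltest /dsregdns' on it and re-check DNS"
}

# 2. Ask the DC locator the same question a workstation asks. /force discards the cached
#    answer so the result reflects what DNS returns right now.
nltest "/dsgetdc:$Domain" /force

# 3. Confirm the new DC is actually advertising (Netlogon, SYSVOL share, GC, time).
dcdiag "/s:$NewDc" /test:Advertising /q

# 4. Repoint the scope's DNS servers option (006): new DC first, old DC second, so clients
#    that renew pick up the new server while the old one is still a working fallback.
netsh dhcp server scope $ScopeId set optionvalue 006 IPADDRESS $NewDcIp $OldDcIp
netsh dhcp server scope $ScopeId show optionvalue
```

Run step 1 and 2 again after the old DC is powered off: if `nltest` still returns it, something is caching a stale answer or a client has the old address configured statically.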
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 668 total points
ID: 29808684
Before you do anything, you need to run dcdiag on the new server and check for any errors. Once you see that the errors are clear, you then transfer the FSMO roles to the new server, and you would then demote the old server. You don't just shut down the system; you will cause tons of problems.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_23665224.html

Once you demote delete all DNS records for the old DC before changing the name and IP address. Once you have made the change you need to run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
0
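The sequence in the comment above (health check, transfer the FSMO roles, demote the old server, then remove its DNS records and re-register) as a script. This is an added example, not the commenter's code or anything from the original thread. It assumes the Active Directory PowerShell module is available where it runs (Server 2008 R2 or a workstation with RSAT; the thread's Server 2008 would need ntdsutil for the transfer step instead), that the old DC is named DC as the question says, and that 192.168.0.4 is the old DC's address (an assumption).

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$NewDc = 'NYEDC'                                # from the thread
$OldDc = 'DC'                                   # old 2003 DC name, from the question
$Zone  = 'nyefremont.nyeseniorservices.com'     # from the thread
$OldIp = '192.168.0.4'                          # ASSUMED: old DC's address

# 1. Health first. An NCSecDesc failure on the DomainDnsZones/ForestDnsZones partitions is
#    expected on a domain that was never prepared for RODCs (KB 967482 is cited later in the
#    thread); replication errors from repadmin are not, and should stop the procedure here.
dcdiag "/s:$NewDc" /q
repadmin /replsummary
repadmin /showrepl $NewDc /errorsonly

# 2. Record who holds the roles before moving anything.
netdom query fsmo

# 3. Transfer (not seize) all five roles. Seizing is only for a role holder that no longer exists.
#    In a single-domain forest the Infrastructure Master may sit on a global catalog, which is
#    the warning the thread's author hits later.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Verify from the directory, not from the cmdlet's output.
$d = Get-ADDomain
$f = Get-ADForest
$holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
if ($holders -notcontains "$NewDc.$Zone") {
    throw "Not every role is on $NewDc yet: $($holders -join ', ')"
}

# 5. Now demote the old server with dcpromo, run on that server. Only after it has been
#    demoted (a clean demotion removes its own SRV records) delete what it leaves behind:
#    its host record, and any locator record still carrying its name.
dnscmd $NewDc /RecordDelete $Zone $OldDc A $OldIp /f
dnscmd $NewDc /EnumRecords $Zone @ | Select-String $OldDc            # should be empty
dnscmd $NewDc /EnumRecords "_msdcs.$Zone" @ | Select-String $OldDc   # if _msdcs is a separate zone

# 6. Re-register the new DC and let dcdiag repair what it can.
ipconfig /flushdns
ipconfig /registerdns
nltest /dsregdns
dcdiag /fix
```

Step 5's two `Select-String` lines are the check worth keeping: a stale SRV record pointing at a demoted server is exactly how a client ends up "specifically pointing to that old DC" after it is gone.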
 
LVL 1

Author Comment

by:jbarton221
ID: 29810353
Tjones - I am not worried about the user authentication and worried about the shortcuts and hyperlinks that exist to the current shared files on that domain controller.  A lot of them are mapped using UNC to the server name of the existing DC.  That is why I would like to change the name of the new DC (NOT THE DOMAIN NAME) so all shortcuts and hyperlinks will work.

Dariusg - Thanks for your response and that is what I would like to do.  Have you done this before?  I will start transferring roles.  Would you suggest transferring DNS and DHCP before the roles, or does it matter?
0
 
LVL 3

Expert Comment

by:tray_jones
ID: 29811565
Gotcha, that adds a little bit more fun...
0
 
LVL 5

Assisted Solution

by:Aj8787
Aj8787 earned 664 total points
ID: 29811686
You should first configure the server as DNS and DHCP and then transfer roles.

As far as the server name is concerned, use a new name to transfer all roles and DNS and DHCP, then perform the following steps:

Open Command Prompt.


Type:

netdom computername CurrentComputerName /add:NewComputerName

This command will update the service principal name (SPN) attributes in Active Directory for this computer account and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers for the domain and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.


Ensure the computer account updates and DNS registrations are completed, then type:

netdom computername CurrentComputerName /makeprimary:NewComputerName


Restart the computer.


From the command prompt, type:

netdom computername NewComputerName /remove:OldComputerName

It should work just fine.
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29811749
Be sure that the old server is shut down while performing the following steps, and you cannot turn it back ON, else it will clash with your new server.

Just finish everything with old server then rename the new DC
0
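The netdom rename procedure in the two comments above, with the check the thread's author later reports he needed (the old server's objects had to be removed from Active Directory before the rename would go through). This is an added example and is not from the original thread. It assumes the Active Directory PowerShell module is available on the server being renamed, that the old DC has already been demoted and powered off, and that the new DC NYEDC is to take the old name DC, as described in the question.

```powershell
# Added example, not part of the original thread. Run elevated on the DC being renamed.
Import-Module ActiveDirectory

$Current = 'NYEDC'                               # new DC's present name, from the thread
$Wanted  = 'DC'                                  # old DC's name, from the question
$Zone    = 'nyefremont.nyeseniorservices.com'    # from the thread

# 1. Anything still carrying the old name blocks the rename: a computer account, the server
#    object under Sites and Services, or a host record in DNS.
$acct = Get-ADComputer -Filter "Name -eq '$Wanted'"
if ($acct) {
    throw "Computer object $($acct.DistinguishedName) still exists; remove it before renaming."
}
$cfg = (Get-ADRootDSE).configurationNamingContext
$srv = Get-ADObject -SearchBase $cfg -Filter "objectClass -eq 'server' -and Name -eq '$Wanted'"
if ($srv) {
    throw "Server object $($srv.DistinguishedName) still in Sites and Services; run ntdsutil metadata cleanup first."
}
dnscmd /EnumRecords $Zone $Wanted     # expect DNS_ERROR_NAME_DOES_NOT_EXIST, not an A record

# 2. Add the new name as an alternate. netdom wants the fully qualified form; this registers
#    DNS records and SPNs for it, which must replicate before the name becomes primary.
netdom computername $Current "/add:$Wanted.$Zone"
repadmin /syncall /AdeP
netdom computername $Current /verify          # both names must show DNS and SPN entries

# 3. Make the new name primary and reboot.
netdom computername $Current "/makeprimary:$Wanted.$Zone"
Restart-Computer -Force

# 4. After the reboot, logged on to the renamed server, drop the old name and re-check:
#    netdom computername DC /remove:NYEDC.nyefremont.nyeseniorservices.com
#    dcdiag /q
```

The `/verify` step is the one not to skip: if the SPNs for the new name have not replicated to every DC, Kerberos clients that contact a DC without them will fail to authenticate to the renamed server until replication catches up.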
 
LVL 1

Author Comment

by:jbarton221
ID: 29811757
DCDIAG ERRORS
1.  FRSEvent (Passed)
There are warning error events within the last 24 hours after the sysvol has been shared. Failing sysvol replication problems may cause group policy problems.

2. NCSecDesc
Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set.  access rights for the naming context DC=ForestDNSZones, DC=domain, DC=Services, DC=com

Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set. DC=DomainDNSZones, DC=domain, DC=Services, DC=com

I used some fill in names after the DC=
Any help would be appreciated.
Thanks
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29812538
It seems the new server couldn't replicate AD services on the old server properly to its own.

Actually whole forestDNSzone and domainDNSzone is left out.

You can try deleting the primary zone you created for older server in new server.

Remake it, restart netlogon and run the command netdiag /fix.

I hope it will fix these errors

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29817160
Correct, looks like you have a problem with replication, but the NCSecDesc error is fine; that is a normal error. Can you post ipconfig /all?

When did you promote?
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29817669
IP Config
Windows IP Configuration

  Host Name . . . . . . . . . . . . : NYEDC
  Primary Dns Suffix  . . . . . . . : nyefremont.nyeseniorservices.com
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : nyefremont.nyeseniorservices.com
                                      nyeseniorservices.com

Ethernet adapter Local Area Connection 2:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
  Physical Address. . . . . . . . . : 00-22-19-02-2F-3B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
  Physical Address. . . . . . . . . : 00-22-19-02-2F-39
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::495:c917:3349:e236%10(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1
  DNS Servers . . . . . . . . . . . : ::1
                                      192.168.0.4
                                      192.168.0.3
  NetBIOS over Tcpip. . . . . . . . : Enabled
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29817703
Ran DCPROMO early last week
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29817790
Disable IPv6 unless you have Exchange or going to install Exchange on this server. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29817948
Should I have both DNS servers setup under TCP/IP properties?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29820589
Yes, you want it pointing to itself for DNS now.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29822889
Now I have more errors.  Here is what I get when running dcdiag
C:\Users\administrator.NYEFREMONT>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = NYEDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Connectivity
         ......................... NYEDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Advertising
         ......................... NYEDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NYEDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... NYEDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... NYEDC passed test SysVolCheck
      Starting test: KccEvent
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:04:27
            Event String:
            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:04:39
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:10:24
            Event String:
            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:10:36
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         ......................... NYEDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... NYEDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... NYEDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         ......................... NYEDC failed test NCSecDesc
      Starting test: NetLogons
         ......................... NYEDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... NYEDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... NYEDC passed test Replications
      Starting test: RidManager
         ......................... NYEDC passed test RidManager
      Starting test: Services
         ......................... NYEDC passed test Services
      Starting test: SystemLog
         ......................... NYEDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... NYEDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : nyefremont
      Starting test: CheckSDRefDom
         ......................... nyefremont passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... nyefremont passed test CrossRefValidation

   Running enterprise tests on : nyefremont.nyeseniorservices.com
      Starting test: LocatorCheck
         ......................... nyefremont.nyeseniorservices.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... nyefremont.nyeseniorservices.com passed test
         Intersite

C:\Users\administrator.NYEFREMONT>
0
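The 0x80000B46 warning in the dcdiag output above (event 2886 in the Directory Service log) is the one item in that run with a security consequence: the DC is accepting LDAP binds that are neither signed nor sent over TLS, so credentials and queries from such clients can be read or altered on the wire. Nobody in the thread picks it up, so the following added example, not from the original thread, shows how to find out which clients rely on unsigned binds before enforcing signing. It assumes it runs elevated on the DC; the registry paths and event IDs are Microsoft's documented ones, and the enforcement line is left commented so it is taken as a deliberate step after the audit is clean.

```powershell
# Added example, not part of the original thread. Run elevated on the domain controller.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Current enforcement level. Absent or 1 = unsigned binds accepted (this is what makes
#    dcdiag report 0x80000B46 / event 2886); 2 = signing required.
Get-ItemProperty "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue

# 2. Raise the "16 LDAP Interface Events" diagnostic level to 2. The DC then logs event 2889
#    for every client that performs an unsigned SASL bind or a cleartext simple bind, in
#    addition to the 24-hourly event 2887 summary count. Takes effect immediately.
Set-ItemProperty "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 3. After the clients have had a day to show up, list them: 2889's message contains the
#    client IP:port and the account that bound.
Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddDays(-1) |
    Where-Object { 2887, 2889 -contains $_.EventID } |
    ForEach-Object {
        '{0}  {1}  {2}' -f $_.TimeGenerated, $_.EventID, ($_.Message -replace '\s+', ' ')
    }

# 4. Only once step 3 reports nothing (or the offenders have been fixed to use signing or
#    LDAPS): require signing. No reboot is needed; the setting applies to new binds.
# Set-ItemProperty "$ntds\Parameters" -Name LDAPServerIntegrity -Value 2 -Type DWord
```

Old 2003-era services, scanners that "LDAP authenticate", and some Linux clients are the usual 2889 sources; turning on the logging before the cutover means those break on the schedule you choose rather than when the old DC is switched off.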
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29823835
No, everything is the same.
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29824265
Yes, it seems you still have permission issues to replicate forestDNSzone.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29825110
http://support.microsoft.com/kb/967482

I found this in KB from Microsoft.

Should be OK then????
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29825596
That error is fine and it is not required to prepare your domain for RODC.
0
 
LVL 5

Expert Comment

by:Aj8787
ID: 29826418
You can try this:

After running ipconfig /flushDNS and ipconfig /registerDNS

1. dcdiag /fix
2. net stop netlogon
3. net start netlogon or just restart netlogon in services.msc

May fix some errors.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29830588
Is the consensus I am good to continue?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29830904
I still don't like the replication errors about the SYSVOL. Check in your Event Viewer what errors do you have for today?
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29836634
I messed up and cleared them from earlier today.  I don't see anything in the normal event viewer logs.  Is there somewhere else I should be looking?  Maybe I can run the dcdiag tomorrow and it won't display since it appears to work on a 24 hour clock.
Do you normally worry about the disk write cache?
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29911857
Here is what is in the log for FRS

The file replication service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer NYEDC.  The file replication service might not recover when power to the drive is interrupted and critical updates are lost.

No big deal?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29924719
No big deal.
0
 
LVL 1

Author Comment

by:jbarton221
ID: 29929064
Transferring FSMO roles.  Everything went well except for the Infrastructure.  I get a popup that states this is a Global Catalog Server and I should not transfer this role to a global catalog server.

Am I OK to proceed?  Any issues with this?

Thanks
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 29929336
Yes, you are able to proceed this error is for a multi domain setup
0
 
LVL 1

Author Comment

by:jbarton221
ID: 32677961
Sorry for the delay.  Everything is good to go.  After transferring all roles and using robocopy to move the shares I demoted the old server and renamed the new.  I did have an issue with renaming at first, but needed to remove the old entry for server name from Active Directory.

Thanks for your help
0
