jbarton221
Server 2003 Domain Controller upgrade to Server 2008 Domain Controller

In the process of upgrading domain controllers from 2003 to 2008.  I have added the 2008 and I am up to the point of transferring roles.  Can I transfer roles at anytime, or do I have to have users out of the system?
When I am done with the upgrade can I shut everything down and change IP address and Server name?
Thanks,
Jeremy
fbcbloodcenter

As for transferring roles, it can be done anytime. You don't need users out of the system. Not sure I understand the second question.
Aj8787

If you change your server name, your FQDN and name records in DNS will be affected and you will have to restart everything from scratch.

It's preferable you don't change them.
Are you trying to replace a domain controller with one that is 2008 and keep the same name and IP address?

ASKER

Yes.  I am trying to replace the 2003 domain controller with a 2008 domain controller and keep the same name and IP.
Is this a single domain controller environment or are there multiple DCs?  Also, what is the reason for keeping that name\IP?
Well, you can change the IP address for sure and run commands for registering it to your own DNS, like nslookup, to set the IP against your domain name.

I am not really sure about changing the server name, as it will affect the entire AD forest and services and probably lead you to a BSOD at restart.

OK let me see if a little more detail helps.  Current Domain Controller is named DC and we run DNS, DHCP, and have some shared files.  I will no longer use DC for any of the above after the upgrade is complete.  The last thing I plan to do is transfer all shared files using robocopy.  My concern is different shortcuts and hyperlinks that have been created to DC will no longer work.  I don't want to change the domain name, just the name of the server.  Any ideas if that will work?  Would I be better just to use DNS and forward all DC requests to the Domain Controller?
ASKER CERTIFIED SOLUTION
Tjones76031

So are you saying don't change the name and use DNS to forward requests?
If you can get all of the clients to look to the new server for DNS, and DNS is functioning properly, they will automagically move to the new DC for authentication. DNS is the backbone for all things Active Directory.  When a user logs into a workstation, the computer looks to its settings for DNS; it then queries that DNS server and says, "Hey, Joe.Blow@thisdomain.com wants to log in.  What DC do I use?"  The DNS server will say, "These are the DCs I show for that domain name, try one of them."  Then the PC goes to that DC for authentication.
Tjones - I am not worried about the user authentication and worried about the shortcuts and hyperlinks that exist to the current shared files on that domain controller.  A lot of them are mapped using UNC to the server name of the existing DC.  That is why I would like to change the name of the new DC (NOT THE DOMAIN NAME) so all shortcuts and hyperlinks will work.

Dariusg - Thanks for your response and that is what I would like to do.  Have you done this before?  I will start transferring roles.  Would you suggest transferring DNS and DHCP before the roles, or does it matter?
Gotcha, that adds a little bit more fun...
Be sure that the old server is shut down while performing the following steps, and you cannot turn it back on, else it will clash with your new server.

Just finish everything with the old server, then rename the new DC.
DCDIAG ERRORS
1.  FRSEvent (Passed)
There are warning or error events within the last 24 hours after the sysvol has been shared. Failing sysvol replication problems may cause group policy problems.

2. NCSecDesc
Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set.  access rights for the naming context DC=ForestDNSZones, DC=domain, DC=Services, DC=com

Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set. DC=DomainDNSZones, DC=domain, DC=Services, DC=com

I used some fill-in names after the DC=
Any help would be appreciated.
Thanks
It seems the new server couldn't properly replicate the AD services on the old server to its own.

Actually, the whole ForestDNSZones and DomainDNSZones are left out.

You can try deleting the primary zone you created for older server in new server.

Remake it, restart netlogon and run netdiag /fix

I hope it will fix these errors

Correct, it looks like you have a problem with replication, but the NCSecDesc error is fine; that is a normal error. Can you post ipconfig /all?

When did you promote?
IP Config
Windows IP Configuration

  Host Name . . . . . . . . . . . . : NYEDC
  Primary Dns Suffix  . . . . . . . : nyefremont.nyeseniorservices.com
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : nyefremont.nyeseniorservices.com
                                      nyeseniorservices.com

Ethernet adapter Local Area Connection 2:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client) #2
  Physical Address. . . . . . . . . : 00-22-19-02-2F-3B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client)
  Physical Address. . . . . . . . . : 00-22-19-02-2F-39
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::495:c917:3349:e236%10(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1
  DNS Servers . . . . . . . . . . . : ::1
                                      192.168.0.4
                                      192.168.0.3
  NetBIOS over Tcpip. . . . . . . . : Enabled
Ran DCPROMO early last week
Disable IPv6 unless you have Exchange or are going to install Exchange on this server. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
Should I have both DNS servers setup under TCP/IP properties?
Yes, you want it pointing to itself for DNS now.
Now I have more errors.  Here is what I get when running dcdiag:
C:\Users\administrator.NYEFREMONT>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = NYEDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Connectivity
         ......................... NYEDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Advertising
         ......................... NYEDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NYEDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... NYEDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... NYEDC passed test SysVolCheck
      Starting test: KccEvent
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:04:27
            Event String:
            Active Directory Domain Services could not disable the software-base
d disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:04:39
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:10:24
            Event String:
            Active Directory Domain Services could not disable the software-base
d disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:10:36
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         ......................... NYEDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... NYEDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... NYEDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         ......................... NYEDC failed test NCSecDesc
      Starting test: NetLogons
         ......................... NYEDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... NYEDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... NYEDC passed test Replications
      Starting test: RidManager
         ......................... NYEDC passed test RidManager
      Starting test: Services
         ......................... NYEDC passed test Services
      Starting test: SystemLog
         ......................... NYEDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... NYEDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : nyefremont
      Starting test: CheckSDRefDom
         ......................... nyefremont passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... nyefremont passed test CrossRefValidation

   Running enterprise tests on : nyefremont.nyeseniorservices.com
      Starting test: LocatorCheck
         ......................... nyefremont.nyeseniorservices.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... nyefremont.nyeseniorservices.com passed test
         Intersite

C:\Users\administrator.NYEFREMONT>
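The 0x80000B46 warnings in that dcdiag run are Event 2886, which a DC logs while it still accepts unsigned SASL binds and cleartext simple binds. The PowerShell below is an added example, not from the thread or from Microsoft: it reads the current setting, lists the 2887/2889 events that record who is still binding that way, and requires signing only when run with -Enforce. It assumes it runs on the DC as a local administrator; the regexes that pull the client address and identity out of the 2889 message are an assumption about that event's text.

```powershell
# Added example (not from the thread). Audit, then optionally enforce, LDAP signing.
param([switch]$Enforce)   # without -Enforce the script only reports

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: 1 = None (signing offered but not required; the 2008 default
# behind Event 2886), 2 = Require signing. An absent value behaves like 1.
$cur = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($null -eq $cur) { $cur = 1 }
"LDAPServerIntegrity = $cur ($(if ($cur -eq 2) { 'signing required' } else { 'unsigned binds accepted' }))"

# Event 2887 is logged once per 24 h with a count of unsigned/cleartext binds the DC
# accepted. Event 2889 names each client, but only while the '16 LDAP Interface
# Events' diagnostic level is 2 or higher.
$lvl = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
"LDAP Interface Events logging level = $lvl (set to 2 to get per-client 2889 events)"

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } -ErrorAction SilentlyContinue

$summaries = @($events | Where-Object { $_.Id -eq 2887 })
$clients   = @($events | Where-Object { $_.Id -eq 2889 } | ForEach-Object {
    # Assumption about the 2889 message layout: "Client IP address:" and
    # "...attempted to authenticate as:" each followed by the value on the next line.
    $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $id = if ($_.Message -match 'authenticate as:\s*(\S+)')    { $Matches[1] } else { '?' }
    [pscustomobject]@{ Client = $ip; Identity = $id; When = $_.TimeCreated }
})

"2887 summary events in the last 7 days: $($summaries.Count)"
"Distinct clients still using unsigned or cleartext binds: $(@($clients | Select-Object -ExpandProperty Client -Unique).Count)"
$clients | Sort-Object Client, Identity -Unique | Format-Table -AutoSize

if ($Enforce) {
    if ($clients.Count -gt 0) {
        # Enforcing now would break the clients listed above; fix them first.
        Write-Warning 'Unsigned binds seen in the last 7 days; not enforcing.'
    } else {
        # Server side only. Pair it with the client-side policy
        # "Network security: LDAP client signing requirements" = Require signing.
        Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity -Value 2 -Type DWord
        'LDAPServerIntegrity set to 2 (Require signing)'
    }
}
```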
No, everything is the same.
Yes, it seems you still have permission issues to replicate ForestDNSZones/
http://support.microsoft.com/kb/967482

I found this in KB from Microsoft.

Should be OK then????
That error is fine and it is not required to prepare your domain for RODC.
You can try this:

After running ipconfig /flushDNS and ipconfig /registerDNS

1. dcdiag /fix
2. net stop netlogon
3. net start netlogon or just restart netlogon in services.msc

May fix some errors.
Is the consensus I am good to continue?
I still don't like the replication errors about the SYSVOL. Check in your Event Viewer what errors do you have for today?
I messed up and cleared them from earlier today.  I don't see anything in the normal event viewer logs.  Is there somewhere else I should be looking?  Maybe I can run the dcdiag tomorrow and it won't display since it appears to work on a 24 hour clock.
Do you normally worry about the disk write cache?
Here is what is in the log for FRS

The file replication service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer NYEDC.  The file replication service might not recover when power to the drive is interrupted and critical updates are lost.

No big deal?
No big deal.
Transferring FSMO roles.  Everything went well except for the Infrastructure.  I get a popup that states this is a Global Catalog Server and I should not transfer this role to a global catalog server.

Am I OK to proceed?  Any issues with this?

Thanks
Yes, you are able to proceed; this error is for a multi-domain setup.
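Before the old server is demoted, the checks this thread walks through (all five FSMO roles moved, the Infrastructure Master question, DNS steering clients to the new DC) can be run in one pass. This PowerShell is an added example, not from the thread: it assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later) on the machine running it, and takes the new DC name NYEDC from the ipconfig output above.

```powershell
# Added example (not from the thread): pre-demotion readiness check for the new DC.
Import-Module ActiveDirectory
$newDc  = 'NYEDC'                 # new DC, from the thread's ipconfig output
$domain = Get-ADDomain
$forest = Get-ADForest
$ok     = $true

# 1. All five FSMO roles should already name the new DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]
    $state  = if ($holder -ieq $newDc) { 'OK' } else { $ok = $false; 'NOT ON NEW DC' }
    '{0,-22} {1,-45} {2}' -f $r.Key, $r.Value, $state
}

# 2. The "Infrastructure Master on a Global Catalog" warning only matters when the
#    domain has DCs that are not GCs (in practice a multi-domain forest), because the
#    IM then never updates cross-domain phantom references. Single domain, all GC: fine.
$dcs   = Get-ADDomainController -Filter *
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
"Domains in forest: $(@($forest.Domains).Count)  DCs in domain: $(@($dcs).Count)  non-GC DCs: $($nonGc.Count)"
if (@($forest.Domains).Count -gt 1 -and $nonGc.Count -gt 0) {
    $ok = $false
    Write-Warning 'Infrastructure Master sits on a GC while non-GC DCs exist; move it or make every DC a GC.'
}

# 3. DNS locator: clients choose a DC from these SRV records (the lookup described
#    earlier in the thread), so every target should be the DC you intend to keep.
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$srv = Resolve-DnsName -Name $srvName -Type SRV | Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $srv) {
    $target = ($rec.NameTarget -split '\.')[0]
    $flag   = if ($target -ieq $newDc) { 'OK' } else { $ok = $false; 'OTHER DC STILL ADVERTISED' }
    "SRV $srvName -> $($rec.NameTarget):$($rec.Port)  $flag"
}

if ($ok) { 'Ready to demote the old DC.' } else { Write-Warning 'Not ready; resolve the items flagged above first.' }
```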
Sorry for the delay.  Everything is good to go.  After transferring all roles and using robocopy to move the shares I demoted the old server and renamed the new.  I did have an issue with renaming at first, but needed to remove the old entry for server name from Active Directory.

Thanks for your help