Server 2003 Domain Controller upgrade to Server 2008 Domain Controller

I am in the process of upgrading domain controllers from 2003 to 2008. I have added the 2008 server and I am up to the point of transferring roles. Can I transfer roles at any time, or do I have to have users out of the system?
When I am done with the upgrade, can I shut everything down and change the IP address and server name?
Thanks,
Jeremy
jbarton221Asked:

fbcbloodcenterCommented:
As for transferring roles, it can be done anytime. You don't need users out of the system. Not sure I understand the second question.
0
Aj8787Commented:
If you change your server name, your FQDN and name records in DNS will be affected, and you will have to restart everything from scratch.

It's preferable you don't change them.
0
Tjones76031Commented:
Are you trying to replace a domain controller with one that is 2008 and keep the same name and IP address?
0
jbarton221Author Commented:
Yes. I am trying to replace the 2003 domain controller with a 2008 domain controller and keep the same name and IP.
0
Tjones76031Commented:
Is this a single domain controller environment, or are there multiple DCs? Also, what is the reason for keeping that name/IP?
0
Aj8787Commented:
Well, you can change the IP address for sure and run commands to register it in your own DNS, like nslookup, to set the IP against your domain name.

I am not really sure about changing the server name, as it will affect the entire AD forest and services and will probably lead you to a BSOD at restart.

0
jbarton221Author Commented:
OK, let me see if a little more detail helps. The current domain controller is named DC, and we run DNS, DHCP, and have some shared files on it. I will no longer use DC for any of the above after the upgrade is complete. The last thing I plan to do is transfer all shared files using robocopy. My concern is that the various shortcuts and hyperlinks that have been created to DC will no longer work. I don't want to change the domain name, just the name of the server. Any ideas if that will work? Would I be better off just using DNS to forward all DC requests to the new domain controller?
0
Tjones76031Commented:
Here is the best thing to do. Install the new 2008 server, promote it as a DC, and verify that DNS is installed and functioning. Change your DHCP settings to point to the new DC as primary. Wait the DHCP lease time; the default is 8 days, but you may have shortened it. After that time is up, shut down the old DC. Don't demote or change anything, just turn it off. Wait another couple of days and see if there are any issues. Some things may be specifically pointing to that old DC for DNS or other LDAP-integrated applications. If you can go for a couple of days with it off, or even better a full week, then power it back up and demote it properly.

I don't know what services you have running on what servers, so there may be a few more issues if you are a single-server shop.
0

jbarton221Author Commented:
So are you saying don't change the name and use DNS to forward requests?
0
Tjones76031Commented:
If you can get all of the clients to look to the new server for DNS, and DNS is functioning properly, they will automagically move to the new DC for authentication. DNS is the backbone for all things Active Directory. When a user logs into a workstation, the computer looks to its settings for DNS; it then queries that DNS server and says, "Hey, Joe.Blow@thisdomain.com wants to log in. What DC do I use?" The DNS server will say, "These are the DCs I show for that domain name, try one of them." Then the PC goes to that DC for authentication.
0
Darius GhassemCommented:
Before you do anything, you need to run dcdiag on the new server and check for any errors. Once you see that the errors are clear, transfer the FSMO roles to the new server, then demote the old server. Don't just shut down the system; you will cause tons of problems.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_23665224.html

Once you demote, delete all DNS records for the old DC before changing the name and IP address. Once you have made the change, you need to run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
0
jbarton221Author Commented:
Tjones - I am not worried about user authentication; I am worried about the shortcuts and hyperlinks that exist to the current shared files on that domain controller. A lot of them are mapped using UNC paths to the server name of the existing DC. That is why I would like to change the name of the new DC (NOT THE DOMAIN NAME) so all shortcuts and hyperlinks will work.

Dariusg - Thanks for your response; that is what I would like to do. Have you done this before? I will start transferring roles. Would you suggest transferring DNS and DHCP before the roles, or does it matter?
0
tray_jonesCommented:
Gotcha, that adds a little bit more fun...
0
Aj8787Commented:
You should first configure the server as DNS and DHCP and then transfer roles.

As far as the server name is concerned, use a new name to transfer all roles and DNS and DHCP, then perform the following steps:

Open Command Prompt.

Type:

netdom computername CurrentComputerName /add:NewComputerName

This command will update the service principal name (SPN) attributes in Active Directory for this computer account and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.

Ensure the computer account updates and DNS registrations are completed, then type:

netdom computername CurrentComputerName /makeprimary:NewComputerName

Restart the computer.

From the command prompt, type:

netdom computername NewComputerName /remove:OldComputerName

It should work just fine.
0
Aj8787Commented:
Be sure that the old server is shut down while performing the following steps, and you cannot turn it back on, or else it will clash with your new server.

Just finish everything with the old server, then rename the new DC.
0
jbarton221Author Commented:
DCDIAG ERRORS
1.  FRSEvent (Passed)
There are warning or error events within the last 24 hours after the sysvol has been shared. Failing sysvol replication problems may cause group policy problems.

2. NCSecDesc
Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set.  access rights for the naming context DC=ForestDNSZones, DC=domain, DC=Services, DC=com

Error NT Authority\Enterprise Domain Controllers doesn't have Replicating Directory Changes in Filtered Set. DC=DomainDNSZones, DC=domain, DC=Services, DC=com

I used some fill-in names after the DC=.
Any help would be appreciated.
Thanks
0
Aj8787Commented:
It seems the new server couldn't replicate the AD services on the old server properly to its own.

Actually, the whole forestDNSzone and domainDNSzone are left out.

You can try deleting the primary zone you created for the older server in the new server.

Remake it, restart Netlogon, and run netdiag /fix.

I hope it will fix these errors.

0
Darius GhassemCommented:
Correct, it looks like you have a problem with replication, but the NCSecDesc error is fine; that is a normal error. Can you post ipconfig /all?

When did you promote?
0
jbarton221Author Commented:
IP Config:
Windows IP Configuration

  Host Name . . . . . . . . . . . . : NYEDC
  Primary Dns Suffix  . . . . . . . : nyefremont.nyeseniorservices.com
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : nyefremont.nyeseniorservices.com
                                      nyeseniorservices.com

Ethernet adapter Local Area Connection 2:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client) #2
  Physical Address. . . . . . . . . : 00-22-19-02-2F-3B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
VBD Client)
  Physical Address. . . . . . . . . : 00-22-19-02-2F-39
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::495:c917:3349:e236%10(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1
  DNS Servers . . . . . . . . . . . : ::1
                                      192.168.0.4
                                      192.168.0.3
  NetBIOS over Tcpip. . . . . . . . : Enabled
0
jbarton221Author Commented:
Ran DCPROMO early last week.
0
Darius GhassemCommented:
Disable IPv6 unless you have Exchange or are going to install Exchange on this server. Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.
0
jbarton221Author Commented:
Should I have both DNS servers set up under the TCP/IP properties?
0
Darius GhassemCommented:
Yes, you want it pointing to itself for DNS now.
0
jbarton221Author Commented:
Now I have more errors. Here is what I get when running dcdiag:
C:\Users\administrator.NYEFREMONT>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = NYEDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Connectivity
         ......................... NYEDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NYEDC
      Starting test: Advertising
         ......................... NYEDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NYEDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... NYEDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... NYEDC passed test SysVolCheck
      Starting test: KccEvent
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:04:27
            Event String:
            Active Directory Domain Services could not disable the software-base
d disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:04:39
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:10:24
            Event String:
            Active Directory Domain Services could not disable the software-base
d disk write cache on the following hard disk.
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:10:36
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         ......................... NYEDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... NYEDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... NYEDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=nyefremont,DC=nyeseniorservices,DC=com
         ......................... NYEDC failed test NCSecDesc
      Starting test: NetLogons
         ......................... NYEDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... NYEDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... NYEDC passed test Replications
      Starting test: RidManager
         ......................... NYEDC passed test RidManager
      Starting test: Services
         ......................... NYEDC passed test Services
      Starting test: SystemLog
         ......................... NYEDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... NYEDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : nyefremont
      Starting test: CheckSDRefDom
         ......................... nyefremont passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... nyefremont passed test CrossRefValidation

   Running enterprise tests on : nyefremont.nyeseniorservices.com
      Starting test: LocatorCheck
         ......................... nyefremont.nyeseniorservices.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... nyefremont.nyeseniorservices.com passed test
         Intersite

C:\Users\administrator.NYEFREMONT>
0
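A small triage script for dcdiag output like the run above, as an added example (not from the thread): it pulls out pass/fail per test, handles dcdiag's wrapped result lines, decodes the warning event IDs, and separates failures the thread treats as benign (NCSecDesc, per KB 967482) from ones that would block the migration. The sample excerpt is constructed; the event mappings 0xB46 = 2886 (LDAP signing) and 0x603 = 1539 (disk write cache) are the standard Windows event numbers.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of a Server 2008 dcdiag run (not the thread's full output).
SAMPLE = """\
      Starting test: KccEvent
         An Warning Event occurred.  EventID: 0x80000603
            Time Generated: 04/05/2010   14:04:27
         An Warning Event occurred.  EventID: 0x80000B46
            Time Generated: 04/05/2010   14:04:39
         ......................... NYEDC passed test KccEvent
      Starting test: NCSecDesc
         Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         ......................... NYEDC failed test NCSecDesc
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

# "<dots> <target> passed|failed test <name>"; the name may wrap onto the next line.
RESULT_RE = re.compile(r"\.{3,}\s+(?P<target>\S+) (?P<result>passed|failed) test(?: (?P<test>\S+))?\s*$")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")

# dcdiag prints the event as an HRESULT-style value: the low 16 bits are the Windows
# event number and 0x8000xxxx marks a warning. These two are the ones seen in the thread.
KNOWN_EVENTS = {
    0x0B46: "2886: LDAP signing not enforced (unsigned SASL binds / cleartext simple binds accepted)",
    0x0603: "1539: software disk write cache could not be disabled on the NTDS drive",
}
# Failures the thread treats as benign here: NCSecDesc only matters for RODC prep (KB 967482).
BENIGN_FAILURES = {"NCSecDesc": "RODC replication rights missing; only relevant if deploying an RODC (KB 967482)"}

def triage(text):
    """Return pass/fail per test, warning event counts, notes, and failures that block the migration."""
    lines = text.splitlines()
    failed, passed, events = [], [], Counter()
    for i, line in enumerate(lines):
        m = EVENT_RE.search(line)
        if m:
            events[int(m.group(1), 16) & 0xFFFF] += 1
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        # Wrapped result line: dcdiag put the test name on the following line.
        test = m.group("test") or (lines[i + 1].strip() if i + 1 < len(lines) else "?")
        (failed if m.group("result") == "failed" else passed).append((m.group("target"), test))
    notes = [f"{t}: {BENIGN_FAILURES[t]}" for _, t in failed if t in BENIGN_FAILURES]
    notes += [f"{KNOWN_EVENTS[e]} (x{n})" for e, n in events.items() if e in KNOWN_EVENTS]
    blocking = [(tg, t) for tg, t in failed if t not in BENIGN_FAILURES]
    return {"passed": passed, "failed": failed, "events": dict(events), "notes": notes, "blocking": blocking}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Event 2886 is the one worth acting on after the migration: it fires on every Server 2008 DC that still accepts unsigned LDAP binds, and dcdiag will keep reporting it until signing is required.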
Darius GhassemCommented:
No, everything is the same.
0
Aj8787Commented:
Yes, it seems you still have permission issues replicating forestDNSzone.
0
jbarton221Author Commented:
http://support.microsoft.com/kb/967482

I found this in the Microsoft KB.

Should be OK then?
0
Darius GhassemCommented:
That error is fine, and it is not required to prepare your domain for RODC.
0
Aj8787Commented:
You can try this:

After running ipconfig /flushdns and ipconfig /registerdns:

1. dcdiag /fix
2. net stop netlogon
3. net start netlogon (or just restart Netlogon in services.msc)

This may fix some errors.
0
jbarton221Author Commented:
Is the consensus I am good to continue?
0
Darius GhassemCommented:
I still don't like the replication errors about the SYSVOL. Check in your Event Viewer: what errors do you have for today?
0
jbarton221Author Commented:
I messed up and cleared them from earlier today. I don't see anything in the normal Event Viewer logs. Is there somewhere else I should be looking? Maybe I can run dcdiag tomorrow and it won't display, since it appears to work on a 24-hour clock.
Do you normally worry about the disk write cache?
0
jbarton221Author Commented:
Here is what is in the log for FRS:

The file replication service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer NYEDC. The file replication service might not recover when power to the drive is interrupted and critical updates are lost.

No big deal?
0
Darius GhassemCommented:
No big deal.
0
jbarton221Author Commented:
Transferring FSMO roles. Everything went well except for the Infrastructure Master. I get a popup that states this is a Global Catalog server and I should not transfer this role to a Global Catalog server.

Am I OK to proceed?  Any issues with this?

Thanks
0
Darius GhassemCommented:
Yes, you are able to proceed; this error is for a multi-domain setup.
0
jbarton221Author Commented:
Sorry for the delay. Everything is good to go. After transferring all roles and using robocopy to move the shares, I demoted the old server and renamed the new one. I did have an issue with renaming at first, but I needed to remove the old entry for the server name from Active Directory.

Thanks for your help
0