Replace Windows 2000 server (backup domain controller) with Windows 2003 R2 server

I have a Windows 2003 server (non-R2) that is the primary domain controller and has the FSMO roles. I also have a Windows 2000 server that is the backup domain controller. I am wanting to replace the Windows 2000 server with a new box running Windows 2003 R2. I need to keep the server name the same. Here are the steps I believe I need to take, and I just want everyone to point out if I missed something that will cause me any problems.

1) Load new server with OS and all updates.
2) Run dcpromo on old Windows 2000 server and demote it.
3) Shut down Windows 2000 server and then remove from AD.
4) Rename new server to correct name (old Windows 2000 server name) and join domain.
5) Run dcpromo and promote, then make it a global catalog server.
6) Load DNS and allow it to pull from other AD server.
7) Done.
Darius GhassemCommented:
Here are the steps on the migration. 

Since you are going to R2 you will need to upgrade your schema for R2 which means you need to run adprep from the R2 disk on your current FSMO role holder.

Assuming the 2000 DC demotes cleanly, that should work ok.
Darius GhassemCommented:
Now, keeping the same DC name: once you demote the old server, you need to delete all DNS records, then go through the domain controller rename process in this link.

Make sure after you demote that all AD SRV records for that DC are gone from DNS. Also remember to check AD Sites and Services to make sure the DC object is gone.
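The two checks in the comment above (no SRV records left for the demoted DC, no server object left in AD Sites and Services) can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes the RSAT DnsServer and ActiveDirectory PowerShell modules (2012-era tooling), uses the thread's name bdcsvr for the old DC, and treats the domain name and DNS server name as placeholders you must replace. It also checks the old computer account, which must be gone before the new box is joined with the same name.

```powershell
<#
 Added example (not from the thread): after demoting the old DC and removing
 it from AD, confirm nothing in DNS or the directory still points at its name.
 Usage:  .\Test-DcResidue.ps1 -OldDc bdcsvr -Domain corp.example -DnsServer pdcsvr
#>
param(
    [string]$OldDc     = 'bdcsvr',         # short name of the demoted DC (name used in the thread)
    [string]$Domain    = 'corp.example',   # placeholder: your AD DNS domain name
    [string]$DnsServer = $env:COMPUTERNAME # a surviving DNS server to query
)
Import-Module DnsServer         # RSAT DNS Server Tools
Import-Module ActiveDirectory   # RSAT AD PowerShell module

$oldFqdn  = "$OldDc.$Domain"
$findings = New-Object System.Collections.Generic.List[object]

# 1. DNS: walk every forward zone that belongs to the domain (covers both a
#    separate _msdcs.<domain> zone and an _msdcs subfolder inside the main zone).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and
                        $_.ZoneName -like "*$Domain" }

foreach ($zone in $zones) {
    foreach ($r in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
        # Pull the host a record points at; each record type stores it differently.
        $target = switch ($r.RecordType) {
            'SRV'   { $r.RecordData.DomainName }     # _ldap/_kerberos/_gc locator records
            'NS'    { $r.RecordData.NameServer }     # zone NS records still naming the old DC
            'CNAME' { $r.RecordData.HostNameAlias }  # DSA GUID alias under _msdcs
            'A'     { if ($r.HostName -ieq $OldDc) { $oldFqdn } }
            default { $null }
        }
        if ($target -and $target.TrimEnd('.') -ieq $oldFqdn) {
            $findings.Add([pscustomobject]@{
                Where = "DNS zone $($zone.ZoneName)"
                Item  = "$($r.RecordType) $($r.HostName) -> $target"
            })
        }
    }
}

# 2. AD Sites and Services: the server object (with its NTDS Settings child) must be gone.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -SearchBase "CN=Sites,$configNC" |
    ForEach-Object { $findings.Add([pscustomobject]@{ Where = 'AD Sites and Services'; Item = $_.DistinguishedName }) }

# 3. Computer account: must be deleted before the new server is joined under the same name.
Get-ADComputer -LDAPFilter "(cn=$OldDc)" |
    ForEach-Object { $findings.Add([pscustomobject]@{ Where = 'Computer account'; Item = $_.DistinguishedName }) }

if ($findings.Count -eq 0) {
    "No residue of $oldFqdn found; the name can be reused."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it against a surviving DNS server after step 3 of the plan and before step 4; anything it lists is a record or object that will collide with, or misdirect clients toward, the new server once it takes the old name.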
durrence71Author Commented:

Since I am going to demote the old Windows Server 2000 (let's say its name is bdcsvr) and then remove it from the DNS, and then rename the new Windows Server 2003 to bdcsvr and add it to the domain and then promote it and load DNS, would I need to do the link you mention? At the time I load the DNS software on it, it will have already had the old server name (bdcsvr), so I'm not renaming it at that point.
durrence71Author Commented:
Also, since this is only a backup domain controller, I see no reason why I can't do this during business hours. I have already run adprep to get the AD ready for the new server installation.
You can certainly do this during the day.
durrence71Author Commented:
I have one additional question related to this task. I turned off the backup domain controller for the day just to be sure it would cause no problems. Last night I was rebooting all the servers from MS Patch Tuesday, and the primary server would hang at "Preparing network connections" for a lot longer than usual. When it finally came up and I logged in, I couldn't run any AD-type management tools. AD Users and Computers would give me "Naming information cannot be located. Be sure the domain is up and running." I checked everything and found, when running the DNS management module, that it thought the primary domain controller's DNS was not working because it could not load the zone. In Services, the DNS Server was indeed running and my SYSVOL was normal. I turned on the backup domain controller and then rebooted the primary domain controller, and everything was 100% normal then. Why did this occur, since the DNS zone should also be on my primary domain controller? The DNS is on both the primary and backup domain controller, but it is almost like the backup domain controller's DNS is the master or something.
Can you verify the zone is Active Directory-integrated?
Darius GhassemCommented:
If you are going to demote the server before using the name, then you should be good; the link is not needed.

You can do this during business hours without issues.

Check your DNS configuration in your TCP/IP properties: make sure the DCs point to themselves first, then to the other DC as secondary. The problems you were having seem to be a DNS issue.
durrence71Author Commented:
I thought that the zone was Active Directory-integrated, but apparently it isn't. I went to AD Users and Computers and clicked on Advanced Features, and there isn't a DNS container listed. So this would mean that the zone isn't AD-integrated? Is there another way to be sure it is or isn't AD-integrated? I have 5 servers (3 at other locations) and all are DNS servers in addition to being domain controllers, so they must be getting their updates through other means.

Is there a way to 1) change the backup domain controller to not being the main dns server, or 2) integrate the dns into AD?
In DNS Manager, right-click on the zone for your AD domain and choose Properties. The choices will be Primary, Secondary, and AD-integrated. If it is not AD-integrated, you can change the zone. Do this on both DNS servers.
Change DNS to AD-integrated:
durrence71Author Commented:
I went to Properties and it is Active Directory-integrated, and it is set to replicate to all domain controllers in AD. So any idea why, when the backup domain controller was turned off, the primary domain controller couldn't use DNS and therefore AD was not working properly? In my TCP/IP settings on the network card, the primary DNS is the primary domain controller (itself) and the secondary DNS was the backup domain controller (which was turned off). Shouldn't that have worked, or should I have changed the secondary DNS server to be one of the domain controllers at another location?
Double check to make sure the "primary" domain controller is the holder of all the FSMO roles and that it is also a global catalog server.
Darius GhassemCommented:
Could be that the secondary holds all FSMO roles.

If you turn the system off again and then run dcdiag on the server you think is primary, you can look over the logs, which will tell you the errors.
durrence71Author Commented:
I ran dcdiag /v on both the primary and backup domain controllers. Under KnowsOfRoleHolders, both machines say that the primary domain controller holds all FSMO roles. Last night when I had the backup DC off, I ran dcdiag to see what was going on. The part that had all the errors and finally failed was the SystemLog. It had 27 errors. Out of those 27 there were really only like 4 that were different.

1)  The Security Account Manager failed a KDC request
2)  The WinRM service is unable to start because of a
3)  An Error Event occured.  EventID: 0xC0000021 (Lots of this one)
4)  Event String: The dynamic registration of the DNS record

I may be too cautious, but I really would like the primary dc to be able to boot and run all by itself while the backup dc is off before I try and replace the backup dc with a new backup dc.
You're not being too cautious as it should be able to run without the other DC.

Try doing the solution from this article:
Darius GhassemCommented:
First thing you should do is make sure your Primary DC is a GC.

Run dcdiag /test:dns to check for DNS issues on Primary DC.
durrence71Author Commented:
I looked at the other article and did ipconfig /registerdns on both servers. I hesitate to run netdiag /fix and dcdiag /fix, since when I run both of those commands without the /fix switch, everything passes. I ran dcdiag /test:dns and it passed. When I go to AD Sites and Services, NTDS Settings for both the DC servers have Global Catalog checked. I'm going through the dcdiag results from last night when it didn't work and researching those errors. I still believe it is all a DNS issue somehow.
On your next maintenance window, stop the DNS service on the secondary server and run some AD utils, internet browsing.  If you are not seeing any issues, restart the primary DC and test.  If you still have no issues, shutdown the secondary server and repeat the tests.  This should narrow down where the problem lies.
Darius GhassemCommented:
If the DNS tests pass, then you are good on DNS, but to get a true test you will have to shut down the other server and run dcdiag /test:dns.
durrence71Author Commented:
Sounds good.  I will get this done tonight or tomorrow to see what the results are.
durrence71Author Commented:
Here are the weekend results. I stopped the DNS server on the backup PDC. I rebooted the primary server and it worked fine. I shut down the backup PDC and rebooted the primary server, and it did not work. I pointed the secondary DNS from the backup PDC (it was still shut down) to another PDC at a different location. Then, after a reboot, the primary server worked fine. While the primary PDC was not working, I ran dcdiag /test:dns on it. It passed everything but RReg, and here is that error message:

TEST: Records registration (RReg)
                  Network Adapter [00000009] 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX):
                     Warning: Missing GC SRV record at DNS server XXX.XX.X.X :
               Error: Record registrations cannot be found for all the network adapters

When I look in the DNS zone, there is in fact a record for the primary server called  I also looked again in AD Sites and Services, and the primary PDC is checked as a global catalog server. I did not use nslookup to query for the GC records, but can if it would be helpful. So does it not find the GC SRV records because DNS isn't working right when I don't have a working secondary DNS server listed in TCP/IP properties, or is it because it doesn't know that the primary PDC is a global catalog?
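The nslookup check the poster mentions (asking each DNS server for the GC and DC locator SRV records, which is what the dcdiag RReg warning "Missing GC SRV record at DNS server ..." refers to) can be done for every configured DNS server at once. This is an added example written for this page, not code from the thread or from Microsoft; it assumes the DnsClient PowerShell module (Windows 8 / Server 2012 or later) for Resolve-DnsName and Get-DnsClientServerAddress, and the domain name, expected DC names and DNS server list are inputs you supply. It goes slightly beyond the thread by also checking the _kerberos and _ldap.gc records, since a DC that is missing one locator record is usually missing its neighbours.

```powershell
<#
 Added example (not from the thread): query each DNS server this host uses for the
 SRV records a client needs to find a domain controller and a global catalog, and
 flag servers that answer with nothing or without the DCs you expect.
 Usage:  .\Test-LocatorRecords.ps1 -Domain corp.example -ExpectedDcs pdcsvr.corp.example,bdcsvr.corp.example
#>
param(
    [Parameter(Mandatory)][string]$Domain,           # placeholder: your AD DNS domain name
    # Defaults to the IPv4 DNS servers configured on this host, in the order TCP/IP lists them.
    [string[]]$DnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                             Where-Object { $_.ServerAddresses } |
                             ForEach-Object { $_.ServerAddresses } |
                             Select-Object -Unique),
    # FQDNs of the DCs you expect as SRV targets (e.g. from Get-ADDomainController -Filter *).
    [string[]]$ExpectedDcs = @()
)

# Locator records a domain member queries; the two _gc entries exist only for global catalogs.
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

$results = foreach ($server in $DnsServers) {
    foreach ($name in $locatorRecords) {
        try {
            # -DnsOnly bypasses the local cache so each server is asked directly.
            $answer  = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop
            # The answer also carries A records for the targets; keep only the SRV entries.
            $targets = @($answer | Where-Object { $_.Type -eq 'SRV' } |
                         ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
        } catch {
            $targets = @()   # NXDOMAIN, timeout or unreachable server all count as no answer
        }
        $missing = @($ExpectedDcs | ForEach-Object { $_.ToLower() } | Where-Object { $targets -notcontains $_ })

        if ($targets.Count -eq 0) { $status = 'NO ANSWER' }
        elseif ($missing.Count -gt 0) { $status = 'INCOMPLETE' }
        else { $status = 'OK' }

        [pscustomobject]@{
            DnsServer  = $server
            Record     = $name
            Targets    = ($targets -join ', ')
            MissingDcs = ($missing -join ', ')
            Status     = $status
        }
    }
}

$results | Format-Table -AutoSize
```

Read the table per DNS server: a server that answers NO ANSWER for every record while the other server answers OK is the one whose copy of the zone is not loading, which matches the symptom in the thread where the primary DC only recovered once a working secondary DNS server was listed in TCP/IP properties.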
There is something wrong with the AD zone on the primary server DNS.
Try the following on the primary server:
  Skip #7
  For #8 select AD-integrated

May need to do this after hours as it will disrupt DNS lookups for a bit.
Darius GhassemCommented:
Make sure that you disable all NICs except for one.

Check your DNS to make sure you have a zone on all DNS servers if your current zone has an _msdcs folder that is grayed out.
durrence71Author Commented:
OK, I got this all figured out, and I have also got the old backup PDC demoted and removed and the new backup PDC up and running, and everything went perfectly smoothly. Here was the resolution on the issue with the primary server not coming up correctly when it was the only domain controller available.

On start-up, "An Active Directory domain controller tries to replicate inbound changes for each locally held directory partition (also known as a naming context) every time the domain controller starts." So until this attempted replication timed out, AD and DNS would not start. Sort of a catch-22: since AD is slow to start because it is trying to replicate, my DNS can't start since it can't load my AD-integrated zones. Microsoft recommends always pointing to DNS on another server that is up and running, and not rebooting them at the same time. Thanks for everyone's help.
Darius GhassemCommented:
Actually, MS recommends both ways and leans toward pointing to itself, since if the other DC goes down you have an issue with DNS. What you should do is delay the start of AD.
Good ol' Microsoft...