Problems adding 2008 server to 2000 DC

I have a new 2008 Standard server.  
I have an old 2000 Server that is the only domain controller.
I've added the 2008 server.  I get part way through the process of setting up the FSMO roles on the 2008 server and then start getting errors.  The errors indicate it can no longer communicate with the domain controller.
Example: If I go into AD Domains and Trusts, right-click and select Change AD Server, the Look In this Domain is blank.  I click the down arrow to display the list and I get "The list of Domain Controllers for domain ABC.com is unavailable because: The server is not operational."

The only DNS server I have specified on the 2008 server is the IP for the 2000 server.

10 minutes I was able to go into AD Domain and Trusts on the 2008 server.  I also went into AD Users and Computers and could see all the users and computers that had replicated.

The 2000 Server has the following event IDs & Source in the System Log (in this order from oldest to most recent):
5723 NETLOGON The session setup from the computer W2008 failed because there is no trust account in the security database for this computer.  
5790 NETLOGON (description cannot be found)
36872 SCHANNEL No suitable default server credential exists on this system...
5722 NETLOGON The session setup from the computer W2008 failed to authenticate.

Any suggestions?
rickmills (President) asked:
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
@Greg - You are correct.  However the 2008 server was not receiving a replicated copy of the DNS.  I believe it was also not receiving ANY replication data from the 2000 DC.  I'm not certain if that was because the 2008 DC was promoted to be a domain controller in a completely separate domain with the same name as the first, or if something else occurred.  The fact that, when the 2008 DC was pointed to the 2000 DC, it reported that there was no SOA record for its domain strengthens that belief.

A domain controller does not HAVE to use its own copy of DNS.  I agree it is certainly preferable, and I far prefer to use AD Replication for DNS servers rather than the alternatives, but AD _can_ use many versions of BIND on a Unix server.

I believe DNS information, when using AD Integrated Zones, is stored in the AD datastore, not in the registry.

DNS using AD Integrated Zones does replicate via AD replication, and there is some evidence in this instance that the AD replication may not be occurring correctly.  AD resolves its DNS queries by talking to the DNS service... but it needs to be one good and consistent version of the DNS database... and given the potential differences between the zones and the idea that there is a replication problem, it seems like a good idea to have the two DCs using a single, sane DNS zone.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Did you do the adpreps?
0
 
Greg Hejl (Principal Consultant) commented:
Sorry - but 2000 doesn't support Server 2008 - you have to be at a Server 2003 R2 domain level.  Also it's almost 2011 - to get up to 2008 domain level you'll have to step up to 2003 anyway.  You can't go from 2000 to 2008.

good luck!
0
 
rickmills (President, author) commented:
Yes.  I ran:
adprep64 /forestprep
adprep64 /domainprep /gpprep

As I mentioned, the AD info replicated.  I was able to see all the users, groups, computers, etc. on the 2008 server.  Then, it started giving me errors.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Yes, you can have a Windows 2008 server in a Windows 2000 domain.  
You can have a Windows 2008 domain controller in a Windows 2000 domain.
You need to run adprep (http://www.petri.co.il/windows-server-2008-adprep.htm) to prepare the domain to accept the schema for Windows 2008... but that only alters the schema... it does not upgrade the domain or forest functional levels.

What you would not be able to do is raise the functional level above Windows 2000 while you still had a Windows 2000 domain controller.
0
 
rickmills (President, author) commented:
Greg,
I'm afraid that is a difficult statement for me to accept.
There are numerous articles from Microsoft about prepping a 2000 DC to join a 2008 server to the domain.  There are also numerous Experts Exchange articles about accomplishing the task.  If you can provide me some solid MS documentation that says this is not supported, I would appreciate it, because there is a lot of information out there about how to accomplish it.
0
 
rickmills (President, author) commented:
I am also getting repeated errors on the 2008 Server.
Event ID 1202
Source ADWS
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it.  Active Directory Web Services will retry this operation periodically.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Okay... so "I get part way through the process of setting up the FSMO roles on the 2008 server and then start getting errors"... in that case, which FSMOs were successfully transferred?  During which transfer did you start getting errors?

If the 2008 server is now a DC too... I assume it has DNS as well?  Or do you still only have the single DNS server?  (Confirm your DNS configuration?  Make certain the 2008 server didn't do something you didn't expect during its promotion?)
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Interesting... that last error might fix itself:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/62a3f70f-d326-4d52-aee8-42b59a0298b9

Are both DCs currently configured as global catalogs?
0
 
rickmills (President, author) commented:
I was only beginning the process of going through the steps in http://support.microsoft.com/kb/324801
I registered the DLL and when I opened MMC and added the AD Schema snap-in and tried to select the option "Change Domain Controller", it started telling me it couldn't contact the current schema master server.
As for DNS, there does appear to be something strange.
The DNS Server service is running.  However, when I select DNS from Administrative Tools, I get the message "The server W2008 could not be contacted.  The error was: Access Denied.  Would you like to add it anyway?"
I responded with Yes, so it opened DNS, but there is a red circle with a white line through it, indicating it is not functioning.
0
 
rickmills (President, author) commented:
On the 2008 server, both servers are identified as Global Catalog servers.
Not sure if this means anything, but when I look on the 2000 server, the 2000 Server is listed under Domain Controllers, but the 2008 server is listed under Computers.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Okay, is your DNS AD Integrated?  
Check the DNS Log in Event Viewer on the W2k8 server.  I promoted a server last Thursday, and it took a few minutes after the DC was up before DNS started.  (I think it needed to finish replicating the zone partitions.)
(And I couldn't use the older versions of the DNS MMC snap-in... it's incompatible with the version I had on my XP machine which I'd been using on my 2003 DNS servers... so make certain to use the version on the server itself... but like I said, it might take a few minutes.)

Is the 2008 server using itself for DNS, or is it still pointed at the 2000 instance?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> Not sure if this means anything, but when I look on the 2000 server, the 2000 Server is listed under Domain Controllers, but the 2008 server is listed under Computers.

I hope it means that everything hasn't replicated yet.... in ADUC, try pointing at the other DC and see if ITS copy of the Active Directory knows the 2008 server has been promoted.
0
 
rickmills (President, author) commented:
Guess it just needed a refresh.
From the 2000 server, I ran ADUC and connected to W2008.  It connected just fine and I can view the AD info.  I connected back to the 2000 server and both servers are listed under Domain Controllers.
The 2008 server has no DNS Name, though.  It is blank.
It does appear that I can change the RID, PDC and Infrastructure operation masters from the 2000 server.  I connect to the 2008 server and it provides the 2008 as an option to change those.  Should I change them all to the 2008 server?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> Guess it just needed a refresh.
I assume to finish replicating and a refresh.  :-)

> The 2008 server has no DNS Name, though.  It is blank.
*worry*  Okay, that still has me worried... where is it blank?  Just to be safe, run dnslint against the domain.  http://support.microsoft.com/kb/321045/en-us

> Should I change them all to the 2008 server?
If you put the new DC in place because you are planning to immediately replace the 2000 server, or because you expect that old hardware to fail soon -- yeah, I'd move them all over.  If it were me, I'd give the new hardware a little burn-in time... to make certain it isn't going to fail catastrophically.  Seizing all the roles is possible, but I wouldn't want to do it.  (If you do a 'netdom query fsmo' (I think that's the right syntax), make certain the roles are where you think they are.)  I'd leave them split 2 and 3 until you are ready to do something else.
0
 
Greg Hejl (Principal Consultant) commented:
Hmmm - sorry - my bad, I'll turn away now....
0
 
rickmills (President, author) commented:
I feel like I'm in an endless loop.
DNSLINT reports DNS problems, but I can't get the DNS server to run on the 2008 server.
I keep getting "The server W2008 could not be contacted.  The error was: Access Denied."
But, how do I fix DNS errors when I can't get DNS to run?

FYI, the query reported that the 2000 server is still the master for all 5 FSMO roles.

As for timing, I agree with your philosophy.  Unfortunately, we are in a tight time crunch to deal with some other issues and all these changes must be completed by Friday.  The reason for starting now was to get a little burn-in time before Friday.

I am now too tired to continue this process tonight.  Thanks for all your help and I'll continue to troubleshoot it remotely tomorrow.

Do you think I should just set the 2008 server back to a workgroup and then join it to the domain again?
I'm up for anything that gets me where I need to be by Friday and this server can be restarted without impacting users at this point.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> Do you think I should just set the 2008 server back to a workgroup and then join it to the domain again?
I don't think so... I think it would compound the problem.  I wouldn't try making any changes until you get DNS stable.

Get some sleep.  
Point both your servers to use DNS from the Windows 2000 DC.  I'd reboot the Windows 2008 server at that point.
Run DNSLint again.

Hopefully DNS on the old server is still stable, healthy, etc.

If you already answered the question, I apologize... but is DNS on the Windows 2000 DC AD Integrated?
If yes, everything could still be fine -- see if you can manage the Windows 2008 DNS server after the reboot.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I apologize for prodding, but I keep thinking back to this issue, and I'm curious if it sorted itself out, or if you are still encountering troubles?
0
 
rickmills (President, author) commented:
Razmus,
Sorry for not getting back to you.  I'm scheduled to work on this tomorrow (Friday).  I'm hoping to find a little time to remotely work on it today.  
I will point both servers to only the 2000 server for DNS and try the DNSLint again.
I will also check if DNS is AD integrated on the 2000 server.
I'm hoping you'll be around tomorrow morning when I start working on this.
Thanks, Rick
0
 
rickmills (President, author) commented:
The Windows 2000 DNS is AD integrated.
I've restarted both servers.  I've got both pointing only to the 2000 Server for DNS.
I continue to get the exact same problems.
I ran DNSLint again.
On the 2000 Server, it reports all is well except it is missing 1 CNAME on the server, which is related to the 2008 Server.

Here's what it reported when run on the 2008 server:
DNS server: User Specified DNS Server
IP Address: 172.20.1.3
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: NO

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown
--------------------------------------------------------------------------------
Notes:
One or more DNS servers is not authoritative for the domain
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
0
 
rickmills (President, author) commented:
At this point, I am ready to remove the 2000 server from the network.  We have to move forward this morning with getting this 2008 server functional as a DC, so please keep that in mind with any suggestions.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
If I'm interpreting correctly, I'm concerned that the 2008 machine is reporting that the 2000 machine isn't answering as Authoritative for the domain.  The 2008 machine was added to the existing (2000) domain, right?  (I assume there wasn't a typo in the domain name?)

Let's also look at that CNAME entry.  I think that CNAME address is likely needed for replication between the systems.  Looking at "http://support.microsoft.com/kb/275278/en-us"... did you reboot the 2008 server after you redirected the DNS?  
0
 
rickmills (President, author) commented:
That KB article sounds like it applies to me.  However, I've already done method 1 (pointing 2008 to only the 2000 server as primary DNS with no secondary and restarted).  Method 2 discusses installing DNS.  Should I remove DNS from the 2008 server, restart and install it again?
0
 
rickmills (President, author) commented:
For that matter, maybe I should remove the AD role from the 2008 server and reinstall it.  This server is not yet playing a role in the network, so I won't lose a thing.  Thoughts?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Yea, if from the 2000 server, 'netdom query fsmo' shows that it still believes it has all the roles, I can't see a downside to demoting the 2008 server at this point, then re-promoting it.
0
 
rickmills (President, author) commented:
Another endless loop.
I can't remove AD because another DC can't be contacted.
If I disconnect it from the network and try to remove AD and check this is the last DC, it tells me this isn't the last DC and the server refuses to delete the domain.
It also will not let me just change it to a workgroup.
Where do I go from here?
0
 
rickmills (President, author) commented:
I'm doing a dcpromo /forceremoval now.  Will let you know in a few minutes.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Back and forth from the computer.  
If you get the 2008 machine demoted, before re-promoting it... confirm all network functions before promoting again.  Join the 2008 machine to the domain and make certain it works as a member server before promotion.
0
 
rickmills (President, author) commented:
OK.  I have successfully removed Active Directory from the 2008 server and it is no longer a role.
I cleaned up the AD on the 2000 server to remove W2008 as a DC, following Microsoft's KB using ADSI Edit.  
I have joined W2008 to the domain as a member server and logged in.  I can browse the 2000 server.  I see the computer listed in AD on the 2000 server and can ping from one to the other using computer names.  
I'll promote it now.
0
 
rickmills (President, author) commented:
Wonderful!
I have installed the AD role and all appears well.
Do you have any suggestions or warnings before I install DNS?  
After DNS is installed and working, I'll change W2008 to point to itself for DNS.  I'll then make sure to move the FSMO roles to W2008.  I should then be able to demote the old Windows 2000 server, correct?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
When I did my 2008 promotions, it automatically installed DNS too.
If you've already done a dnslint, go ahead and install DNS on the 2008 server if it didn't autoinstall.  Your plan sounds good at this point.  Move things over one at a time, and confirm from both servers that they see the same results.  And yes, once you've moved everything over, you should be able to demote the 2000 server.

(Makes me nervous to only have one DC in a domain though...)
0
 
Greg Hejl (Principal Consultant) commented:
Reading through one of your posts, you state that the 2008 server is pointed to the 2000 DNS server.

A DNS server needs to point to itself to operate correctly - this may be why the CNAME did not register correctly.
0
 
rickmills (President, author) commented:
Greg,
If I understand this correctly, I agree that is the end result you would want.  However, in the process of adding a domain controller, I believe it works best to have the new DC pointing to the current DC for DNS until the AD role has been installed and the server is functioning as a DC.
That's what I did this time.  My new 2008 server is still pointing to the 2000 DC for DNS and everything has gone pretty smoothly.  It is functioning as a DC and I've installed DNS Server on it.  I'll set it to point to itself for DNS next and move the FSMO roles.
0
 
rickmills (President, author) commented:
Oh, so close.
My 2008 server seems to be working fine.  However, when I try to run dcpromo on the old 2000 server, I get the following:
The operation failed because:
Failed finding a suitable domain controller for the domain.

I need to raise the functional level of the domain, so we can install SQL Server 2008.
How can I test properly to make sure the 2008 is fully functional as a DC?
If I can be confident, then I can manually remove the 2000 DC from Active Directory.
0
 
rickmills (President, author) commented:
I did try restarting the 2008 server with the 2000 server unplugged.  I had the following in the system log.
Level=Error
Source=GroupPolicy
Event ID=1129  - The processing of GroupPolicy failed because of lack of network connectivity to a domain controller.
I received that twice within about 5 minutes.  After plugging the 2000 server back in, I received

Event ID=1500 - The Group Policy settings for the computer were processed successfully.

Obviously, that is giving me great concern.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Sounds like the SYSVOL replication hadn't completed... doing some more reading quick.
(Sorry... I was out sick today... and was away from the computer longer than normal there.)
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Okay, I was confirming that 2000 didn't expect anything special to start the directory replication for SYSVOL, etc.  If you have access to REPLMON, go ahead and fire that up... if not, use REPADMIN to monitor replication.

Specifically, (http://support.microsoft.com/kb/257338/en-us) - REPADMIN /SHOWREPS %UPSTREAMCOMPUTER%

At this point, I assume both DCs recognize the 2008 machine as holding all the FSMOs, as well as having DNS, and it passing the DNSLINT tests.
0
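The checks Rich spreads across the thread (DNS client pointed only at the 2000 DC, the domain SOA and DC locator records answered by that DC, netdom query fsmo, REPADMIN /SHOWREPS, and confirming the server works as a member before promotion) collected into one script, as an added example that is not code from the thread. It assumes an elevated PowerShell on the 2008 server; the domain name ABC.com and the old DC address 172.20.1.3 are placeholders taken from the thread, and netdom/repadmin are skipped if they are not installed yet.

```powershell
# Added example, not code from the thread: Rich's checks gathered into one script.
# PowerShell 2.0 cmdlets only, since that is what ships with Server 2008.
# $Domain and $OldDc are assumptions; replace them with your own values.
param(
    [string]$Domain = 'ABC.com',     # assumed: the domain name used in the thread
    [string]$OldDc  = '172.20.1.3'   # assumed: the 2000 DC, as listed in the DNSLint report
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}
# Run a native tool and capture its exit code and output; returns $null if the tool is
# absent (netdom and repadmin only exist once the AD DS role or RSAT is installed).
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    if (-not (Get-Command $Exe -ErrorAction SilentlyContinue)) { return $null }
    $text = (& $Exe @ToolArgs 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{ Code = $LASTEXITCODE; Text = $text }
}

# 1. Until the new server's own DNS is healthy, its only DNS server should be the old DC.
$dnsServers = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
$onlyOld = ($dnsServers.Count -gt 0) -and (@($dnsServers | Where-Object { $_ -ne $OldDc }).Count -eq 0)
Add-Check 'DNS client points only at the old DC' $onlyOld ($dnsServers -join ', ')

# 2. The old DC must answer authoritatively; DNSLint in the thread showed the SOA as "Unknown".
$soa = Invoke-Tool 'nslookup' @('-type=SOA', $Domain, $OldDc)
Add-Check 'SOA for the domain from the old DC' ($soa -ne $null -and $soa.Text -match 'primary name server') $soa.Text

# 3. The DC locator SRV records are what "Change Domain Controller" and ADUC depend on.
$srv = Invoke-Tool 'nslookup' @('-type=SRV', "_ldap._tcp.dc._msdcs.$Domain", $OldDc)
Add-Check 'DC locator SRV records present' ($srv -ne $null -and $srv.Text -match 'svr hostname') $srv.Text

# 4. The DC locator itself must find a DC through DNS (forced, so no cached answer is used).
$nl = Invoke-Tool 'nltest' @("/dsgetdc:$Domain", '/force')
Add-Check 'nltest /dsgetdc locates a DC' ($nl -ne $null -and $nl.Code -eq 0) $nl.Text

# 5. FSMO holders as this server sees them ("netdom query fsmo" from the thread).
$fsmo = Invoke-Tool 'netdom' @('query', 'fsmo')
Add-Check 'netdom query fsmo succeeds' ($fsmo -ne $null -and $fsmo.Code -eq 0) $fsmo.Text

# 6. Inbound replication ("repadmin /showreps" from the thread); a failed link means
#    AD and SYSVOL data may not be arriving from the old DC.
$reps = Invoke-Tool 'repadmin' @('/showreps')
$repsOk = ($reps -ne $null) -and ($reps.Code -eq 0) -and ($reps.Text -notmatch '(?i)failed')
Add-Check 'repadmin shows no failed links' $repsOk $reps.Text

# Summary table first, then the raw tool output for anything that did not pass.
$results | Format-Table Check, Ok -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object { "== $($_.Check) ==`n$($_.Detail)`n" }
```

Run it once while the server is still a member server, then again after promotion; a check that passes before dcpromo and fails after points at the promotion itself, as in the thread.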
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Hmm... and if all that also passes... let's step down a level or two.  I assume we have good network connectivity between the two DCs.  Confirm as well that you have good network connectivity from the workstation to the new server.
0
 
Greg Hejl (Principal Consultant) commented:
DNS records in an Active Directory environment are stored in the registry and replicate amongst the DCs through AD replication.  AD resolves its DNS queries by talking to the DNS service on the DC.
0
 
rickmills (President, author) commented:
Thanks for the help.  Time pressures got the better of me.  I opened an incident with Microsoft.  The tech found the file replication was not functioning properly on the 2000 server.  He remoted in and cleaned it up.  That had also caused problems with the 2008 server, so he cleaned that up, as well.  I'm not sure of exactly what he did on the servers.  When he was done, I was able to demote the 2000 server and all worked well.  
Razmus, I'll award you the points for the all help you provided and because I don't think you could troubleshoot it well without being remoted in.
Thanks again.
0
 
rickmills (President, author) commented:
Great info, but a very difficult issue to troubleshoot with the info I provided.
0