Solved

Problems adding 2008 server to 2000 DC

Posted on 2010-09-13
Last Modified: 2012-05-10
I have a new 2008 Standard server.  
I have an old 2000 Server that is the only domain controller.
I've added the 2008 server.  I get part way through the process of setting up the FSMO roles on the 2008 server and then start getting errors.  The errors indicate it can no longer communicate with the domain controller.
Example: If I go into AD Domains and Trusts, right-click and select Change AD Server, the Look In this Domain is blank.  I click the down arrow to display the list and I get "The list of Domain Controllers for domain ABC.com is unavailable because: The server is not operational."

The only DNS server I have specified on the 2008 server is the IP for the 2000 server.

10 minutes I was able to go into AD Domain and Trusts on the 2008 server.  I also went into AD Users and Computers and could see all the users and computers that had replicated.

The 2000 Server has the following event IDs & Source in the System Log (in this order from oldest to most recent):
5723 NETLOGON The session setup from the computer W2008 failed because there is no trust account in the security database for this computer.  
5790 NETLOGON (description cannot be found)
36872 SCHANNEL No suitable default server credential exists on this system...
5722 NETLOGON The session setup from the computer W2008 failed to authenticate.

Any suggestions?
Question by:rickmills
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667430
Did you do the adpreps?
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33667479
Sorry - but 2000 doesn't support Server 2008 - you have to be at a Server 2003 R2 domain level.  Also, it's almost 2011 - to get up to 2008 domain level you'll have to step up to 2003 anyway.  You can't go from 2000 to 2008.

good luck!
 

Author Comment

by:rickmills
ID: 33667495
Yes.  I ran:
adprep64 /forestprep
adprep64 /domainprep /gpprep

As I mentioned, the AD info replicated.  I was able to see all the users, groups, computers, etc. on the 2008 server.  Then, it started giving me errors.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667506
Yes, you can have a windows 2008 server in a windows 2000 domain.  
You can have a windows 2008 domain controller in a windows 2000 domain.
You need to run adprep (http://www.petri.co.il/windows-server-2008-adprep.htm) to prepare the domain to accept the schema for windows 2008... but that only alters the schema... it does not upgrade the domain or forest functional levels.

What you would not be able to do is raise the functional level above windows 2000 while you still had a windows 2000 domain controller.
 

Author Comment

by:rickmills
ID: 33667510
Greg,
I'm afraid that is a difficult statement for me to accept.
There are numerous articles from Microsoft about prepping a 2000 DC to join a 2008 server to the domain.  There are also numerous Experts Exchange articles about accomplishing the task.  If you can provide me some solid MS documentation that says this is not supported, I would appreciate it, because there is a lot of information out there about to accomplish it.
 

Author Comment

by:rickmills
ID: 33667522
I am also getting repeated errors on the 2008 Server.
Event ID 1202
Source ADWS
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it.  Active Directory Web Services will retry this operation periodically.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667530
Okay... so "I get part way through the process of setting up the FSMO roles on the 2008 server and then start getting errors"... in that case, which FSMOs were successfully transferred?  During which transfer did you start getting errors?

If the 2008 server is now a DC too... I assume it has DNS as well?  Or do you still only have the single DNS server?  (Confirm your DNS configuration?  Make certain the 2008 server didn't do something you didn't expect during its promotion?)
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667548
Interesting... that last error might fix itself:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/62a3f70f-d326-4d52-aee8-42b59a0298b9

Are both DCs currently configured as global catalogs?
 

Author Comment

by:rickmills
ID: 33667572
I was only beginning the process of going through the steps in http://support.microsoft.com/kb/324801
I registered the DLL and when I opened MMC and added the AD Schema snap-in and tried to select the option "Change Domain controller", it started telling me it couldn't contact the current schema master server.
As for DNS, there does appear to be something strange.
the DNS Server service is running.  However, when I select DNS from Administrative Tools, I get the message "the server W2008 could not be contacted.  The error was: Access Denied.  Would you like to add it anyway?"
I responded with Yes, so it opened DNS, but there is a red circle with a white line through it, indicating it is not functioning.
 

Author Comment

by:rickmills
ID: 33667593
On the 2008 server, both servers are identified as Global Catalog servers.
Not sure if this means anything, but when I look on the 2000 server, the 2000 Server is listed under Domain Controllers, but the 2008 server is listed under Computers.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667601
Okay, is your DNS AD Integrated?  
Check the DNS Log in event viewer on the W2k8 server.  I promoted a server last Thursday, and it took a few minutes after the DC was up before DNS started.  (I think it needed to finish replicating the zone partitions.)
(And I couldn't use the older versions of the DNS MMC snapin... it's incompatible with the version I had on my XP machine which I'd been using on my 2003 DNS Servers... so make certain to use the version on the server itself... but like I said, it might take a few minutes.)

Is the 2008 server using itself for DNS, or is it still pointed at the 2000 instance?
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667611
> Not sure if this means anything, but when I look on the 2000 server, the 2000 Server is listed under Domain Controllers, but the 2008 server is listed under Computers.

I hope it means that everything hasn't replicated yet.... in ADUC, try pointing at the other DC and see if ITS copy of the active directory knows the 2008 server has been promoted.
 

Author Comment

by:rickmills
ID: 33667667
Guess it just needed a refresh.
From the 2000 server, I ran ADUC and connected to W2008.  It connected just fine and I can view the AD info.  I connected back to the 2000 server and both servers are listed under Domain Controllers.
The 2008 server has no DNS Name, though.  It is blank.
It does appear that I can change the RID, PDC and Infrastructure operation masters from the 2000 server.  I connect to the 2008 server and it provides the 2008 as an option to change those.  Should I change them all to the 2008 server?
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33667785
> Guess it just needed a refresh.
I assume to finish replicating and a refresh.  :-)

> The 2008 server has no DNS Name, though.  It is blank.
*worry*  Okay, that still has me worried... where is it blank?  Just to be safe, run dnslint against the domain.  http://support.microsoft.com/kb/321045/en-us

> Should I change them all to the 2008 server?
If you put the new DC in place because you are planning to immediately replace the 2000 server, or because you expect that old hardware to fail soon -- yeah, I'd move them all over.  If it were me, I'd give the new hardware a little burn-in time... to make certain it isn't going to fail catastrophically.  Seizing all the roles is possible, but I wouldn't want to do it.  (If you do a 'netdom query fsmo' (I think that's the right syntax), make certain the roles are where you think they are.)  I'd leave them split 2 and 3 until you are ready to do something else.
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33667885
Hmmm - sorry - my bad, I'll turn away now....
 

Author Comment

by:rickmills
ID: 33668081
I feel like I'm in an endless loop.
DNSLINT reports DNS problems, but I can't get the DNS server to run on the 2008 server.
I keep getting "The server W2008 could not be contacted.  The error was: Access Denied."
But, how do I fix DNS errors when I can't get DNS to run?

FYI, the query reported that the 2000 server is still the master for all 5 FSMO roles.

As for timing, I agree with your philosophy.  Unfortunately, we are in a tight time crunch to deal with some other issues and all these changes must be completed by Friday.  The reason for starting now was to get a little burn-in time before Friday.

I am now too tired to continue this process tonight.  Thanks for all your help and I'll continue to troubleshoot it remotely tomorrow.

Do you think I should just set the 2008 server back to a workgroup and then join it to the domain again?
I'm up for anything that gets me where I need to be by Friday and this server can be restarted without impacting users at this point.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33668126
> Do you think I should just set the 2008 server back to a workgroup and then join it to the domain again?
I don't think so... I think it would compound the problem.  I wouldn't try making any changes until you get DNS stable.

Get some sleep.  
Point both your servers to use DNS from the windows 2000 DC.  I'd reboot the Windows 2008 server at that point.
Run DNSLint again.

Hopefully DNS on the old server is still stable, healthy, etc.

If you already answered the question, I apologize... but is DNS on the windows 2000 DC AD Integrated?
If yes, everything could still be fine -- see if you can manage the Windows 2008 DNS server after the reboot.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33691060
I apologize for prodding, but I keep thinking back to this issue, and I'm curious if it sorted itself out, or if you are still encountering troubles?
 

Author Comment

by:rickmills
ID: 33692703
Razmus,
Sorry for not getting back to you.  I'm scheduled to work on this tomorrow (Friday).  I'm hoping to find a little time to remotely work on it today.  
I will point both servers to only the 2000 server for DNS and try the DNSLint again.
I will also check if DNS is AD integrated on the 2000 server.
I'm hoping you'll be around tomorrow morning when I start working on this.
Thanks, Rick
 

Author Comment

by:rickmills
ID: 33700562
The Windows 2000 DNS is AD integrated.
I've restarted both servers.  I've got both pointing only to the 2000 Server for DNS.
I continue to get the exact same problems.
I ran DNSLint again.
On the 2000 Server, it reports all is well except it is missing 1 CNAME on the server, which is related to the 2008 Server.

Here's what it reported when run on the 2008 server:
DNS server: User Specified DNS Server
IP Address: 172.20.1.3
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: NO

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown
--------------------------------------------------------------------------------
Notes:
One or more DNS servers is not authoritative for the domain
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
 

Author Comment

by:rickmills
ID: 33700579
At this point, I am ready to remove the 2000 server from the network.  We have to move forward this morning with getting this 2008 server functional as a DC, so please keep that in mind with any suggestions.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33700850
If I'm interpreting correctly, I'm concerned that the 2008 machine is reporting that the 2000 machine isn't answering as Authoritative for the domain.  The 2008 machine was added to the existing (2000) domain, right?  (I assume there wasn't a typo in the domain name?)

Let's also look at that CNAME entry.  I think that CNAME address is likely needed for replication between the systems.  Looking at "http://support.microsoft.com/kb/275278/en-us"... did you reboot the 2008 server after you redirected the DNS?  
 

Author Comment

by:rickmills
ID: 33700959
That KB article sounds like it applies to me.  However, I've already done method 1 (pointing 2008 to only the 2000 server as primary DNS with no secondary and restarted).  Method 2 discusses installing DNS.  Should I remove DNS from the 2008 server, restart and install it again?
 

Author Comment

by:rickmills
ID: 33701122
For that matter, maybe I should remove the AD role from the 2008 server and reinstall it.  This server is not yet playing a role in the network, so I won't lose a thing.  Thoughts?
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33701299
Yea, if from the 2000 server, 'netdom query fsmo' shows that it still believes it has all the roles, I can't see a downside to demoting the 2008 server at this point, then re-promoting it.
 

Author Comment

by:rickmills
ID: 33701421
Another endless loop.
I can't remove AD because another DC can't be contacted.
If I disconnect it from the network and try to remove AD and check this is the last DC, it tells me this isn't the last DC and the server refuses to delete the domain.
It also will not let me just change it to a workgroup.
Where do I go from here?
 

Author Comment

by:rickmills
ID: 33701578
I'm doing a dcpromo /forceremoval now.  Will let you know in a few minutes.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33701953
Back and forth from the computer.  
If you get the 2008 machine demoted, before re-promoting it... confirm all network functions before promoting again.  Join the 2008 machine to the domain and make certain it works as a member server before promotion.
 

Author Comment

by:rickmills
ID: 33702288
OK.  I have successfully removed Active Directory from the 2008 server and it is no longer a role.
I cleaned up the AD on the 2000 server to remove W2008 as a DC, following Microsoft's KB using ADSI Edit.  
I have joined W2008 to the domain as a member server and logged in.  I can browse the 2000 server.  I see the computer listed in AD on the 2000 server and can ping from one to the other using computer names.  
I'll promote it now.
 

Author Comment

by:rickmills
ID: 33702532
Wonderful!
I have installed the AD role and all appears well.
Do you have any suggestions or warnings before I install DNS?  
After DNS is installed and working, I'll change W2008 to point to itself for DNS.  I'll then make sure to move the FSMO roles to W2008.  I should then be able to demote the old Windows 2000 server, correct?
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33703152
When I did my 2008 promotions, it automatically installed DNS too.
If you've already done a dnslint, go ahead and install DNS on the 2008 server if it didn't autoinstall.  Your plan sounds good at this point.  Move things over one at a time, and confirm from both servers that they see the same results.  And yes, once you've moved everything over, you should be able to demote the 2000 server.

(Makes me nervous to only have one DC in a domain though...)
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33703985
Reading through one of your posts, you state that the 2008 server is pointed to the 2000 DNS server.

A DNS server needs to point to itself to operate correctly - this may be why the CNAME did not register correctly.
 

Author Comment

by:rickmills
ID: 33704342
Greg,
If I understand this correctly, I agree that is the end result you would want.  However, in the process of adding a domain controller, I believe it works best to have the new DC pointing to the current DC for DNS until the AD role has been installed and the server functioning as a DC.
That's what I did this time.  My new 2008 server is still pointing to the 2000 DC for DNS and everything has gone pretty smoothly.  It is functioning as a DC and I've installed DNS Server on it.  I'll set it to point to itself for DNS next and move the FSMO roles.
 

Author Comment

by:rickmills
ID: 33704712
Oh, so close.
My 2008 server seems to be working fine.  However, when I try to run dcpromo on the old 2000 server, I get the following:
the operation failed because:
Failed finding a suitable domain controller for the domain.

I need to raise the functional level of the domain, so we can install SQL Server 2008.
How can I test properly to make sure the 2008 is fully functional as a DC?
If I can be confident, then I can manually remove the 2000 DC from Active Directory.
 

Author Comment

by:rickmills
ID: 33704742
I did try restarting the 2008 server with the 2000 server unplugged.  I had the following in the system log.
Level=Error
Source=GroupPolicy
Event ID=1129  - The processing of GroupPolicy failed because of lack of network connectivity to a domain controller.
I received that twice within about 5 minutes.  After plugging the 2000 server back in, I received

Event ID=1500 - The Group Policy settings for the computer were processed successfully.

Obviously, that is giving me great concern.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33705540
Sounds like the SYSVOL replication hadn't completed... doing some more reading quick.
(Sorry... I was out sick today... and was away from the computer longer than normal there.)
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33705587
Okay, was confirming that 2000 didn't expect anything special to start the directory replication for SYSVOL, etc.  If you have access to REPLMON, go ahead and fire that up... if not use REPADMIN to monitor replication.

Specifically, (http://support.microsoft.com/kb/257338/en-us)- REPADMIN /SHOWREPS %UPSTREAMCOMPUTER%

At this point, I assume both DCs recognize the 2008 machine as holding all the FSMOs, as well as having DNS, and it passing the DNSLINT tests.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33705667
Hmm... and if all that also passes... let's step down a level or two.  I assume we have good network connectivity between the two DCs.  Confirm as well that you have good network connectivity from the workstation to the new Server.
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 33705931
DNS records in an Active Directory environment are stored in the registry and replicate amongst the DCs through AD replication.  AD resolves its DNS queries by talking to the DNS service on the DC.
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 33705981
@Greg - You are correct.  However the 2008 server was not receiving a replicated copy of the DNS.  I believe it was also not receiving ANY replication data from the 2000 DC.  I'm not certain if that was because the 2008 DC was promoted to be a domain controller in a completely separate domain with the same name as the first, or if something else occurred.  The fact that, when the 2008 DC was pointed to the 2000 DC, it reported that there was no SOA record for its domain strengthens that belief.

A domain controller does not HAVE to use its own copy of DNS.  I agree it is certainly preferable, and I far prefer to use AD Replication for DNS servers rather than the alternatives, but AD _can_ use many versions of BIND on a Unix server.

I believe DNS information when using AD Integrated Zones are stored in the AD datastore, not in the registry.

DNS using AD Integrated Zones does replicate via AD replication, and there is some evidence in this instance that the AD replication may not be occurring correctly.  AD resolves its DNS queries by talking to the DNS service... but it needs to be one good and consistent version of the DNS database... and given the potential differences between the zones and the idea that there is a replication problem, it seems like a good idea to have the two DCs using a single, sane DNS zone.
 
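The checks the thread keeps circling back to (who holds the FSMO roles, whether each DC's DNS answers an SOA for the domain as DNSLint tested, whether the DC-locator SRV and the per-DC GUID CNAME from KB 275278 resolve, and whether replication is healthy) can be run in one pass before moving roles or demoting anything. The script below is an added example, not code from the thread or from Microsoft; it assumes the domain name and DC names from the thread (ABC.com, W2000, W2008), and that netdom, repadmin, dcdiag and nslookup are present, as they are on a 2008 DC with the AD DS role.

```powershell
# Added example: pre-FSMO-move / pre-demotion health check for a two-DC domain.
# Assumptions (constructed for this example): domain ABC.com, DCs W2000 and W2008.
param(
    [string]$Domain = "ABC.com",
    [string[]]$DomainControllers = @("W2000", "W2008")
)

function Get-FsmoHolders {
    # netdom prints lines such as "Schema master    W2000.ABC.com"; the
    # trailing "The command completed successfully." has no double space.
    $roles = @{}
    foreach ($line in (netdom query fsmo 2>&1)) {
        if ("$line" -match '^(?<role>.+?)\s{2,}(?<holder>\S+)\s*$') {
            $roles[$Matches.role.Trim()] = $Matches.holder
        }
    }
    return $roles
}

function Test-SoaAuthoritative([string]$Server) {
    # DNSLint reported "Answering authoritatively for domain: NO" on the broken
    # DC. A healthy AD-integrated server returns the SOA itself, so nslookup
    # shows the SOA fields and no "Non-authoritative answer" banner.
    $out = nslookup -type=SOA $Domain $Server 2>&1 | Out-String
    return (($out -match 'primary name server') -and ($out -notmatch 'Non-authoritative'))
}

function Test-DcLocatorRecords([string]$Server) {
    # Clients and dcpromo find a DC through these SRV records; when they are
    # missing you get "Failed finding a suitable domain controller".
    $out = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $Server 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

function Test-DsaGuidCname([string]$Dc, [string]$DnsServer) {
    # KB 275278: each DC registers <DSA GUID>._msdcs.<forest> as a CNAME and
    # replication partners resolve it. Take the GUID from repadmin's header
    # ("/showrepl" is the current spelling of the KB's "/showreps").
    $rep = repadmin /showrepl $Dc 2>&1 | Out-String
    if ($rep -match 'DSA object GUID:\s*([0-9a-fA-F-]{36})') {
        $out = nslookup -type=CNAME "$($Matches[1])._msdcs.$Domain" $DnsServer 2>&1 | Out-String
        return ($out -match 'canonical name')
    }
    return $false   # repadmin could not reach the DC at all
}

# Report: every row should agree no matter which DC answers, as the thread
# advises ("confirm from both servers that they see the same results").
"FSMO holders:"
(Get-FsmoHolders).GetEnumerator() | Sort-Object Name |
    ForEach-Object { "  {0,-24} {1}" -f $_.Name, $_.Value }
foreach ($dc in $DomainControllers) {
    "DNS server ${dc}:"
    "  SOA for $Domain answered authoritatively : " + (Test-SoaAuthoritative $dc)
    "  DC locator SRV records present           : " + (Test-DcLocatorRecords $dc)
    foreach ($peer in $DomainControllers) {
        "  GUID CNAME of $peer resolvable          : " + (Test-DsaGuidCname $peer $dc)
    }
}
# Replication and DNS summaries; any failure here is a stop sign for demotion.
repadmin /replsummary
dcdiag /test:dns /s:$($DomainControllers[-1])
```

Run it from an elevated prompt on the new DC; a CNAME that resolves only against one of the two DNS servers is the same symptom DNSLint flagged in the thread.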

Author Comment

by:rickmills
ID: 33715722
Thanks for the help.  Time pressures got the better of me.  I opened an incident with Microsoft.  The tech found the file replication was not functioning properly on the 2000 server.  He remoted in and cleaned it up.  That had also caused problems with the 2008 server, so he cleaned that up, as well.  I'm not sure of exactly what he did on the servers.  When he was done, I was able to demote the 2000 server and all worked well.  
Razmus, I'll award you the points for all the help you provided and because I don't think you could troubleshoot it well without being remoted in.
Thanks again.
 

Author Closing Comment

by:rickmills
ID: 33715734
Great info, but a very difficult issue to troubleshoot with the info I provided.