elit2007
Demote old DC

I'm trying to demote an old 2003 master Domain Controller and replace it with a new 2008 server.
I have successfully transferred all FSMO roles to the new DC. Temporarily, the new DC is a secondary DNS server.
My problem is that the SYSVOL and NETLOGON shares were not created when promoting the new DC.
I tried to edit the BurFlags, but this only helped me create the SYSVOL share, not NETLOGON.
The "SYSVOL\domain name" folder is empty.
I have a third domain controller on the same domain that has worked as a secondary domain controller for the master DC I'm trying to demote. And I discovered that the SYSVOL share was empty on that server too.
I have checked that all 3 servers are registered correctly in DNS. And all servers are listed in "Sites and Services".
Now I'm stuck!
KenMcF
Can you post the results from DCDIAG and "repadmin /showrepl"?
Is the SYSVOL populated on the "master" DC?

Did you set the Burflags to "D2" on the 2008 DC?

If SYSVOL is shared, but not NETLOGON on the 2008 DC, try this:

http://support.microsoft.com/kb/947022/en-us
elit2007 (ASKER)
I tried to set Burflags to D4 on the new 2008 DC. This created an empty SYSVOL share but not NETLOGON.
Both SYSVOL and NETLOGON are working on the old master DC.
SOLUTION
David_Hagerman
Here's the output of repadmin /showrepl:

DS1: old master DC
x3200: Old secondary DC
DSDC: New 2008 DC
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DSDC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 8d9ee249-49d5-4ab0-b0a1-94aa3934975f
DSA invocationID: f64d8f3c-7231-4c15-aa61-8ea146654539

==== INBOUND NEIGHBORS ======================================

DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 12:45:31 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 12:45:34 was successful.

CN=Configuration,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 12:08:08 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 12:37:22 was successful.

CN=Schema,CN=Configuration,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.

DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.

DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
    Default-First-Site-Name\DS1 via RPC
        DSA object GUID: 28fa45b5-4470-46a3-92b8-0fb59c8d6faf
        Last attempt @ 2011-02-17 11:47:15 was successful.
    Default-First-Site-Name\X3200 via RPC
        DSA object GUID: f8e6b626-6cba-4bb2-ad49-88169125acd9
        Last attempt @ 2011-02-17 11:47:15 was successful.


FRS is running on all three servers.
Hmm, it looks like there are references to an old offline (failed) domain controller with the name DSX3200.
I don't know if this is creating trouble?

See the results of dcdiag:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.DENTALSOR>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DSDC
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server DSX3200, return
   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Connectivity
         ......................... DSDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Advertising
         ......................... DSDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DSDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DSDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DSDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DSDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DSDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DSDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
         ......................... DSDC failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DSDC\netlogon)
         [DSDC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DSDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DSDC passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION-RECEIVED LATENCY WARNING
         DSDC:  Current time is 2011-02-17 12:59:09.
            CN=Schema,CN=Configuration,DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 08:59:42
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
            CN=Configuration,DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 09:09:33
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
            DC=DENTALSOR,DC=LOCAL
               Last replication received from DSX3200 at
          2008-06-04 09:37:29
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
         ......................... DSDC passed test Replications
      Starting test: RidManager
         ......................... DSDC passed test RidManager
      Starting test: Services
         ......................... DSDC passed test Services
      Starting test: SystemLog
         ......................... DSDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DSDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DENTALSOR
      Starting test: CheckSDRefDom
         ......................... DENTALSOR passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DENTALSOR passed test CrossRefValidation

   Running enterprise tests on : DENTALSOR.LOCAL
      Starting test: LocatorCheck
         ......................... DENTALSOR.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... DENTALSOR.LOCAL passed test Intersite

C:\Users\administrator.DENTALSOR>


Orphan DCs will cause problems. Clean it out: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

You should never set the Burflags to D4 on a DC that has an empty SYSVOL. This tells this DC that it's authoritative for the SYSVOL replica. You should have set the flag to D2.
Okay, now I have cleaned up my domain and removed the offline DC. I set the flag to D2 on the new server and restarted the FRS service. But still no NETLOGON share, and SYSVOL is empty.
Are SYSVOL and NETLOGON shared on your other DCs?

Did you check the SysvolReady bit on the Win2008 DC?
Yes, SYSVOL and NETLOGON are shared on the old master DC and reachable from the new 2008 DC.
No, I have not checked the SysvolReady bit.
Didn't help with the SysvolReady trick.
I got this warning message in the event log:
File Replication Service is initializing the system volume with data from another domain controller. Computer DSDC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL. 
 
To check for the SYSVOL share, at the command prompt, type: 
net share 
 
When File Replication Service completes the initialization process, the SYSVOL share will appear. 
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.


This is my DCDIAG status right now:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.DENTALSOR>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DSDC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Connectivity
         ......................... DSDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DSDC
      Starting test: Advertising
         ......................... DSDC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DSDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DSDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DSDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DSDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DSDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DSDC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=DENTALSOR,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DENTALSOR,DC=LOCAL
         ......................... DSDC failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DSDC\netlogon)
         [DSDC] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DSDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DSDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... DSDC passed test Replications
      Starting test: RidManager
         ......................... DSDC passed test RidManager
      Starting test: Services
         ......................... DSDC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 02/17/2011   13:17:10
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... DSDC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DSDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DENTALSOR
      Starting test: CheckSDRefDom
         ......................... DENTALSOR passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DENTALSOR passed test CrossRefValidation

   Running enterprise tests on : DENTALSOR.LOCAL
      Starting test: LocatorCheck
         ......................... DENTALSOR.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... DENTALSOR.LOCAL passed test Intersite

C:\Users\administrator.DENTALSOR>


Can you run: dcdiag /v /c /f:dcdiag.txt

Attach the logfile.
*Run it on the 2008 server.
Here you go :)
dcdiag.txt
There are three items in the txt file that are already pointing you in the right direction. Can you try them and let us know the outcome?
[1] FRS can not correctly resolve the DNS name ds1.DENTALSOR.LOCAL from this computer.
[2] FRS is not running on ds1.DENTALSOR.LOCAL.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
Here is an article to clean up the metadata from the old server:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
1. DS1: old master DC -> SYSVOL and NETLOGON shared. Correct? (run "net share" to verify)

2. x3200: Old secondary DC -> If #1 is ok and sysvol/netlogon is not shared? Stop ntfrs > Set Burflags = D2 (hex) > Start ntfrs. cmd -> verify if they are shared

3. DSDC: New 2008 DC: If #2 is ok.  Stop ntfrs > Set Burflags = D2 (hex) > Start ntfrs. cmd -> verify if they are shared

You got FRS event:

13508: Indicates RPC connectivity problems, but this is likely due to 13562. (AD replication is working, so RPC connectivity is ok.)
13562 indicates missing FRS attributes/objects.
13565 indicates a non-authoritative restore in progress. (Burflags = D2)
[1] When running a ping test from DSCS against DS1.DENTALSOR.LOCAL it resolves the correct IP address.
[2] On DS1 I assume this is the service called "File Replication"; on DSDC and x3200 it's called "File Replication Service". "File Replication" is running on DS1.
[3] I don't know how to check this.

Also found this error message on DS1 under the File Replication Service log:


The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR. 
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 Replica root path is   : "e:\windows\sysvol\domain" 
 Replica root volume is : "\\.\E:" 
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons. 
 
 [1] Volume "\\.\E:" has been formatted. 
 [2] The NTFS USN journal on volume "\\.\E:" has been deleted. 
 [3] The NTFS USN journal on volume "\\.\E:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. 
 [4] File Replication Service was not running on this computer for a long time. 
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\E:". 
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. 
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service. 
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. 
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. 
 
To change this registry parameter, run regedit. 
 
Click on Start, Run and type regedit. 
 
Expand HKEY_LOCAL_MACHINE. 
Click down the key path: 
   "System\CurrentControlSet\Services\NtFrs\Parameters" 
Double click on the value name 
   "Enable Journal Wrap Automatic Restore" 
and update the value. 
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


If DS1 is in Journal Wrap, you need to fix that first :)

Is  "x3200" sharing netlogon/sysvol?

x3200 is not sharing NETLOGON/SYSVOL. Not after setting the Burflags to D2 either.
How do I fix DS1 Journal Wrap?
ASKER CERTIFIED SOLUTION
Click on Start, Run and type regedit.
 
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
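The checks and fixes the thread walks through (the "net share" test, the BurFlags D2 non-authoritative restore in steps 1-3 above, and the "Enable Journal Wrap Automatic Restore" value from the event text) can be gathered into one audit script. This is an added example, not code from the thread or from Microsoft; it assumes an FRS-replicated DC (not DFSR), an elevated prompt, and the registry value names quoted on this page.

```powershell
<#
 Added example (not from the thread). Audits an FRS-replicated DC for the
 conditions discussed above and, with -Fix, requests a non-authoritative
 SYSVOL restore (BurFlags = D2). It refuses to set D2 while the DC reports
 JRNL_WRAP_ERROR, since the thread's advice is to clear journal wrap first.
#>
param([switch]$Fix)

$hklm = [Microsoft.Win32.Registry]::LocalMachine
# The FRS key name contains a literal "/", which the PowerShell registry
# provider treats as a path separator, so the .NET registry API is used.
$frsParams   = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$burFlagsKey = "$frsParams\Backup/Restore\Process at Startup"
$netlogonKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegValue($path, $name) {
    $k = $hklm.OpenSubKey($path)
    if (-not $k) { return $null }
    $v = $k.GetValue($name); $k.Close(); return $v
}
function Show($label, $value) {
    "{0,-38}: {1}" -f $label, $(if ($null -eq $value) { 'not set' } else { $value })
}

# 1. Share state, parsed from "net share" exactly as the thread suggests.
$netShare = net share
foreach ($s in 'SYSVOL', 'NETLOGON') {
    $present = [bool]($netShare | Where-Object { $_ -match "^$s\s" })
    Show "$s share" $(if ($present) { 'present' } else { 'MISSING' })
}

# 2. Registry values named in the thread.
$burFlags = Get-RegValue $burFlagsKey 'BurFlags'
Show 'BurFlags (hex)' $(if ($null -ne $burFlags) { '0x{0:X}' -f [int]$burFlags })
Show 'Enable Journal Wrap Automatic Restore' (Get-RegValue $frsParams 'Enable Journal Wrap Automatic Restore')
Show 'SysvolReady' (Get-RegValue $netlogonKey 'SysvolReady')

# 3. FRS events from the last 24 hours that the thread identifies as relevant
#    (13508 RPC, 13562 missing objects, 13565 restore in progress) plus any
#    journal wrap error, matched on the message text quoted above.
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; StartTime = $since } `
              -ErrorAction SilentlyContinue |
            Where-Object { (13508, 13562, 13565 -contains $_.Id) -or ($_.Message -match 'JRNL_WRAP_ERROR') })
foreach ($e in $events) {
    '{0:s}  {1,5}  {2}' -f $e.TimeCreated, $e.Id, (($e.Message -split "`n")[0]).Trim()
}
$inJournalWrap = [bool]($events | Where-Object { $_.Message -match 'JRNL_WRAP_ERROR' })

# 4. Optional fix: the thread's "stop ntfrs > BurFlags = D2 > start ntfrs" step.
if ($Fix) {
    if ($inJournalWrap) {
        Write-Warning 'This DC reports JRNL_WRAP_ERROR. Clear the journal wrap first (thread: set "Enable Journal Wrap Automatic Restore" to 1 and restart FRS), then rerun with -Fix.'
        return
    }
    if ($burFlags -eq 0xD4) {
        Write-Warning 'BurFlags is currently D4 (authoritative); resetting it to D2 as the thread recommends for a DC with an empty SYSVOL.'
    }
    net stop ntfrs
    $k = $hklm.OpenSubKey($burFlagsKey, $true)
    if (-not $k) { throw "Registry key HKLM\$burFlagsKey not found; is this DC using FRS?" }
    $k.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
    net start ntfrs
    'Non-authoritative restore requested. Expect FRS event 13565, then re-check "net share" for SYSVOL and NETLOGON.'
}
```

Run it without -Fix first on each DC (DS1, x3200, DSDC) to compare share state and BurFlags side by side before touching anything.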
hey hey :) Setting "Enable Journal Wrap Automatic Restore" to value 1 and then restarting the FRS service solved my problem with the SYSVOL share on all three domain servers :) Now only the NETLOGON share is missing on x3200 and DSDC.
Did you try setting the Burflags = "D2" (hex) on x3200 and DSDC after you got out of the Journal wrap?
Be sure to re-check snusgubben's earlier post to fix this issue:

http://support.microsoft.com/kb/947022/en-us 
have you made the new domain controller a Global Catalog as well?
Thanks :-) NETLOGON is now working after trying snusgubben's suggestion, after first fixing SYSVOL.
Yes, the new DC also got the Global Catalog. So now I think the only remaining thing is to make DSDC the master DNS server, and then demote the old master DC. The x3200 server is also running Exchange server. Do I have to do anything else than changing the DNS address on the NIC on that server?
If you have AD integrated DNS, you don't have a "master" for the DNS zone. All are multi masters.

If x3200 is also hosting DNS, you can either use itself or a partner as primary DNS on the NIC.

FYI, if you can host Exchange on a dedicated server you should do that. Exchange on a DC is not recommended (though it will work).
How will I know if I got AD integrated DNS?

I changed the NIC's DNS on x3200 (Exchange server): DSCS as primary and x3200 as secondary DNS.
Now DS1 is down again (there's a reason why I want to demote this server ;-) ) and the Exchange server now complains about this. Are there any settings in Exchange that point to a preferred domain controller that I have to change?
Or will this relation automatically disappear when I demote (dcpromo) DS1?
Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	LDAP Operations 
Event ID:	8026
Date:		19.02.2011
Time:		19:02:10
User:		N/A
Computer:	X3200
Description:
LDAP Bind was unsuccessful on directory ds1.DENTALSOR.LOCAL for distinguished name ''. Directory returned error:[0x51] Server Down.    

For more information, click http://www.microsoft.com/contentredirect.asp.


Open the DNS management console, right click the domain zone and you will see if it's AD integrated.

As long as you have Exchange installed on a DC, it will never use any other global catalog than itself. I would then make x3200 point to itself as primary DNS, and DSCS as secondary (if both these are hosting DNS).
* right click -> Properties -> General tab
Status: zone never loaded
Type: Secondary
"Replication:Not an Active Directory-integrated zone" is greyed out.
What about the MSExchangeAL error message? Why is it complaining about the communication against DS1 when you say that it will only use itself if x3200 is also a DC?
You should make the domain zone AD integrated.

x3200 will use the DNS server you set on the NIC, but it will only use the "local" GC. (You lose the redundancy for that part.)
Now I made DS1 AD integrated. How do I do this for x3200 and DSDC? The alternative is greyed out on the other two servers.
I waited to see if replication will do this, but the status for both X3200 and DSDC is still "Secondary".
You have to set them as Name Servers on the domain zone. Open the DNS mng console on DS1:

- Properties on the forward lookup zone (domain.com)
- Allow Dynamic updates -> Secure only
- Add the two others as NS's in the Name Servers tab
- "Zone Transfers" -> Allow zone transfers
Sorry, doesn't seem to help.
You could try to remove the DNS role from the two other DCs, and re-add DNS.

http://support.microsoft.com/kb/198437
Just make sure both point to DS1 as the preferred DNS (on the NIC).
You're the man snusgubben! Worked perfectly removing and re-adding the DNS roles. Now all servers are AD-integrated.
So I suppose this is the right time for closing this thread. Thanks for exact and instructive answers and for not losing your patience. :-) Now I will try to demote DS1 and hope I don't have to reopen this thread :-)
If you don't feel too happy about the task of yours, I would remove DNS and the GC from it and turn it off for a week.

If no issues, fire it up and demote it.
Okay, I will do that :-)