Solved

how to set up new domain controller after original failed attempt

Posted on 2011-03-17
761 Views
Last Modified: 2013-12-23
I only have 1 domain controller 2003sp2 in my domain. While attempting to transition to a new 2008 AD domain, it failed terribly, but after the old AD was demoted. So I had to virtualize the old AD from a backup and totally reformat the new 2008 AD and start over. Not sure how to proceed from there as I can't seem to delete the failed server from my AD. I tried ntdsutil.
I am assuming I don't need to do the adprep stuff again. I was thinking I could set the server up again under a new name and IP and transfer everything over from the virtualized backup AD, then work again on removing the original new AD server? I know I need to have more than one DC in the network. I am working on it. Does this plan look like it would work, and once I have the new AD server running okay, make everything point to the new DNS and then devirtualize the old PDC?
0
Question by:jtano
28 Comments
 
LVL 6

Assisted Solution

by:robbe
robbe earned 100 total points
You could seize the FSMO roles. There are some great articles around:

http://support.microsoft.com/kb/255504
http://www.tek-tips.com/faqs.cfm?fid=4733 < this one gives you some more info to delete the old DC
http://www.petri.co.il/seizing_fsmo_roles.htm

If you did the adprep before, you indeed don't need to do this again as the schema extensions will have been made already. But running it again will not hurt anything.

If you have some issues, let me know what is going wrong when you try to delete it. Did you seize all the roles first?
0
 

Author Comment

by:jtano
I had originally transferred all the FSMO roles over to the new AD server, then demoted the original PDC. All was working well until I rebooted the new AD server for a 2nd time; then for some reason it changed its name to the original old PC, and nothing worked after that, prompting me to virtualize the old server from backup and redo the new 2008 server. So I am about to dcpromo this new (reformatted) 2008 server and will give it a new name, transfer the FSMO roles from the virtualized server, then go from there in moving DNS over and pointing everything to the new DNS, then work on trying to delete the domain controller that had failed. I could dcpromo it; I just had to unplug it and shut it down so as not to cause anymore problems on the network. Just wanted to make sure I was going in the right direction. Will keep you posted.
0
 
LVL 17

Expert Comment

by:John Gates
I would say give this a whirl after you seize the roles: http://support.microsoft.com/?kbid=216498
0
 
LVL 6

Expert Comment

by:robbe
Ok, good luck.
0
 

Author Comment

by:jtano
I tried that dimante but it didn't seem to work, but I will try again after I get another AD up and running. Here is the problem I am facing now. My Dept doesn't want me to change the DNS because then we would need to change a lot of static printers at several locations, not to mention all the other equipment that is static. Can I set up everything and then this weekend change the now virtualized AD IP address and then take that IP and give it to the new AD server?
Also, if I transfer the FSMO roles over right now during working hours, will it mess anything up?
0
 
LVL 17

Expert Comment

by:John Gates
Transferring the roles will not affect your operations during the day.  Just make sure that you leave adequate time for replication.  You can switch the IP address to the new AD server but the server will have a different name, yes?  If so make sure that the DNS reflects the name.  If the name will be the same then there is no issue.

-D-
0
 

Author Comment

by:jtano
Yes, different name. The name seems to have gotten me into trouble before. When I set the new AD up and tried to change the name, it wouldn't because it was a DC, but when I rebooted it changed the name anyway but also kept the old name, and you could ping both names with the same IP and it never worked after that. Netlogon wouldn't start.
0
 
LVL 4

Expert Comment

by:needleboy
Hi jtano,

You have a lot of mistakes in your procedure.
If you have a working backup (from before you installed the new DC), you can try these steps below.
Here is the procedure:
1. Install the server that you want to promote to DC, set a different IP and computer name, and be sure that the primary DNS in the TCP/IPv4 properties is the IP address of the old DC.
2. Join the new server to the existing domain.
3. Add the Active Directory Domain Services role and run dcpromo to add this server to the existing server. (During setup, check the Global Catalog check box and DNS server if asked.)
4. When the computer is restarted, add the DNS Server role (if it is not installed during dcpromo) and wait 30 minutes for initial replication.
5. After 30 minutes, seize all FSMO roles to the new DC.
6. On the old DC, change the primary DNS server to the new DC IP address.
7. Restart the servers (one at a time) and check the system logs in Event Viewer.
8. Run dcdiag on both DCs and watch for errors.

You can paste DCDIAG results here, and get further instructions.

Best Regards,
Marko Stanojevic
0
 
LVL 4

Expert Comment

by:needleboy
3. Add active directory domain services role and run dcpromo to add this server to existing DOMAIN (not server)

0
 

Author Comment

by:jtano
I was trying to keep the current IP address for DNS the same so we don't have to change a ton of printers that are static, plus a bunch of other equipment, so I need to make the new server the same IP address as the old server.
0
 
LVL 4

Expert Comment

by:needleboy
That's ok.

When both DCs are fine, you can demote the old one and change the IP address of the new DC.
You can't skip any of these steps to complete this migration.
0
 

Author Comment

by:jtano
Everything is still pointing to the old AD for DNS. Will they be fine until I dcpromo it and change the IP?
0
 
LVL 6

Expert Comment

by:robbe
As long as you end up with a DC with DNS on the old IP, everything will be just fine.

Grtz,
Robin
0
 

Author Comment

by:jtano
Why do I have to dcpromo it before changing the ip?
0
 
LVL 4

Expert Comment

by:needleboy
You must have two DCs with different IPs and computer names for at least one hour for replication to take effect.
0
 

Author Comment

by:jtano
So if I transfer all the FSMO roles over and wait an hour or so and all seems to be working okay on the new DC, what is replicating that I can't take the IP from the old DC? Just nervous about the dcpromo and the IP since it failed terribly the last time.
0
 

Author Comment

by:jtano
I transferred all the roles and I ran dcdiag and got these errors. I will start looking them up, but thought I would throw them out there to see if there are any suggestions on how to fix them.

Testing server: Cabot\CABOTMAIN
    Starting test: Advertising
       Warning: DsGetDcName returned information for
       \\cabotas.ACME.local, when we were trying to reach CABOTMAIN.
       SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
       ......................... CABOTMAIN failed test Advertising
    Starting test: FrsEvent
       There are warning or error events within the last 24 hours after the
       SYSVOL has been shared.  Failing SYSVOL replication problems may cause
       Group Policy problems.

 Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=ACME,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=ACME,DC=local
    ......................... CABOTMAIN failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\CABOTMAIN\netlogon)
    [CABOTMAIN] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... CABOTMAIN failed test NetLogons
 Starting test: ObjectsReplicated

      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/18/2011   14:41:15
            Event String:
            NtpClient was unable to set a manual peer to use as a time source be
cause of DNS resolution error on ''. NtpClient will try again in 3473457 minutes
 and double the reattempt interval thereafter. The error was: The requested name
 is valid, but no data of the requested type was found. (0x80072AFC)
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/18/2011   14:41:19
            Event String:
            NtpClient was unable to set a manual peer to use as a time source be
cause of DNS resolution error on ''. NtpClient will try again in 3473457 minutes
 and double the reattempt interval thereafter. The error was: The requested name
 is valid, but no data of the requested type was found. (0x80072AFC)
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 03/18/2011   14:49:45
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
 reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
0
 
LVL 4

Accepted Solution

by:needleboy
needleboy earned 200 total points
Looks like Windows firewall issue or 3rd party firewall software. Check both.
DC must pass "advertising" test to start serving the clients.

0
 

Author Comment

by:jtano
Okay, I will work on that error. I also need to steal the IP address from the server that I took the roles from. It's the domain controller I am transitioning from. It was virtualized from a backup when I screwed it up, and I don't want to make things worse. Can I change the IP?
0
 
LVL 17

Assisted Solution

by:John Gates
John Gates earned 200 total points
Make sure the sysvol is shared and accessible from both servers also:

<servername>\sysvol from a command prompt.
0
 

Author Comment

by:jtano
The advertising seems okay now. Do you think I can steal that IP now?

Performing initial setup:
   Trying to find home server...
   Home Server = cabotmain
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Cabot\CABOTMAIN
      Starting test: Connectivity
         ......................... CABOTMAIN passed test Connectivity

Doing primary tests

   Testing server: Cabot\CABOTMAIN
      Starting test: Advertising
         ......................... CABOTMAIN passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CABOTMAIN passed test FrsEvent
      Starting test: DFSREvent
         ......................... CABOTMAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CABOTMAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... CABOTMAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CABOTMAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CABOTMAIN passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=ACME,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=ACME,DC=local
         ......................... CABOTMAIN failed test NCSecDesc
      Starting test: NetLogons
         ......................... CABOTMAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CABOTMAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... CABOTMAIN passed test Replications
      Starting test: RidManager
         ......................... CABOTMAIN passed test RidManager
      Starting test: Services
         ......................... CABOTMAIN passed test Services
      Starting test: SystemLog
         ......................... CABOTMAIN passed test SystemLog
      Starting test: VerifyReferences
         ......................... CABOTMAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ACME
      Starting test: CheckSDRefDom
         ......................... ACME passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ACME passed test CrossRefValidation

   Running enterprise tests on : ACME.local
      Starting test: LocatorCheck
         ......................... ACME.local passed test LocatorCheck
      Starting test: Intersite
         ......................... ACME.local passed test Intersite

C:\Users\tthom>
0
 
LVL 4

Expert Comment

by:needleboy
That's much better now.
First demote the old DC before stealing the IP.
After stealing the IP, check the Name Server records in the forward lookup zone in DNS.
Sometimes the IP address for these records won't change.

0
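Added by the editor as a worked version of the post-cutover check above; it is not code from the thread or from any of the posters. It assumes the new DC is CABOTMAIN in ACME.local, that it now holds the old DC's address (192.0.2.10 is a placeholder), and that it runs from a Windows 8 / Server 2012 or later admin host where Resolve-DnsName exists.

```powershell
# Added example, not from the thread. Placeholder values below.
$Domain     = 'ACME.local'
$NewDc      = 'CABOTMAIN'
$ExpectedIp = '192.0.2.10'   # placeholder: the address the old DC used to have

# 1. Every NS record of the zone should resolve to the surviving DC.
#    This is the stale-record case the post warns about: the NS name may
#    still resolve to the demoted server's old address (or be the old name).
$nsRecords = Resolve-DnsName -Name $Domain -Type NS -Server $ExpectedIp -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'NS' }
foreach ($ns in $nsRecords) {
    $aRecords = Resolve-DnsName -Name $ns.NameHost -Type A -Server $ExpectedIp -DnsOnly -ErrorAction SilentlyContinue
    $ips = @($aRecords | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($ips -contains $ExpectedIp) {
        Write-Host "OK    NS $($ns.NameHost) -> $($ips -join ',')"
    } else {
        Write-Warning "STALE NS $($ns.NameHost) -> $($ips -join ',') (expected $ExpectedIp); fix it in the forward lookup zone"
    }
}

# 2. The DC locator SRV record must name the new DC, otherwise clients that
#    query by domain name keep being sent to the demoted server for logons.
$srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ExpectedIp -DnsOnly |
              Where-Object { $_.Type -eq 'SRV' }
foreach ($srv in $srvRecords) {
    Write-Host "SRV   _ldap._tcp.dc._msdcs -> $($srv.NameTarget):$($srv.Port)"
}
if (-not ($srvRecords.NameTarget -match "^$NewDc\.")) {
    Write-Warning "No dc._msdcs SRV record points at $NewDc; restart Netlogon on it to re-register its records"
}

# 3. Ask the locator which DC it actually hands out, then re-run the dcdiag
#    tests that failed earlier in this thread against the new DC.
nltest /dsgetdc:$Domain /force
dcdiag /s:$NewDc /test:Advertising /test:NetLogons /test:NCSecDesc
```

Run it once before and once after the IP swap so the two outputs can be compared.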
 

Author Comment

by:jtano
Do I have to demote the DC? I would rather not in case there is a problem like last week. I was stuck here at work for 17 hours and nobody could work.
0
 
LVL 4

Expert Comment

by:needleboy
Point two or three clients to new DC (set as primary and only DNS server on NICs) and you will see if the domain controller is operational.

I never tested the option from your last post.
0
 
LVL 17

Expert Comment

by:John Gates
In addition if these clients seem to connect I would also as a testing step shut the old DC off and make sure that the clients are still operational.

-D-
0
 
LVL 17

Expert Comment

by:John Gates
If they are then you should be ok with demoting the old one.
0
 

Author Closing Comment

by:jtano
Seems to be working well, just a few issues with trusts and DHCP, but I accomplished the main thing I needed to get done and will work on the other issues. Thanks to all of you for your quick responses.
0
 
LVL 17

Expert Comment

by:John Gates
Thanks and good luck with the rest of your project.

-D-
0
