Solved

how to set up new domain controller after original failed attempt

Posted on 2011-03-17 | 28 Comments | 797 Views | Last Modified: 2013-12-23
I only have one domain controller (2003 SP2) in my domain. While attempting to transition to a new 2008 AD domain, it failed terribly, but only after the old AD was demoted. So I had to virtualize the old AD from a backup and totally reformat the new 2008 AD and start over. Not sure how to proceed from there, as I can't seem to delete the failed server from my AD. I tried ntdsutil.
I am assuming I don't need to do the adprep stuff again. I was thinking I could set the server up again under a new name and IP and transfer everything over from the virtualized backup AD, then work again on removing the original new AD server? I know I need to have more than one DC in the network. I am working on it. Does this plan look like it would work, and once I have the new AD server running okay, make everything point to the new DNS and then devirtualize the old PDC?
Question by:jtano
28 Comments
 
LVL 6

Assisted Solution

by:robbe
robbe earned 100 total points
ID: 35157731
You could seize the FSMO roles. There are some great articles around:

http://support.microsoft.com/kb/255504
http://www.tek-tips.com/faqs.cfm?fid=4733 < this one gives you some more info to delete the old DC
http://www.petri.co.il/seizing_fsmo_roles.htm

If you did the adprep before, you indeed don't need to do this again, as the schema extensions will already have been made. But running it again will not hurt anything.

If you have some issues, let me know what is going wrong when you try to delete it. Did you seize all the roles first?
0
 

Author Comment

by:jtano
ID: 35157934
I had originally transferred all the FSMO roles over to the new AD server, then demoted the original PDC. All was working well until I rebooted the new AD server for a second time; then for some reason it changed its name to the original old PC and nothing worked after that, prompting me to virtualize the old server from backup and redo the new 2008 server. So I am about to dcpromo this new (reformatted) 2008 server and will give it a new name, transfer the FSMO roles from the virtualized server, then go from there in moving DNS over and pointing everything to the new DNS, then work on trying to delete the domain controller that had failed. I couldn't dcpromo it; I just had to unplug it and shut it down so as not to cause any more problems on the network. Just wanted to make sure I was going in the right direction. Will keep you posted.
0
 
LVL 17

Expert Comment

by:John Gates
ID: 35161319
I would say give this a whirl after you seize the roles: http://support.microsoft.com/?kbid=216498
0
 
LVL 6

Expert Comment

by:robbe
ID: 35163549
OK, good luck.
0
 

Author Comment

by:jtano
ID: 35165143
I tried that, dimante, but it didn't seem to work, but I will try again after I get another AD up and running. Here is the problem I am facing now. My department doesn't want me to change the DNS, because then we would need to change a lot of static printers at several locations, not to mention all the other equipment that is static. Can I set up everything and then this weekend change the now-virtualized AD's IP address and then take that IP and give it to the new AD server?
Also, if I transfer the FSMO roles over right now during working hours, will it mess anything up?
0
 
LVL 17

Expert Comment

by:John Gates
ID: 35165172
Transferring the roles will not affect your operations during the day.  Just make sure that you leave adequate time for replication.  You can switch the IP address to the new AD server but the server will have a different name, yes?  If so make sure that the DNS reflects the name.  If the name will be the same then there is no issue.

-D-
0
 

Author Comment

by:jtano
ID: 35165309
Yes, different name. The name seems to have gotten me into trouble before. When I set the new AD up and tried to change the name, it wouldn't, because it was a DC. But when I rebooted, it changed the name anyway but also kept the old name, and you could ping both names with the same IP, and it never worked after that. Netlogon wouldn't start.
0
 
LVL 4

Expert Comment

by:needleboy
ID: 35165734
Hi jtano,

You have a lot of mistakes in your procedure.
If you have a working backup (from before you installed the new DC), you can try the steps below.
Here is the procedure:
1. Install the server that you want to promote to DC, set a different IP and computer name, and be sure that the primary DNS in the TCP/IPv4 properties is the IP address of the old DC.
2. Join the new server to the existing domain.
3. Add the Active Directory Domain Services role and run dcpromo to add this server to the existing server. (During setup, check the global catalog check box, and DNS server if asked.)
4. When the computer has restarted, add the DNS server role (if it was not installed during dcpromo) and wait 30 minutes for initial replication.
5. After 30 minutes, seize all FSMO roles to the new DC.
6. On the old DC, change the primary DNS server to the new DC's IP address.
7. Restart the servers (one at a time) and check the system logs in Event Viewer.
8. Run dcdiag on both DCs and watch for errors.

You can paste DCDIAG results here, and get further instructions.

Best Regards,
Marko Stanojevic
0
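Step 8 of the procedure above is the one worth scripting, so it can be repeated after every change and the results compared. The PowerShell below is an added example, not code from this thread: `ConvertFrom-DcDiag` parses dcdiag's per-test summary lines (including the ones dcdiag wraps onto a second line, as in the output posted later in the thread) into objects, and `Test-DomainControllerHealth` runs dcdiag, `netdom query fsmo` and `repadmin /replsummary` against a named DC. The function names are mine; the sample text is constructed in dcdiag's format and is not a real run.

```powershell
# Added example (not from the thread). Parses dcdiag output so step 8 can be
# repeated and compared after each change. Written for PowerShell 2.0 (Server 2008),
# so it uses New-Object PSObject rather than [pscustomobject].

function ConvertFrom-DcDiag {
    param([Parameter(Mandatory = $true)][string]$Text)
    # dcdiag ends every test with "...... <target> passed|failed test <name>".
    # \s+ before the name also spans the line break dcdiag inserts when the line
    # is too long (e.g. "ForestDnsZones passed test\n   CrossRefValidation").
    $pattern = '\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\w+)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        New-Object PSObject -Property @{
            Target = $m.Groups['Target'].Value
            Test   = $m.Groups['Test'].Value
            Passed = ($m.Groups['Result'].Value -eq 'passed')
        }
    }
}

function Test-DomainControllerHealth {
    param([Parameter(Mandatory = $true)][string]$DcName)
    # Capture stdout as one string so wrapped test names still match.
    $text    = (& dcdiag.exe "/s:$DcName" 2>&1 | Out-String)
    $results = @(ConvertFrom-DcDiag -Text $text)
    $failed  = @($results | Where-Object { -not $_.Passed })
    New-Object PSObject -Property @{
        DC          = $DcName
        PassedCount = $results.Count - $failed.Count
        FailedTests = @($failed | ForEach-Object { '{0}:{1}' -f $_.Target, $_.Test })
        # FSMO holders and replication summary, kept verbatim for comparison.
        FsmoRoles   = (& netdom.exe query fsmo 2>&1 | Out-String)
        ReplSummary = (& repadmin.exe /replsummary 2>&1 | Out-String)
    }
}

# Constructed sample in dcdiag's format (same shape as the output posted in this
# thread), so the parser can be exercised without touching a DC:
$sample = @'
   Testing server: Cabot\CABOTMAIN
      Starting test: Advertising
         ......................... CABOTMAIN passed test Advertising
      Starting test: NCSecDesc
         ......................... CABOTMAIN failed test NCSecDesc
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
'@
ConvertFrom-DcDiag -Text $sample | Format-Table Target, Test, Passed -AutoSize
# Expected rows: Advertising passed, NCSecDesc failed, CrossRefValidation passed.

# Live check of the newly promoted DC (step 8); run it against the old DC as well:
# Test-DomainControllerHealth -DcName CABOTMAIN
```

Run it from an elevated prompt on either DC; dcdiag, netdom and repadmin are all present on a 2008 domain controller. Keeping the output of the first run lets you see which tests changed state after seizing the roles or moving the IP, rather than reading the whole dcdiag dump each time.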
 
LVL 4

Expert Comment

by:needleboy
ID: 35165762
3. Add active directory domain services role and run dcpromo to add this server to existing DOMAIN (not server)

0
 

Author Comment

by:jtano
ID: 35165834
I was trying to keep the current IP address for DNS the same so we don't have to change a ton of printers that are static, plus a bunch of other equipment, so I need to make the new server the same IP address as the old server.
0
 
LVL 4

Expert Comment

by:needleboy
ID: 35165884
That's OK.

When both DCs are fine, you can demote the old one and change the IP address of the new DC.
You can't skip any of these steps to complete this migration.
0
 

Author Comment

by:jtano
ID: 35166075
Everything is still pointing to the old AD for DNS; will they be fine until I dcpromo it and change the IP?
0
 
LVL 6

Expert Comment

by:robbe
ID: 35166089
As long as you end up with a DC with DNS on the old IP, everything will be just fine.

Grtz,
Robin
0
 

Author Comment

by:jtano
ID: 35166140
Why do I have to dcpromo it before changing the ip?
0
 
LVL 4

Expert Comment

by:needleboy
ID: 35166175
You must have two DCs with different IPs and computer names for at least one hour for replication to take effect.
0
 

Author Comment

by:jtano
ID: 35166210
So if I transfer all the FSMO roles over and wait an hour or so, and all seems to be working okay on the new DC, what is replicating such that I can't take the IP from the old DC? Just nervous about the dcpromo and the IP, since it failed terribly the last time.
0
 

Author Comment

by:jtano
ID: 35168623
I transferred all the roles and ran dcdiag and got these errors. I will start looking them up, but thought I would throw them out there to see if there are any suggestions on how to fix them.

Testing server: Cabot\CABOTMAIN
    Starting test: Advertising
       Warning: DsGetDcName returned information for
       \\cabotas.ACME.local, when we were trying to reach CABOTMAIN.
       SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
       ......................... CABOTMAIN failed test Advertising
    Starting test: FrsEvent
       There are warning or error events within the last 24 hours after the
       SYSVOL has been shared.  Failing SYSVOL replication problems may cause
       Group Policy problems.

 Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=ACME,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=ACME,DC=local
    ......................... CABOTMAIN failed test NCSecDesc
 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\CABOTMAIN\netlogon)
    [CABOTMAIN] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... CABOTMAIN failed test NetLogons
 Starting test: ObjectsReplicated

      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/18/2011   14:41:15
            Event String:
            NtpClient was unable to set a manual peer to use as a time source be
cause of DNS resolution error on ''. NtpClient will try again in 3473457 minutes
 and double the reattempt interval thereafter. The error was: The requested name
 is valid, but no data of the requested type was found. (0x80072AFC)
         A warning event occurred.  EventID: 0x00000086
            Time Generated: 03/18/2011   14:41:19
            Event String:
            NtpClient was unable to set a manual peer to use as a time source be
cause of DNS resolution error on ''. NtpClient will try again in 3473457 minutes
 and double the reattempt interval thereafter. The error was: The requested name
 is valid, but no data of the requested type was found. (0x80072AFC)
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 03/18/2011   14:49:45
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
 reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
0
 
LVL 4

Accepted Solution

by:needleboy
needleboy earned 200 total points
ID: 35169273
Looks like Windows firewall issue or 3rd party firewall software. Check both.
DC must pass "advertising" test to start serving the clients.

0
 

Author Comment

by:jtano
ID: 35169288
Okay, I will work on that error. I also need to steal the IP address from the server that I took the roles from. It's the domain controller I am transitioning from. It was virtualized from a backup when I screwed it up, and I don't want to make things worse. Can I change the IP?
0
 
LVL 17

Assisted Solution

by:John Gates
John Gates earned 200 total points
ID: 35169289
Make sure the sysvol is shared and accessible from both servers also:

\\<servername>\sysvol from a command prompt.
0
 

Author Comment

by:jtano
ID: 35169396
The advertising seems okay now. Do you think I can steal that ip now?

Performing initial setup:
   Trying to find home server...
   Home Server = cabotmain
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Cabot\CABOTMAIN
      Starting test: Connectivity
         ......................... CABOTMAIN passed test Connectivity

Doing primary tests

   Testing server: Cabot\CABOTMAIN
      Starting test: Advertising
         ......................... CABOTMAIN passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CABOTMAIN passed test FrsEvent
      Starting test: DFSREvent
         ......................... CABOTMAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CABOTMAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... CABOTMAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CABOTMAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CABOTMAIN passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=ACME,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=ACME,DC=local
         ......................... CABOTMAIN failed test NCSecDesc
      Starting test: NetLogons
         ......................... CABOTMAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CABOTMAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... CABOTMAIN passed test Replications
      Starting test: RidManager
         ......................... CABOTMAIN passed test RidManager
      Starting test: Services
         ......................... CABOTMAIN passed test Services
      Starting test: SystemLog
         ......................... CABOTMAIN passed test SystemLog
      Starting test: VerifyReferences
         ......................... CABOTMAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ACME
      Starting test: CheckSDRefDom
         ......................... ACME passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ACME passed test CrossRefValidation

   Running enterprise tests on : ACME.local
      Starting test: LocatorCheck
         ......................... ACME.local passed test LocatorCheck
      Starting test: Intersite
         ......................... ACME.local passed test Intersite

C:\Users\tthom>
0
 
LVL 4

Expert Comment

by:needleboy
ID: 35169407
That's much better now.
First demote the old DC before stealing the IP.
After stealing the IP, check the Name Server records in the forward lookup zone in DNS.
Sometimes the IP address for these records won't change.

0
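The check just described (NS records in the forward lookup zone after the IP move) is easy to script, and the same script can verify the DC's own A record and what the DC locator now hands to clients. This is an added example, not code from the thread: it uses the zone and DC name from the dcdiag output above (ACME.local, CABOTMAIN), the IP is a placeholder to be replaced with the address reused from the old DC, and the parameter names are mine. It only reports and prints the dnscmd commands that would fix a stale record; it does not change anything itself.

```powershell
# Added example (not from the thread). After the old DC is demoted and the new DC
# takes over its IP, verify that the zone's NS and A records and the DC locator
# have caught up. Zone and DC name are the thread's; the IP is a placeholder.
param(
    [string]$Zone       = 'ACME.local',
    [string]$NewDc      = 'CABOTMAIN',
    [string]$ExpectedIp = '192.0.2.10'   # placeholder: the address moved from the old DC
)
$dcFqdn = "$NewDc.$Zone"

# 1. Make the DC re-register its own A record and the SRV records Netlogon owns.
ipconfig /registerdns | Out-Null
nltest /dsregdns      | Out-Null

# 2. NS records at the zone apex: any name other than the live DC is stale.
#    dnscmd prints one line per record, e.g. "@ 3600 NS cabotmain.acme.local."
$nsHosts = dnscmd $NewDc /EnumRecords $Zone '@' /Type NS |
    ForEach-Object { if ($_ -match '\sNS\s+(\S+)') { $Matches[1].TrimEnd('.') } }
$staleNs = @($nsHosts | Where-Object { $_ -ne $dcFqdn })
if ($staleNs.Count -gt 0) {
    Write-Warning "Stale NS record(s) at zone apex: $($staleNs -join ', ')"
}

# 3. The DC's own A record must carry the reused IP; this is the record that
#    often keeps the old address.
$aRecords = @(dnscmd $NewDc /EnumRecords $Zone $NewDc /Type A |
    ForEach-Object { if ($_ -match '\sA\s+(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] } })
foreach ($ip in $aRecords) {
    if ($ip -ne $ExpectedIp) {
        Write-Warning "$dcFqdn still has A record $ip; remove it with:"
        Write-Warning "  dnscmd $NewDc /RecordDelete $Zone $NewDc A $ip /f"
    }
}
if ($aRecords -notcontains $ExpectedIp) {
    Write-Warning "No A record for $dcFqdn -> $ExpectedIp; add it with:"
    Write-Warning "  dnscmd $NewDc /RecordAdd $Zone $NewDc A $ExpectedIp"
}

# 4. What clients will actually get: the DC locator answer and the LDAP SRV record,
#    both asked of the new DC directly (/force bypasses the locator cache).
nltest "/dsgetdc:$Zone" /force
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $NewDc
```

Run it on the new DC after the IP change and again after the clients' DNS settings have been confirmed; if step 4 still names the old DC or the old address, the stale records reported in steps 2 and 3 are the reason.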
 

Author Comment

by:jtano
ID: 35169416
Do I have to demote the DC? I would rather not, in case there is a problem like last week. I was stuck here at work for 17 hours and nobody could work.
0
 
LVL 4

Expert Comment

by:needleboy
ID: 35169431
Point two or three clients to new DC (set as primary and only DNS server on NICs) and you will see if the domain controller is operational.

I never tested the option from your last post.
0
 
LVL 17

Expert Comment

by:John Gates
ID: 35169460
In addition if these clients seem to connect I would also as a testing step shut the old DC off and make sure that the clients are still operational.

-D-
0
 
LVL 17

Expert Comment

by:John Gates
ID: 35169463
If they are then you should be ok with demoting the old one.
0
 

Author Closing Comment

by:jtano
ID: 35169870
Seems to be working well. Just a few issues with trusts and DHCP, but I accomplished the main thing I needed to get done and will work on the other issues. Thanks to all of you for your quick responses.
0
 
LVL 17

Expert Comment

by:John Gates
ID: 35171656
Thanks and good luck with the rest of your project.

-D-
0