• Status: Solved

2003 Server FSMO Transfer

Hello all,

I am sure this will be a simple one for most.

I have two servers, one Windows Server 2003 as domain controller and a second with Windows Server R2 set up as AD replication and secondary DNS.

I am retiring the main domain controller and will replace it with domain controller 2. I followed the process to transfer the FSMO roles, all 5 of them, to the 2nd domain controller. It was successful.

I then turned off the 1st domain controller and removed it from the site.

Now I am getting errors that the global catalog server cannot be contacted. Also, the FSMO was successful, but not yet validated.

I am not sure what I need to do next. Any help would greatly be appreciated.

Thanks in advance!
Asked: itsupportmd

Tony Massa Commented:
Check to see where the FSMO roles are in AD.  From your domain controller, run:
dsquery server -hasfsmo schema
dsquery server -hasfsmo rid
dsquery server -hasfsmo name
dsquery server -hasfsmo infr
dsquery server -hasfsmo pdc

If any are still associated, then you have to seize (not transfer) the roles
http://support.microsoft.com/kb/255504

Make sure the old server object has been deleted from AD Sites and Services.

Then you should perform a metadata cleanup of the old domain controller
http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx
Script: http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
 
itsupportmd (Author) Commented:
tmassa90,

Thanks for the quick response. I ran the dsquery command and the roles are with the current server, so they transferred successfully.

I looked in AD Site and Services and under Servers, the other domain controller is listed. Should I delete it from there?

Then what?

Thanks,

Bill
 
aoakeley Commented:
Even though you have transferred FSMO roles, you still need to make the new server a GC.

http://support.microsoft.com/kb/296882
    1. On the domain controller, click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
    2. In the console tree, double-click Sites, double-click the name of the site, and then double-click Servers.
    3. Double-click the target domain controller.
    4. In the details pane, right-click NTDS Settings, and then click Properties.
    5. On the General tab, click to select the Global catalog check box.
    6. Restart the domain controller.

Yes, delete the old DC. If you cannot delete it through the GUI, use this: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
 
Tony Massa Commented:
Yes, delete the object from AD sites (and ADUC) if it's still there, then perform the metadata cleanup.  Make sure your DC is a global catalog...all of your DCs should be global catalogs.
 
Awinish Commented:
First question: did you make the new server a DNS server? If yes, did you change DNS on the new DC to point to itself as a DNS server in the NIC? You also have to point all the clients and servers to the new DC as DNS server for name resolution, else authentication will fail.
http://awinish.wordpress.com/2011/03/08/dns-recommendations-from-microsoft/

Most important point: did you configure the new DC as an authoritative time server after transferring the FSMO roles? Your new PDC has to be the time server in the domain, and the others need to follow the domain time hierarchy. The time server is not transferred automatically, and you need to make the new PDC an authoritative time server to prevent authentication failures.
http://support.microsoft.com/kb/816042

Make sure you remove all traces of the removed DC from all the subfolders inside the _msdcs folder in DNS, the Name Servers tab, the server object from NTDS in ADSS, and host records from DNS.

Configure new DC as GC as well.
 
itsupportmd (Author) Commented:
All,

Thanks for your input. I have successfully transferred the FSMO roles and made the new domain controller the Global Catalog server. I have also deleted the old domain controller from AD Sites and Services.

I also did a metadata cleanup. Is there anything that I need to do? Users are reporting very slow login process.

I did not do anything with the time server. Is this an absolute must or is it optional?

Thanks
 
Awinish Commented:
It's a must to configure the new DC holding the PDC role as time server, else there will be issues.
 
itsupportmd (Author) Commented:
Awinish,

Thanks. So according to the link, I should configure the domain controller with an internal time source and not an external one. Is that correct?

Should I follow the steps in the link that you sent?

Thanks,
 
 
Awinish Commented:
The PDC has to sync from an external source, and all other clients/servers/DCs from the PDC server.
 
Awinish Commented:
I prefer time.windows.com, 0x1 for PDC & others with PDC DC
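
The time-source setup discussed above, written out as an added example that is not part of any poster's reply: it uses w32tm instead of the registry edits in KB 816042, with the peer and flag (time.windows.com,0x1) taken from the thread. Run it on the DC that holds the PDC role.

```batch
@echo off
rem Added example, not from the thread: make the PDC role holder the
rem authoritative time source for the domain.
rem Confirm first that this machine is the one returned by:
rem   dsquery server -hasfsmo pdc

rem 1. Sync from the external peer named in the thread and advertise this
rem    DC as a reliable time source.
w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update

rem 2. Restart the Windows Time service so the new settings are loaded.
net stop w32time
net start w32time

rem 3. Force an immediate resynchronization against the new peer.
w32tm /resync /rediscover

rem 4. Measure the offset between this DC and the external peer.
rem    UDP port 123 outbound must be allowed for this to return samples.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly

rem 5. List every DC in the domain with its offset from the PDC.
w32tm /monitor

rem On any other DC or member server that was pointed at a manual peer,
rem return it to the domain time hierarchy instead:
rem   w32tm /config /syncfromflags:domhier /update
```

Kerberos rejects tickets when clocks drift past the allowed skew, so the offsets reported in steps 4 and 5 are the values to watch.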
 
aoakeley Commented:
Slow login is almost always a function of incorrect DNS.

Confirm:
A) that DNS on the workstations points ONLY to a domain DNS server (no ISP DNS)
B) all DNS entries for the old DC are removed (including "same as parent" entries)
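
The checks raised across the thread (FSMO holders, global catalog, leftover DNS records for the retired DC), gathered into one script as an added example that is not part of any poster's reply. OLDDC, OLDIP and DOMAIN are placeholder values, a single-domain forest is assumed, and dcdiag requires the Support Tools on Windows Server 2003.

```batch
@echo off
rem Added example, not from the thread: post-decommission checks.
rem Run on the remaining DC. The three values below are placeholders.
set OLDDC=OLD-DC01
set OLDIP=192.0.2.10
set DOMAIN=example.local

echo === FSMO role holders: every line should name the new DC ===
for %%R in (schema name infr pdc rid) do dsquery server -hasfsmo %%R

echo === Global catalog servers: the new DC must be listed ===
dsquery server -isgc

echo === DC locator SRV records that still name the old DC ===
for %%Q in (_ldap._tcp.gc._msdcs _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.pdc._msdcs) do (
  nslookup -type=SRV %%Q.%DOMAIN% 2>nul | findstr /i /c:"%OLDDC%" >nul && echo STALE: %%Q.%DOMAIN% still lists %OLDDC%
)

echo === Name server records for the zone ===
nslookup -type=NS %DOMAIN% 2>nul | findstr /i /c:"%OLDDC%" >nul && echo STALE: NS record still lists %OLDDC%

echo === "same as parent" host records ===
nslookup %DOMAIN% 2>nul | findstr /l /c:"%OLDIP%" >nul && echo STALE: %DOMAIN% still resolves to %OLDIP%

echo === DNS servers on this machine: domain DNS only, no ISP resolvers ===
ipconfig /all

echo === Can a GC, PDC, time server and KDC be located? ===
dcdiag /test:fsmocheck

echo === Is this DC advertising its roles? ===
dcdiag /test:advertising
```

Any STALE line points at a record to delete in the DNS console; clients that still receive the old DC from a locator query will wait on it before failing over, which shows up as slow logons.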
 
itsupportmd (Author) Commented:
All,

Thank you very much for your assistance with my server transition. I appreciate everyone's time and input. It made my transition go nice and smooth and was a great resource to check myself.

Thanks to all.
 
itsupportmd (Author) Commented:
Thanks again!