Solved

Migrating / Transitioning to Windows Server 2008 R2 Problems

Posted on 2011-09-26
Last Modified: 2012-06-27
Am transitioning AD network from two DCs running Windows Server 2003 to a new box running Windows Server 2008 R2.  Have run Adprep32 on both current DCs, ran DCPromo on new box, successfully (?) transferred all 5 FSMO roles to new box using ntdsutil, moved GC to new box.  Ran DCDIAG to determine status, and am getting errors such as "Warning: DsGetDcName returned information for \\1stserver.mydomain.LOCAL, when we were trying to reach NEWSERVER.  SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE."  (servers & domain shown with generic names)
Question by:rsmcomputer
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601189
Did you check that the SYSVOL and NETLOGON shares are available on the new 2008 server?

Also check that the policies and scripts folders are present on 2008 with the data (policies and scripts).

0
 

Author Comment

by:rsmcomputer
ID: 36601230
SYSVOL AND NETLOGON shares are non-existent on the new server.  I've tried restarting NETLOGON  service, but it doesn't appear to resolve this.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 250 total points
ID: 36601231
Post the whole dcdiag

Check to make sure you have netlogon and SYSVOL like other expert stated.

Go to Run \\localhost to see if you have these folders shared.

Make sure you have the proper DNS setup as well
0
 

Author Comment

by:rsmcomputer
ID: 36601265
DNS looks to be functioning well, setup per Mark Minasi's guidelines.  

Here is DCDIAG output:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = STRITASVR
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\STRITASVR
      Starting test: Connectivity
         ......................... STRITASVR passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\STRITASVR
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\saintw2k3.CASCIA.LOCAL, when we were trying to reach STRITASVR.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... STRITASVR failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... STRITASVR passed test FrsEvent
      Starting test: DFSREvent
         ......................... STRITASVR passed test DFSREvent
      Starting test: SysVolCheck
         ......................... STRITASVR passed test SysVolCheck
      Starting test: KccEvent
         ......................... STRITASVR passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... STRITASVR passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... STRITASVR passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=CASCIA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=CASCIA,DC=LOCAL
         ......................... STRITASVR failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\STRITASVR\netlogon)
         [STRITASVR] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... STRITASVR failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... STRITASVR passed test ObjectsReplicated
      Starting test: Replications
         ......................... STRITASVR passed test Replications
      Starting test: RidManager
         ......................... STRITASVR passed test RidManager
      Starting test: Services
         ......................... STRITASVR passed test Services
      Starting test: SystemLog
         ......................... STRITASVR passed test SystemLog
      Starting test: VerifyReferences
         ......................... STRITASVR passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : CASCIA
      Starting test: CheckSDRefDom
         ......................... CASCIA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... CASCIA passed test CrossRefValidation

   Running enterprise tests on : CASCIA.LOCAL
      Starting test: LocatorCheck
         ......................... CASCIA.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... CASCIA.LOCAL passed test Intersite
0
 
LVL 10

Assisted Solution

by:abhijitwaikar
abhijitwaikar earned 250 total points
ID: 36601273
Restarting the NETLOGON service does not resolve the issue; you need to perform the burflag steps to recover SYSVOL.

Follow this: http://support.microsoft.com/kb/290762

D4, also known as an authoritative mode restore, on the Windows 2003 server first

Then D2, also known as a nonauthoritative mode restore on 2008 server.

Let me know if you have queries.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601278
Go through this link and reboot afterwards

http://support.microsoft.com/kb/947022/en-us
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601285
Also, I forgot: please do take a system state backup or SYSVOL folder backup, and make sure the DNS pointing is correct to the local DNS server or itself on all DCs.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601287
Don't have to burflags yet since SYSVOL is shared. You should be able to go through the link I posted first; see if that works, it should fix the problem.
0
 

Author Comment

by:rsmcomputer
ID: 36601302
I am not following the last post:  Do not know what you mean by D4 and D2.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601332
Those are burflags, but I don't think you need to jump into that right now. Look at the link I posted; this points to exactly what your current issue is.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601357
@dariusg: Author says that the SYSVOL and NETLOGON shares are non-existent on the new server, and the article which you provided does not apply if both NETLOGON and SYSVOL shares are missing.

@rsmcomputer: Just go through the KB article and you will get an idea about the burflag process.  Also read the KB below for more info about how to rebuild the SYSVOL tree and its content in a domain:
http://support.microsoft.com/kb/315457
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601369
SYSVOL is present

 SYSVOL has been shared in the dcdiag
0
 

Author Comment

by:rsmcomputer
ID: 36601376
Here is what we have on all DCs:
1st current DC (SAINTW2K3): IP of 172.16.2.1, DNS points to STRITASVR (new server) as primary and self as secondary.  
2nd current DC (ISIDORE): IP of 172.16.1.1, DNS points to STRITASVR as primary and self as secondary
New server (STRITASVR) IP is 172.16.1.2, DNS points only to self.
GC is on all three DCs.
ntdsutil shows proper FSMO assignments on all three boxes.
NET SHARE on new server:
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin                      
C$           C:\                             Default share                    
profiles$    D:\Profiles                    
IPC$                                         Remote IPC                        
IdentData$   D:\Data\Common\Identipass Data  
Common$      D:\Data\Common                  
E$           E:\                             Default share                    
D$           D:\                             Default share                    
Users$       D:\Data\Common\Users            
Cardaccess   D:\Data\Common\Cardaccess      
Church       D:\Data\Common\Church          
ChurchUsers  D:\Data\Common\Users\Church    
Completed_Homework
             D:\Data\Common\Users\Completed_Homework
                                             
Scans        D:\Data\Common\Users\SchoolScans
                                             
Teachers     D:\Data\Common\Users\Teachers  
Teachers_Shared
             D:\Data\Common\Users\Teachers\Shared
                                             
The command completed successfully.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601394
As per the net share result SYSVOL is not present and BURFLAG is the only option.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601412
Point the new server to one of the old servers for primary DNS until replication has fully taken place
0

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601418
Still the Dcdiag states the SYSVOL share is present which in the past has been fixed with the link above.
0
 

Author Comment

by:rsmcomputer
ID: 36601442
These two KB articles are a lot to digest, since I'm not familiar with Burflags.  I will get back to you all when I am done with these steps.  

Thank you, thank you, thank you all!!!
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601447
Just let us know.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601454
@dariusg: How does replication take place even if we change the DNS pointing on the new server?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601471
??? What I was saying was that the new server should be pointed to one of the old servers until replication has fully taken place. The problem could be partially that replication wasn't fully finished before changing the DNS IP address which can cause the issue.

If the netlogon link doesn't work, then burflag will need to be able to find the other DCs; if DNS didn't fully replicate, that can cause problems with the burflag as well.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601486
Yes, that is true.
0
 

Author Comment

by:rsmcomputer
ID: 36601790
Well, folks, we have progress -- both SYSVOL and NETLOGON are now present in the NET SHARE command result.  Replication seems to be functioning now.  DCDIAG is still not perfectly free from errors, but further replication may result in a few minutes.
Turns out the problem was on SAINTW2K3: File Replication Service Event log indicated "The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR."  Following the steps down in the event message seems to resolve this root cause.  
Will follow up with another post after a few minutes of further replication.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601848
Well that would do it.
0
 

Author Comment

by:rsmcomputer
ID: 36601863
Progress has not seemingly continued as further DCDIAG runs are looking identical.  Here is what I am not seeing:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = STRITASVR
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\STRITASVR
      Starting test: Connectivity
         ......................... STRITASVR passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\STRITASVR
      Starting test: Advertising
         ......................... STRITASVR passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... STRITASVR passed test FrsEvent
      Starting test: DFSREvent
         ......................... STRITASVR passed test DFSREvent
      Starting test: SysVolCheck
         ......................... STRITASVR passed test SysVolCheck
      Starting test: KccEvent
         ......................... STRITASVR passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... STRITASVR passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... STRITASVR passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=CASCIA,DC=LOCAL
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=CASCIA,DC=LOCAL
         ......................... STRITASVR failed test NCSecDesc
      Starting test: NetLogons
         ......................... STRITASVR passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... STRITASVR passed test ObjectsReplicated
      Starting test: Replications
         ......................... STRITASVR passed test Replications
      Starting test: RidManager
         ......................... STRITASVR passed test RidManager
      Starting test: Services
         ......................... STRITASVR passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000406
            Time Generated: 09/26/2011   14:58:36
            Event String:
            The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 09/26/2011   15:13:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\CASCIA.LOCAL\SysVol\CASCIA.LOCAL\Policies\{440CFA9B-AC64-4C6E-8316-2D0E878DEE7D}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         ......................... STRITASVR failed test SystemLog
      Starting test: VerifyReferences
         ......................... STRITASVR passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : CASCIA
      Starting test: CheckSDRefDom
         ......................... CASCIA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... CASCIA passed test CrossRefValidation

   Running enterprise tests on : CASCIA.LOCAL
      Starting test: LocatorCheck
         ......................... CASCIA.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... CASCIA.LOCAL passed test Intersite

Event logs indicate Group Policy settings were successfully processed, FRS Event Log indicates STRITASVR's system volume is ready to be shared as SYSVOL, but DNS Event log indicates "The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed."  Could this be due to where DNS is pointing on the new server (to one of the old servers)?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601872
Could be part of the problem. I would point to one of the old servers for DNS and run dcdiag /fix. Then run repadmin /syncall
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36601913
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR."  
Once you have performed the steps provided in the event, just set the (Enable Journal Wrap Automatic Restore) registry value to "0" or delete it; otherwise it leads to a SYSVOL loop.
0
 

Author Comment

by:rsmcomputer
ID: 36601962
Changed the NIC settings to newserver as DNS1, oldserver as DNS2, updated DNS on newserver, restarted DNS service on newserver, ran NSLOOKUP and it came up newserver.mydomain.local.  Ran DCDIAG /fix and repadmin /syncall.
DCDIAG still has errors, with perhaps this one indicating the main issue:
"Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=CASCIA,DC=LOCAL, DC=DomainDnsZones,DC=CASCIA,DC=LOCAL  
......................... STRITASVR failed test NCSecDesc

DariusG: you are on a roll -- suggestions?
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36602086
If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

http://support.microsoft.com/kb/967482
0
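
The triage done by hand in this thread (which dcdiag tests failed, and whether SYSVOL and NETLOGON appear in NET SHARE), as an added example that is not part of the original posts. The sample inputs and the server name NEWDC are constructed; the NCSecDesc note is taken from the comment above.

```python
import re

# dcdiag verdict lines look like
# "......................... STRITASVR passed test Advertising".
# \s+ tolerates output that was wrapped or run together when pasted.
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\w+)")

# Triage note taken from the thread (the NCSecDesc comment citing KB 967482).
KNOWN_NOTES = {
    "NCSecDesc": "expected until adprep /rodcprep is run; ignorable if no RODC is planned",
}
REQUIRED_DC_SHARES = ("SYSVOL", "NETLOGON")


def dcdiag_failures(text):
    """Return sorted (target, test, note) tuples for every failed test."""
    return sorted(
        {(target, test, KNOWN_NOTES.get(test, ""))
         for target, verdict, test in RESULT_RE.findall(text)
         if verdict == "failed"}
    )


def missing_dc_shares(net_share_text):
    """Return the required DC shares that `net share` output does not list."""
    present, in_table = set(), False
    for line in net_share_text.splitlines():
        if line.startswith("-----"):
            in_table = True  # share rows begin after the dashed rule
        elif in_table and line.startswith("The command completed"):
            break
        elif in_table and line.strip() and not line[0].isspace():
            # Indented rows are wrapped Resource paths of long share names.
            present.add(line.split()[0].upper())
    return [s for s in REQUIRED_DC_SHARES if s not in present]


# Constructed sample input (generic names), shaped like the thread's output.
SAMPLE_DCDIAG = (
    "Starting test: Advertising ......................... NEWDC failed test Advertising "
    "Starting test: SysVolCheck ......................... NEWDC passed test SysVolCheck "
    "Starting test: NCSecDesc ......................... NEWDC failed test NCSecDesc "
    "Starting test: NetLogons ......................... NEWDC failed test NetLogons "
    "Starting test: CrossRefValidation ......................... ForestDnsZones "
    "passed test          CrossRefValidation"
)
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin
IPC$                                         Remote IPC
Long_Share_Name
             D:\Data\Long_Share_Name
The command completed successfully.
"""

if __name__ == "__main__":
    for target, test, note in dcdiag_failures(SAMPLE_DCDIAG):
        print(f"{target}: {test} FAILED {note}".rstrip())
    print("Missing DC shares:", missing_dc_shares(SAMPLE_NET_SHARE) or "none")
```

Feed it the saved text of `dcdiag` and `net share` from the new DC; an empty result from `missing_dc_shares` together with no NetLogons or Advertising failure matches the state the author reached after the journal wrap fix.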
 

Author Closing Comment

by:rsmcomputer
ID: 36602116
Awarding points between two excellent experts is always difficult.  Both experts contributed greatly to the solution and responded very promptly.  Thanks for saving my day!
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36602197
Thanks, and glad to hear that the issue is resolved.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36709644
Thanks and I'm glad everything is working
0
