Solved

SBS MIGRATION 2003 2011 source server still a Global Catalog after migration

Posted on 2011-10-11
Last Modified: 2012-05-12
Hello,

We followed the Microsoft SBS 2003 to 2011 migration step by step. It is not our first migration, but this one gave us a different result from the other migrations.

First of all, the source server SBS2003 was in French and the destination server SBS2011 was (is) in English (maybe this impacted the migration? We received the new server with OEM English SBS2011 and we were not able to change it. We decided to go ahead).

The whole migration went through easily (at least we thought so, all steps being OK during the migration) and we decided to finalize and demote the source server. It has been running like that for some months now.

In the log book we found messages saying "This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. ..."

We also saw that the source server is still present as a GC in the Domain Controllers section of the Active Directory Users and Computers console. So both the source and destination servers are present there as GCs.

Because the source server is not available anymore, we followed the recommendation #3 from the logbook event and we forced/seized the FSMO roles on the destination server thinking that this will solve the problem:
"3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com."

But the message still comes up (with some others copied below).

How can we manually and completely remove references to the source server in AD and keep our SBS2011 healthy and running?

Thanks for any help. We are afraid that this could have some consequences in the near future and we would like to get our SBS2011 to be totally on its own.

Regards,
phm

More info
-----------------------------------------------------
Repadmin: running command /showrepl against full DC localhost
Premier-Site-par-defaut\SRVDESTINATION
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: d2da245c-efb8-4fc8-b8be-8d38759f7a36
DSA invocationID: e98ecbd1-c576-4051-ba87-77760ac36829

==== INBOUND NEIGHBORS ======================================

DC=domainsbs,DC=local
    Premier-Site-par-defaut\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:46 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2863 consecutive failure(s).
        Last success @ 2011-06-14 09:25:58.

CN=Configuration,DC=domainsbs,DC=local
    Premier-Site-par-defaut\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:04 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2863 consecutive failure(s).
        Last success @ 2011-06-14 09:03:05.

CN=Schema,CN=Configuration,DC=domainsbs,DC=local
    Premier-Site-par-defaut\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:25 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2863 consecutive failure(s).
        Last success @ 2011-06-14 08:58:12.

DC=DomainDnsZones,DC=domainsbs,DC=local
    Premier-Site-par-defaut\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:04 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        2870 consecutive failure(s).
        Last success @ 2011-06-14 08:58:15.

DC=ForestDnsZones,DC=domainsbs,DC=local
    Premier-Site-par-defaut\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:04 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        2869 consecutive failure(s).
        Last success @ 2011-06-14 08:48:14.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
-----------------------------------------------------
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/10/2011 07:41:41
Event ID:      2092
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SRVDESTINATION.domainsbs.local
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Infrastructure,DC=domainsbs,DC=local (actually all roles)
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

-------------------------------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          11/10/2011 07:41:41
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SRVDESTINATION.domainsbs.local
Description:
This is the replication status for the following directory partition on this directory server.
 
Directory partition: (actually all partitions)
DC=domainsbs,DC=local
 
This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals.
 
More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".



Question by:CAMTEC_SPRL

Expert Comment

by:Andrej Pirman
ID: 36952296
I googled a little and found a few articles pointing to the same solutions, which involve seizing FSMO roles and recreating them after disaster recovery. To be honest, I did not read them all, but you might be interested:
1.) Seize FSMO roles: http://support.microsoft.com/kb/255504
2.) Reassign FSMO: http://support.microsoft.com/kb/324801

As for any AD operations, I suggest you wait at least 20 minutes between steps.
Also, I suggest you browse the AD database with ADSIEdit and find old server occurrences. Maybe you'll get a clue where the old server still kicks in.

A workaround might also be to connect some PC, install Server 2008R2 on it, and DCPROMO it to domain as additional DC. Assign FSMO roles to it, wait 20 minutes to replicate and check Event logs, replication statuses etc.
If you succeed, you might transfer FSMO roles back to SBS, wait 20 minutes, check logs etc... and after everything is fine, demote the temporary PC-controller from the domain.

Accepted Solution

by: murgroup (earned 375 total points)
ID: 36953012
Please confirm you have a good backup of the server before making any changes. Also, using ntdsutil, check the status of all FSMO roles.

http://www.petri.co.il/determining_fsmo_role_holders.htm

Here are the KBs for removing the old DC, using ntdsutil first, then adsiedit.

http://support.microsoft.com/kb/216498
http://support.microsoft.com/kb/555846
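
Added example (not part of the original answer or of the linked KB articles): a parser for repadmin /showrepl text that lists inbound partners whose last successful replication is older than a threshold. It helps confirm which DC object is stale before metadata cleanup and that no such partner remains afterwards. The sample text is constructed in the format posted in the question; SRVDC2, its GUID and the 60-day default are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in repadmin /showrepl format; SRVDC2 and its GUID are invented.
SAMPLE = """\
DC=domainsbs,DC=local
    Premier-Site-par-defaut\\SRVSOURCE via RPC
        DSA object GUID: 76281c5a-ee29-42f3-a77d-25b5d3beb9bc
        Last attempt @ 2011-10-11 21:57:46 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2863 consecutive failure(s).
        Last success @ 2011-06-14 09:25:58.

CN=Configuration,DC=domainsbs,DC=local
    Premier-Site-par-defaut\\SRVDC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2011-10-11 21:57:04 was successful.
"""

PARTNER = re.compile(r"\s+[^\\]+\\(?P<dc>\S+) via RPC")
ATTEMPT = re.compile(r"Last attempt @ (?P<ts>[\d-]+ [\d:]+) "
                     r"(?:failed, result (?P<code>\d+)|was successful)")
SUCCESS = re.compile(r"Last success @ (?P<ts>[\d-]+ [\d:]+)")
FMT = "%Y-%m-%d %H:%M:%S"

def parse_showrepl(text):
    """Return one dict per (naming context, inbound partner) link."""
    links, nc = [], None
    for line in text.splitlines():
        if re.match(r"(DC|CN)=", line):           # unindented partition DN
            nc = line.strip()
        elif (m := PARTNER.match(line)) and nc:   # indented "site\DC via RPC"
            links.append({"nc": nc, "partner": m["dc"], "code": 0,
                          "attempt": None, "success": None})
        elif links and (m := ATTEMPT.search(line)):
            links[-1]["attempt"] = datetime.strptime(m["ts"], FMT)
            links[-1]["code"] = int(m["code"] or 0)   # 0 means success
        elif links and (m := SUCCESS.search(line)):
            links[-1]["success"] = datetime.strptime(m["ts"], FMT)
    return links

def stale_partners(links, max_days=60):
    """Map partner -> [(partition, days since last success)] for failing links."""
    stale = {}
    for l in links:
        if l["code"]:                             # last attempt failed
            days = (l["attempt"] - l["success"]).days if l["success"] else None
            if days is None or days > max_days:
                stale.setdefault(l["partner"], []).append((l["nc"], days))
    return stale
```

Comparing the reported age with the tombstone lifetime from Event 1864 (180 days on this server) shows how close a failing partner is to being blocked from replication.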

Author Comment

by:CAMTEC_SPRL
ID: 36957139
Hi Labsby

Thanks for the answer, but that's what I did as per the Microsoft proposal:
"3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. "

But it did not improve.
Regards

Author Comment

by:CAMTEC_SPRL
ID: 36957167
Hi murgroup
It will take some time for me to go through all the KBs referenced in the two KBs you sent me.
I will let you know, but I need some time for that.
Regards

Author Closing Comment

by:CAMTEC_SPRL
ID: 37085486
hard job