trouble removing SBS 2003 from domain

Ware-Admin asked
Last Modified: 2012-05-12
I am having trouble removing SBS 2003 from my existing domain. I started with an old server running Windows SBS 2003 (let's call it server1). It was the main server and did all the AD DS / DNS / domain control. I have added two new machines; one configured with Exchange 2010 (I removed Exchange 2003 from the SBS machine) on Server 2008 R2 (call it server4). It is configured to run AD DS and DNS/domain control. The second server is Server 2008 R2 (call it server3), which acts as the user data server, and I would like it to be a 2nd domain controller.
I am having great difficulty removing the existing SBS 2003 server (Server1). It appears that although it shows that I have 2 DNS / domain controllers (Server1 & Server4), the old server (Server1) seems to be the only one doing login verification. When I try to remove Server1 (SBS) my domain crashes. When I try to promote Server3 to an AD DS & DNS/domain controller it fails.
My goal is to retire the old server (SBS) and reformat / repurpose it. I need to get a clean domain with the other 2 servers running Server 2008 R2. I plan to keep the domain / forest level at 2003. What am I missing here, or did not think of?

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Using the AD sites and services snap-in, make your new AD server a global catalog server, then retest.

As an aside, running Exchange on a DC is a nightmare to maintain. I'd recommend reconsidering that layout.

-Cliff
Did you move all the roles to the other domain controller?
If you didn't, look at the instructions here and transfer them.
http://support.microsoft.com/kb/255504
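An added example (not part of the thread, and not code posted by anyone in it) that does the two checks the experts ask for above from PowerShell instead of the snap-ins: report which DC holds each FSMO role and which DCs are global catalogs, enable the GC flag on a DC, and transfer all five roles. It assumes the ActiveDirectory module from RSAT on one of the Server 2008 R2 servers and Domain Admin / Enterprise Admin rights; the domain name is the thread's, and SERVER04 as the target DC is an assumption to adjust. One caveat before the transfer step: an SBS 2003 server checks that it holds the FSMO roles and begins periodic shutdowns after a grace period once they have been moved away, so transfer them shortly before demoting the SBS box, not weeks before.

```powershell
# Added example: FSMO / global catalog report and role transfer on Server 2008 R2.
# Assumes RSAT-AD-PowerShell; $domainName and $targetDc are taken from the thread
# and are assumptions to adjust for another environment.
Import-Module ActiveDirectory

$domainName = 'townofware.local'
$targetDc   = 'SERVER04'   # the DC that should hold the roles (assumption)

# Which DC holds each of the five FSMO roles (forest roles come from Get-ADForest,
# domain roles from Get-ADDomain).
function Get-FsmoHolders {
    param([string]$Domain = $domainName)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Global catalog status of every DC: the same flag the AD Sites and Services
# snap-in shows on the NTDS Settings object.
function Get-GcStatus {
    param([string]$Domain = $domainName)
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles
}

# Enable the GC flag: bit 1 of the 'options' attribute on the DC's NTDS Settings
# object. OR the bit in so any other option bits already set are preserved.
function Enable-GlobalCatalog {
    param([string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options          # $null becomes 0
    if (($opts -band 1) -eq 0) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor 1) }
    }
}

# Transfer (not seize) all five roles. A transfer needs the current holder online;
# seizing is only for a holder that is gone for good.
function Move-AllFsmoRoles {
    param([string]$DcName)
    Move-ADDirectoryServerOperationMasterRole -Identity $DcName `
        -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
        -Confirm:$false
}

# Report first; run the two changes only once the report looks as expected.
Get-FsmoHolders | Format-List
Get-GcStatus    | Format-Table -AutoSize
# Enable-GlobalCatalog -DcName $targetDc
# Move-AllFsmoRoles    -DcName $targetDc
# Get-FsmoHolders | Format-List      # verify; 'netdom query fsmo' is the classic cross-check
```

After enabling the GC flag, wait for the DC to finish building its partial replicas and for the SRV records under _gc._msdcs to appear before relying on it; Get-GcStatus can be re-run to confirm IsGlobalCatalog flipped to True.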

Author

Commented:
Please see the attached screenshot. I was running the DCPROMO wizard on Server03 (Server 2008 R2), which is currently our data server. My existing AD DS / domain controllers are on Server01 (SBS 2003) and Server04 (Server 2008 R2, Exchange 2010). I am trying to add another domain controller so that I can retire Server01 (SBS 2003). However, all attempts have not gone well. The text about not finding any domain controllers with Server 2008 concerns me since clearly Server04 is such. I cancelled out of the dcpromo wizard. I wanted to make sure that I was doing this correctly.
[screenshot: result of dcpromo wizard]

Commented:
This is often caused by improper DNS settings. Each server should ONLY use active functioning AD servers for DNS, and DNS should be AD integrated for DCs. Misconfiguring these will cause location issues.

-Cliff

Author

Commented:
How / where can I look to see if my settings are correct. SBS 2003 was installed before I started work here. I installed the new servers (03 & 04). Server04 took over Exchange from SBS 2003 when I installed it. I added the AD DS / DNS / Domain control functionality to Server04 at the time of install as we only had the single SBS 2003 server doing those functions. I wanted backup / redundancy in case Server01 crashed.

Commented:
Your NIC settings and the DNS server snap-in, respectively.

-Cliff

Author

Commented:
Server01 (SBS 2003) has primary DNS pointing to Server04, secondary to itself.
Server04 (Server 2008) has primary DNS pointing to Server01, secondary to itself
Server03 (Server 2008) has primary DNS pointing to Server04, secondary to Server01

DNS snap-in screenshot below:
[screenshot: dns snapin]
Also, I looked at the properties for the individual servers and they all have Server01 as the primary. See below:
[screenshot: server3 properties]
Keep in mind that my goal is to make Server03 AD DS / DNS / DC before I remove Server01 from the domain.

Commented:
Your DNS server settings are utterly and completely wrong. You should not have a zone per server. Honestly, as messed up as that is, it is clear to me now that you should call in paid help. This is well beyond the scope of an EE issue.

-Cliff

Author

Commented:
I am sorry you feel that this is all messed up. I KNOW IT IS!
I did not set this up, I am just the poor fool who has to try to fix it!
You say that the settings are "utterly and completely wrong"....care to elaborate?
and BTW...this is a paid service... so I don't know what you are suggesting...
I can research the zone per server issue and make the appropriate changes...

Which servers currently have the DNS service running? I would start with the following changes immediately.
Which ones are DCs? Your DNS zones should be AD integrated.

The SBS server should have DNS running and its NIC configured with itself as the primary and, if you have another DNS server running on the domain, make that the secondary (server04?).
All other servers should have the same configuration, I mean, pointing to the SBS server for the primary and any others as a secondary.

Then you should delete those zones you have called SERVER01, 02, etc... those should not exist.

Please keep in mind it's possible we're making things worse as we don't have a complete view of your environment, I am just trying to help based on what I see here. Also I recommend making one change at a time and testing things to make sure you keep track of what could be breaking what.
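An added example (not from the thread) of the checks amanesez describes above, scripted so they can be re-run after each single change: every IP-enabled adapter on each server should list only current DCs as DNS servers, every zone on each DNS server should be AD-integrated and named after a domain rather than a host, and the DC locator SRV record should resolve from each DNS server that clients use. It assumes RSAT-AD-PowerShell on one of the 2008 R2 servers, WMI/DCOM reachability and local admin rights on each server; the server and domain names are the thread's, and the lists at the top are assumptions to adjust.

```powershell
# Added example: DNS client / zone / locator audit for a small AD domain.
# Server names and the domain are from the thread; the lists are assumptions.
Import-Module ActiveDirectory

$domainName = 'townofware.local'
$dnsServers = 'SERVER01','SERVER04'            # hosts running the DNS Server role
$servers    = 'SERVER01','SERVER03','SERVER04' # DCs plus the DC candidate

# Addresses of the real DCs: a domain member should use no other DNS servers.
$dcIps = @(Get-ADDomainController -Filter * -Server $domainName |
           ForEach-Object { $_.IPv4Address })

# NIC check: every DNS address on every IP-enabled adapter must belong to a DC.
function Test-DnsClientSettings {
    param([string]$Computer)
    $nics = Get-WmiObject -ComputerName $Computer -Class Win32_NetworkAdapterConfiguration `
                          -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $order = @($nic.DNSServerSearchOrder)
        $bad   = @($order | Where-Object { $dcIps -notcontains $_ })
        New-Object PSObject -Property @{
            Computer   = $Computer
            Adapter    = $nic.Description
            DnsServers = ($order -join ', ')
            NotADc     = ($bad -join ', ')
            Ok         = (($order.Count -gt 0) -and ($bad.Count -eq 0))
        }
    }
}

# Zone check via the same WMI provider the DNS Manager snap-in uses: flag zones
# that are not AD-integrated and zones named after a host (the per-server zones
# that should not exist).
function Get-HostedZones {
    param([string]$DnsServer)
    Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server         = $DnsServer
                Zone           = $_.Name
                AdIntegrated   = [bool]$_.DsIntegrated
                NamedAfterHost = ($servers -contains $_.Name.ToUpper())
            }
        }
}

# Locator check: the DC SRV record must resolve from each DNS server, otherwise
# dcpromo and logons report that no domain controller can be found.
function Test-DcLocatorRecord {
    param([string]$DnsServer)
    $answer = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" $DnsServer 2>&1 | Out-String
    New-Object PSObject -Property @{
        DnsServer = $DnsServer
        SrvFound  = ($answer -match 'svr hostname')
        Targets   = (([regex]::Matches($answer, 'svr hostname\s*=\s*(\S+)') |
                       ForEach-Object { $_.Groups[1].Value }) -join ', ')
    }
}

$servers    | ForEach-Object { Test-DnsClientSettings $_ } |
    Format-Table Computer, Adapter, DnsServers, NotADc, Ok -AutoSize
$dnsServers | ForEach-Object { Get-HostedZones $_ } |
    Format-Table Server, Zone, AdIntegrated, NamedAfterHost -AutoSize
$dnsServers | ForEach-Object { Test-DcLocatorRecord $_ } | Format-Table -AutoSize
```

A DC that is being demoted should drop out of $dcIps automatically once it is gone, so re-running the first check afterwards shows any server still pointing at the retired address.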

Author

Commented:
Thank You! I will begin this immediately and keep you apprised...

Author

Commented:
I have verified that we are running Active-Directory Integrated!

You mention that the SBS server should be the primary. My goal is to remove the SBS server. So should I make my other DNS / DC the primary? I have Server01 (SBS 2003) and Server04 (Server 2008 R2) as my domain controllers. FSMO roles are transferred to Server04.
Or are you suggesting that we get things configured properly first with what I have, then work on removing the SBS server?

Once I know which way you want me to go, I will then configure the NICs on the servers accordingly. Then I will delete the "Server" zones.

Yes, I would suggest making things work the way they should first. Then removing SBS.
But I am always more cautious... you can just make server04 the primary for all servers, and don't forget DHCP scope for your client machines.

Author

Commented:
Only our Servers and the network printers are static. All other machines are DHCP and get their IP via our SonicWall Firewall appliance.

I removed all the servers from the zones. I set primary DNS to Server04 on all servers here at this location.

Below is a screenshot of the DNS Manager now. I did notice that the "Start of Authority (SOA)" for the zones is set to Server01. I am going to assume that I should start to change that on the zones themselves. (townofware.com, townofware.local, _msdcs.townofware.local)

Also, the properties for Server01 have the Interfaces tab looking only at its own IP address. Server04 is set to look at all IP addresses. I will also assume that I should change that setting for Server01 to also look at all IP addresses. Can you please confirm?
[screenshot: New DNS Manager settings]

OK, so on the DHCP scope, make sure you set the DNS server being handed out to Server04 as the primary.
In your internal zone, townofware.local, you have A records for all your servers, right? I can't see it in this pic.
I don't think you need to change the SOA, it should update itself when you remove the DNS role from the SBS server.

I don't really understand your last statement, can you send a screen shot? Not sure what "all IP addresses" server04 is looking at.

Author

Commented:
Server04 is set to primary.
The internal zone, townofware.local, has A records for all the servers.
See screenshots below:
This is Server01 properties:
[screenshot: svr1prop]
This is Server04 properties:
[screenshot: svr4prop]
Keep in mind that Server01's IP is 10.6.1.254 and Server04's IP is 10.6.1.251.

Oh, that doesn't matter since you're not using IPv6, I imagine...

Author

Commented:
Next step?

Try to remove SBS Server OR add another DNS Server on Server03? That is my eventual goal here is to add DNS onto Server03 and then remove SBS Server (Server01) from domain...

If I remove the SBS Server, it could break the domain, correct? Just don't want to dig a hole I can't get out of...

You might want to try DCPromo on another server, so in the end of it all you still have 2 DC/DNS servers. That's the goal, right?
So make sure the server you want to DCPromo can resolve DNS properly, check the NIC settings.
Make sure they point to server04 as a primary. Then try it out.

Author

Commented:
OK will do!

Author

Commented:
I ran DCPROMO on Server03 and got the following:
[screenshot: dcpromo result]
My concern is that both Server04 and Server03 are running Windows Server 2008 R2. I am leery of continuing with the DCPROMO wizard until I can get a resolution on this....

Is Server03 running the DNS role? You should remove that role and run DCPromo again. It will install that role during the DCPromo process...
In your DNS management console, which one is the SOA?
You can also run a dcdiag and netdiag and see the results, they might also tell you something.

Author

Commented:
I removed DNS from Server03, but cannot complete until after hours. Needs to be restarted. TownHall closes at 4PM EST.

I checked the SOA on townofware.local and it is pointing to server01. Assume that it should now be pointing to Server04, correct??

I will need to download the DCDIAG and NETDIAG tools. They don't appear to be on the server atm...
If you only have one SOA and it's pointing to Server01, it should change on its own when you demote Server01. I wouldn't change it manually.

Commented:
I would like to clarify my previous answer, as I am still seeing quite a bit above that concerns me. I was traveling yesterday or I would have responded more quickly.

First, regarding the "paid service." While experts exchange does offer a subscription, experts that offer answers are all volunteers. No payment or compensation occurs.

This means that Experts Exchange is a great resource for the "I'm stuck with this error" type issues, but both the nature of the forum format and the inability to truly accurately judge the accuracy of any individual expert's answer makes it less well suited for large issues or rebuilds.

True I.T. consultants spend much time and money acquiring their skills and knowledge. It is morally acceptable to compensate them for it by hiring them. I'd rather see you hire a consultant local to you for 1 hour (which is about how long fixing your problem would take for an AD expert) vs. spend a week on here, sifting through good advice vs. bad, risking your network, and potentially still getting nowhere. Even amanesez said above to keep in mind that you may be making things worse. Not at all a comment on his talent, but a testament to the limitations of working through EE.

And so as not to sound too preachy, I also believe that the tipping point where a project is large enough that you should hire a consultant is also the tipping point where it becomes better for the business to do so. Yes, a consultant costs money. But so does spending time on EE reading answers, trying them, responding, the extended downtime WHILE that is happening, and the other projects on hold because of it. You could have hired someone, had the work done, and moved on by now, which, when considering the value of your time, would have been less expensive and less risk than what you were (and are) doing now.

At any rate, I clearly don't expect this to be the accepted answer. I offer this advice for the same reason I participate on EE. I believe technology, I.T., and business advice has a place and I enjoy contributing back to the community for the improvement of everyone. So take this or leave it as you see fit.

Thanks,

-Cliff
Actually I agree with cgaliher. I was a consultant myself, and being in front of the servers I could have probably already resolved the issue. The environment looks pretty messed up and there could be more than we can "see" on here.

I am doing my best to help, but the results may not be to your satisfaction, or come in a timely manner for your organization.

Author

Commented:
first of all I want to thank you for your help thus far.

I did not realize things were as screwed up as they are. This is a government (small town in central Massachusetts) and as is the case, budgets are extremely tight.

I was originally hired to help maintain their infrastructure, but that role has changed dramatically since then and we have had many issues along the way. I have managed to get through them all until now.

I did not set up the existing environment here. It was done with a 3rd party years ago with SBS 2003. That company is no longer in business... I am sure that they had no idea about what to plan for as far as growth and infrastructure. Couple that with previous Town Managers who never really got the whole "importance of IT" aspect.

So I am kind of stuck here. I will begin to try to find some consultant if possible and hope that I can get $$ to pay for them. In the mean time, I will still need to ask "more specific" questions to try to resolve my issues. I am getting errors when running DCDIAG and will try to get answers to resolve them.

The results are listed below:
Doing primary tests

   Testing server: Default-First-Site-Name\SERVER04
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\SERVER01.townofware.local, when we were trying to reach SERVER04.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER04 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER04 passed test FrsEvent
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER04\netlogon)
         [SERVER04] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER04 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER04 passed test ObjectsReplicated
      Starting test: Services
         ......................... SERVER04 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0002714
            Time Generated: 11/08/2011   13:52:17
            Event String:
            DCOM got error "1326" and was unable to logon .\McAfeeMVSUser in order to run the server:
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 11/08/2011   14:10:02
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         ......................... SERVER04 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER04 passed test VerifyReferences


How many users do you have in your environment? How many mailboxes?
I am just wondering (based on all the errors above) if you're not better off starting with a fresh domain, and move everything over...

Author

Commented:
I have approx. 70 active users on the domain. Around 100 total mailboxes. Apart from the Town Hall, I have three separate locations that VPN into us (DPW, Fire and Senior Center). They authenticate to "townofware" and use Exchange. Our Police Dept uses Exchange via OWA, but does not log into the domain; they have a separate domain from the "townofware" domain. Eventually they will be connected to us.

Believe me...I would LOVE to start over. Then I know what is what and would not have to peel back the onion and expose more issues as I go...Having to deal with SBS has been a real pain. I found out that when SBS 2003 was installed, we had about 20 users and no connectivity between locations...they did not see / plan for any kind of growth or expansion.

I have the IT manager for the school system coming by later to see if we can work through the errors above... His organization spans all the local schools and has 100's of users. However, he does not have SBS to deal with, so his infrastructure is a lot cleaner...
Then my recommendation would be for you to work through all the errors you see on DCDiag, one at a time, when you have that clean, and Netdiag clean, then try again.

This may help:
http://technet.microsoft.com/en-us/library/cc776854%28WS.10%29.aspx

The good news is that when this is all done and clean you will have learned a lot! :-)
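An added example (not from the thread) for working through dcdiag one test at a time, as suggested above: it turns dcdiag's summary lines into objects so the failing tests can be listed and compared between runs, and it checks the SYSVOL and NETLOGON shares that the NetLogons test complained about. The sample lines at the bottom are constructed from the output posted earlier in this thread. Note that netdiag.exe is not shipped with Server 2008 / 2008 R2; dcdiag /test:DNS takes over its DNS checks. Assumes PowerShell on one of the 2008 R2 servers and Domain Admin rights; the host names are the thread's.

```powershell
# Added example: parse dcdiag results and check DC shares on Server 2008 R2.
# DC names are from the thread and are an assumption to adjust.
$dcs = 'SERVER01','SERVER04'   # add SERVER03 once it has been promoted

# Parse dcdiag's summary lines ("......... SERVER04 failed test Advertising")
# into objects so repeated runs can be diffed while errors are worked down.
function ConvertFrom-DcDiagOutput {
    param([string[]]$Lines)
    $pattern = '\.{3,}\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                DC     = $Matches['dc']
                Test   = $Matches['test']
                Passed = ($Matches['result'] -eq 'passed')
            }
        }
    }
}

# Run the comprehensive test set (/c) against one DC (/s). Add /test:DNS when
# the locator records are in question; it is not part of the default set.
function Get-DcDiagResult {
    param([string]$Dc)
    $out = dcdiag /s:$Dc /c 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-DcDiagOutput -Lines $out
}

# The NetLogons test failed on the NETLOGON share. A DC whose first SYSVOL
# replication never completed advertises neither SYSVOL nor NETLOGON.
function Test-DcShares {
    param([string]$Dc)
    $view = net view "\\$Dc" 2>&1 | Out-String
    New-Object PSObject -Property @{
        DC       = $Dc
        SYSVOL   = ($view -match '(?m)^\s*SYSVOL\s')
        NETLOGON = ($view -match '(?m)^\s*NETLOGON\s')
    }
}

# Constructed sample modelled on the dcdiag output posted above, to exercise the
# parser without touching a live DC.
$sample = @(
    '         ......................... SERVER04 failed test Advertising',
    '         ......................... SERVER04 passed test FrsEvent',
    '    ......................... SERVER04 failed test NetLogons',
    '         ......................... SERVER04 passed test Services'
)
ConvertFrom-DcDiagOutput -Lines $sample | Where-Object { -not $_.Passed } |
    Format-Table DC, Test -AutoSize          # lists Advertising and NetLogons

# Live run against the domain (uncomment on a DC or RSAT box):
# $dcs | ForEach-Object { Get-DcDiagResult $_ } | Where-Object { -not $_.Passed } |
#     Format-Table DC, Test -AutoSize
# $dcs | ForEach-Object { Test-DcShares $_ } | Format-Table -AutoSize
```

Fix the Advertising and NetLogons failures first: a DC that is not advertising and has no NETLOGON share is not usable for logons, which is why removing the SBS server took the domain down even though a second DC appeared to exist.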

Author

Commented:
Thanx!

That is an understatement!

BTW, Netdiag does not run on Server 2008.
Commented:
As an aside, you have made comments a few times now along the lines of "he doesn't have SBS to deal with so his environment is cleaner" and similar. I get the impression that you feel your problems are caused by SBS. I want to be very specific here about what SBS is and what it isn't.

SBS is a collection of standard Microsoft technologies (windows server, DNS, DHCP, Exchange, SharePoint) preconfigured to best practices, and then some SBS-specific technologies added to make management of the entire server easier.

What that means is that with a properly installed server, DNS is exactly as it is on a standard non-SBS server. But managing DNS is easier with the SBS wizards. DHCP is exactly the same as it is on a non-SBS server. But it is configured with best practices already regarding updates and DHCP "options" and requires less manual configuration. And so on and so forth. Your environment is not more screwed up because of SBS, and the SBS wizards did not contribute to this mess. This same mess can occur in a stock-standard non-SBS install if it was installed or managed improperly.

Yes, SBS has limitations and restrictions. You wouldn't want to drag race in an SUV, and you wouldn't want to take 10 kids from soccer to ice cream in a Lamborghini. Both are automobiles. Both operate on combustion. They all have four wheels and share some basic principles, but they are built for different purposes. SBS has a specific use and target market. It is not crippled. It is not broken. It is not inferior. It just shouldn't be used in unintended ways, any more than you'd want to cram kids into a car not built for multiple passengers. And like automobiles, a flat tire is a flat tire, no matter what you drive. And sugar in the gas tank will clog a fuel filter. The analogy is surprisingly accurate.

At any rate, I'm still monitoring this thread, so good luck, and if I see someplace where I can assist, I will do so. But I will also say that it is a good idea to open new questions instead of stringing this one. For example, if you have five dcdiag errors, and five people contribute to fixing them, and then *new* problems surface, you are then spreading your points among all of those experts. Or you may even be missing out on getting expertise from the specific issues you are having. As a problem evolves (or gets bigger) it is best to open new questions as appropriate, instead of asking follow-up questions in an existing thread. It is better for you *and* the experts if you do so.

HTH,

-Cliff

Thanx Cliff for the insight on SBS. I think that when the town started out, SBS was probably a great solution. However, now we have a different animal here and SBS's limitations are causing us issues.

I will also take your advice on starting new threads as this progresses. But before I do that, I wanted to brief you guys on where I am.

With all the errors we were getting, it looked like Server04 never really finished becoming a Domain Controller. So we put things back to the known good state with Server01 as the only Domain Controller and transferred the FSMO roles back. We retested and we received 0 errors with DCDIAG.

We made sure that all the ADPREP's were run and completed successfully (Domain, Forest, RODC).

Exchange (2010 version on Server04) works fine and no known DNS or AD DS issues.

We then ran DCPROMO on Server04 and tried to create a new Domain Controller (both AD DS and DNS were selected and not RODC). I came in this AM and found that the SYSVOL and NETLOGON shares did not replicate onto Server04. This leads me to believe that the promotion of Server04 to Domain Controller did not complete successfully.

I am in the midst of determining what did happen, and will begin a new thread based on my new errors. I will look for any feedback on this thread if you post any and thanx again for the help.

I am also going to run DCPROMO on Server03 as well and see if that completes successfully. In the end, Server03 will be the new primary DC and Server04 the secondary.

Great! I think you're going about it the right way, taking a step back and then a step forward.
Perhaps there's something wrong with server04 that's not allowing it to become a DC.
And I also think you're better off starting a new thread for each new obstacle you encounter, that way you'll get new, fresh eyes.

I just re-read your post and noticed that you're running DCPromo on an Exchange server... you can't DCPromo an exchange server.
Either you make it a DC before you install exchange (not even recommended anyway) or you don't.

So that might be what's causing your problems. You should move forward with AD on server03 and pick another server for secondary...

Author

Commented:
This was my first post on EE. I was not sure how the points / grading went; therefore I split the points between the two experts that helped me.
