Ware-Admin asked:
trouble removing SBS 2003 from domain

I am having trouble removing SBS 2003 from my existing domain. I started with an old server running Windows SBS 2003 (let's call it server1). It was the main server and did all the AD DS / DNS / domain control. I have added two new machines: one configured with Exchange 2010 (I removed Exchange 2003 from the SBS machine) on Server 2008 R2 (call it server4). It is configured to run AD DS and DNS/domain control. The second server is Server 2008 R2 (call it server3), which acts as user data and I would like it to be a 2nd domain controller.
I am having great difficulty removing the existing SBS 2003 server (Server1). It appears that although it shows that I have 2 DNS / domain controllers (Server1 & Server4), the old server (Server1) seems to be the only one doing login verification. When I try to remove Server1 (SBS) my domain crashes. When I try to promote Server3 to an AD DS & DNS/domain controller it fails.
My goal is to retire the old server (SBS) and reformat / repurpose it. I need to get a clean domain with the other 2 servers running Server 2008 R2. I plan to keep the domain / forest level at 2003. What am I missing here, or have not thought of?
Cliff Galiher:
Using the AD sites and services snap-in, make your new AD server a global catalog server, then retest.

As an aside, running Exchange on a DC is a nightmare to maintain. I'd recommend reconsidering that layout.

-Cliff
Did you move all the roles to the other domain controller?
If you didn't, look at the instructions here and transfer them.
http://support.microsoft.com/kb/255504
Ware-Admin (asker):
Please see the attached screenshot. I was running the DCPROMO wizard on Server03 (Server 2008 R2), which is currently our data server. My existing AD DS / domain controllers are on Server01 (SBS 2003) and Server04 (Server 2008 R2, Exchange 2010). I am trying to add another domain controller so that I can retire Server01 (SBS 2003). However, all attempts have not gone well. The text about not finding any domain controllers with Server 2008 concerns me since Server04 clearly is one. I cancelled out of the dcpromo wizard. I wanted to make sure that I was doing this correctly. [screenshot]
This is often caused by improper DNS settings. Each server should ONLY use active functioning AD servers for DNS, and DNS should be AD integrated for DCs. Misconfiguring these will cause location issues.

-Cliff
How / where can I look to see if my settings are correct? SBS 2003 was installed before I started work here. I installed the new servers (03 & 04). Server04 took over Exchange from SBS 2003 when I installed it. I added the AD DS / DNS / domain control functionality to Server04 at the time of install, as we only had the single SBS 2003 server doing those functions. I wanted backup / redundancy in case Server01 crashed.
Your NIC settings and the DNS server snap-in, respectively.

-Cliff
Server01 (SBS 2003) has primary DNS pointing to Server04, secondary to itself.
Server04 (Server 2008) has primary DNS pointing to Server01, secondary to itself
Server03 (Server 2008) has primary DNS pointing to Server04, secondary to Server01

DNS snap-in screenshot below:
[screenshot]
Also, I looked at the properties for the individual servers and they all have Server01 as the primary. See below:
[screenshot]
Keep in mind that my goal is to make Server03 AD DS / DNS / DC before I remove Server01 from the domain.
Your DNS server settings are utterly and completely wrong. You should not have a zone per server. Honestly, as messed up as that is, it is clear to me now that you should call in paid help. This is well beyond the scope of an EE issue.

-Cliff
I am sorry you feel that this is all messed up. I KNOW IT IS!
I did not set this up, I am just the poor fool who has to try to fix it!
You say that the settings are "utterly and completely wrong"....care to elaborate?
And BTW... this is a paid service... so I don't know what you are suggesting...
I can research the zone per server issue and make the appropriate changes...
Which servers currently have the DNS service running? I would start with the following changes immediately.
Which ones are DCs? Your DNS zones should be AD integrated.

The SBS server should have DNS running and its NIC configured with itself as the primary, and if you have another DNS server running on the domain, make that the secondary (server04?).
All other servers should have the same configuration; I mean, pointing to the SBS server for the primary and any others as a secondary.

Then you should delete those zones you have called SERVER01, 02, etc... those should not exist.

Please keep in mind it's possible we're making things worse as we don't have a complete view of your environment, I am just trying to help based on what I see here. Also I recommend making one change at a time and testing things to make sure you keep track of what could be breaking what.
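A way to audit the DNS client and zone configuration described in this answer, as an added example that is not part of the original thread. It uses WMI only, so it works against Windows Server 2008 R2 machines, assumes the ActiveDirectory RSAT module on the workstation running it, and takes the SERVER03 name from the thread.

```powershell
# Added example: audit DNS client settings and DNS zone storage across the
# domain. Every server's DNS client list may contain ONLY addresses of working
# DCs, every zone on a DC should be AD-integrated, and no zone should be
# named after a server (the SERVER01/02 zones seen in the thread).
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter *
$dcIps   = @($dcs | ForEach-Object { $_.IPv4Address })
$dcNames = @($dcs | ForEach-Object { $_.HostName })

# Member servers to audit in addition to the DCs (name assumed from the thread).
$members = @('SERVER03.townofware.local')

foreach ($server in ($dcNames + $members)) {
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                -ComputerName $server -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $order   = @($nic.DNSServerSearchOrder)
        $foreign = @($order | Where-Object { $dcIps -notcontains $_ })
        $status  = if ($order.Count -eq 0)      { 'NO DNS SERVERS SET' }
                   elseif ($foreign.Count -gt 0) { "NON-DC DNS: $($foreign -join ', ')" }
                   else                          { 'OK' }
        '{0,-30} {1,-40} {2}' -f $server, ($order -join ', '), $status
    }
}

# Zone storage check: MicrosoftDNS_Zone.DsIntegrated is True for AD-integrated
# zones. A zone whose first label matches a server hostname is flagged.
foreach ($dc in $dcNames) {
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
                 -ComputerName $dc -ErrorAction SilentlyContinue
    if (-not $zones) { "$dc : DNS server role not reachable"; continue }
    foreach ($z in $zones) {
        $problems = @()
        if (-not $z.DsIntegrated) { $problems += 'not AD-integrated' }
        $hostPart = ($z.Name -split '\.')[0]
        if (($dcNames + $members) | Where-Object { $_ -like "$hostPart.*" }) {
            $problems += 'zone named after a server'
        }
        $p = if ($problems) { $problems -join '; ' } else { 'OK' }
        '{0,-30} {1,-35} {2}' -f $dc, $z.Name, $p
    }
}
```

Run it once before and once after each change so that a broken DNS client setting on any server shows up immediately rather than during dcpromo.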
Thank You! I will begin this immediately and keep you apprised...
I have verified that we are running Active-Directory Integrated!

You mention that the SBS server should be the primary. My goal is to remove the SBS server. So should I make my other DNS / DC the primary? I have Server01 (SBS 2003) and Server04 (Server 2008 R2) as my domain controllers. FSMO roles are transferred to Server04.
Or are you suggesting that we get things configured properly first with what I have, then work on removing the SBS server?

Once I know which way you want me to go, I will then configure the NICs on the Servers accordingly. Then I will delete the "Server" zones.
Yes, I would suggest making things work the way they should first. Then removing SBS.
But I am always more cautious... you can just make server04 the primary for all servers, and don't forget DHCP scope for your client machines.
Only our Servers and the network printers are static. All other machines are DHCP and get their IP via our SonicWall Firewall appliance.

I removed all the servers from the zones. I set primary DNS to Server04 on all servers here at this location.

Below is a screen shot of the DNS Manager now. I did notice that the "Start of Authority (SOA)" for the zones is set to Server01. I am going to assume that I should start to change that on the zones themselves. (townofware.com, townofware.local, _msdcs.townofware.local)

Also, the properties for Server01 have the Interfaces tab looking only at its own IP address. Server04 is set to look at all IP addresses. I will also assume that I should change that setting for Server01 to also look at all IP addresses. Can you please confirm?
[screenshot]
OK, so on the DHCP scope, make sure you set the DNS server being handed out to the server04 as a primary.
In your internal zone, townofware.local, you have A records for all your servers, right? I can't see it in this pic.
I don't think you need to change the SOA, it should update itself when you remove the DNS role from the SBS server.

I don't really understand your last statement, can you send a screen shot? Not sure what "all IP addresses" server04 is looking at.
Server04 is set to primary.
The internal zone, townofware.local, has A records for all the servers.
See screenshots below:
This is Server01 properties:
[screenshot]
This is Server04 properties:
[screenshot]
keep in mind that Server01 IP is 10.6.1.254 and Server04 IP is 10.6.1.251
Oh, that doesn't matter since you're not using IPv6, I imagine...
Next step?

Try to remove the SBS server OR add another DNS server on Server03? My eventual goal here is to add DNS onto Server03 and then remove the SBS server (Server01) from the domain...

If I remove the SBS server, it could break the domain, correct? Just don't want to dig a hole I can't get out of...
You might want to try DCPromo on another server, so in the end of it all you still have 2 DC/DNS servers. That's the goal, right?
So make sure the server you want to DCPromo can resolve DNS properly, check the NIC settings.
Make sure they point to server04 as a primary. Then try it out.
OK will do!
I ran DCPROMO on Server03 and got the following:
[screenshot]
My concern is that both Server04 and Server03 are running Windows Server 2008 R2. I am leery of continuing with the DCPROMO wizard until I can get a resolution on this....
Is Server03 running the DNS role? You should remove that role and run DCPromo again. It will install that role during the DCPromo process...
In your DNS management console, which one is the SOA?
You can also run a dcdiag and netdiag and see the results, they might also tell you something.
I removed DNS from Server03, but cannot complete until after hours. Needs to be restarted. TownHall closes at 4PM EST.

I checked the SOA on townofware.local and it is pointing to server01. Assume that it should now be pointing to Server04, correct??

I will need to download the DCDIAG and NETDIAG tools. They don't appear to be on the server atm...
If you only have one SOA and it's pointing to server01 it should change on its own when you demote Server01. I wouldn't change it manually.
I would like to clarify my previous answer, as I am still seeing quite a bit above that concerns me. I was traveling yesterday or I would have responded more quickly.

First, regarding the "paid service." While Experts Exchange does offer a subscription, experts that offer answers are all volunteers. No payment or compensation occurs.

This means that Experts Exchange is a great resource for the "I'm stuck with this error" type issues, but both the nature of the forum format and the inability to truly accurately judge the accuracy of any individual expert's answer make it less well suited for large issues or rebuilds.

True I.T. consultants spend much time and money acquiring their skills and knowledge. It is morally acceptable to compensate them for it by hiring them. I'd rather see you hire a consultant local to you for 1 hour (which is about how long fixing your problem would take for an AD expert) vs. spend a week on here, sifting through good advice vs bad, risking your network, and potentially still getting nowhere. Even amanesez said above to keep in mind that you may be making things worse... not at all a comment on his talent, but a testament to the limitations of working through EE.

And so as not to sound too preachy, I also believe that the tipping point where a project is large enough that you should hire a consultant is also the tipping point where it becomes better for the business to do so. Yes, a consultant costs money. But so does spending time on EE reading answers, trying them, responding, the extended downtime WHILE that is happening, and the other projects on hold because of it. You could have hired someone, had the work done, and moved on by now, which, when considering the value of your time, would have been less expensive and less risk than what you were (and are) doing now.

At any rate, I clearly don't expect this to be the accepted answer. I offer this advice for the same reason I participate on EE. I believe technology, I.T., and business advice has a place and I enjoy contributing back to the community for the improvement of everyone. So take this or leave it as you see fit.

Thanks,

-Cliff
Actually I agree with cgaliher. I was a consultant myself, and being in front of the servers I could have probably already resolved the issue. The environment looks pretty messed up and there could be more than we can "see" on here.

I am doing my best to help, but the results may not be to your satisfaction, or come in a timely manner for your organization.
First of all I want to thank you for your help thus far.

I did not realize things were as screwed up as they are. This is a government (small town in central Massachusetts) and as is the case, budgets are extremely tight.

I was originally hired to help maintain their infrastructure, but that role has changed dramatically since then and we have had many issues along the way. I have managed to get thru them all until now.

I did not set up the existing environment here. It was done with a 3rd party years ago with SBS 2003. That company is no longer in business... I am sure that they had no idea about what to plan for as far as growth and infrastructure. Couple that with previous Town Managers who never really got the whole "importance of IT" aspect.

So I am kind of stuck here. I will begin to try to find some consultant if possible and hope that I can get $$ to pay for them. In the meantime, I will still need to ask "more specific" questions to try to resolve my issues. I am getting errors when running DCDIAG and will try to get answers to resolve them.

The results are listed below:
Doing primary tests

   Testing server: Default-First-Site-Name\SERVER04
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\SERVER01.townofware.local, when we were trying to reach SERVER04.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER04 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER04 passed test FrsEvent

 Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\SERVER04\netlogon)
    [SERVER04] An net use or LsaPolicy operation failed with error 67,
    The network name cannot be found..
    ......................... SERVER04 failed test NetLogons
 Starting test: ObjectsReplicated
    ......................... SERVER04 passed test ObjectsReplicated

      Starting test: Services
         ......................... SERVER04 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0002714
            Time Generated: 11/08/2011   13:52:17
            Event String:
            DCOM got error "1326" and was unable to logon .\McAfeeMVSUser in ord
er to run the server:
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 11/08/2011   14:10:02
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... SERVER04 failed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER04 passed test VerifyReferences


How many users do you have in your environment? How many mailboxes?
I am just wondering (based on all the errors above) if you're not better off starting with a fresh domain, and move everything over...
I have approx. 70 active users on the domain. Around 100 total mailboxes. Apart from the Town Hall, I have three separate locations that VPN into us (DPW, Fire and Senior Center). They authenticate to "townofware" and use Exchange. Our Police Dept uses Exchange via OWA, but does not log into the domain; they have a separate domain from the "townofware" domain. Eventually they will be connected to us.

Believe me... I would LOVE to start over. Then I know what is what and would not have to peel back the onion and expose more issues as I go... Having to deal with SBS has been a real pain. I found out that when SBS 2003 was installed, we had about 20 users and no connectivity between locations... they did not see / plan for any kind of growth or expansion.

I have the IT manager for the school system coming by later to see if we can work thru the errors above... His organization spans all the local schools and has hundreds of users. However, he does not have SBS to deal with, so his infrastructure is a lot cleaner...
Then my recommendation would be for you to work through all the errors you see on DCDiag, one at a time, when you have that clean, and Netdiag clean, then try again.

This may help:
http://technet.microsoft.com/en-us/library/cc776854%28WS.10%29.aspx

The good news is that when this is all done and clean you will have learned a lot! :-)
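A small helper for the "work through the dcdiag errors one at a time" approach, added here as an example that is not part of the original thread. It parses the fixed result lines dcdiag prints, and the sample input is constructed from the output the asker posted above.

```powershell
# Added example: turn dcdiag output into objects so failures can be listed
# per DC and per test instead of read out of a long console dump.
function ConvertFrom-DcDiag {
    param([string[]]$Lines)
    $results = @()
    foreach ($line in $Lines) {
        # Result lines look like: "......... SERVER04 failed test Advertising"
        if ($line -match '^\s*\.{5,}\s+(?<server>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            $results += New-Object PSObject -Property @{
                Server = $Matches.server
                Test   = $Matches.test
                Result = $Matches.result
            }
        }
    }
    return $results
}

# Live use: run dcdiag against each named DC and keep only the failures.
function Get-DcDiagFailures {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $output = & dcdiag.exe /s:$dc 2>&1 | ForEach-Object { "$_" }
        ConvertFrom-DcDiag -Lines $output | Where-Object { $_.Result -eq 'failed' }
    }
}

# Constructed sample taken from the thread's posted dcdiag output.
$sample = @'
      Starting test: Advertising
         ......................... SERVER04 failed test Advertising
      Starting test: FrsEvent
         ......................... SERVER04 passed test FrsEvent
 Starting test: NetLogons
    ......................... SERVER04 failed test NetLogons
      Starting test: Services
         ......................... SERVER04 passed test Services
'@ -split "`r?`n"

# Lists Advertising and NetLogons as failed for SERVER04.
ConvertFrom-DcDiag -Lines $sample | Where-Object { $_.Result -eq 'failed' } |
    Format-Table Server, Test, Result -AutoSize
```

In the posted output, Advertising and NetLogons both fail on SERVER04, which is consistent with its SYSVOL/NETLOGON shares not being available: a DC does not advertise itself for logons until SYSVOL is shared, which matches the observation that only SERVER01 was verifying logons.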
Thanx!

That is an understatement!

BTW Netdiag does not run on Server 2008
This was my first post on EE. I was not sure how the points / grading went, therefore I split the points between the two experts that helped me.