• Status: Solved

FSMO from W2003 to W2008 R2

I have transferred (with some of your help) FSMO from Windows Server 2003 to Windows Server 2008 R2.

The status of my domain is as follows:

From: Start/Administrative Tools/Active Directory Users and Computers

DC1 (Windows 2003)

[ ] Active Directory Users and Computers
   [+] Saved Queries
   [-] domain.ds
       [+] Builtin
       [-] Computers
               Computer 1
               Computer 2
               Computer n
       [-] Domain Controllers
               DC1 (W2003)
               DC2 (W2008R2)
       [+] ForeignSecurityPrincipals
       [+] Managed Service Accounts
       [-] Users
               User 1
               User 2
               User n

DC2 (Windows 2008R2)

[ ] Active Directory Users and Computers
   [+] Saved Queries
   [-] domain.ds
       [+] Builtin
       [-] Computers
               <<EMPTY>>
       [-] Domain Controllers
               <<EMPTY>>
       [+] ForeignSecurityPrincipals
       [+] Managed Service Accounts
       [-] Users
               User 1
               User 2
               User n

Because I would like to bring down DC1, I was expecting to see all “Computers” and “Domain Controllers” folders on DC2 reflecting the “image” of DC1.

Please guide me on how to proceed with this and also which other considerations shall I take in order to accomplish this task.

Many thanks

Duke001
0
 
Miguel Angel Perez Muñoz Commented:
Is replication working fine? The content on both DCs must be the same, because there is continuous replication. How much time has passed since the promotion of DC2?
0
 
Duke001 Author Commented:
Between 3 and 4 months, as I have been told.
0
 
Duke001 Author Commented:
Does this information help?

Thanks


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/09/2012 06:35:28
Event ID:      2087
Task Category: DS RPC Client
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC2.company.ds
Description:
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
------------------------------------------------------------------------------------------------------------------------------------------
0
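The Event 2087 failure quoted above comes down to one domain controller being unable to resolve another's name. As an added example (not part of the original thread), the PowerShell below lists every DC in the domain and tests whether the local server can resolve both its host name and its GUID-based alias under `_msdcs`. The function name `Test-ReplicationPartnerDns` is hypothetical; the code assumes it is run on the Windows Server 2008 R2 DC with the ActiveDirectory module available.

```powershell
# Added example, not from the thread. Run on the DC that logged Event 2087 (DC2 here).
# Assumes the ActiveDirectory module (Windows Server 2008 R2) and PowerShell 2.0 syntax.
Import-Module ActiveDirectory

function Test-ReplicationPartnerDns {
    param(
        # Forest root DNS name; the _msdcs zone lives under it.
        [string]$ForestRoot = (Get-ADForest).RootDomain
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        # GUID-based alias: <objectGUID of the DC's NTDS Settings object>._msdcs.<forest root>
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $candidates = @(
            @{ Kind = 'GUID CNAME'; Name = ('{0}._msdcs.{1}' -f $dsaGuid, $ForestRoot) },
            @{ Kind = 'Host name';  Name = $dc.HostName }
        )

        foreach ($c in $candidates) {
            $addresses = @()
            $failure   = $null
            try {
                # Uses this server's own resolver settings, which is what matters
                # for the DC that raised the event.
                $addresses = @([System.Net.Dns]::GetHostAddresses($c.Name) |
                    ForEach-Object { $_.IPAddressToString })
            } catch {
                $failure = $_.Exception.Message
            }

            New-Object PSObject -Property @{
                DomainController = $dc.Name
                Kind             = $c.Kind
                QueriedName      = $c.Name
                Addresses        = ($addresses -join ', ')
                Resolved         = ($addresses.Count -gt 0)
                Error            = $failure
            }
        }
    }
}

# Show only the names this server cannot resolve.
Test-ReplicationPartnerDns | Where-Object { -not $_.Resolved } |
    Format-Table DomainController, Kind, QueriedName, Error -AutoSize
```

An empty table means every DC name resolved from this server; any row points at a missing record or at a DNS client setting on this server that does not reach the zone hosting `_msdcs`.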

 
Miguel Angel Perez Muñoz Commented:
Take a look at this article: http://technet.microsoft.com/en-us/library/cc755349(WS.10).aspx
I think the initial replication is not complete because the DC accounts have not replicated to both DCs.
0
 
Duke001 Author Commented:
I should have said that I am a relative "novice" on the subject of AD and I would appreciate it if you could help me solve this taking that into consideration. Many thanks.

After running dcdiag /test:replications

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC2
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   
   Testing server: MyCompany\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests
   
   Testing server: MyCompany\DC2
      Starting test: Replications
         [Replications Check,DC2] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Replication access was denied."

         ......................... DC2 failed test Replications
   
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : milkyway
   Running enterprise tests on : milkyway.ds
0
 
Dale Harris Professional Services Engineer Commented:
Have you tried to demote and re-promote your DC2 so it syncs up with 1?

http://technet.microsoft.com/en-us/library/cc732887(v=ws.10).aspx
0
 
Duke001 Author Commented:
I was about to ask you how dangerous it is to proceed with this (demote and promote), but before that I would like to say that I have noticed that from the DC2 / Server Manager / Roles / Active Directory Domain Services tree I can see both containers, Computers and Domain Controllers, populated with computers and DC1/DC2 respectively. Do you have thoughts about this?
Thanks
0
 
Dale Harris Professional Services Engineer Commented:
If DC2 is not getting the info from DC1 and you don't think any data will be lost, I think you should do a demote/re-promo. When you ran the promo in the first place, you should've seen it do its thing where it writes and syncs every single item from DC1.

If you're hesitant to do the demotion, you might want to look into the replication issue:
http://support.microsoft.com/kb/824449
0
 
Duke001 Author Commented:
This is a scenario that I've been passed, and because I am a "novice" on the subject I am very nervous about risking doing something irreversible such as the "data lost" mentioned.

I do appreciate your help, but let me underline the fact that I need some kind of "step-by-step" guidance, otherwise I think it is too risky for me.

In order to save your time please let me know if you are able to deliver this kind of help.

Many thanks
0
 
Miguel Angel Perez Muñoz Commented:
Don't worry. On DC2, use the command dcpromo /forceremoval to remove all DC functions from DC2. Then clean up the Active Directory metadata (http://support.microsoft.com/kb/216498) and re-run dcpromo to install the DC function on DC2.
0
 
Duke001 Author Commented:
Hi Drashiel

Before I take your advice I would like to let you know about the following information I have found.

All FSMO in DC2

    Schema Master
    Domain Naming Master
    Infrastructure Master
    Relative ID (RID) Master
    Primary Domain Controller (PDC) Emulator

Does this change anything that was said?

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
Try to transfer these roles to DC1. If you cannot do this, you must seize these roles on DC1: http://support.microsoft.com/kb/255504
0
 
Duke001 Author Commented:
Drashiel,

From the article sent I am inclined to try the "transfer" but before doing this please advise me based on the following information:

1) DC1 - Windows Server 2003 SP2
    DC2 - Windows Server 2008 R2 SP1

2) If the "transfer" process runs successfully do I need to restart the server(s)?

3) Where should the commands be run from, DC1 or DC2?

I apologize for being so cautious but I have to beware of all possibilities.

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
Try the transfer; FSMO roles do not depend on the OS installed, and no reboot is required when you transfer from DC2 to DC1.
Do this:

- Try to transfer the roles. If you can, check using ntdsutil that the transfer is correct. Run dcpromo /forceremoval on DC2.
- If you cannot transfer the roles successfully, run dcpromo /forceremoval on DC2.

- Clean the metadata (this must be done on DC1).
- Seize the FSMO roles on DC1 if you cannot transfer them (skip this if you can transfer the FSMO roles successfully).
- Recreate DC2 using the dcpromo command.
0
 
Miguel Angel Perez Muñoz Commented:
One last thing: roles can be transferred from any DC. You can run those commands on DC1 or DC2, but I suggest you run them on DC1.
0
 
Duke001 Author Commented:
OK, thanks.
I am going to proceed with this and keep you informed.
0
 
Dale Harris Professional Services Engineer Commented:
I want to add that if you do Seize the roles from DC2, you'll need to make sure you are aware of the risks:

http://serverfault.com/questions/317080/why-after-i-seize-a-fsmo-role-i-cant-transfer-it-back-to-its-original-dc

DH
0
 
Duke001 Author Commented:
Hi,
thanks both.

Here is my progress:

Using ntdsutil I managed to transfer all 5 roles from DC2 into DC1

I have checked with "netdom query fsmo" and everything seems to be fine.
Shall my next move be:
- Run dcpromo /forceremoval on DC2?
0
 
Dale Harris Professional Services Engineer Commented:
Yes.
0
 
Duke001 Author Commented:
Ok, thanks. Because this requires a server's reboot I will do it later after office time (17:00 BST) and I will keep you informed.

Do you have any advice about parameters that I will be asked to select during the procedure? I have read the article and there are several decisions to make which makes me very nervous about choosing the wrong ones.

I am appealing to your patience as this is something that I am doing for the first time.

Many thanks.
0
 
Miguel Angel Perez Muñoz Commented:
Could you tell us about these decisions? Define your trouble and we will answer. Make a full backup of your DC1 beforehand.
0
 
Duke001 Author Commented:
From the wizard "Backup or Restore" I can see:

[ ] Local C:
[ ] Local D:
[ ] Local E:
[ ] System State

Do you mean "System State" backup or shall I backup C: as well?

PS: I have daily backup of D: and E:
0
 
Miguel Angel Perez Muñoz Commented:
I suggest you make a full backup, but C: and System State are enough.
0
 
Duke001 Author Commented:
Backup done: Backup_System_State_01.bkf

I have noticed that on the DC2 the role DNS is not installed. Shall I install it?
0
 
Miguel Angel Perez Muñoz Commented:
Are you reinstalling the DC function on DC2, or are you removing the DC function on DC2?
0
 
Duke001 Author Commented:
As you have suggested I am going to do:

- Run dcpromo /forceremoval on DC2
0
 
Miguel Angel Perez Muñoz Commented:
The DNS function is not required at this point, but it is advisable to install it when you run dcpromo again to promote the server as a DC. That way, you have DNS redundancy.
0
 
Duke001 Author Commented:
Another important point for me is this:
- Will you be able to help me as I am going through the process after 17:00 BST, just in case I need assistance?

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
Sorry, but I cannot help you until the next day at 9:00 AM GMT+1 :(
0
 
Duke001 Author Commented:
Ok in that case I prefer to wait for tomorrow. Thanks anyway.
0
 
Sarang Tinguria Sr Engineer Commented:
Make sure to run adprep on a Windows 2003 64-bit domain controller or adprep32 on a Windows 2003 32-bit domain controller, as you will be installing Windows 2008 and you will need to upgrade the schema of the existing 2003 DC.
0
 
Miguel Angel Perez Muñoz Commented:
Probably adprep is not needed because there was a 2008 R2 DC on domain.
0
 
Duke001 Author Commented:
Good morning all,

Thanks for your advice. As you understand, before I embark on this procedure I would like to be sure that things are going to be fine, so here is the actual status:

DC1 - Windows Server 2003 SP2
DC2 - Windows Server 2008 R2 SP1

1) Transferred (using ntdsutil) the 5 roles from DC2 into DC1
2) Checked  using "netdom query fsmo" and all 5 roles were in DC1
3) Backup of DC1 --> C: partition + System_State resulting in Backup_System_State_01.bkf

I am thinking about making the next move around 12:30 (BST), for which I would like to hear from you if you have more considerations.

- Run dcpromo /forceremoval on DC2 (Next move)

Many thanks
0
 
Miguel Angel Perez Muñoz Commented:
Duke001, one question: did you do the DC2 promotion in the past, or was it done by another person?
0
 
Duke001 Author Commented:
I'm sorry, I don't know, as I started here a couple of weeks ago.
Is there any test I can run?
0
 
Miguel Angel Perez Muñoz Commented:
Don't worry, run dcpromo on the W2008R2 machine and good luck.
0
 
Duke001 Author Commented:
Do you mean dcpromo /forceremoval on DC2?
0
 
Miguel Angel Perez Muñoz Commented:
Sorry, I understood dcpromo /forceremoval was done yesterday. Run dcpromo /forceremoval to erase the DC function on DC2 and raise it as a server. Then run dcpromo "only" to promote it as a DC.
0
 
Duke001 Author Commented:
Ok. thanks.
0
 
Duke001 Author Commented:
Good morning!

Because I was away from the office, I've just tried to carry on with dcpromo /forceremoval today on DC2 and I got a message (see attached file). Please advise.
Thanks
dcpromo-forceremoval.jpg
0
 
Miguel Angel Perez Muñoz Commented:
This is a normal warning. Ensure DC1 is a global catalog (if DC1 was the first DC, it must be a GC) and continue with the procedure.
0
 
Sarang Tinguria Sr Engineer Commented:
After the forced removal, perform the step below:

Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
Duke001 Author Commented:
Hi experts,

Finally I managed to come back to this, running dcpromo /forceremoval on DC2

Below is the message from when the wizard finished
-------------------------------------------------------------------------------------------------------------------
Active Directory Domain Services was removed from this computer.

Active Directory Domain Services (AD DS) binaries will remain installed after demotion of this domain controller. To uninstall the AD DS binaries, use Server Manager to remove the AD DS role.
--------------------------------------------------------------------------------------------------------------------------

Shall I do anything on DC2 before rebooting it?

Thanks
0
 
Duke001 Author Commented:
I need help because after running dcpromo /forceremoval on DC2 I can't log in on DC2
What shall I do?
thanks
0
 
Sarang Tinguria Sr Engineer Commented:
What is the error you are getting? During the forceremoval wizard, it asks you to set the local administrator password. Have you tried that password?
0
 
Duke001 Author Commented:
I managed to log in and now when trying to join the domain I get a message:
Account already exists
0
 
Duke001 Author Commented:
I am trying to clean the metadata but I get the following error:

>ntdsutil
ntdsutil:  metadata cleanup
metadata cleanup: connections
server connections:
connect to server DC1

DsBindWithSpnExW error 0x5 <Access is denied>

Please help

I need to join this server to the domain urgently.

Many thanks
0
 
Miguel Angel Perez Muñoz Commented:
Are you using administrator account to do this?
0
 
Duke001 Author Commented:
Hi experts,

I have managed to do the job over the weekend.
I must confess that I went through a very nervous time, but the most important thing is that I got the job done.
Before I assign the points, here is the last challenge, which consists of removing the server DC1 (W2003) from the domain and keeping DC2 (W2008R2) as the only DC.
Please mention all the concerns that I must consider in order to do this.

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
What DC is running now?
0
 
Duke001 Author Commented:
Both;
DC1 - Windows Server 2003 SP2 (FSMO - 5 Roles)
DC2 - Windows Server 2008 R2 SP1
0
 
Miguel Angel Perez Muñoz Commented:
Both? Did you run dcpromo again to promote DC2? What will be your future scenario? One or both DCs?
0
 
Sarang Tinguria Sr Engineer Commented:
Transfer the roles to DC2
Configure time service on new PDC role holder
Make sure you remove the entries of OLD DC from client DNS search order
New DC should be GC
Replication should be completed and working before demotion
0
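The checklist in the comment above can be verified from the DC that will stay before the old one is demoted. The PowerShell below is an added example, not code from the thread: it checks that all five FSMO roles are on the remaining DC, that it is a global catalog, and that `repadmin` reports no replication failures, and it reports the current time source. The function name `Test-DecommissionReadiness` and its parameter are hypothetical; client DNS settings still have to be checked separately.

```powershell
# Added example, not from the thread. Run elevated on the DC that will remain.
# Assumes the ActiveDirectory module, repadmin and w32tm (all present on a 2008 R2 DC).
Import-Module ActiveDirectory

function Test-DecommissionReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RemainingDc    # DC that stays, e.g. 'DC2' in the thread
    )

    $dc     = Get-ADDomainController -Identity $RemainingDc
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # 1) All five FSMO roles must already be on the remaining DC.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $misplaced = @($roles.GetEnumerator() |
        Where-Object { $_.Value -ne $dc.HostName } |
        ForEach-Object { '{0} held by {1}' -f $_.Key, $_.Value })

    # 2) Replication must be clean. repadmin's CSV marks healthy rows 'showrepl_INFO';
    #    any other marker, or a non-zero failure count, is treated as a problem.
    $replProblems = @(repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object {
        ($_.showrepl_COLUMNS -ne 'showrepl_INFO') -or
        ([int]$_.'Number of Failures' -gt 0)
    })

    # 3) Time source of this server (informational): once it holds the PDC emulator
    #    role it should point at an external source, not the local clock.
    $timeSource = (w32tm /query /source | Out-String).Trim()

    New-Object PSObject -Property @{
        RemainingDc         = $dc.HostName
        MisplacedRoles      = $misplaced
        IsGlobalCatalog     = $dc.IsGlobalCatalog
        ReplicationProblems = $replProblems
        TimeSource          = $timeSource
        Ready               = ($misplaced.Count -eq 0) -and
                              $dc.IsGlobalCatalog -and
                              ($replProblems.Count -eq 0)
    }
}

# 'DC2' is the server name used in the thread.
Test-DecommissionReadiness -RemainingDc 'DC2' | Format-List
```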
 
Duke001 Author Commented:
Drashiel:
1) Yes, I did dcpromo on DC2
2) Scenario: both DC1 and DC2 are DC and 5 roles (FSMO) in DC1

sarang_tinguria:
1) You: Transfer the roles to DC2
    Me: I can do this with no problem
2) You: Configure time service on new PDC Role holder
    Me: I'm not sure how to do this - please help
    I thought that the concept of PDC no longer existed
3) You: Make sure you remove the entries of OLD DC from client DNS search order
New DC should be GC
    Me: Would you explain this in detail as I am not sure how to proceed?

Thanks
0
 
Sarang Tinguria Sr Engineer Commented:
To configure time, use the commands below in order:
W32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
W32tm /resync /rediscover
net stop w32time & net start w32time

You are about to remove the old DC, which was obviously a DNS server. Clients were using the IP of that old DNS server in their TCP/IP properties, so just replace that IP with your new DNS/DC server IP.
0
 
Miguel Angel Perez Muñoz Commented:
How to create a global catalog: http://support.microsoft.com/kb/313994
0
 
Duke001 Author Commented:
Hi experts,

I will be away from the office until Friday, when I intend to proceed with your advice, and I will keep you informed about the progress.

Many thanks
0
 
Duke001 Author Commented:
Hi experts!
I've just come back to the office and I would like to finish this (old) task and finally assign the points to you.

Summarizing:

Actual configuration

1) DC1 - Windows Server 2003 SP2
    DC2 - Windows Server 2008 R2 SP1

c:\> netdom query fsmo

    Schema Master                 DC1.domain.ds
    Domain Naming Master    DC1.domain.ds
    Infrastructure Master       DC1.domain.ds
    Relative ID (RID) Master   DC1.domain.ds
    Primary Domain Controller (PDC) Emulator  DC1.domain.ds

c:\> netdom query DC

     DC1
     DC2

From DC2 Active Directory Users and Computers
 - Users - all users from DC1
 - Computers - empty
 - Domain Controllers - empty

Should I see a list of domains and computers as I see from DC1?

Also I've noticed that the Global Catalog box is ticked on both DC1 and DC2

Please advise

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
Yes, you must see the same content on DC1 or DC2. Remove Active Directory on DC2 and run dcpromo to reinstall Active Directory again.
0
 
Duke001 Author Commented:
I have done last week what you have suggested and did see from DC2 the list of

 - Computers
 - Domain Controllers

filled with the same content as in DC1 and  today when I opened "Active directory Users and computers" from DC2 I saw the empty list.

I've just opened from DC2  "Active Directory Domain and Trusts" and what I can see is the following:

domain.ds - empty

Should this be populated already with a trust?

Thanks
0
 
Miguel Angel Perez Muñoz Commented:
Is it possible the schema is not ready for 2008 R2? The first time 2008 R2 was added, did you run adprep?
0
 
Duke001 Author Commented:
Run adprep from where, DC1 or DC2?

Also, you wrote the following comment before:
"Probably adprep is not needed because there was a 2008 R2 DC on domain."
0
 
Miguel Angel Perez Muñoz Commented:
On DC1.
Yes, I said this, but you have run dcpromo two times and both times the server did not replicate as required.
0
 
Duke001 Author Commented:
OK.
So, from DC1, where the 5 roles are, I must run adprep. Is that correct?
Do I need to use any parameter with adprep?
0
 
Sarang Tinguria Sr Engineer Commented:
Yes
0
 
Duke001 Author Commented:
I have read this at http://technet.microsoft.com/en-us/library/dd464018%28v=ws.10%29.aspx#BKMK_VerifyForestPrep

<<Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 operating system disk. It is not necessary to run the version from Windows Server 2008 because the version in Windows Server 2008 R2 includes all the changes from previous versions.>>

So, if I understood correctly the article above I should run "adprep" from the windows 2008R2 DVD on DC1.
Do you agree?
0
 
Duke001 Author Commented:
I have tried to run Adprep32.exe on DC1 (Windows 2003 SP2 - 32-bit) and received a message: "f:\support\adprep\adprep32.exe is not a valid Win32 Application."

I don't understand this. Please help
0
 
Sarang Tinguria Sr Engineer Commented:
Are you sure your DC1 is the 32-bit version, or that you are using the correct exe?
0
 
Duke001 Author Commented:
Hi experts!
Yes, I'm 100% sure that my DC1 is the 32-bit version.
I have solved the problem by downloading a new Windows 2008R2 OS from MS, and adprep32.exe worked fine.

Now, in order to finish this "saga", I am going to do the following, for which I would appreciate your advice.

1) Transfer the 5 roles (FSMO) from DC1 to DC2
2) I have noticed that both DC1 and DC2 have the Global Catalog box ticked.
Since I intend to bring down DC1 in the near future, shall I clear the GC tick box on DC1?
3) Is there anything else which I might consider in order to make DC2 the main DC?
4) Last but not least, can I carry out these procedures while people are connected?

Many thanks
0
 
Sarang Tinguria Sr Engineer Commented:
1) Transfer the 5 roles (FSMO) from DC1 to DC2
http://www.petri.co.il/transferring_fsmo_roles.htm

2) I have noticed that both DC1 and DC2 have the Global Catalog box ticked.
Not required
3) Is there anything else which I might consider in order to make DC2 the main DC?
Configure time service using my comment ID: 38429559 above
4) Last but not least, can I carry out these procedures while people are connected?
Yes, you can, but it's not recommended to perform such activities during business hours
0
 
Duke001 Author Commented:
Ok.
I am going to do this, outside of the office-time then if things run well I will assign the points to you all.

In the meantime thanks for your support.
0
 
Duke001 Author Commented:
Hi All,

I would like to apologize for the delay, but a lot of things happened here as we are preparing the "office move".

I have managed to finish the task and I would like to thank you all for being so patient and helpful.

Thanks
0
 
Sarang Tinguria Sr Engineer Commented:
Good to hear that you accomplished what you were looking for :-)
0
