• Status: Solved

Replacing SBS 2003 with 2008 R2 Std Server

I am replacing an old SBS 2003 server with 2008 R2 server.

1.  New server joined to the domain and dcpromod
2.  AD shows up properly with all users and computer accounts on newserver
3.  DNS does not look replicated??   The forward zones for the local pcs are not there.
 
Ran dcdiag /q on new server here are the results please help!!? ;)

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.DAWSON15>dcdiag /q
         Warning: DsGetDcName returned information for
         \\server15.dawson15.local, when we were trying to reach DCSERVER.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DCSERVER failed test Advertising
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=dawson15,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=dawson15,DC=local
         ......................... DCSERVER failed test NCSecDesc
         Unable to connect to the NETLOGON share! (\\DCSERVER\netlogon)
         [DCSERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DCSERVER failed test NetLogons
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         ......................... dawson15.local failed test LocatorCheck
Asked by: j-teksolutions
 
j-teksolutionsAuthor Commented:
Update DCDIAG - got the time server issue resolved and I also see the forward zone now

However there are still issues

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.DAWSON15>net start w32time
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


C:\Users\Administrator.DAWSON15>net stop w32time && net start w32time
The Windows Time service is stopping...
The Windows Time service was stopped successfully.

The Windows Time service is starting.......
The Windows Time service was started successfully.


C:\Users\Administrator.DAWSON15>dcdiag /q
         Warning: DsGetDcName returned information for
         \\server15.dawson15.local, when we were trying to reach DCSERVER.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DCSERVER failed test Advertising
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=dawson15,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=dawson15,DC=local
         ......................... DCSERVER failed test NCSecDesc
         Unable to connect to the NETLOGON share! (\\DCSERVER\netlogon)
         [DCSERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DCSERVER failed test NetLogons
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
0
 
kmt333Commented:
Did you prepare the domain for 2008? http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm Also, there are additional steps to move from SBS 2003 to Windows Standard (non-SBS). Are you migrating to SBS 2008 or straight-up Windows?

KMT
0
 
Neil RussellTechnical Development LeadCommented:
Silly but have to ask type questions....

1) Both servers are ON yes?
2) IPCONFIG /ALL  compares correctly on both servers?
3) 2008 server you can PING dawson15.local correctly?
0
 
j-teksolutionsAuthor Commented:
adprep /forestprep and adprep /domainprep ran successfully on the old sbs server using of course the 2008 R2 adprep dir

No more SBS straight to 2008 R2 Standard OS as per header of this post
Thanks!

both servers on

Just rebooting the new server now; it's running 23 updates. Back in a sec.
0
 
j-teksolutionsAuthor Commented:
Guys just to mention the goal is to demote the sbs - take its IP to the new server and netdom rename the new server so all clients see this as the new domain controller GC ok
0
 
j-teksolutionsAuthor Commented:
UPDATE - made the new server a GC.  Transferred the 5 FSMO Roles
taking down SBS to see if client pcs logon using new dc....  then planning to DCPROMO /forceremoval on SBS
0
 
Sarang TinguriaSr EngineerCommented:
Do not force-remove unless your dcdiag /q is clear and you have NETLOGON and SYSVOL shared. Check replication before the forced removal using repadmin /showrepl and repadmin /replsum.
Make sure you remove the IP of the old DNS server from the client search order or DHCP server.

Remember to clean metadata after the forced removal.

Forceful removal of DC:
http://support.microsoft.com/kb/332199

Metadata cleanup:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

rename domain controller
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm
0
 
j-teksolutionsAuthor Commented:
Thanks Sarang. OK, problems on the reboot of the new server.
AD will not open now - FYI I did not dcpromo /forceremoval the old SBS.
I simply shut it down for a test.
It says the domain cannot be contacted now?
0
 
Sarang TinguriaSr EngineerCommented:
Is your new DC pointing to its own IP in the NIC's TCP/IP properties?
0
 
j-teksolutionsAuthor Commented:
for dns?   127.0.0.1 yes
So strange, it worked perfectly until a reboot.
It was fsmo role holder and the GC
Should I dcdiag /q post?
0
 
Sarang TinguriaSr EngineerCommented:
remove loopback and add IP of new DC
post dcdiag /q
Make sure you do not have any event ID 13568 in the File Replication Service log on either the old or the new DC.
0
 
j-teksolutionsAuthor Commented:
ok will do...FYI I put the actual IP
I ran metadata cleanup process to remove the old sbs
I confirmed via ADSIEDIT that only the new DC is there, OK.
Removed any dns entry that pointed to the old sbs all the way through DNS
AD opens!!
NOW!  I am going to reboot the new DC.  I will believe it when I see it on the reboot,   my bet is AD / DNS breaks again.   Will post DC Diag /q after the reboot sarang thanks so much man will update in a min or 2
0
 
j-teksolutionsAuthor Commented:
Big delay on applying computer settings which usually means more fixing=( will post dcdiag
0
 
j-teksolutionsAuthor Commented:
HERE WE GO:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.DAWSON15>dcdiag /q
         Fatal Error:DsGetDcName (DCSERVER) call failed, error 1355
         The Locator could not find the server.
         ......................... DCSERVER failed test Advertising
         An error event occurred.  EventID: 0xC0000466
            Time Generated: 09/19/2012   15:34:50
            Event String:
            Active Directory Domain Services was unable to establish a connectio
n with the global catalog.
         ......................... DCSERVER failed test KccEvent
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=dawson15,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=dawson15,DC=local
         ......................... DCSERVER failed test NCSecDesc
         Unable to connect to the NETLOGON share! (\\DCSERVER\netlogon)
         [DCSERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DCSERVER failed test NetLogons
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:39:05
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:39:20
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:39:35
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:39:50
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:40:05
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:40:20
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:40:35
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:40:50
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:41:05
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:41:20
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 09/19/2012   15:41:35
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0x00000469
            Time Generated: 09/19/2012   15:43:13
            Event String:
            The processing of Group Policy failed because of lack of network con
nectivity to a domain controller. This may be a transient condition. A success m
essage would be generated once the machine gets connected to the domain controll
er and Group Policy has succesfully processed. If you do not see a success messa
ge for several hours, then contact your administrator.
         An error event occurred.  EventID: 0x00000469
            Time Generated: 09/19/2012   15:43:23
            Event String:
            The processing of Group Policy failed because of lack of network con
nectivity to a domain controller. This may be a transient condition. A success m
essage would be generated once the machine gets connected to the domain controll
er and Group Policy has succesfully processed. If you do not see a success messa
ge for several hours, then contact your administrator.
         ......................... DCSERVER failed test SystemLog
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
0
 
Sarang TinguriaSr EngineerCommented:
You shouldn't have run metadata cleanup as the new dc is not healthy yet...
0
 
Sarang TinguriaSr EngineerCommented:
netdom query fsmo 
netdom query dc
dcdiag /test:dns
ipconfig /all

attach output here
0
 
j-teksolutionsAuthor Commented:
Oops. Makes sense. AD was open though? Everything looked great, all users, computers etc. The SBS has been off for 2 hrs now.
I think this is DNS related and possibly other issues?
FYI - I took a partition image prior to transferring FSMO and metadata cleanup as a fallback =)
You think I need to roll back or? Still don't see why AD was working before that reboot with SBS not being on for so long.
0
 
j-teksolutionsAuthor Commented:
IPCONFIG ALL

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.DAWSON15>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dcserver
   Primary Dns Suffix  . . . . . . . : dawson15.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : dawson15.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
on
   Physical Address. . . . . . . . . : 44-37-E6-94-F7-62
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.15.30(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.15.1
   DNS Servers . . . . . . . . . . . : 192.168.15.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator.DAWSON15>
0
 
j-teksolutionsAuthor Commented:
DCDIAG TEST:DNS


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.DAWSON15>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dcserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DCSERVER
      Starting test: Connectivity
         ......................... DCSERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DCSERVER

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DCSERVER passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : dawson15

   Running enterprise tests on : dawson15.local
      Starting test: DNS
         ......................... dawson15.local passed test DNS

C:\Users\Administrator.DAWSON15>
0
 
j-teksolutionsAuthor Commented:
The 2 NETDOM commands require being connected to the domain? Can't run them yet.
0
 
j-teksolutionsAuthor Commented:
For the sake of time I will have to abort soon - I cannot stay much longer at the clients and may need to rebuild the domain and re attach all clients to the new domain =(  Let me know if I should wait I really appreciate your help sarang
0
 
Sarang TinguriaSr EngineerCommented:
That's fine if you can do the manual job ... and there are fewer users and computers.

Now start with 2008 only
0
 
j-teksolutionsAuthor Commented:
I have done this with STD servers there is something with SBS that makes the difference=(
0
 
Sarang TinguriaSr EngineerCommented:
If Standard is a dog, then SBS is a rhinoceros of issues.
Totally different, and it has vanished in the 2012 Windows versions.
0
 
j-teksolutionsAuthor Commented:
Thank god I hate SBS always have-
0
 
Sarang TinguriaSr EngineerCommented:
But you will be facing Windows Server 2012 Essentials--:)
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
This was probably pretty simple.  And common in my experience.

You Said:
I ran metadata cleanup process to remove the old sbs

WHY!??!?!  This was pointless and now you cannot turn the old server back on on the network without possibly creating problems

Frankly, I would start over; it should be far faster than trying to troubleshoot this, since I'm not convinced your AD has even fully replicated at this point.

Blow away the new server.

Then power up the SBS box.  Use the instructions in http://www.petri.co.il/delete_failed_dcs_from_ad.htm as mentioned earlier to remove the NEW DC from the SBS system.

Once you're back to where you started you need not run ADPREP again - that's been done.

First, run DCDIAG /C /E /V on the SBS server.  Check the health of AD BEFORE you start adding things otherwise you're just replicating problems which is counterproductive.

Solve those issues.

Once nothing unexpected appears in DCDIAG /C /E /V on the SBS box, THEN add the new server and make it a DC.

Once it's a DC, VERIFY replication is working.  Go to lunch to ensure it has time (it should be near instant, but I like giving it time to ENSURE it's all replicated).

After you've given it time, run DCDIAG /C /E /V on BOTH servers and verify nothing unexpected fails.

*** ONE COMMON FAILURE I'VE SEEN - and I suspect this is what happened the first time you did it - is that FRS fails to replicate the NetLogon share and Sysvol shares.  A check of their existence should tell you - and compare them to the SBS server.  If they aren't there, then you need to reset them using the BurFlags entry in the registry.  More information on this here: http://support.microsoft.com/kb/315457

Once the NetLogon shares match up, you can test that things are working properly by shutting down the SBS server.  DO NOT - repeat, ***** DO NOT ***** seize roles, use ADSI Edit to "clean up" anything, or otherwise force anything to happen on the new server.  If it's setup properly, it will work.  If it's not, you'll have problems.  FSMO roles can be offline (ESPECIALLY in a small network) for WEEKS without anything in the domain noticing (actual time depends on tombstone time (default 60 days) and how often things in the network change).  Log on to machines on the network and ENSURE they are authenticating and NOT using cached credentials.  Do this by logging in as a user who has NEVER logged in to that PC.  If authentication is working properly, then they will authenticate otherwise, you'll get a message that the user cannot log on (or you might get a message that there are no logon servers available).

Once you have confirmed everything is working with AD, you can finish your migration and complete the NORMAL demotion of the SBS server by FIRST uninstalling Exchange (even if it wasn't used) and then by running DCPROMO on the SBS server to PROPERLY demote the SBS server.

(I hated SBS too... then I LEARNED it.  Turns out, it's a FANTASTIC system if you UNDERSTAND what they did and keep in mind its target audience, according to MS.  I came from an Enterprise environment into consulting to small businesses and it definitely was an adjustment... but once I learned it, I loved it.  In some ways, you need not worry about it since the product as it has existed is going away... but that doesn't mean the replacements won't be used and need to be understood to be properly supported).
0
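
The check Sarang Tinguria and Lee W both ask for before the old DC is retired (a clean `dcdiag /q`, with SYSVOL and NETLOGON shared on the new DC), as an added PowerShell example that is not part of any post in this thread. The function names are hypothetical; the dcdiag lines are copied from the asker's first output, and the `net share` listing is constructed.

```powershell
# Added example. Function names are hypothetical, not from the thread.

function Get-DcdiagFailure {
    param([string[]]$Lines)
    # dcdiag /q prints one summary line per failed test, e.g.
    #   "......................... DCSERVER failed test Advertising"
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.{5,}\s+(\S+)\s+failed test\s+(\S+)\s*$') {
            New-Object PSObject -Property @{ Target = $Matches[1]; Test = $Matches[2] }
        }
    }
}

function Get-MissingDcShare {
    param([string[]]$NetShareLines)
    # Collect the share names from the first column of "net share" output.
    $present = @()
    foreach ($line in $NetShareLines) {
        if ($line -match '^(\S+)\s') { $present += $Matches[1].ToUpper() }
    }
    # Return whichever of the two DC shares is absent.
    'SYSVOL', 'NETLOGON' | Where-Object { $present -notcontains $_ }
}

function Test-ReadyToRetireOldDc {
    param([string[]]$DcdiagLines, [string[]]$NetShareLines)
    $failed  = @(Get-DcdiagFailure -Lines $DcdiagLines)
    $missing = @(Get-MissingDcShare -NetShareLines $NetShareLines)
    New-Object PSObject -Property @{
        Ready         = (($failed.Count -eq 0) -and ($missing.Count -eq 0))
        FailedTests   = @($failed | ForEach-Object { '{0}: {1}' -f $_.Target, $_.Test })
        MissingShares = $missing
    }
}

# dcdiag /q lines copied from the first output posted in the thread.
$dcdiagSample = @'
         ......................... DCSERVER failed test Advertising
         ......................... DCSERVER failed test NCSecDesc
         Unable to connect to the NETLOGON share! (\\DCSERVER\netlogon)
         ......................... DCSERVER failed test NetLogons
         ......................... dawson15.local failed test LocatorCheck
'@ -split "`r?`n"

# Constructed "net share" listing for a DC where SYSVOL and NETLOGON are not shared.
$netShareSample = @'
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully.
'@ -split "`r?`n"

$result = Test-ReadyToRetireOldDc -DcdiagLines $dcdiagSample -NetShareLines $netShareSample
$result | Format-List Ready, FailedTests, MissingShares

# On a live DC, feed it the real command output instead:
#   Test-ReadyToRetireOldDc -DcdiagLines (dcdiag /q) -NetShareLines (net share)
```

Any failed test or missing share yields `Ready = False`, the state in which the posts above say not to shut down, force-remove, or clean up the old DC.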
 
j-teksolutionsAuthor Commented:
Very thorough thanks so much.  For the sake of time I had to rebuild the domain and join all the clients again.  I will keep this as a guide for sure!
0
