imij11
asked on
Server 2003 to Server 2012 migration gone bad
OK here goes. I will try to explain what has transpired and see if I can climb out of the hole I have dug myself into. I was assigned the task of migrating our current SBS 2003 server to a new Server 2012 DC. The environment is pretty simple: 1 SBS 2003 server acting as the PDC for the environment. It used to control MS Exchange but we moved that to the cloud about a year ago and now it acts simply as the PDC and file server.
Over the weekend I introduced a new Server 2012 box into the environment and attached it to the domain. Here's what happened.
* From the SBS 2003 server I went into AD Domains and Trusts and raised the domain functional level to 2003.
* I then added the AD Domain Services role on the Server 2012 box and everything went smoothly.
* I went into Active Directory Users and Computers on the 2012 server and changed the RID, PDC, and Infrastructure operations master to the new 2012 server.
* I changed the Domain Naming and Schema operations master to the 2012 server as well through the MMC snap-in.
At this point everything seemed to be working just fine. I ran netdom query fsmo and it was showing the 2012 server as the owner of all the roles. I then went to create a new group policy and I realized I could not. It appeared that the ntfrs wasn't replicating to the new server. I researched a few TechNet articles and decided to do a non-authoritative sysvol restore by editing the burflags to D2 in the registry (http://support.microsoft.com/kb/290762). Here's where the real problems began.
After restarting the ntfrs service I started having login problems from workstations. I was also having trouble communicating between the 2 servers. I decided to transfer the operations master roles back to the SBS 2003 server to see if that would correct some of the issues. I was able to do this from the Active Directory snap-ins on the 2012 server. I did a netdom query and verified that the roles had been transferred back to the 2003 server. I then rebooted both DCs and when they came back up I tried to go into Users and Computers on the 2012 server and I got an error "you cannot modify domain or trust information because a primary domain controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator and the network are both online and functioning properly." I realized that I could no longer access any Active Directory snap-ins on the 2012 server.
I went to the SBS 2003 DC and queried the fsmo and it returned "the specified domain either does not exist or could not be contacted." I then tried to open the AD domains and trusts and received an error that it could not connect to the domain. I opened DNS and the pointers looked ok so I queried fsmo again and it returned all 5 roles with the SBS 2003 server name. I went back to the 2012 server and tried to access the AD and I still received an error that it couldn't find the domain. I went back to the SBS 2003 and queried fsmo again and this time it could not connect.
I am now in a loop where the fsmo roles appear to be available only on the SBS 2003 server and for about 10 minutes at a time. I'm guessing it's some kind of replication problem with sysvol / netlogon but I'm not really sure what to do from here. I will post a copy of dcdiag and netdiag below. I welcome any help you can give.
DC Diag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\BGBSERVR
Starting test: Connectivity
......................... BGBSERVR passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\BGBSERVR
Starting test: Replications
......................... BGBSERVR passed test Replications
Starting test: NCSecDesc
......................... BGBSERVR passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\BGBSERVR\netlogon)
[BGBSERVR] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... BGBSERVR failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (BGBSERVR) call failed, error 1355
The Locator could not find the server.
......................... BGBSERVR failed test Advertising
Starting test: KnowsOfRoleHolders
......................... BGBSERVR passed test KnowsOfRoleHolders
Starting test: RidManager
......................... BGBSERVR passed test RidManager
Starting test: MachineAccount
......................... BGBSERVR passed test MachineAccount
Starting test: Services
......................... BGBSERVR passed test Services
Starting test: ObjectsReplicated
......................... BGBSERVR passed test ObjectsReplicated
Starting test: frssysvol
......................... BGBSERVR passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... BGBSERVR failed test frsevent
Starting test: kccevent
......................... BGBSERVR passed test kccevent
Starting test: systemlog
......................... BGBSERVR passed test systemlog
Starting test: VerifyReferences
......................... BGBSERVR passed test VerifyReferences
Running partition tests on : TAPI3Directory
Starting test: CrossRefValidation
......................... TAPI3Directory passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... TAPI3Directory passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Running enterprise tests on : domain.local
Starting test: Intersite
......................... domain.local passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... domain.local failed test FsmoCheck
Net DIAG
..................................
Computer Name: BGBSERVR
DNS Host Name: bgbservr.domain.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : bgbservr
IP Address . . . . . . . . : 172.31.98.114
Subnet Mask. . . . . . . . : 255.255.255.240
Default Gateway. . . . . . : 172.31.98.113
Dns Servers. . . . . . . . : 172.31.98.114
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{91A28149-0BCD-4799-A730-9F9DE668EE21}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.31.98.114' and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{91A28149-0BCD-4799-A730-9F9DE668EE21}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{91A28149-0BCD-4799-A730-9F9DE668EE21}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Failed
[FATAL] Cannot find DC in domain 'DOMAIN'. [ERROR_NO_SUCH_DOMAIN]
DC list test . . . . . . . . . . . : Failed
'DOMAIN': Cannot find DC to get DC list from [test skipped].
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Skipped
'DOMAIN': Cannot find DC to get DC list from [test skipped].
LDAP test. . . . . . . . . . . . . : Failed
Cannot find DC to run LDAP tests on. The error occurred was: The specified domain either does not exist or could not be contacted.
[WARNING] Cannot find DC in domain 'DOMAIN'. [ERROR_NO_SUCH_DOMAIN]
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
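A triage helper for dcdiag output like the one posted above, added here as an example and not part of the original post: it lists only the failed tests with their Win32 error codes and DC locator flags. The function names `summarize` and `sysvol_pattern` are hypothetical, the sample is constructed in the shape of the posted output, and the SYSVOL heuristic is an assumption based on the netdiag warning in the post.

```python
import re

# Constructed sample in the shape of the dcdiag output posted above.
SAMPLE = r"""
Testing server: Default-First-Site\BGBSERVR
Starting test: Replications
......................... BGBSERVR passed test Replications
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\BGBSERVR\netlogon)
[BGBSERVR] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... BGBSERVR failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (BGBSERVR) call failed, error 1355
......................... BGBSERVR failed test Advertising
Starting test: frsevent
......................... BGBSERVR failed test frsevent
Running enterprise tests on : domain.local
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
......................... domain.local failed test FsmoCheck
"""

# Win32 error names for the two codes that appear in the post.
ERROR_NAMES = {1203: "ERROR_NO_NET_OR_BAD_PATH", 1355: "ERROR_NO_SUCH_DOMAIN"}

START = re.compile(r"^Starting test: (\S+)")
RESULT = re.compile(r"^\.+\s+(\S+) (passed|failed) test (\S+)\s*$")
ERROR = re.compile(r"error (\d+)")
LOCATOR = re.compile(r"D[sc]GetDcName\s*\(([^)]+)\)")

def summarize(text):
    """Return {test: {target, errors, locator}} for every failed dcdiag test."""
    failed, current, errors, locator = {}, None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = START.match(line)
        if m:  # a new test begins: reset what we collect for it
            current, errors, locator = m.group(1), [], []
            continue
        m = RESULT.match(line)
        if m:  # verdict line closes the current test
            target, verdict, test = m.groups()
            if verdict == "failed":
                codes = {c: ERROR_NAMES.get(c, "unknown") for c in sorted(set(errors))}
                failed[test] = {"target": target, "errors": codes, "locator": locator}
            current = None
            continue
        if current:  # detail line inside a test: collect codes and locator arguments
            errors += [int(c) for c in ERROR.findall(line)]
            locator += LOCATOR.findall(line)
    return failed

def sysvol_pattern(failed):
    """Heuristic (assumption): NetLogons, Advertising and frsevent failing
    together is consistent with SYSVOL/NETLOGON not being shared on the DC."""
    return {"NetLogons", "Advertising", "frsevent"} <= set(failed)
```
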