johnkan
asked on
Demoting a Win 2000 Server DC so it can join another domain.
Hello
I am replacing a Win 2000 Server that is currently the DC in a single-server domain. I am replacing it with a new server running Win 2012 Server Essentials.
I understand I can't introduce the 2012 server using the 'migrate domain' installation mode, so here is what I am looking at doing.
1. Demote the 2000 server so it is not a DC for its domain, DOMAIN1
2. Join the 2000 server to the new 2012 server domain DOMAIN2
3. Join all of the workstations, there are only 10 of them, to DOMAIN2
The reason I am wanting to do it this way is I need to be able to have both servers on the same domain so the old server's files can be copied across to the new server, and also because there is a server product that runs on the 2000 server that needs to be installed on the new server but still needs to be available to the workstations until that process is completed.
If there is an easier way to achieve this please don't hesitate to suggest it.
Thanks heaps in advance
ASKER
Hi experts
We have already purchased Win 2012 Server Essentials...
Can this be the Hyper-V host for the Win 2008 lab server? I'm assuming it can.
Also, the 2000 Server is running in mixed 'domain' mode, will this make a difference to my approach?
Prior to demoting the 2000 DC server, will this approach change the 2000 server DC in any way? Or will it function as normal prior to demotion?
Thanks
ASKER
Further to the Hyper-v VM,
I've found the following link below on TechNet, is this the VM I am to download and install on my Hyper-V server?
Hyper-V Server 2008 R2 SP1
Thanks
Where is the link?
ASKER
Hi Santosh
Sorry, looks like I will need to create the Win2008 server VM from scratch, as I have the Win2008 server media but can't download the Hyper-V 2008 server. The account to download it has expired.
If you have 2008 R2 then it should be in Roles.
http://www.petri.co.il/installing-hyper-v-on-windows-server-2008-r2.htm#
ASKER
Hi Santosh
So, what I'm planning on doing is installing the Win2008 server as a VM on the Win 2012 Essentials server.
Thanks
ohh ok
ASKER
Hi Santosh
As recommended, looking to...
install Win2008 server as VM on Win 2012 Essentials server
'Migrate' AD stuff from 2000 server over to Win2008 server and make the 2008 server a DC
then Join 'host' Win 2012 essentials server to Win2008 managed domain (where Win2008 is the DC).
Demote 2000 server
Move, or reinstall apps, printers etc to Win 2012 essentials server
Copy files over to 2012 Essentials server
decommission Win 2000 server
switch off 2008 server
I think I understand the steps recommended earlier in this question.
Thanks
Yes, correct, but please make sure you wait 1 to 2 days before demoting and decommissioning the servers.
You cannot run Hyper-V and Essentials side by side. Essentials must be a guest VM.
ASKER
Hi Cliff
If the Essentials must be a guest VM, what would be the 'host' OS ?.
Is that only if hyper-v is used for the virtualisation of the 2008 server ?.
thanks
Well, I personally don't recommend running an older version of Hyper-V with newer guest VMs. You can get strange interactions with integration services.
So given that caveat as well, if you don't have a license for 2012 Standard or Datacenter, I'd grab the latest free version of Hyper-V Server, which is 2012 R2. It requires command-line knowledge, and can only run Hyper-V, but it is very good at what it does. You can run Essentials and 2008 as guests.
ASKER
hi Cliff
I've had experience virtualising servers using VMware and VirtualBox, so do you see any problems if I use these to virtualise the 2008 server? They would be installed on the host 2012 Essentials server.
Thanks
Yes, I see problems. Having AD DS coexist with virtualization is almost always a bad idea. You hit memory and disk I/O issues more often than not.
I have no problems with VMware as a company, but for virtualizing servers you should use ESX (ESXi is also free) and, like Hyper-V, it is its own OS. You wouldn't run ESX on Essentials. Their desktop virtualization product is not suitable for server workloads.
Tangentially, I'd not run VirtualBox alongside other roles. I'd dedicate the host OS to VirtualBox and then run other workloads like Essentials as guests. But that requires a host OS license, so VirtualBox is usually not cost-effective when Windows is being considered for the host OS.
ASKER
Hi Santosh
Just a question about the use of either Win 2003 Server or Win 2008 Server as an intermediate step to get a server with AD on it that is compatible with 2012 Server Essentials.
Is it any easier to migrate the AD to 2003 Server or 2008 Server from 2000 Server?
Just wondering if, as 2003 Server was the version just after 2000 Server, it may be easier?
You mentioned 2003 Server in your response.
Thanks
ASKER
Hi Santosh
One of the steps to go from 2000 to 2008 is ...
'2. Upgrade the Windows 2000 forest schema by running "adprep /forestprep"
command on old server'
Any chance this could 'break' the Win 2000 server? I guess there is always a chance with this sort of thing...
Thanks
No, it only updates the schema version. You are safe to run this command.
Note: you need to run this command on the 2000 server using the 2008 DVD. Run adprep32, as Windows 2000 is a 32-bit OS.
ASKER
Hi Santosh
I have the 2008 DVD, is it just a binary on that DVD?
It's an exe.
ASKER
Hi Santosh
OK, found it...
ASKER
Hello Experts
Just an update: the user wants to complete their end-of-year accounts before the upgrade process is started, just in case.
I'll post again once the migration process has begun. I've created a 2008 server VM in preparation for this.
We are looking at starting this in one week's time.
Thanks
ASKER
Hi Experts
Is it safe to run ADPREP /forestprep on a system with users logged in, or does it have to be run on the server when no other users are logged in?
I'm guessing there might be a reboot along the way as well, maybe?
Thanks heaps
Any process that makes changes has a chance of going wrong, so "safe" is rather subjective. But adprep can be run while users are logged in and no reboot is required.
ASKER
Hi
I think the current domain mode for the server is 'mixed mode'. Can I still run ADPREP /forestprep if it's in this mode?
Thanks
Yes
ASKER
Hi
OK, adprep /forestprep has completed successfully.
Is adprep /domainprep just a schema update, or will it affect how the existing users/computers connect to the Win 2000 server?
Is it safe to run?
I will be introducing the Win2008 server next weekend.
Thanks
When I said adprep was safe to run, it was inclusive for domain and forest.
ASKER
HI
When I run adprep32 /domainprep it wants me to change to 'native mode' before it will continue. If I change to 'native mode' will the existing Win2k Pro and WinXP PCs still be able to log on? I know, really old kit, they need to upgrade.
Thanks
2000 Native kills off support for NT4, but as the name implies, 2000 is fine.
2003 interim or native would cause issues.
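The practical worry behind the answer above is whether anything that still depends on mixed mode is left in the domain: Windows 2000 native mode stops replication to NT4 BDCs, and a DC whose metadata was never cleaned up will keep showing up in later diagnostics. The following pre-flight check is an added example, not code from the thread; it uses plain ADSI/LDAP (no AD PowerShell module), so it runs as a domain user from any domain-joined machine with PowerShell 2.0 or later. It reads the current mode, lists every account flagged as a DC (NT4 BDCs carry the same SERVER_TRUST_ACCOUNT flag but have no NTDS Settings object behind them), and flags server objects in the Configuration partition whose computer account no longer exists. No names are hard-coded; everything is read from RootDSE.

```powershell
# Added example (not from the original thread): pre-flight before switching a
# Windows 2000 domain from mixed to native mode. Plain ADSI only; run as a domain
# user from a domain-joined machine with PowerShell 2.0+.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value

# 1. Current mode: ntMixedDomain = 1 is mixed, 0 is native.
$domain = [ADSI]"LDAP://$domainDn"
$mixed  = [int]$domain.ntMixedDomain.Value
"Domain $domainDn is in " + $(if ($mixed -eq 1) { 'MIXED' } else { 'NATIVE' }) + " mode"

# 2. Every DC account (NT4 BDCs included) has SERVER_TRUST_ACCOUNT (0x2000 = 8192)
#    set in userAccountControl. An AD DC additionally has an NTDS Settings object
#    linked back to the computer account through serverReferenceBL; an NT4 BDC does not.
$s = New-Object System.DirectoryServices.DirectorySearcher
$s.SearchRoot = [ADSI]"LDAP://$domainDn"
$s.Filter     = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$s.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'serverReferenceBL'))

$suspect = 0
foreach ($r in $s.FindAll()) {
    $name   = $r.Properties['name'][0]
    $os     = if ($r.Properties['operatingsystem'].Count -gt 0) { $r.Properties['operatingsystem'][0] } else { '(no operatingSystem attribute)' }
    $isAdDc = $r.Properties['serverreferencebl'].Count -gt 0
    $kind   = if ($isAdDc) { 'AD DC' } else { 'NT4 BDC or orphaned DC account' }
    "  $name : $os  [$kind]"
    if (-not $isAdDc -or $os -like 'Windows NT*') { $suspect++ }
}

# 3. The reverse problem: a server object in Sites whose serverReference link is gone
#    because the computer account was deleted (a DC that died without dcpromo).
#    Replication and dcdiag keep trying to reach these until the metadata is removed.
$s2 = New-Object System.DirectoryServices.DirectorySearcher
$s2.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$s2.Filter     = "(objectClass=server)"
[void]$s2.PropertiesToLoad.AddRange(@('cn', 'serverReference'))
foreach ($r in $s2.FindAll()) {
    if ($r.Properties['serverreference'].Count -eq 0) {
        Write-Warning ("Stale DC metadata: server object '{0}' has no computer account; remove it with ntdsutil metadata cleanup before continuing the migration" -f $r.Properties['cn'][0])
    }
}

if ($suspect -gt 0) {
    Write-Warning "$suspect DC account(s) look like NT4 BDCs or orphans; resolve these before raising the domain to native mode"
} else {
    "No NT4 BDC accounts found: raising to native mode will not affect Windows 2000/XP members"
}
```

The two searches deliberately look at the problem from both sides: the domain partition tells you which computer accounts claim to be DCs, the Configuration partition tells you which DCs the replication topology still believes exist. A name that appears in only one of the two lists is exactly the kind of leftover that the dcdiag output later in this thread complains about.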
ASKER
Great. No NT4 here.
Will continue this next week now. Getting booted out for the week
Thanks
ASKER
Hi Experts
Just changed 2000 Server domain mode to native from mixed.
Completed adprep32 /domainprep successfully.
Do I need to run "adprep32.exe /domainprep /gpprep"?
The following message came up after successful completion of adprep32 /domainprep and mentions this command.
Adprep successfully updated the domain-wide information.
The new cross domain planning functionality for Group Policy, RSOP Planning
Mode, requires file system and Active Directory Domain Services permissions
to be updated for existing Group Policy Objects (GPOs). You can enable this
functionality at any time by running "adprep.exe /domainprep /gpprep" on the
Active Directory Domain Controller that holds the infrastructure operations
master role.
This operation will cause all GPOs located in the policies folder of the
SYSVOL to be replicated once between the AD DCs in this domain.
Microsoft recommends reading KB Q324392, particularly if you have a large
number of Group policy Objects.
ASKER
Hi Experts
OK, I've now run 'DCPROMO' successfully.
I have checked in Users and Computers and the 2008 intermediary server now appears as a domain controller.
Looking at the article there are 4 points next...
6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory.
Newbie question: I've run DCPROMO, how do I check Active Directory installed properly?
7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica.
Newbie question: not sure how this is supposed to be completed.
8. Disable Global Catalog on old server.
Newbie question: not sure how to complete this step.
9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.
Will the 2008 DC authenticate users before the steps above have been completed?
Thanks
Will the 2008 DC authenticate users before the steps above have been completed ?.
Yes.
1. how do I check Active Directory installed properly
http://support.microsoft.com/kb/298143
2. not sure how this is supposed to be completed
http://technet.microsoft.com/en-us/library/cc758330%28v=ws.10%29.aspx
3. Disable Global Catalog
http://technet.microsoft.com/en-us/library/cc758330%28v=ws.10%29.aspx
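Steps 7 to 9 of the article quoted above are three small directory writes plus a replication check, and doing them from a script makes the order explicit: make the new DC a GC, wait until replication is clean and the GC is ready, transfer the roles, and only then remove the GC from the old DC. The block below is an added example, not code from the thread or the linked articles. It runs in PowerShell on the new 2008 DC with Domain Admin rights (Schema Admins and Enterprise Admins are additionally required for the schema master and domain naming master transfers), using ADSI and the built-in repadmin and netdom tools; no AD PowerShell module is assumed. Server and site names are the ones visible in this thread's dcdiag output. It changes the directory, so run it one section at a time and read the repadmin summary before the FSMO section.

```powershell
# Added example (not from the original thread): steps 7-9 of the migration done
# from PowerShell on the new 2008 DC. ADSI + stock repadmin/netdom only.
# Server/site names are from this thread; adjust before running elsewhere.

$oldDc = 'W2KSERVER2'
$newDc = 'SERVER03'

$rootDse  = [ADSI]"LDAP://$newDc/RootDSE"
$configDn = $rootDse.configurationNamingContext.Value
$siteDn   = "CN=Default-First-Site-Name,CN=Sites,$configDn"   # site name as shown by dcdiag

function Get-NtdsSettings([string]$dc) {
    # The NTDS Settings object is where a DC's GC flag lives.
    [ADSI]"LDAP://$newDc/CN=NTDS Settings,CN=$dc,CN=Servers,$siteDn"
}

# Global Catalog is bit 0 (value 1, NTDSDSA_OPT_IS_GC) of the 'options' attribute.
function Set-GlobalCatalog([string]$dc, [bool]$enabled) {
    $ntds = Get-NtdsSettings $dc
    $opts = [int]($ntds.options.Value)            # $null -> 0 when the attribute is unset
    $opts = if ($enabled) { $opts -bor 1 } else { $opts -band (-bnot 1) }
    $ntds.Put('options', $opts)
    $ntds.SetInfo()
    "$dc : Global Catalog " + $(if ($enabled) { 'enabled' } else { 'disabled' })
}

# --- Step 7: GC on the new DC, then force replication and confirm it is clean ---
Set-GlobalCatalog $newDc $true
repadmin /syncall $newDc /AeP | Out-Null        # /A all partitions, /e across sites, /P push
repadmin /replsummary                            # every line should show 0 fails
# RootDSE isGlobalCatalogReady turns TRUE once the partial replicas are fully built.
"isGlobalCatalogReady on $newDc = " + ([ADSI]"LDAP://$newDc/RootDSE").isGlobalCatalogReady.Value

# --- Step 9: transfer all five FSMO roles -------------------------------------
# Writing the become* operational attributes on the NEW DC's RootDSE performs a
# proper transfer (the old holder is contacted and hands the role over); it is the
# same LDAP operation the MMC "Change" button issues. Do this only after step 7 is
# clean; in a single-domain forest holding Infrastructure Master on a GC is fine.
foreach ($role in 'becomeSchemaMaster', 'becomeDomainMaster', 'becomePdc',
                  'becomeRidMaster', 'becomeInfrastructureMaster') {
    $rd = [ADSI]"LDAP://$newDc/RootDSE"
    $rd.Put($role, 1)
    $rd.SetInfo()
    "$role -> $newDc"
}
netdom query fsmo                                # all five holders should now be SERVER03

# --- Step 8: only now take the GC away from the old DC -------------------------
Set-GlobalCatalog $oldDc $false
```

Doing step 8 last rather than in the article's order is deliberate: while the old DC is the only ready GC, clients' GC lookups and the universal-group part of logon still depend on it, and removing that before `isGlobalCatalogReady` is TRUE on the new DC reproduces exactly the "old server unplugged, logon takes an age" symptom described later in the thread.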
ASKER
hi Santosh
Thanks, I'll try these tomorrow and post the results.
After I had run DCPROMO on the new server, I waited about 15 minutes and then unplugged the network cable from the old server and tried to log into the network from one of the PCs. It seemed to take an age to log in and get to the desktop.
When I reconnected the old server to the network and then logged in again on the same PC it authenticated and got to the desktop much faster. So I wasn't sure whether the new server actually authenticated the user when the old server was disconnected.
Thanks
ASKER
Hi experts.
On the new server under the SYSVOL directory there is no scripts directory or 'Policies' directory, which there are on the old server. Do I just copy these to the new server, or should they have been created automatically when I DCPromo'd?
I just want to know that the new server has authenticated the user when I try logging them in with the old server disconnected from the network.
Thanks
ASKER
Hi
So far I've not done anything special with the DNS server entries on the new server.
Could that have an effect on the new server authenticating users?
I don't think the new server is authenticating users at this stage.
I've checked the installation as being correct, based on the knowledge base article above:
1. how do I check Active Directory installed properly
http://support.microsoft.com/kb/298143
I feel its close but that I've missed something ..
Thanks
ASKER
Hello Experts
The new server is definitely not authenticating at this stage.
I created a shared folder on the new server and, with the old server disconnected, I cannot connect to that share.
When I authenticate on the old server and try to connect to the share I am allowed to connect.
I can confirm both new and old servers appear with the tick in 'Global Catalog' under the server properties for both old and new servers under the Servers container.
Thanks
Hi,
1. Make sure that you have added the new DC's IP to the DNS settings of the clients.
2. Run DCDIAG /V on the new server.
3. If you see errors in the report, then also run DCDIAG /Test:DNS and share the result/errors, if any.
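The symptom in the posts above (new DC listed in Users and Computers, SYSVOL empty, logon only works while the old server is reachable) is almost always a DC-locator problem rather than an authentication one: clients find a DC through the `_ldap._tcp.dc._msdcs.<domain>` SRV records and a DC only registers those once SYSVOL and NETLOGON are shared. The script below is an added example, not from the thread, that checks each link in that chain from a workstation's point of view using only the stock nslookup, net, nltest and dcdiag tools (dcdiag needs the AD tools installed if run from a workstation rather than the DC). Domain and server names are the ones in this thread's dcdiag output; nothing else is assumed.

```powershell
# Added example (not from the original thread): why do clients still only talk to
# the old DC? Checks DNS advertisement, zone hosting, SYSVOL sharing and the DC
# locator's answer. Stock tools only; run as a domain user on a workstation.

$domain = 'orgname.local'
$newDc  = 'SERVER03'

# DNS servers this client is really configured with (first entry is asked first).
$clientDns = @(ipconfig /all | Select-String 'DNS Servers' |
               ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() })
"Client DNS servers: $($clientDns -join ', ')"

# Returns the target hostnames of an SRV record, optionally from a specific DNS server.
function Get-SrvTargets([string]$srvName, [string]$dnsServer) {
    $a = @('-type=SRV', $srvName)
    if ($dnsServer) { $a += $dnsServer }
    @(& nslookup @a 2>$null | Select-String 'svr hostname' |
      ForEach-Object { ($_.Line -split '=\s*', 2)[1].Trim() })
}

# 1. Does DNS, as this client sees it, list the new DC at all?
$dcs = Get-SrvTargets "_ldap._tcp.dc._msdcs.$domain" $clientDns[0]
"DCs advertised in SRV records: $($dcs -join ', ')"
if ($dcs -notcontains "$newDc.$domain") {
    Write-Warning "$newDc has no _ldap._tcp.dc._msdcs SRV record, so no client can locate it. On $newDc make sure the NIC points at a DNS server that hosts $domain, then run 'ipconfig /registerdns' and restart the Netlogon service."
}

# 2. Before putting $newDc into the clients' DNS list, confirm it actually answers for the zone.
$soa = & nslookup -type=SOA $domain $newDc 2>$null | Select-String 'primary name server'
if (-not $soa) {
    Write-Warning "$newDc does not serve the $domain zone. Pointing clients at it for DNS will break name resolution until the DNS role and an AD-integrated copy of the zone are on it."
}

# 3. A DC advertises only once SYSVOL and NETLOGON are shared (FRS initial sync complete).
$shares = @(net view "\\$newDc" 2>$null | Select-String '^(SYSVOL|NETLOGON)\s')
if ($shares.Count -lt 2) {
    Write-Warning "$newDc is not sharing SYSVOL and NETLOGON yet; it will keep failing the dcdiag Advertising test and clients will ignore it."
}

# 4. Ask the DC locator directly, forcing a fresh discovery instead of the cached DC.
nltest /dsgetdc:$domain /force
nltest /dsgetdc:$domain /force /gc

# 5. The two dcdiag tests that matter for this symptom, run against the new DC.
dcdiag /s:$newDc /test:Advertising /test:DNS
```

Read the output in order: if check 1 fails, nothing a client does will make it use the new DC; if check 2 fails, the advice to "add the new DC's IP to the clients' DNS" must wait until DNS is installed on it; if check 3 fails, the cause is the FRS warning shown in the dcdiag output (SYSVOL never finished initialising from the old DC, typically because a stale DC such as orgnameBDC cannot be resolved), and the fix is metadata cleanup of the dead DC followed by a restart of the File Replication Service on the new one.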
ASKER
Hi Santosh
Man!!! OK, here is the output from DCDIAG.
The old server is W2KSERVER2; the new intermediary server is SERVER03 running Server 2008.
It states there are 3 DCs, of which 2 were old NT servers that are long since gone. I'm going to remove these from Users and Computers.
Hope this helps.
Thanks heaps
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine SERVER03, is a Directory Server.
Home Server = SERVER03
* Connecting to directory service on server SERVER03.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld, CN=Sites,CN=Configuration,DC=orgname,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld, CN=Sites,CN=Configuration,DC=orgname,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=orgnameBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
Ldap search capabality attribute search failed on server orgnameBDC, return
value = 81
Got error while checking if the DC is using FRS or DFSR. Error:
Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
because of this error.
* Found 3 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER03
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... SERVER03 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER03
Starting test: Advertising
Warning: DsGetDcName returned information for
\\w2kserver2.orgname.local, when we were trying to reach SERVER03.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... SERVER03 failed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
A warning event occurred. EventID: 0x800034FD
Time Generated: 04/23/2014 13:04:27
Event String:
File Replication Service is initializing the system volume with data from another domain controller. Computer SERVER03 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the initialization process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
A warning event occurred. EventID: 0x800034C8
Time Generated: 04/23/2014 13:04:29
Event String:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer SERVER03. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
A warning event occurred. EventID: 0x800034C4
Time Generated: 04/23/2014 13:06:52
Event String:
The File Replication Service is having trouble enabling replication from w2kserver2.orgname.local to SERVER03 for c:\windows\sysvol\domain using the DNS name w2kserver2.orgname.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name w2kserver2.orgname.local from this computer.
[2] FRS is not running on w2kserver2.orgname.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
A warning event occurred. EventID: 0x800034C4
Time Generated: 04/23/2014 13:14:12
Event String:
The File Replication Service is having trouble enabling replication from orgnameBDC to SERVER03 for c:\windows\sysvol\domain using the DNS name orgnamebdc.orgname.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name orgnamebdc.orgname.local from this computer.
[2] FRS is not running on orgnamebdc.orgname.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
A warning event occurred. EventID: 0x800034C4
Time Generated: 04/23/2014 13:14:13
Event String:
The File Replication Service is having trouble enabling replication from W2KSERVER2 to SERVER03 for c:\windows\sysvol\domain using the DNS name w2kserver2.orgname.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name w2kserver2.orgname.local from this computer.
[2] FRS is not running on w2kserver2.orgname.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
......................... SERVER03 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... SERVER03 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The
error returned was 0x0 "The operation completed successfully.".
Check the FRS event log to see if the SYSVOL has successfully been
shared.
......................... SERVER03 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
A warning event occurred. EventID: 0x80000603
Time Generated: 04/23/2014 13:04:05
Event String:
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
Hard disk:
c:
Data might be lost during system failures.
A warning event occurred. EventID: 0x80000B46
Time Generated: 04/23/2014 13:04:18
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
An error event occurred. EventID: 0xC0000827
Time Generated: 04/23/2014 13:10:05
Event String:
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
orgnamebdc
Failing DNS host name:
d93836ab-8fa9-41cc-b1b3-c50c5b27b183._msdcs.orgname.local
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
dcdiag /test:dns
5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
A warning event occurred. EventID: 0x80000785
Time Generated: 04/23/2014 13:10:05
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
CN=Configuration,DC=orgname,DC=local
Source directory service:
CN=NTDS Settings,CN=orgnameBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Source directory service address:
d93836ab-8fa9-41cc-b1b3-c50c5b27b183._msdcs.orgname.local
Intersite transport (if any):
This directory service will be unable to replicate with the source directory service until this problem is corrected.
User Action
Verify if the source directory service is accessible or network connectivity is available.
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.
......................... SERVER03 failed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
......................... SERVER03 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC SERVER03 on DC SERVER03.
* SPN found :LDAP/SERVER03.orgname.local/orgname.local
* SPN found :LDAP/SERVER03.orgname.local
* SPN found :LDAP/SERVER03
* SPN found :LDAP/SERVER03.orgname.local/orgname
* SPN found :LDAP/d2c2952a-d421-4d08-a481-cb0024f074e2._msdcs.orgname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d2c2952a-d421-4d08-a481-cb0024f074e2/orgname.local
* SPN found :HOST/SERVER03.orgname.local/orgname.local
* SPN found :HOST/SERVER03.orgname.local
* SPN found :HOST/SERVER03
* SPN found :HOST/SERVER03.orgname.local/orgname
* SPN found :GC/SERVER03.orgname.local/orgname.local
......................... SERVER03 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SERVER03.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=orgname,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=orgname,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=orgname,DC=local
(Domain,Version 3)
......................... SERVER03 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\SERVER03\netlogon)
[SERVER03] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... SERVER03 failed test NetLogons
Starting test: ObjectsReplicated
SERVER03 is in domain DC=orgname,DC=local
Checking for CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local in domain DC=orgname,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local in domain CN=Configuration,DC=orgname,DC=local on 1 servers
Object is up-to-date on all servers.
......................... SERVER03 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=orgname,DC=local
Latency information for 2 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
CN=Configuration,DC=orgname,DC=local
Latency information for 2 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
DC=orgname,DC=local
Latency information for 2 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... SERVER03 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 3660 to 1073741823
* w2kserver2.orgname.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3160 to 3659
* rIDPreviousAllocationPool is 3160 to 3659
* rIDNextRID: 3160
......................... SERVER03 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... SERVER03 passed test Services
Starting test: SystemLog
* The System Event log test
A warning event occurred. EventID: 0x80040022
Time Generated: 04/23/2014 13:04:05
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x80040022
Time Generated: 04/23/2014 13:04:05
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x80040022
Time Generated: 04/23/2014 13:04:05
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x8000001D
Time Generated: 04/23/2014 13:04:13
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x0000008E
Time Generated: 04/23/2014 13:05:46
Event String:
The time service has stopped advertising as a time source because the local clock is not synchronized.
Found no errors in "System" Event log in the last 60 minutes.
......................... SERVER03 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local and backlink on
CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=SERVER03,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orgname,DC=local
and backlink on
CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=SERVER03,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orgname,DC=local
and backlink on CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local
are correct.
......................... SERVER03 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : orgname
Starting test: CheckSDRefDom
......................... orgname passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... orgname passed test CrossRefValidation
Running enterprise tests on : orgname.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\w2kserver2.orgname.local
Locator Flags: 0xe00001fd
PDC Name: \\w2kserver2.orgname.local
Locator Flags: 0xe00001fd
Time Server Name: \\w2kserver2.orgname.local
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\w2kserver2.orgname.local
Locator Flags: 0xe00001fd
KDC Name: \\w2kserver2.orgname.local
Locator Flags: 0xe00001fd
......................... orgname.local passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... orgname.local passed test Intersite
Man!!!.. OK, here is the output from DCDIAG.
Old server is W2KSERVER2, new intermediary server is SERVER03 running Server 2008.
It states there are 3 DCs, of which 2 were old NT servers that are long since gone. I'm going to remove these from Users and Computers.
Hope this helps.
Thanks heaps
ASKER
Hi Santosh
According to this output of dcdiag /V, the File Replication Service has not yet finished replicating. When I use 'net share', the SYSVOL share is not present on the 2008 server yet.
How can I tell if it's even trying to replicate?
I have deleted the orgnameBDC server as a domain controller from the 2008 server and ticked that the computer is no longer available. So this test should not appear when I run DCDIAG once that domain controller has been recognised as no longer available, I'm guessing.
ASKER
Hi Santosh
Attached is the latest output from DCDIAG /V.
One thing about it is there is still a reference to a DC named orgnameBDC. This is non-existent and does not appear under 'Active Directory Sites and Services' anymore, but does appear under 'Active Directory Users and Computers', so I'm not sure why it's still being included.
This is exactly what others seem to have reported when introducing 2008 R2 servers to 2003 domains or 2000 domains, whereby the replication and sharing of the SYSVOL folder is never completed properly.
Any ideas as to how this is resolved?
Thanks heaps.
dcdiag-afterremoving-nonexistant.txt
Hi,
Let's fix it first.
1st, clean up the metadata from Active Directory for the failed server with ntdsutil:
http://support.microsoft.com/kb/216498
Note: Make sure no entry remains in ADUC, DNS and Sites & Services.
Let's fix it now.
#1 Follow the below to enable the share.
Set the SysvolReady Flag registry value to "0" and then back to "1" in the registry.
Click Start, click Run, type regedit, and then click OK.
Locate the following subkey in Registry Editor:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
In the details pane, right-click SysvolReady Flag, and then click Modify.
In the Value data box, type 0 and then click OK.
Again in the details pane, right-click SysvolReady Flag, and then click Modify. In the Value data box, type 1, and then click OK.
Then run NET SHARE and see if the SYSVOL and NETLOGON shares are present.
http://support.microsoft.com/kb/315457
##2
If the SYSVOL share is present, then try the authoritative restore of the server by playing with the registry.
http://support.microsoft.com/kb/315457
###3
Enable Loose Replication Consistency
To enable Loose Replication Consistency, follow these steps on the 2003 domain controller that reports the error messages.
1. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
2. Click Add Value on the Edit menu.
3. Add the following value:
Value Name: Strict Replication Consistency
Data type: REG_DWORD
Value data: If the value is 1, change it to 0.
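The registry changes in steps #1 and #3, together with a way to answer the earlier question of whether FRS is even trying to replicate, as an added PowerShell example that is not part of the thread or of the linked KB articles. It assumes a Windows Server 2008 R2 replica DC with the stock registry paths; the value is stored as SysvolReady (the KB text calls it the SysvolReady Flag), and no server names from the thread are used.

```powershell
# Added example: inspect and repair the FRS/SYSVOL readiness state on a new
# 2008 R2 replica DC. Run from an elevated PowerShell prompt on the DC that is
# missing its SYSVOL share. PowerShell 2.0 compatible (no Get-SmbShare).

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-SysvolState {
    # SysvolReady is the DWORD the KB text calls the "SysvolReady Flag". Netlogon
    # publishes SYSVOL/NETLOGON only while it is 1. FRS sets it to 1 itself once
    # its initial sync completes, so restarting NtFrs before that point drops it
    # back to 0 and the shares disappear again.
    $ready  = (Get-ItemProperty -Path $NetlogonKey -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    $strict = (Get-ItemProperty -Path $NtdsKey -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        SysvolReady                  = $ready
        StrictReplicationConsistency = $strict
        SysvolShared                 = ($shares -contains 'SYSVOL')
        NetlogonShared               = ($shares -contains 'NETLOGON')
        NtFrsStatus                  = (Get-Service -Name NtFrs).Status
    }
}

function Reset-SysvolReady {
    # Step #1: 0 then 1 forces Netlogon to re-evaluate and re-share SYSVOL.
    # Only useful once FRS has actually replicated the tree; publishing an empty
    # SYSVOL hands clients a DC with no policies or logon scripts.
    Set-ItemProperty -Path $NetlogonKey -Name SysvolReady -Value 0 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name SysvolReady -Value 1 -Type DWord
    Start-Sleep -Seconds 10
    Get-SysvolState
}

function Set-ReplicationConsistency {
    param([Parameter(Mandatory=$true)][ValidateSet(0,1)][int]$Value)
    # Step #3: 0 = loose (accept lingering objects so the partner can replicate),
    # 1 = strict. Loose consistency lets objects deleted on one DC be reintroduced
    # from a stale partner, so put it back to 1 as soon as replication is healthy.
    Set-ItemProperty -Path $NtdsKey -Name 'Strict Replication Consistency' -Value $Value -Type DWord
}

function Get-FrsActivity {
    # Is FRS trying at all? 13508 = cannot replicate from partner, 13509 = that
    # problem cleared, 13516 = SYSVOL ready, 13568 = journal wrap (needs a
    # non-authoritative restore, KB 315457 above).
    param([int]$Hours = 24)
    Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddHours(-$Hours) |
        Where-Object { 13508, 13509, 13516, 13568 -contains $_.EventID } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, Message
}

# Typical sequence on the new DC:
Get-SysvolState
Get-FrsActivity
Reset-SysvolReady
# Set-ReplicationConsistency -Value 0    # only if step #3 is actually needed
# ... once dcdiag /v and repadmin /showrepl are clean:
# Set-ReplicationConsistency -Value 1
```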
ASKER
Hi Santosh
With the first item ...
1st cleanup metadata from active directory for failed server with ntdsutil
http://support.microsoft.com/kb/216498
I ran this procedure on the old 2000 Server to remove it from that server. Do I run the same thing on the temporary Win 2008 server also?
I'll run through all of these steps tomorrow, Thursday, and post the results once completed.
Thanks heaps
Hi,
No, if you run metadata clean-up on W2KSERVER2 then you do not need to run it on the other DC. It will automatically be removed once replicated.
ASKER
Hi Santosh
I thought (hoped) that might be the case.
I'll post the results of the other actions later on today.
Thanks
John
ASKER
Hi Santosh
Step #1,
The initial value of the key value was already 0.
After completing #1 and the step below, the SYSVOL share is now present but there is no NETLOGON share. Should I have one as well as the SYSVOL share on the 2008 server?
Then run NET SHARE and see if the SYSVOL and NETLOGON share is present.
ASKER
Hello Santosh
When I run Linkd as part of step #2, I get the error message back stating 'Linkd' is not recognised as an internal or external command.
When I restart the FRS service the SysvolReady flag is reset to 0, and the SYSVOL share no longer appears as a share when I run 'net share'.
Thanks
ASKER
Hi Santosh
Hang on!!!... I take that back. Helps if I have the NTFRS service started on the authoritative controller before I start the FRS service on the new server!!!
I now have SYSVOL and NETLOGON shares when I issue net share.
OK, now step #3
ASKER
Hello Santosh
step #3
I've added the new DWORD value with the name "Strict Replication Consistency".
Should I try the DCDIAG thing again?
Thanks
John
Hi,
1. Is the DC named orgnameBDC still showing under 'Active Directory Users'?
2. Try to replicate first; it should replicate.
3. Now run DCDIAG /V; if you see any error then also run DCDIAG /Test:dns
ASKER
Hi Santosh
OK, I'll need to do this on 28.4.2014 now.
No access to servers until then.
I didn't mention that after I completed step #2, replication completed and the SYSVOL tree and all of the login scripts replicated to the new server, so that's a BIG step forward.
I'll post any results from the DCDIAG /V and DCDIAG /Test:dns if there are errors.
Thanks heaps
John
ASKER
hi Santosh
Looks like DCDIAG /test:dns ran without errors. I've attached the output of it.
DCDIAG /V had 2 errors.
a) DCOM error due to the use of the external ISP's DNS somewhere.
b) Replications check. At the time this was run initially, the old server's NIC was disconnected. I'm assuming the replication failure is due to the next replication cycle not having been completed yet? I've attached the output of DCDIAG /V to this post also.
c) There are some nfs time errors too which I'm not sure how to correct.
Otherwise, what I was able to determine was that with the old DC disconnected from the network, the test user is being authenticated by the intermediary 2008 server and their logon script run, which I don't think would happen if authentication were not working on the 2008 intermediary server?
I'm going to leave the 2008 server on and hope it replicates naturally for a day. I've had it switched off since the FRS service started to work.
I look forward to your post.
Thanks heaps
dcdiag-test-dns-20140428.txt
dcdiag-v-20140428.txt
ASKER
Hi Santosh
OK, I let the DCs replicate overnight and as hoped, the dcdiag /V comes up really clean looking.
Can you confirm that? I've attached the latest output of dcdiag /V to this post.
I've also confirmed all of the different OSs on the network are authenticated by the temp 2008 server when the old server is disconnected.
So I guess the next step is to demote the old server so I can then get the 2012 Server Essentials server joined to the domain and then get rid of the temp 2008 server?
thanks
John
dcdiag-v-20140429.txt
Yes, the result is clean. No issue, you can go ahead.
ASKER
Hello Santosh
To re-cap,
Here was my original plan...
As recommended, looking to...
install Win2008 server as VM on Win 2012 Essentials server
'Migrate' AD stuff from 2000 server over to Win2008 server and make the 2008 server a DC
then Join 'host' Win 2012 essentials server to Win2008 managed domain (where Win2008 is the DC).
Demote 2000 server
Move, or reinstall apps, printers etc to Win 2012 essentials server
Copy files over to 2012 Essentials server
decommission Win 2000 server
switch off 2008 server
Here are the 4 steps I am currently completing...
6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory. COMPLETED
7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica. COMPLETED
8. Disable Global Catalog on old server. Not yet completed.
9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.
Looking at this, as the temporary 2008 server is now acting as a DC in the domain, can I now join the Win 2012 Essentials server to the domain, and make it a domain controller as well, before demoting the Win2000 server?
Also, do I have to disable the Global Catalog on the old server at this stage? Not sure if this means it will stop authenticating...
Thanks heaps
Also, do I have to disable the Global catalog on the old server at this stage ?. Not sure if this means it will stop authenticating ..
First change the DNS server IP in the DHCP server so that all systems use the 2008 server as DNS, disable the global catalog on the old server, and wait for a day to see if everything is going fine.
http://technet.microsoft.com/en-us/library/cc758330(v=ws.10).aspx
Looking at this, as the temporary 2008 server is now acting as a DC in the domain, can I now join the Win 2012 essentials server to the domain, and make it a domain controller as well, before demoting the Win2000 server ?.
Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.
Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest. In this case, consider the following workflow:
ASKER
hi Santosh
Ok, so I'm hearing I must demote the Win2000 Server and make it a member server only first. This will leave the temporary 2008 Server DC to which I can then join the Win 2012 essentials server.
Once the 2012 essentials server is joined to the domain...from post earlier on...
I add the ADDS role and run the post-installation configuration wizard. The wizard now handles the duties that adprep (forest and domain) and dcpromo used to handle. Again, follow the replica DC documentation exactly, looking for replication issues (there are often a few) and resolving them.
Sorry, I don't see the bit in your post after the ..
'In this case, consider the following workflow:'
Can you post that bit for me again?
thanks heaps
John
Hi,
My apology... ignore the 'In this case, consider the following workflow:' section.
ASKER
Hi Santosh
OK, disabled Global Catalog on Win2000 DC. Now going to let it run that way for 2 days..
John
ASKER
Hi Santosh
OK, I've left the 2000 server and 2008 server running over the last few days and things still seem to be working fine...
Here are the 4 steps I am currently completing...
6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory. COMPLETED
7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica. COMPLETED
8. Disable Global Catalog on old server. COMPLETED.
9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.
So I'm going to run the NTDSUTIL utility from the 2008 Server. I'm guessing this will automatically demote the Win2000 server?
Thanks heaps
John
ASKER
Hi Santosh
Actually, if my 2008 Server is already acting as a DC with the GC enabled, then have I already transferred the FSMO roles with the actions completed so far?
If so, do I need to just demote the Win2000 server? Not sure what I run to demote the Win2000 server.
Once I've demoted the Win2000 Server I will join the 2012 Essentials server to the domain and add the ADDS role to then make it a DC.
I will then leave the 2008 Server for a couple of days. I will keep the Win2000 server running as a member server.
After the wait, I will want to remove the 2008 temporary server.
Thanks heaps
John
ASKER
Hi Santosh
Sorry, on further reading, I am wanting to now 'transfer' the FSMO roles to the 2008 Server...
I'm going to follow these steps...
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Thanks heaps
John
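The same FSMO transfer done with the ActiveDirectory PowerShell module instead of ntdsutil, plus the two checks this thread later turned out to need (who holds each role, and whether the forest can accept a Windows Server 2012 DC given the functional-level rule Santosh quotes above), as an added example that is not part of the thread or of KB 255690. It assumes a Windows Server 2008 R2 DC with the AD DS role installed; 'TEMP2008' is a placeholder for the 2008 R2 DC that should receive the roles.

```powershell
# Added example: FSMO transfer and pre-checks via the ActiveDirectory module.
# Run from an elevated PowerShell prompt on the 2008 R2 DC as an Enterprise Admin
# (Schema/Domain Naming master need Enterprise Admins, the other three Domain Admins).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles hang off the forest object, domain roles off the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory=$true)][string]$TargetDc)
    # Transfer, not seize: the 2000 DC is still online, so the roles are handed over
    # cleanly and the old holder learns it no longer owns them. Seizing (-Force) is
    # only for a holder that will never return, and must be followed by metadata
    # cleanup of that holder so two DCs never both believe they own a role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
    Get-FsmoHolders
}

function Test-ReadyFor2012Dc {
    # A Windows Server 2012 DC is blocked while any Windows 2000 DC remains in the
    # forest or the forest functional level is still Windows 2000; check both.
    # Also lists the global catalogs so the GC can be confirmed on the new DC
    # before it is disabled on the old one.
    $forest  = Get-ADForest
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $dcs     = @(Get-ADDomainController -Filter *)
    $w2kDcs  = @($dcs | Where-Object { $_.OperatingSystem -like 'Windows 2000*' })
    $modeOk  = ([int]$forest.ForestMode -ge [int]$minMode)
    New-Object PSObject -Property @{
        ForestMode     = $forest.ForestMode
        ForestModeOk   = $modeOk
        Windows2000DCs = @($w2kDcs | ForEach-Object { $_.HostName })
        GlobalCatalogs = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
        ReadyFor2012Dc = ($modeOk -and ($w2kDcs.Count -eq 0))
    }
}

Get-FsmoHolders
Move-AllFsmoRoles -TargetDc 'TEMP2008'
Test-ReadyFor2012Dc
# Once the 2000 DC is demoted, the levels can be raised with Set-ADDomainMode and
# Set-ADForestMode (irreversible), which is what "Updated DFL and FFL" later means.
```

`netdom query fsmo` on any DC is an independent cross-check of the role holders after the transfer.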
Hi,
I would prefer to transfer the FSMO roles via GUI mode.
http://kpytko.pl/2011/08/26/transferring-fsmo-roles-from-gui/
http://support.microsoft.com/kb/255690
ASKER
Hi Santosh
I'll check out the GUI to do it for this one.
Doing this tomorrow.
I'll post the results.
Newbie question, but will this automatically make the Win2000 server just a member server or is there a further step to demoting a DC to become a member server?
Thanks heaps
John
No,
You need to demote it.
ASKER
Hi Santosh
OK. Transfer of FSMO and demotion of Win2000 Server to member server completed.
Everything still works!!!
Fantastic!!!
I think we can call this one finished
This is probably one of the longest threads you may have been involved with.
thanks heaps for sticking with it.
John
ASKER
hi Santosh
Updated DFL and FFL to Win 2008 R2, which is my temporary server.
I was about to join the Win 2012 essentials server to my domain, but can't as by default when I initially set up the Win 2012 essentials server it also installed the Certificate Authority service.
Can I uninstall the CA service on the Win 2012 server so that I can then join the domain and then add the ADDS role as described at the start of this ?
The Win 2008R2 VM is hosted on the Win 2012 Essentials Server at present.
thanks heaps
John
Yes,
you can just add the ADDS role; it will automatically join it to the domain.
ASKER
hi Santosh
Do I need to remove the CA service then before I add the ADDS role?
I was trying to join the domain using the old advanced settings under 'System' in Control Panel, and that's when I saw the 'Change' button was grayed out.
I hadn't thought of just adding the ADDS role without removing the CA service role first.
Thanks heaps
John
Ok, uninstall the Certificate Authority service then try.
Note: Make sure you don't have any other SBS in your domain.
ASKER
Hi Santosh
OK,
1. Uninstalled CA service. This allowed me to join the existing 2008R2 domain.
2. Uninstalled AD services (these had already been installed when I initially set the 2012 Essentials server up). I wanted to do this to start with the Wizard.
3. Successfully joined the demoted 2012 server to the 2008R2 domain.
Next step is to run the configuration Wizard to turn the 2012 server into a DC, which will transfer the FSMO roles from the temporary 2008R2 server.
I'll post the results of this next couple of days.
Thanks
ASKER
Hi Santosh
Ran the configuration Wizard to turn the 2012 Essentials server into a DC successfully
Transferred the FSMO roles successfully.
Disabled the 'GC' property on the 2008 server
Final step is to shut off the temporary 2008 server to make sure the new server's operating correctly as the DC and authenticating properly.
I'll post the results of this step tomorrow.
thanks heaps
John
ASKER
Hello Santosh
OK, have had the 2008 temp server off now for a couple of days and the 2012 Essentials server is still working as expected.
Looking really good.
I'll check again in a couple of days but I think this is sorted.
I'll post the final status in after the weekend.
Thanks heaps
John
ASKER
Hi Experts
Thank you both for your excellent in-depth guidance with this migration and especially for sticking with it. The challenge was we only had access to the system during business hours and mostly only during their lunch breaks.
Thanks so much.
I wish I could have had more points to award to this.
John
ASKER
That's correct. The problem is that the minimum server OS I can upgrade directly from is 2003 server, according to the article.
I was trying to avoid having to upgrade the existing 2000 server to 2003 or 2008 because if this fails, I won't have the functioning 2000 server to use either...
thanks heaps