Solved

Demoting a Win 2000 Server DC so it can join another domain.

Posted on 2014-03-20
79
474 Views
Last Modified: 2014-05-21
Hello

I am replacing a Win 2000 Server that is currently the DC in a single server domain. I am replacing it with a new server running Win 2012 Server Essentials.

I understand I can't introduce the 2012 server using the 'migrate domain' installation mode, so here is what I am looking at doing.

1. Demote the 2000 server so it is not a DC for its domain, DOMAIN1

2. Join the 2000 server to the new 2012 server domain DOMAIN2

3. Join all of the workstations, there are only 10 of them, to DOMAIN2

The reason I am wanting to do it this way is I need to be able to have both servers on the same domain so the old server's files can be copied across to the new server, and also because there is a server product that runs on the 2000 server that needs to be installed on the new server but still needs to be available to the workstations until that process is completed.

If there is an easier way to achieve this please don't hesitate to suggest it.

Thanks heaps in advance
0
Question by:johnkan
79 Comments
 
LVL 13

Assisted Solution

by:Santosh Gupta
Santosh Gupta earned 400 total points
Hi,

Please correct me if I am wrong. In simple terms: you want to use the Windows 2012 server and remove the Windows 2000 server. Also, your current domain controller is running on Windows 2000 and it is the only server in your domain.

Try this to add 2012 directly to your 2000 domain: http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx


If that does not work, then create virtual machines and install the trial operating systems.
First of all you should raise both your domain and forest functional levels to 2003, then migrate consecutively from 2000 to 2008, and from 2008 to 2012.
0
 

Author Comment

by:johnkan
Hello Santosh

That's correct. The problem is that the minimum server OS I can upgrade directly from is 2003 server, according to the article.

I was trying to avoid having to upgrade the existing 2000 server to 2003 or 2008 because if this fails, I won't have the functioning 2000 server to use either...

thanks heaps
0
 
LVL 13

Accepted Solution

by:Santosh Gupta
Santosh Gupta earned 400 total points
Hi,

1. Create a virtual machine on your 2012 Hyper-V.
2. Install the 2003 OS.
3. Add it to the 2000 domain and promote it as a domain controller.
4. Move all FSMO roles and other data to 2003.
5. Demote and perform metadata cleanup for 2000.
6. Update the FFL and DFL to 2003.
7. Now follow that URL and update to 2012.

It will provide you the benefit of Zero Downtime.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
I can't say that there is an *easier* way to do what you want, but there are *safer* ways.

First, I will stress that running a LOB app on a domain controller is a bad idea. There are two main issues:

1) Security. A domain controller holds the "keys to the kingdom" so to speak. So any issue with the LOB app has the potential to crash your entire network. This is *really* bad...

2) A domain controller doesn't have "local" accounts or a local security database. Many (as in most) LOB apps use service accounts so they can keep running even when a user isn't logged in. Demoting a DC takes off the only account database on that server (since it doesn't have a local one) and *creates* a new local database so it can run as a member server. But that has a side-effect of destroying the service accounts that the LOB app was using. Basically, demoting a DC while a LOB app is running almost always breaks the LOB app.

For these reasons, you'll see LOB apps...even ones from Microsoft...like Exchange....recommend against running on a DC. And even if you ignore "recommendations" they have documentation that explicitly says that you cannot promote or demote a server after exchange has been installed. That is a decision you *have* to make before installing Exchange. Most other LOB apps have similar restrictions.

All this comes around to....demoting that 2000 DC will likely break your app. Don't do it. And that gets you into an ugly situation of getting your 2012 machine into your network. So here is my "not easy, but safe" suggestion:

1) If you haven't bought any server licenses yet, buy 2012 R2 Standard. It comes with "1+2" virtualization rights, which means you can run 2 VMs on one machine without buying more licenses.

2) Install the host OS (can be VMWare or Hyper-V, your choice. I'd go Hyper-V myself.)

3) Install one 2012 R2 VM.

4) Join the new VM to the existing domain. Even though the domain is 2000, this should still work since you *aren't* trying to make the new server a DC.

5) Migrate your LOB app to the new VM server and files/data as well.

6) Grab a technet lab VM for 2008 R2 or similar. Lab VMs are not meant for production, but this isn't a permanent situation so no worries there. These are usually distributed as VHDs. Configure the VM on your Hyper-V machine as instructed in the lab documentation.

7) Join the 2008 R2 VM to your domain. Follow documentation to add a replica DC. It is important that you follow those steps *exactly.* We want ZERO replication issues before proceeding.

8) You are now set to demote the 2000 server. The LOB app is already elsewhere, so that is no worries. You've also migrated your data. And now you have a new DC handling those duties. Power off the server, make sure you don't see problems. And if things run smoothly with the old DC off for a few days, demote and decommission.

9) Clean up AD of all references to the old server. This includes entries in sites and services, DNS, etc.

10) Change the forest and domain functional levels to 2003 (or higher) now that the 2000 server is gone.

11) Now you are in a state where 2012 R2 can be a DC. Create a new VM and install the OS of your choice for a DC. That can be 2012 R2 Standard or 2012 R2 Essentials if your environment is small and you want the Essentials features.

12) Add the ADDS role and run the post-installation configuration wizard. The wizard now handles the duties that adprep (forest and domain) and dcpromo used to handle. Again, follow the replica DC documentation exactly, looking for replication issues (there are often a few) and resolving them.

13) Now demote and decommission your 2008 R2 lab VM.

14) Again, clean up AD references to the 2008 R2 lab VM.

You've now migrated your environment, including LOB apps, to a new, much more supportable architecture with minimal downtime, that *doesn't* require rejoining machines to a new domain, and avoids potential issues with 2000 as well as problems with demoting a DC with an LOB app on it.

It takes planning, and a coordinated effort, but I think you'll find it worthwhile.

-Cliff
0
 

Author Comment

by:johnkan
Hi experts

We have already purchased Win 2012 Server Essentials...

Can this be the Hyper-V host for the Win 2008 lab server? I'm assuming it can.

Also, the 2000 Server is running in 'mixed' domain mode; will this make a difference to my approach?

Prior to demoting the 2000 DC server, will this approach change the 2000 server DC in any way? Or will it function as normal prior to demotion?


Thanks
0
 

Author Comment

by:johnkan
Further to the Hyper-v VM,

I've found the following link on TechNet; is this the VM I am to download and install on my Hyper-V server?

Hyper-V Server 2008 R2 SP1

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
where is link ?
0
 

Author Comment

by:johnkan
Hi Santosh

Sorry, looks like I will need to create the Win2008 server VM from scratch, as I have the Win2008 server media but can't download the Hyper-V 2008 server. The account to download it has expired.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
If you have 2008 R2, then it should be in Roles.
http://www.petri.co.il/installing-hyper-v-on-windows-server-2008-r2.htm#
0
 

Author Comment

by:johnkan
Hi Santosh

So, what I'm planning on doing is installing the Win2008 server as a VM on the Win 2012 Essentials server.

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ohh ok
0
 

Author Comment

by:johnkan
Hi Santosh

As recommended, looking to...
install Win2008 server as VM on Win 2012 Essentials server

'Migrate' AD stuff from 2000 server over to Win2008 server and make the 2008 server a DC

then Join 'host' Win 2012 essentials server to Win2008 managed domain (where Win2008 is the DC).

Demote 2000 server

Move, or reinstall apps, printers etc to Win 2012 essentials server
Copy files over to 2012 Essentials server

decommission Win 2000 server
switch off 2008 server

I think I understand the steps recommended earlier in this question.

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Yes, correct, but please make sure to wait 1 to 2 days before demoting and decommissioning the servers.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
You cannot run Hyper-V and Essentials side by side. Essentials must be a guest VM.
0
 

Author Comment

by:johnkan
Hi Cliff

If Essentials must be a guest VM, what would be the 'host' OS?

Is that only if Hyper-V is used for the virtualisation of the 2008 server?

thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Well, I personally don't recommend running an older version of hyper-v with newer guest VMs. You can get strange interactions with integration services.

So given that caveat as well, if you don't have a license for 2012 Standard or datacenter, I'd grab the latest free version of hyper-v server, which is 2012 R2. It requires command line knowledge, and can only run hyper-v, but it is very good at what it does. You can run essentials and 2008 as guests.
0
 

Author Comment

by:johnkan
hi Cliff

I've had experience virtualising servers using VMware and VirtualBox, so do you see any problems if I use these to virtualise the 2008 server? They would be installed on the host 2012 Essentials server.

Thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Yes, I see problems. Having ADDS coexist with virtualization is almost always a bad idea. You hit memory and disk I/O issues more often than not.

I have no problems with VMWare as a company, but for virtualizing servers, you should use ESX (ESXi is also free) and, like Hyper-V, it is its own OS. You wouldn't run ESX on Essentials. Their desktop virtualization product is not suitable for server workloads.

Tangentially, I'd not run virtualbox with other roles. I'd dedicate the host OS to virtualbox and then run other workloads like essentials as guests. But that requires a host OS license, so virtualbox is usually not cost effective when windows is being considered for the host OS.
0
 

Author Comment

by:johnkan
Hi Santosh

Just a question about the use of either Win 2003 server or Win 2008 server as an intermediate step to get the server with AD on it that is compatible with 2012 Server Essentials.

Is it any easier to migrate the AD to 2003 Server or 2008 Server from 2000 Server?

Just wondering, as 2003 Server was the version just after 2000 Server, whether it may be easier?

You mentioned 2003 server in your response.

Thanks
0
 
LVL 13

Assisted Solution

by:Santosh Gupta
Santosh Gupta earned 400 total points
Hi,

Both options are available. Go through both URLs and see which feels easier for you.

You can go with 2000 to 08 as well.

2000 to 2008
http://www.windows-noob.com/forums/index.php?/topic/1783-ad-2000-migration-to-ad-2008/

2003 to 2012
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx
0
 

Author Comment

by:johnkan
Hi Santosh

One of the steps to go from 2000 to 2008 is ...

'2. Upgrade the Windows 2000 forest schema by running "adprep /forestprep"
command on old server'


Any chance this could 'break' the Win 2000 server? I guess there is always a chance with this sort of thing...

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
No, it's only to update the schema version. You are safe to run this command.

Note: you need to run this command on the 2000 server using the 2008 DVD. Run adprep32, as Windows 2000 is a 32-bit OS.
0
 

Author Comment

by:johnkan
Hi Santosh

I have the 2008 DVD; is it just a binary on that DVD?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
It's an exe.
0
 

Author Comment

by:johnkan
Hi Santosh

OK, found it...
0
 

Author Comment

by:johnkan
Hello Experts

Just an update, the user wants to complete their end-of-year accounts before the upgrade process is started, just in case.

I'll post again once the migration process has begun. I've created a 2008 server VM in preparation for this.

We are looking at starting this in one week's time.

Thanks
0
 

Author Comment

by:johnkan
Hi Experts

Is it safe to run ADPREP /forestprep on a system with users logged in, or does it have to be run on the server when no other users are logged in?

I'm guessing there might be a reboot along the way as well, maybe?

Thanks heaps
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Any process that makes changes has a chance of going wrong, so "safe" is rather subjective. But adprep can be run while users are logged in and no reboot is required.
0
 

Author Comment

by:johnkan
Hi

I think the current domain mode for the server is 'mixed mode'. Can I still run ADPREP /forestprep if it's in this mode?

Thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Yes
0
 

Author Comment

by:johnkan
Hi

OK, adprep /forestprep has completed successfully.

Is adprep /domainprep just a schema update, or will it affect how the existing users/computers connect to the Win 2000 server?

Is it safe to run?

I will be introducing the Win2008 server next weekend.

Thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
When I said adprep was safe to run, it was inclusive for domain and forest.
0
 

Author Comment

by:johnkan
Hi

When I run adprep32 /domainprep it wants me to change to 'native mode' before it will continue. If I change to 'native mode', will the existing Win2k Pro and WinXP PCs still be able to log on? I know, really old kit; they need to upgrade.

Thanks
0
 
LVL 56

Expert Comment

by:Cliff Galiher
2000 Native kills off support for NT4, but as the name implies, 2000 is fine.

2003 interim or native would cause issues.
0
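The schema version and the domain mode that adprep and the mixed/native switch act on can be read straight out of the directory rather than inferred; this added PowerShell script is not from the thread or from Microsoft, and assumes PowerShell 2.0 or later on any domain-joined machine. The version-to-release tables are the documented Microsoft values.

```powershell
# Added example (not from the thread). Reads the schema objectVersion and the
# domain/forest behavior versions over LDAP with the built-in [ADSI] accelerator.
# Assumes PowerShell 2.0+ on a domain-joined machine; any authenticated user can
# read these attributes, so nothing here changes the directory.

# Schema objectVersion -> Windows release that introduced it (Microsoft-documented).
$SchemaVersions = @{
    13 = 'Windows 2000';           30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}
# msDS-Behavior-Version -> domain/forest functional level (Microsoft-documented).
$FunctionalLevels = @{
    0 = 'Windows 2000';           1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003';    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}

function Get-AdsiInt {
    # Returns a single-valued integer attribute, or $null when the attribute is not
    # present (msDS-Behavior-Version does not exist until the 2003 schema is in place).
    param($Entry, [string]$Attribute)
    try { return [int]$Entry.Get($Attribute) } catch { return $null }
}

function Describe {
    param([hashtable]$Table, $Value)
    if ($Value -eq $null) { return 'attribute not present' }
    if ($Table.ContainsKey([int]$Value)) { return "$Value ($($Table[[int]$Value]))" }
    return "$Value (newer than this table)"
}

function Get-DirectoryUpgradeState {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]('LDAP://' + $rootDse.Get('schemaNamingContext'))
    $domain  = [ADSI]('LDAP://' + $rootDse.Get('defaultNamingContext'))
    # The forest functional level lives on the Partitions container, not on the domain.
    $parts   = [ADSI]('LDAP://CN=Partitions,' + $rootDse.Get('configurationNamingContext'))

    $mixed = Get-AdsiInt $domain 'ntMixedDomain'   # 1 = mixed, 0 = native

    New-Object PSObject -Property @{
        SchemaVersion = Describe $SchemaVersions (Get-AdsiInt $schema 'objectVersion')
        DomainMode    = $(if ($mixed -eq 1) { 'mixed' } elseif ($mixed -eq 0) { 'native' } else { 'unknown' })
        DomainLevel   = Describe $FunctionalLevels (Get-AdsiInt $domain 'msDS-Behavior-Version')
        ForestLevel   = Describe $FunctionalLevels (Get-AdsiInt $parts 'msDS-Behavior-Version')
        # adprep /domainprep refuses to run while a 2000 domain is still in mixed mode.
        DomainPrepReady = ($mixed -eq 0)
    }
}

# Expected progression for this thread: schema 13 before adprep /forestprep from the
# 2008 media and 44 afterwards; DomainMode 'mixed' -> 'native' before adprep /domainprep.
Get-DirectoryUpgradeState | Format-List SchemaVersion, DomainMode, DomainLevel, ForestLevel, DomainPrepReady
```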
 

Author Comment

by:johnkan
Great. No NT4 here.
Will continue this next week now. Getting booted out for the week.
Thanks
0
 

Author Comment

by:johnkan
Hi Experts

Just changed 2000 Server domain mode to native from mixed.

Completed adprep32 /domainprep successfully.

Do I need to run "adprep32.exe /domainprep /gpprep"?

The following message came up after successful completion of adprep32 /domainprep and mentions this command.

Adprep successfully updated the domain-wide information.

The new cross domain planning functionality for Group Policy, RSOP Planning
Mode, requires file system and Active Directory Domain Services permissions
to be updated for existing Group Policy Objects (GPOs). You can enable this
functionality at any time by running "adprep.exe /domainprep /gpprep" on the
Active Directory Domain Controller that holds the infrastructure operations
master role.
This operation will cause all GPOs located in the policies folder of the
SYSVOL to be replicated once between the AD DCs in this domain.
Microsoft recommends reading KB Q324392, particularly if you have a large
number of Group policy Objects.
0
 

Author Comment

by:johnkan
Hi Experts

OK, I've now run 'DCPROMO' successfully.

I have checked in user and computers and the 2008 intermediary server now appears as a domain controller.

Looking at the article there are 4 points next...

6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory.
Newbie question: I've run DCPROMO; how do I check Active Directory installed properly?

7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica.
Newbie question: not sure how this is supposed to be completed.

8. Disable Global Catalog on old server.
Newbie question: not sure how to complete this step.

9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.


Will the 2008 DC authenticate users before the steps above have been completed?

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Will the 2008 DC authenticate users before the steps above have been completed ?.

Yes.


1. how do I check Active Directory installed properly
http://support.microsoft.com/kb/298143

2. not sure how this is supposed to be completed

http://technet.microsoft.com/en-us/library/cc758330%28v=ws.10%29.aspx

3. Disable Global Catalog

http://technet.microsoft.com/en-us/library/cc758330%28v=ws.10%29.aspx
0
 

Author Comment

by:johnkan
hi Santosh

Thanks, I'll try these tomorrow and post the results.

After I had run DCPROMO on the new server, I waited about 15 minutes and then I unplugged the network cable from the old server and tried to log into the network from one of the PC's. It seemed to take an age to log in and get to the desktop.

When I reconnected the old server to the network and then logged in again on the same PC, it authenticated and got to the desktop much faster. So I wasn't sure whether the new server actually authenticated the user when the old server was disconnected.

Thanks
0

 

Author Comment

by:johnkan
Hi experts.

On the new server under the SYSVOL directory there is no scripts directory or 'Policies' directory, which there are on the old server. Do I just copy these to the new server, or should they have been created automatically when I DCPromo'd?

Just want to know that the new server has authenticated the user when I try logging them in with the old server disconnected from the network.

Thanks
0
 

Author Comment

by:johnkan
Hi

So far I've not done anything special with the DNS server entries on the new server.

Could that have an effect on the new server authenticating users?

I don't think the new server is authenticating users at this stage.

I've checked the installation as being correct, based on the knowledgebase article above.

1. how do I check Active Directory installed properly
http://support.microsoft.com/kb/298143

I feel it's close but that I've missed something.

Thanks
0
 

Author Comment

by:johnkan
Hello Experts

The new server is definitely not authenticating at this stage.

I created a shared folder on the new server and with the old server disconnected, I cannot connect to that shared drive.

When I authenticate on the old server and try to connect to the shared drive I am allowed to connect.

I can confirm both new and old servers appear with the tick in 'Global Catalog' under the server properties, for both old and new servers, under the Servers container.

Thanks
0
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

1. Make sure that you have added the New DC IP in the DNS of clients.

2. Run the DCDIAG /V on new server.

3. If you see errors in the report, then also run DCDIAG /Test:DNS and share the result/errors, if any.
0
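The checks Santosh lists here, together with the earlier questions about verifying the install, checking replication partners and locating the FSMO roles, gathered into one PowerShell script as an added example (not from the thread or from Microsoft; PowerShell 2.0 or later on the new 2008 DC is assumed, plus the built-in dcdiag, nltest and net tools). It reports which DC the locator hands out, whether this DC is advertising and has SYSVOL/NETLOGON shared, where the five FSMO roles sit, and which DC entries in the directory no longer resolve or answer on LDAP; a leftover entry from a long-decommissioned server shows up in that last list.

```powershell
# Added example (not from the thread). Run on the new 2008 DC (PowerShell 2.0+ assumed)
# before relying on it for logons or moving FSMO roles to it. Uses only the .NET
# System.DirectoryServices classes and the built-in dcdiag, nltest and net commands.

function Test-TcpPort {
    # TCP connect with a timeout, so a dead DC entry fails in seconds instead of hanging.
    param([string]$HostName, [int]$Port = 389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DnsResolves {
    param([string]$HostName)
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true } catch { return $false }
}

function Get-DcInventory {
    # Every DC the directory still holds an NTDS Settings object for. Liveness is checked
    # here rather than via the .NET object's own properties, which throw on a dead server.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $resolves = Test-DnsResolves $dc.Name
        $ldap = if ($resolves) { Test-TcpPort $dc.Name 389 } else { $false }
        New-Object PSObject -Property @{
            Name        = $dc.Name
            DnsResolves = $resolves
            LdapAnswers = $ldap
            Verdict     = $(if ($ldap) { 'reachable' } else { 'not answering: stale entry? confirm, then metadata cleanup' })
        }
    }
}

function Get-FsmoHolders {
    # All five roles; every one of them must be off the 2000 DC before it is demoted.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-LocalDcAdvertising {
    # A new DC does not advertise (and clients keep using the old DC) until FRS has
    # finished seeding SYSVOL and the SYSVOL/NETLOGON shares exist.
    $domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $shares  = net share | Out-String
    $locator = nltest "/dsgetdc:$domainName" | Out-String
    $advert  = dcdiag /test:Advertising | Out-String
    New-Object PSObject -Property @{
        SysvolShared      = [bool]($shares -match '(?m)^SYSVOL\s')
        NetlogonShared    = [bool]($shares -match '(?m)^NETLOGON\s')
        LocatorReturns    = $(if ($locator -match 'DC:\s*\\\\(\S+)') { $matches[1] } else { 'no DC returned' })
        PassesAdvertising = [bool]($advert -match 'passed test Advertising')
    }
}

Write-Host '== DC entries in the directory =='
Get-DcInventory | Format-Table Name, DnsResolves, LdapAnswers, Verdict -AutoSize | Out-Host
Write-Host '== FSMO role holders =='
Get-FsmoHolders | Format-List SchemaMaster, DomainNamingMaster, PdcEmulator, RidMaster, InfrastructureMaster | Out-Host
Write-Host '== This DC: shares, locator, advertising =='
Test-LocalDcAdvertising | Format-List SysvolShared, NetlogonShared, LocatorReturns, PassesAdvertising | Out-Host
```

If the locator still returns the old DC and PassesAdvertising is false while SYSVOL is unshared, FRS has not finished seeding SYSVOL yet; that is the state to wait out (or troubleshoot with dcdiag /test:DNS) rather than a sign the promotion failed.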
 

Author Comment

by:johnkan
Hi Santosh

Man!!! OK, here is the output from DCDIAG.

The old server is W2KSERVER2; the new intermediary server is SERVER03, running Server 2008.

It states there are 3 DCs, of which 2 were old NT servers that are long since gone. I'm going to remove these from Users and Computers.

Hope this helps.

Thanks heaps

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine SERVER03, is a Directory Server.
   Home Server = SERVER03

   * Connecting to directory service on server SERVER03.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=orgname,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=orgname,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=orgnameBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   Ldap search capabality attribute search failed on server orgnameBDC, return

   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:

   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail

   because of this error.

   * Found 3 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SERVER03

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... SERVER03 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SERVER03

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\w2kserver2.orgname.local, when we were trying to reach SERVER03.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... SERVER03 failed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         A warning event occurred.  EventID: 0x800034FD

            Time Generated: 04/23/2014   13:04:27

            Event String:

            File Replication Service is initializing the system volume with data from another domain controller. Computer SERVER03 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

             

            To check for the SYSVOL share, at the command prompt, type:

            net share

             

            When File Replication Service completes the initialization process, the SYSVOL share will appear.

             

            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

         A warning event occurred.  EventID: 0x800034C8

            Time Generated: 04/23/2014   13:04:29

            Event String:

            The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer SERVER03. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.

         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 04/23/2014   13:06:52

            Event String:

            The File Replication Service is having trouble enabling replication from w2kserver2.orgname.local to SERVER03 for c:\windows\sysvol\domain using the DNS name w2kserver2.orgname.local. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name w2kserver2.orgname.local from this computer.

             [2] FRS is not running on w2kserver2.orgname.local.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 04/23/2014   13:14:12

            Event String:

            The File Replication Service is having trouble enabling replication from orgnameBDC to SERVER03 for c:\windows\sysvol\domain using the DNS name orgnamebdc.orgname.local. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name orgnamebdc.orgname.local from this computer.

             [2] FRS is not running on orgnamebdc.orgname.local.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 04/23/2014   13:14:13

            Event String:

            The File Replication Service is having trouble enabling replication from W2KSERVER2 to SERVER03 for c:\windows\sysvol\domain using the DNS name w2kserver2.orgname.local. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name w2kserver2.orgname.local from this computer.

             [2] FRS is not running on w2kserver2.orgname.local.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... SERVER03 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... SERVER03 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 0x0 "The operation completed successfully.".

         Check the FRS event log to see if the SYSVOL has successfully been

         shared.
         ......................... SERVER03 passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         A warning event occurred.  EventID: 0x80000603

            Time Generated: 04/23/2014   13:04:05

            Event String:

            Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

             

            Hard disk:

            c:

             

            Data might be lost during system failures.

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 04/23/2014   13:04:18

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

             

            Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.

             

            For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

             

            You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

         An error event occurred.  EventID: 0xC0000827

            Time Generated: 04/23/2014   13:10:05

            Event String:

            Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

             

            Source domain controller:

             orgnamebdc

            Failing DNS host name:

             d93836ab-8fa9-41cc-b1b3-c50c5b27b183._msdcs.orgname.local

             

            NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:

             

            Registry Path:

            HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

             

            User Action:

             

             1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

             

             2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

             

             3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

             

              dcdiag /test:dns

             

             4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

             

              dcdiag /test:dns

             

             5) For further analysis of DNS error failures see KB 824449:

               http://support.microsoft.com/?kbid=824449

             

            Additional Data

            Error value:

             11004 The requested name is valid, but no data of the requested type was found.

           

         A warning event occurred.  EventID: 0x80000785

            Time Generated: 04/23/2014   13:10:05

            Event String:

            The attempt to establish a replication link for the following writable directory partition failed.

             

            Directory partition:

            CN=Configuration,DC=orgname,DC=local

            Source directory service:

            CN=NTDS Settings,CN=orgnameBDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local

            Source directory service address:

            d93836ab-8fa9-41cc-b1b3-c50c5b27b183._msdcs.orgname.local

            Intersite transport (if any):

             

             

            This directory service will be unable to replicate with the source directory service until this problem is corrected.

             

            User Action

            Verify if the source directory service is accessible or network connectivity is available.

             

            Additional Data

            Error value:

            8524 The DSA operation is unable to proceed because of a DNS lookup failure.

         ......................... SERVER03 failed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=W2KSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local
         ......................... SERVER03 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC SERVER03 on DC SERVER03.
         * SPN found :LDAP/SERVER03.orgname.local/orgname.local
         * SPN found :LDAP/SERVER03.orgname.local
         * SPN found :LDAP/SERVER03
         * SPN found :LDAP/SERVER03.orgname.local/orgname
         * SPN found :LDAP/d2c2952a-d421-4d08-a481-cb0024f074e2._msdcs.orgname.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d2c2952a-d421-4d08-a481-cb0024f074e2/orgname.local
         * SPN found :HOST/SERVER03.orgname.local/orgname.local
         * SPN found :HOST/SERVER03.orgname.local
         * SPN found :HOST/SERVER03
         * SPN found :HOST/SERVER03.orgname.local/orgname
         * SPN found :GC/SERVER03.orgname.local/orgname.local
         ......................... SERVER03 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC SERVER03.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=orgname,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=orgname,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=orgname,DC=local
            (Domain,Version 3)
         ......................... SERVER03 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\SERVER03\netlogon)

         [SERVER03] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... SERVER03 failed test NetLogons

      Starting test: ObjectsReplicated

         SERVER03 is in domain DC=orgname,DC=local
         Checking for CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local in domain DC=orgname,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local in domain CN=Configuration,DC=orgname,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER03 passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=orgname,DC=local
               Latency information for 2 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
            CN=Configuration,DC=orgname,DC=local
               Latency information for 2 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
            DC=orgname,DC=local
               Latency information for 2 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... SERVER03 passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 3660 to 1073741823
         * w2kserver2.orgname.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3160 to 3659
         * rIDPreviousAllocationPool is 3160 to 3659
         * rIDNextRID: 3160
         ......................... SERVER03 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SERVER03 passed test Services

      Starting test: SystemLog

         * The System Event log test
         A warning event occurred.  EventID: 0x80040022

            Time Generated: 04/23/2014   13:04:05

            Event String:

            The driver disabled the write cache on device \Device\Harddisk0\DR0.

         A warning event occurred.  EventID: 0x80040022

            Time Generated: 04/23/2014   13:04:05

            Event String:

            The driver disabled the write cache on device \Device\Harddisk0\DR0.

         A warning event occurred.  EventID: 0x80040022

            Time Generated: 04/23/2014   13:04:05

            Event String:

            The driver disabled the write cache on device \Device\Harddisk0\DR0.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 04/23/2014   13:04:13

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x0000008E

            Time Generated: 04/23/2014   13:05:46

            Event String:

            The time service has stopped advertising as a time source because the local clock is not synchronized.

         Found no errors in "System" Event log in the last 60 minutes.
         ......................... SERVER03 passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local and backlink on

         CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local

         are correct.
         The system object reference (serverReferenceBL)

         CN=SERVER03,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orgname,DC=local

         and backlink on

         CN=NTDS Settings,CN=SERVER03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=orgname,DC=local

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=SERVER03,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=orgname,DC=local

         and backlink on CN=SERVER03,OU=Domain Controllers,DC=orgname,DC=local

         are correct.
         ......................... SERVER03 passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : orgname

      Starting test: CheckSDRefDom

         ......................... orgname passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... orgname passed test CrossRefValidation

   
   Running enterprise tests on : orgname.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\w2kserver2.orgname.local

         Locator Flags: 0xe00001fd
         PDC Name: \\w2kserver2.orgname.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\w2kserver2.orgname.local
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\w2kserver2.orgname.local
         Locator Flags: 0xe00001fd
         KDC Name: \\w2kserver2.orgname.local
         Locator Flags: 0xe00001fd
         ......................... orgname.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... orgname.local passed test Intersite
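The "unsigned SASL binds or LDAP simple binds" summary event in the dcdiag output above is the DC telling you that LDAP signing is not yet enforced and that some clients are still binding without it. The following PowerShell is an added example (the editor's, not code from the thread or from either participant) of the triage the event text describes: raise the "16 LDAP Interface Events" diagnostic level to 2 so the DC logs a per-client event for every such bind, then group those events by client address so the offending machines can be fixed before signing is required. It assumes it is run elevated on the DC in question (the 2008 R2 DC, SERVER03, in this thread); the registry value name and the event IDs 2887 (24-hour summary) and 2889 (per-client, at level 2 or higher) are the standard Windows values.

```powershell
# Added example: audit unsigned/simple LDAP binds on a domain controller.
# Run elevated on the DC (e.g. the temporary 2008 R2 DC in this thread).
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$name = '16 LDAP Interface Events'   # the category named in the dcdiag text

# 1. Remember the current level so it can be restored later (level 2 is noisy).
$previous = (Get-ItemProperty -Path $diag -Name $name).$name
Write-Host "Current '$name' level: $previous"

# 2. Raise it to 2: the DC now writes event 2889 for every unsigned SASL bind
#    or cleartext simple bind, naming the client IP:port and the account used.
Set-ItemProperty -Path $diag -Name $name -Value 2 -Type DWord

# 3. Collect the per-client events (2889) plus the daily summary (2887)
#    from the Directory Service log and rank clients by how often they bind.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2887, 2889
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Id -eq 2889 } |
    Select-Object TimeCreated,
        @{ n = 'Client';   e = { $_.Properties[0].Value } },   # "IP:port" (event template %1)
        @{ n = 'Identity'; e = { $_.Properties[1].Value } } |  # account bound as (%2)
    Group-Object Client |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Only when no 2889 events have appeared for a while, require signing
#    (policy "Domain controller: LDAP server signing requirements", which sets
#    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity = 2)
#    and put the diagnostic level back:
# Set-ItemProperty -Path $diag -Name $name -Value $previous -Type DWord
```

Leave level 2 on only as long as the audit needs; it logs one event per bind and on a busy DC will fill the Directory Service log quickly. The clients that show up are typically printers, NAS boxes and line-of-business apps doing a simple bind with a real domain account, which is exactly the password-on-the-wire exposure the event is warning about.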
Author Comment by: johnkan
Hi Santosh

According to this output from dcdiag /V, the File Replication Service has not yet finished replicating. When I use 'net share' the SYSVOL share is not present on the 2008 server yet.

How can I tell if it's even trying to replicate?

I have deleted the orgnameBDC server as a domain controller from the 2008 server and ticked that the computer is no longer available. So this test should not appear when I run DCDIAG once that domain controller has been recognised as no longer available, I'm guessing.
Author Comment by: johnkan
Hi Santosh

Attached is the latest output from DCDIAG /V

One thing about it is there is still a reference to a DC named orgnameBDC. This is non-existent and does not appear under 'Active Directory Sites and Services' anymore, but does appear under 'Active Directory Users and Computers', so not sure why it's still being included.

This is exactly what others seem to have reported when introducing 2008 R2 servers to 2003 domains or 2000 domains, whereby the replication and sharing of the SYSVOL folder is never completed properly.

Any ideas as to how this is resolved?

Thanks heaps.
dcdiag-afterremoving-nonexistant.txt
Expert Comment by: Santosh Gupta
Hi,



One thing about it is there is still a reference to a DC named orgnameBDC. This is non-existent and does not appear under 'Active Directory Sites and Services' anymore, but does appear under 'Active Directory Users and Computers', so not sure why it's still being included.

Lets fix it first.

First, clean up the metadata from Active Directory for the failed server with ntdsutil:
http://support.microsoft.com/kb/216498

Note: Make sure there is no entry remaining in ADUC, DNS and Sites & Services.


When I use 'net share' the SYSVOL share is not present on the 2008 server

Lets fix it now.

#1 follow the below to enable the share.

Set the SysvolReady Flag registry value to "0" and then back to "1" in the registry.

 Click Start, click Run, type regedit, and then click OK.
 Locate the following subkey in Registry Editor:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

 In the details pane, right-click SysvolReady Flag, and then click Modify.
 In the Value data box, type 0 and then click OK.
 Again in the details pane, right-click SysvolReady Flag, and then click
 Modify.  In the Value data box, type 1, and then click OK.

 Then run NET SHARE and see if the SYSVOL and NETLOGON share is present.

http://support.microsoft.com/kb/315457

##2
If the SYSVOL share is present then try the authoritative restore of the server by playing with the registry.

http://support.microsoft.com/kb/315457

###3
Enable Loose Replication Consistency


 To enable Loose Replication Consistency, follow these steps on the 2003 domain controller that reports the error messages.

1. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

2. Click Add Value on the Edit menu.
3. Add the following value:
 Value Name: Strict Replication Consistency
 Data type: REG_DWORD
 Value data: If the value is 1, change it to 0.
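A way to check the three fixes in the reply above from the 2008 R2 DC, added here as an example (the editor's, not code from the thread): it looks for any leftover server object for the dead DC that metadata cleanup (KB 216498) should have removed, reads the SysvolReady and Strict Replication Consistency values, and confirms that SYSVOL and NETLOGON are actually shared. It assumes the ActiveDirectory PowerShell module (present on 2008 R2 and later DCs), Windows PowerShell 2.0 syntax, and the dead DC name orgnameBDC from the dcdiag output; the registry paths and value names are the ones given in the reply.

```powershell
# Added example: verify the clean-up steps on the 2008 R2 DC (PowerShell 2.0 compatible).
Import-Module ActiveDirectory
$oldDc = 'orgnameBDC'   # the non-existent DC still referenced in dcdiag

# 1. Metadata clean-up: any server object for the dead DC left under CN=Sites
#    means ntdsutil "remove selected server" still has to be run. Its NTDS
#    Settings child goes with it, so the KCC stops trying to replicate from it.
$configNC = (Get-ADRootDSE).configurationNamingContext
$leftovers = Get-ADObject -Filter "name -eq '$oldDc'" -SearchBase "CN=Sites,$configNC"
if ($leftovers) {
    "Stale server object(s) still present:"
    $leftovers | Format-Table DistinguishedName, ObjectClass -AutoSize
} else {
    "No server object for $oldDc under CN=Sites,$configNC"
}

# The computer account in ADUC is separate from the site object and is
# removed by hand after the metadata cleanup (the reply's note about ADUC).
$acct = Get-ADComputer -Filter "name -eq '$oldDc'" -ErrorAction SilentlyContinue
if ($acct) { "Computer account still exists: $($acct.DistinguishedName)" }

# Replication partners the KCC still knows about; the dead DC should not appear.
repadmin /showrepl | Select-String -Pattern $oldDc

# 2. SysvolReady (Netlogon) and Strict Replication Consistency (NTDS).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ready  = (Get-ItemProperty $netlogon -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
$strict = (Get-ItemProperty $ntds -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
"SysvolReady = $ready ; Strict Replication Consistency = $strict"

# 3. Are SYSVOL and NETLOGON actually shared? Win32_Share works on 2008 R2,
#    where Get-SmbShare does not exist yet.
$shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -contains $s) { "$s share present" } else { "$s share MISSING" }
}
```

One caveat a practitioner will want on step ###3: setting Strict Replication Consistency to 0 ("loose") lets a partner that has been offline longer than the tombstone lifetime replicate lingering objects back in, which can resurrect deleted accounts and group memberships. Use it only to get a stuck partner talking, then set the value back to 1 once `repadmin /showrepl` is clean, or prefer `repadmin /removelingeringobjects` where the lingering objects can be identified.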
Author Comment by: johnkan
Hi Santosh

With the first item ...

1st cleanup metadata from active directory for failed server with ntdsutil
http://support.microsoft.com/kb/216498

I ran this procedure on the old 2000 Server to remove it from that server. Do I run the same thing on the temporary Win 2008 server also?

I'll run through all of these steps tomorrow, Thursday, and post the results once completed.

Thanks heaps
Expert Comment by: Santosh Gupta
Hi,

No, if you run metadata clean-up on W2KSERVER2 then you do not need to run it on the other DC. It will automatically be removed once replicated.
Author Comment by: johnkan
Hi Santosh

I thought (hoped) that might be the case.

I'll post the results of the other actions later on today.

Thanks
John
Author Comment by: johnkan
Hi Santosh

Step #1,
The initial value of the key value was already 0.

After completing #1 and the step below, the SYSVOL share is now present but there is no NETLOGON share. Should I have one as well as the SYSVOL share on the 2008 server?


Then run NET SHARE and see if the SYSVOL and NETLOGON share is present.
Author Comment by: johnkan
Hello Santosh

When I run Linkd as part of step #2, I get the error message back stating 'Linkd' is not recognised as an internal or external command.

When I restart the FRS service the SysvolReady flag is reset to 0, and the SYSVOL share no longer appears as a share when I run 'net share'.

Thanks
Author Comment by: johnkan
Hi Santosh

Hang on!!!... I take that back. Helps if I have the NTFRS service started on the authoritative controller before I start the FRS service on the new server!!!

I now have SYSVOL and NETLOGON shares when I issue net share.

OK, now step #3
Author Comment by: johnkan
Hello Santosh

step #3
I've added the new DWORD value with the name "Strict Replication Consistency".

Should I try the DCDIAG thing again?

Thanks
John
Expert Comment by: Santosh Gupta
Hi,

1. Is the DC named orgnameBDC still showing under 'Active Directory Users and Computers'?
2. Try to replicate first; it should replicate.
3. Now run DCDIAG /V. If you see any error then also run DCDIAG /Test:dns.
Author Comment by: johnkan
Hi Santosh

OK, I'll need to do this 28.4.2014 now.

no access to servers until then.

I didn't mention that after I completed step #2 replication completed and the SYSVOL tree and all of the login scripts replicated to the new server, so that's a BIG step forward.

I'll post any results from the DCDIAG /V and DCDIAG /Test:dns if there are errors.

Thanks heaps
John
Author Comment by: johnkan
hi Santosh

Looks like DCDIAG /test:dns ran without errors. I've attached the output of it.

DCDIAG /V had 2 errors.

a) DCOM error due to the use of the external ISP's DNS somewhere.
b) Replications check. At the time this was run initially, the old server's NIC was disconnected. I'm assuming the replication failure is due to the next replication cycle not having been completed yet? I've attached the output of DCDIAG /V to this post also.

c) There are some nfs time errors too which I'm not sure how to correct.

Otherwise, what I was able to determine was that with the old DC disconnected from the network, the test user is being authenticated by the intermediary 2008 server and their logon script run, which I don't think would happen if authentication were not working on the 2008 intermediary server?

I'm going to leave the 2008 server on and hope it replicates naturally for a day. I've had it switched off since the FRS service started to work.

I look forward to your post.

Thanks heaps
dcdiag-test-dns-20140428.txt
dcdiag-v-20140428.txt
Author Comment by: johnkan
Hi Santosh

OK, I let the DCs replicate overnight and, as hoped, the dcdiag /V comes up really clean looking.

Can you confirm that? I've attached the latest output of dcdiag /V to this post.

I've also confirmed all of the different OSes on the network are authenticated by the temp 2008 server when the old server is disconnected.

So I guess the next step is to demote the old server so I can then get the 2012 Essentials server joined to the domain and then get rid of the temp 2008 server?

thanks
John
dcdiag-v-20140429.txt
Expert Comment by: Santosh Gupta
Yes, result is clean. no issue you can go ahead.
Author Comment by: johnkan
Hello Santosh

To re-cap,

Here was my original plan...
As recommended, looking to...
install Win2008 server as VM on Win 2012 Essentials server

'Migrate' AD stuff from 2000 server over to Win2008 server and make the 2008 server a DC

then Join 'host' Win 2012 essentials server to Win2008 managed domain (where Win2008 is the DC).

Demote 2000 server

Move, or reinstall apps, printers etc to Win 2012 essentials server
Copy files over to 2012 Essentials server

decommission Win 2000 server
switch off 2008 server



Here are the 4 steps I am currently completing...

6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory. COMPLETED

7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica. COMPLETED

8. Disable Global Catalog on old server. Not yet completed.

9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.

Looking at this, as the temporary 2008 server is now acting as a DC in the domain, can I now join the Win 2012 Essentials server to the domain, and make it a domain controller as well, before demoting the Win 2000 server?

Also, do I have to disable the Global Catalog on the old server at this stage? Not sure if this means it will stop authenticating...

Thanks heaps
Expert Comment by: Santosh Gupta
Also, do I have to disable the Global catalog on the old server at this stage ?. Not sure if this means it will stop authenticating ..

First change the DNS server IP in the DHCP server so that all systems use the 2008 server for DNS, disable the global catalog, and wait for a day to see if everything is going fine.
http://technet.microsoft.com/en-us/library/cc758330(v=ws.10).aspx


Looking at this, as the temporary 2008 server is now acting as a DC in the domain, can I now join the Win 2012 essentials server to the domain, and make it a domain controller as well, before demoting the Win2000 server ?.

Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.

Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest. In this case, consider the following workflow:
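The functional-level requirement quoted above is the thing to check before touching the 2012 server. The following PowerShell, added here as an example (the editor's, not part of the reply), reports the forest and domain functional levels, lists every DC with its operating system and global catalog flag so any remaining Windows 2000 DC is visible, and raises both levels to Windows Server 2003 only when no Windows 2000 DC is left. It assumes the ActiveDirectory module on the 2008 R2 DC and the domain name orgname.local from the dcdiag output; the mode names are the ones the module uses.

```powershell
# Added example: confirm the forest can accept a Windows Server 2012 DC.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"

# Inventory every DC; a remaining Windows 2000 DC blocks the 2012 promotion
# even if the functional level has already been raised.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site |
    Format-Table -AutoSize

$legacy = $dcs | Where-Object { $_.OperatingSystem -like 'Windows 2000*' }
if ($legacy) {
    "Demote these before going further:"
    $legacy | ForEach-Object { "  " + $_.HostName }
    return
}

# Raising a functional level is one-way; do it only after the last Windows 2000
# DC is demoted and its metadata cleaned up.
if ($domain.DomainMode -eq 'Windows2000Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain
}
if ($forest.ForestMode -eq 'Windows2000Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest
}

# Re-read, and only proceed with the 2012 promotion when both are 2003 or higher.
"Domain now: $((Get-ADDomain).DomainMode) ; Forest now: $((Get-ADForest).ForestMode)"
```

Both Set-* cmdlets prompt for confirmation by default, which is the right default for a one-way change; the domain level must be at Windows Server 2003 before the forest level can be raised to it.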
Author Comment by: johnkan
hi Santosh

Ok, so I'm hearing I must demote the Win2000 Server and make it a member server only first. This will leave the temporary 2008 Server DC to which I can then join the Win 2012 essentials server.

Once the 2012 essentials server is joined to the domain...from post earlier on...

I add the ADDS role and run the post-installation configuration wizard. The wizard now handles the duties that adprep (forest and domain) and dcpromo used to handle. Again, follow the replica DC documentation exactly, looking for replication issues (there are often a few) and resolving them.

Sorry, I don't see the bit in your post after the ..

'In this case, consider the following workflow:'

Can you post that bit for me again?.

thanks heaps
John
Expert Comment by: Santosh Gupta
Hi,

My apology... ignore the 'In this case, consider the following workflow:' section.
Author Comment by: johnkan
Hi Santosh

OK, disabled Global Catalog on Win2000 DC. Now going to let it run that way for 2 days..

John
Author Comment by: johnkan
Hi Santosh

OK, I've left the 2000 server and 2008 server running over the last few days and things still seem to be working fine...

Here are the 4 steps I am currently completing...

6. Run dcpromo on new server to promote it as an additional domain
controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory. COMPLETED

7. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication to synchronize Active
Directory database between 2 replica. COMPLETED

8. Disable Global Catalog on old server. COMPLETED.

9. Use NTDSUTIL utility to transfer all the 5 FSMO roles from old server to
new server. You'd better transfer FSMO roles via GUI method instead of
using NTDSUTIL.


So I'm going to run the NTDSUTIL utility from the 2008 Server. I'm guessing this will automatically demote the Win 2000 server?

Thanks heaps
John
Author Comment by: johnkan
Hi Santosh

Actually, if my 2008 Server is already acting as a DC with the GC enabled, then have I already transferred the FSMO roles with the actions completed so far?

If so, do I need to just demote the Win 2000 server? Not sure what I run to demote the Win 2000 server.

Once I've demoted the Win2000 Server I will join the 2012 Essentials server to the domain and add the ADDS role to then make it a DC.

I will then leave the 2008 Server for a couple of days. I will keep the Win2000 server running as a member server.

After the wait, I will want to remove the 2008 temporary server.

Thanks heaps
John
Author Comment by: johnkan
Hi Santosh

Sorry, on further reading, I am wanting to now 'transfer' the FSMO roles to the 2008 Server...

I'm going to follow these steps...

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.


Thanks heaps
John
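The PowerShell equivalent of the ntdsutil transfer steps in the post above, added here as an example (the editor's, not code from the thread): it records who holds the five roles, transfers all of them to the temporary 2008 R2 DC in one call, and verifies that nothing was left behind. It assumes the ActiveDirectory module on the 2008 R2 DC, Windows PowerShell 2.0 syntax, and the target name SERVER03 from the dcdiag output; the account running it needs Schema Admins for the schema master and Enterprise Admins for the domain naming master, as the post says.

```powershell
# Added example: transfer all five FSMO roles to the temporary 2008 R2 DC and verify.
Import-Module ActiveDirectory
$target = 'SERVER03'   # the 2008 R2 DC from the dcdiag output

function Get-FsmoHolders {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $f = Get-ADForest
    $d = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"
Get-FsmoHolders | Format-List

# Transfer, not seize: the current holder (the Windows 2000 DC) must be online and
# replicating. Seizing with -Force is only for a dead role holder, and a seized-from
# DC must never be put back on the network.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

"After:"
$after = Get-FsmoHolders
$after | Format-List

# Every role should now name the target DC (values are FQDNs, compared case-insensitively).
$pending = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$target*" }
if ($pending) {
    "Still elsewhere: " + (($pending | ForEach-Object { $_.Name }) -join ', ')
} else {
    "All five roles are on $target"
}

# Cross-check with the tool that also works against a Windows 2000 domain.
netdom query fsmo
```

Transferring the roles does not demote the old DC; as the reply below says, that is a separate step, and on Windows 2000 it is `dcpromo` run on that server itself (there is no PowerShell on that box). Until the old server is demoted it still holds a copy of the directory and can still authenticate, which is why the thread keeps it running for a few days after the transfer before removing it.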
Expert Comment by: Santosh Gupta
Author Comment by: johnkan
Hi Santosh

I'll check out the GUI to do it for this one.

doing this tomorrow.

I'll post the results.

Newbie question, but will this automatically make the Win 2000 server just a member server, or is there a further step to demoting a DC to become a member server?

Thanks heaps
John
Expert Comment by: Santosh Gupta
No,

You need to demote it.
Author Comment by: johnkan
Hi Santosh

Ok. transfer of FSMO and demotion of Win2000 Server to member server completed.

Everything still works!!!

Fantastic!!!.

I think we can call this one finished

This is probably one of the longest threads you may have been involved with.

thanks heaps for sticking with it.

John
Author Comment by: johnkan
hi Santosh

Updated DFL and FFL to Win 2008 R2, which is my temporary server.

I was about to join the Win 2012 Essentials server to my domain, but can't, as by default when I initially set up the Win 2012 Essentials server it also installed the Certificate Authority service.

Can I uninstall the CA service on the Win 2012 server so that I can then join the domain and then add the ADDS role as described at the start of this?

The Win 2008R2 VM is hosted on the Win 2012 Essentials Server at present.

thanks heaps
John
Expert Comment by: Santosh Gupta
Yes,

you can just add ADDS role, it will automatically join it to domain.
Author Comment by: johnkan
hi Santosh

Do I need to remove the CA service then before I add the ADDS role?

I was trying to join the domain using the old advanced settings under 'System' in Control Panel, and that's when I saw the 'Change' button was grayed out.

I hadn't thought of just adding the ADDS role without removing the CA service role first.

Thanks heaps

John
Expert Comment by: Santosh Gupta
Ok, uninstall  the Certificate Authority service then try.

Note: Make sure you dont have any other SBS in your domain.
Author Comment by: johnkan
Hi Santosh

OK,

1. Uninstalled CA service. This allowed me to join the existing 2008 R2 domain.
2. Uninstalled AD services (these had already been installed when I initially set the 2012 Essentials server up). I wanted to do this to start with the wizard.
3. Successfully joined the demoted 2012 server to the 2008 R2 domain.

Next step is to run the configuration wizard to turn the 2012 server into a DC, which will transfer the FSMO roles from the temporary 2008 R2 server.

I'll post the results of this next couple of days.

Thanks
Author Comment by: johnkan
Hi Santosh

Ran the configuration Wizard to turn the 2012 Essentials server into a DC successfully

Transferred the FSMO roles successfully.

Disabled the 'GC' property on the 2008 server

final step to shut off the temporary 2008 server to make sure the new servers operating correctly as the DC and authenticating properly.

I'll post the results of this step tomorrow.

thanks heaps
John
Author Comment by: johnkan
Hello Santosh

OK, have had the 2008 temp server off now for a couple of days and the 2012 Essentials server is still working as expected.

Looking really good.

I'll check again in a couple of day's but I think this is sorted.

I'll post the final status in after the weekend.

Thanks heaps
John
Author Comment by: johnkan
Hi Experts

Thank you both for your excellent in-depth guidance with this migration and especially for sticking with it. The challenge was that we only had access to the system during business hours and mostly only during their lunch breaks.

Thanks so much.

I wish I could have had more points to award to this.

John